
Continuous Authentication & Identity Assurance

That Never Stops Watching

Authenticate with Passkey. Monitor with continuous intelligence. Your users' phones become the unbreakable source of truth from login to logout.

The Gap Attackers Exploit

Traditional authentication checks credentials once—at login. But what happens in the 30 minutes, 2 hours, or full workday after that? Credentials get stolen mid-session. Devices change hands. Users move to unexpected locations. And your security system has no idea until it's too late.

Built as One. Not Bolted Together.

Most CA solutions force you to integrate multiple vendors—authentication here, monitoring there, enforcement somewhere else. We architected Pulse CA as a single, elegant framework where every component was designed to work together from day one.

[Figure: Pulse CA component anatomy. Four-panel diagram showing the individual capabilities of each Pulse CA component.]

  • Cloud API Service (central hub, secure database, RP federation): central to all Pulse CA components; hosts secure identity & session database; RP federation services; continuous monitoring services; sponsors Policy Decision Point services
  • Auth App (mobile authenticator; Android, iOS): identity authenticator; identity assertion provider; FIDO2 device assertion provider; source of monitoring metrics; step-up authentication provider; adjunct identity assertion service
  • Sentinel (endpoint service; Windows, macOS, Linux): access device identity provider; FIDO2-DA device assertion provider; active BLE proximity service; PEP extension provider service; AuthZEN client service
  • OIDC Provider (identity federation service): OIDC and OAuth 2.0 service provider; continuous auth & identity authz; AuthZEN evaluation services; Policy Enforcement Point; dispatcher of PDP decisions

[Figure: Pulse CA complete framework. Five-component diagram with labeled data flows; a correlation ID links all activity. Dashed border = optional component; dashed arrows = data streams.]

  • OIDC / SAML Provider + AuthZEN PEP (center hub): orchestrates, enforces, notifies; manages session state; push notifications to RPs
  • OIDC Client: your application
  • Auth Device: user's phone; streams trust metrics
  • PDP + AuthZEN: continuous trust analysis; policy decisions
  • Sentinel (optional; Windows, macOS, Linux): endpoint service; FIDO2-DA; BLE proximity; PEP; AuthZEN client
  • Data flows: login request, session token, auth ceremony, trust metrics, policy decisions, device assertion, AuthZEN eval, BLE proximity

No Integration Headaches

It's already integrated. The OIDC provider, Auth device, and PDP were built to work together—no duct-taping vendor APIs or hoping they'll talk to each other.

No Gaps in Coverage

The OIDC provider orchestrates authentication, knows session state, and controls logout. CA monitoring starts exactly when it should and stops when the session ends—no blind spots.

Instant Enforcement

PDP trust decisions flow directly to the OIDC provider managing your session. No separate enforcement layer. No hoping policies get applied. Immediate action.

Single Pane of Glass

Correlation IDs link every event from authentication through monitoring to enforcement. Complete audit trail. One cohesive system—not three vendors pointing fingers at each other.

The Complete Framework Components

Five integrated parts working as one elegant system

1. OIDC Client

Your application. Any OIDC-compatible app integrates seamlessly. The client initiates login and relies on the OIDC provider for all authentication and session management.

2. OIDC/SAML Provider with AuthZEN PEP

The orchestration hub. Manages authentication ceremonies (Passkey or Auth), maintains session state, receives real-time PDP decisions, and enforces policy. Exposes AuthZEN evaluator endpoints in OIDC and SAML client configurations, enabling relying parties to query authorization decisions inline and register callback endpoints for push notifications when trust state changes.

3. Auth Device (User's Phone)

Bonds with users via behavioral patterns and PIN. Continuously streams trust metrics (Identity, Proximity, 3D Location, Device Health) to the PDP throughout the entire session—regardless of authentication method used.

4. Policy Decision Point (PDP) with AuthZEN

The analysis engine. Receives real-time metrics from Auth devices, calculates trust scores continuously, and implements AuthZEN access evaluation semantics, returning trust-enriched permit/deny decisions to the PEP and registered relying parties. Makes enforcement decisions (continue, step-up, terminate) and feeds results to the OIDC/SAML provider.

5. Sentinel (Endpoint Background Service)

An optional but powerful addition to the Pulse CA framework. Sentinel runs as a persistent background service on the user's endpoint, extending continuous authentication and identity assurance directly to the device. It establishes a cryptographically secure device identity, registers with FIDO2-DA (device assertion without user interaction), and actively verifies the physical proximity of the user's Auth device via BLE. It enforces policy decisions from the PDP and submits real-time AuthZEN evaluations—enabling suspension or termination of endpoint applications when trust conditions are not met. Sentinel hardens the endpoint independently of session state, making it equally effective as a standalone security layer.

What Each Layer Delivers

Capability Pulse CA Sentinel Combined
Continuous identity verification
Continuous trust posture
Phishing-resistant authentication
Cryptographic device identity
Cryptographic session identity
Merkle-tree lineage
Agent / sub-agent accountability
Full Eleven Commandments compliance Partial Partial Full

Cryptographic Accountability

Sentinel completes the accountability chain that Pulse CA alone cannot close. By anchoring a persistent cryptographic device identity and an ephemeral session identity to every Pulse CA session, Sentinel enables Merkle-tree audit lineage that traces every action—including those of agentic AI sub-agents—back to a specific enrolled endpoint, a verified session, and an authenticated human principal. The result is end-to-end cryptographic accountability: from the person who logged in, through every agent they spawned, to the physical device on which the session ran.
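The audit lineage described above can be illustrated with a small hash tree. This is an added example, not Pulse CA or Sentinel code: the event fields, the identifiers and the RFC 6962-style leaf/node prefixes are assumptions chosen for illustration.

```python
import hashlib, json

def leaf_hash(event):
    # 0x00 prefix separates leaves from interior nodes (RFC 6962 style, an assumption here)
    blob = json.dumps(event, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(b"\x00" + blob).digest()

def node_hash(left, right):
    return hashlib.sha256(b"\x01" + left + right).digest()

def build_levels(events):
    """All tree levels, leaves first. An unpaired node is promoted, never duplicated."""
    levels = [[leaf_hash(e) for e in events]]
    while len(levels[-1]) > 1:
        cur = levels[-1]
        levels.append([node_hash(cur[i], cur[i + 1]) if i + 1 < len(cur) else cur[i]
                       for i in range(0, len(cur), 2)])
    return levels

def inclusion_proof(levels, index):
    """Sibling hashes (with side) needed to recompute the root from one leaf."""
    proof = []
    for level in levels[:-1]:
        sib = index ^ 1
        if sib < len(level):
            proof.append(("L" if sib < index else "R", level[sib]))
        index //= 2
    return proof

def verify(event, proof, root):
    h = leaf_hash(event)
    for side, sib in proof:
        h = node_hash(sib, h) if side == "L" else node_hash(h, sib)
    return h == root

def lineage(events, actor):
    """Walk spawn records from an agent back to the human principal."""
    parent = {e["actor"]: e["parent"] for e in events}
    chain = [actor]
    while parent.get(chain[-1]) is not None and parent[chain[-1]] not in chain:
        chain.append(parent[chain[-1]])
    return chain

# Constructed sample session: one device, one session, a human and two agents.
BASE = {"device": "dev-EXAMPLE", "session": "sess-EXAMPLE"}
EVENTS = [dict(BASE, seq=i, actor=a, parent=p, action=x) for i, (a, p, x) in enumerate([
    ("alice", None, "login"), ("agent-1", "alice", "spawn"),
    ("agent-1.1", "agent-1", "spawn"), ("agent-1.1", "agent-1", "read:report.csv"),
    ("agent-1", "alice", "summarize")])]
LEVELS = build_levels(EVENTS)
ROOT = LEVELS[-1][0]  # assumption: a deployment would sign this root; signing is omitted
```

Because every leaf carries the device and session identifiers, changing any field of a logged action changes the root, and `lineage` resolves a sub-agent's action back to the human who started the session.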

From Pre-Auth to Logout: Complete Session Coverage

The Complete Framework in Action

1. Pre-Authentication Setup

The Auth app is installed on the user's phone, bonding with the user through behavioral patterns and PIN. CA monitoring capabilities are ready before first login.

2. Authentication Event

The user initiates login to your application. Our OIDC/SAML provider orchestrates the authentication ceremony. First-time users choose to register either Passkey (FIDO2) or Auth as their authenticator. Returning users are automatically authenticated with their preferred method. A session correlation ID is established.

3. Continuous Monitoring Begins

Regardless of which authenticator was used for login, the Auth app immediately begins streaming trust metrics to the cloud PDP: Identity validation through behavioral patterns, Proximity verification via Bluetooth, 3D Location monitoring via GPS and barometric altitude (latitude, longitude, and floor-level altitude), and Device health tracking.

4. Real-Time Analysis & Enforcement

Throughout the entire session, the PDP continuously analyzes trust scores and feeds decisions to our OIDC/SAML provider for enforcement. High trust: Session continues. Medium trust: Step-up required. Low trust: Session terminated. Normal logout: CA monitoring ends gracefully.

Built for Your Business Model

For MSPs & Their SMB Clients

Complete CA Framework. Simple Deployment.

  • Complete Solution: Authentication (Passkey + Auth), Analysis (PDP with AuthZEN), Session Management (OIDC/SAML with AuthZEN evaluators)—everything needed for continuous authentication and authorization
  • Compliance Made Simple: Meet ZTA, CMMC, and NIST requirements with automated, real-time enforcement throughout the entire session
  • Flexible Scaling: Per-user subscription for up to 1,000 users, on-premises licensing for larger deployments

Pricing Model:

  • Subscription: User/month pricing for ≤1,000 users
  • Licensed: On-premises deployment for >1,000 users

Built on Modern Security Frameworks

AuthZEN

OpenID Foundation AuthZEN access evaluation: vendor-neutral, interoperable authorization integrated into OIDC and SAML client configurations.

Zero Trust Architecture (ZTA)

Continuous verification aligns perfectly with "never trust, always verify" principles

CMMC

Meet Cybersecurity Maturity Model Certification requirements with real-time monitoring and enforcement

NIST

Aligned with NIST guidelines for continuous diagnostics and mitigation

The Attacks That Slip Through Traditional Auth

Mid-Session Credential Theft

Traditional Auth: ✗ User logged in at 9 AM. Credentials stolen at 11 AM. System has no idea.

Pulse CA: ✓ Behavioral anomaly detected immediately. Session terminated. Threat neutralized.

Unexpected Location Change

Traditional Auth: ✗ User authenticated from Boston. Now accessing from Romania. Still trusted. Or the user is in the same building but on the wrong floor, and 2D geofencing can't tell.

Pulse CA: ✓ 3D location monitoring (latitude, longitude, and barometric altitude) detects both impossible travel and floor-level displacement. Location violations trigger immediate step-up or session termination.
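A sketch of the two location checks named above, impossible travel and floor-level displacement. This is an added example, not Pulse CA code: the thresholds, the zone definition, the coordinates and the mapping of each violation to step-up or terminate are all assumptions.

```python
import math

MAX_SPEED_KMH = 900.0   # assumed ceiling, roughly airliner cruise speed
ALT_TOLERANCE_M = 2.0   # assumed barometric noise allowance, under one ~3.5 m floor

def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points, in kilometres."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi, dlmb = p2 - p1, math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * 6371.0 * math.asin(math.sqrt(a))

def evaluate_fix(prev, cur, zone):
    """Return (decision, reason) for a new fix, given the previous fix and the allowed zone."""
    dt_h = (cur["t"] - prev["t"]) / 3600.0
    if dt_h <= 0:
        # Replayed or out-of-order telemetry cannot be used for a speed check
        return "step-up", "non-increasing timestamp"
    moved_km = haversine_km(prev["lat"], prev["lon"], cur["lat"], cur["lon"])
    if moved_km / dt_h > MAX_SPEED_KMH:
        return "terminate", "impossible travel"
    off_km = haversine_km(zone["lat"], zone["lon"], cur["lat"], cur["lon"])
    if off_km * 1000 > zone["radius_m"]:
        return "step-up", "outside 2D geofence"
    # The third dimension: same footprint, wrong altitude band
    if abs(cur["alt_m"] - zone["alt_m"]) > ALT_TOLERANCE_M:
        return "step-up", "floor-level displacement"
    return "continue", "within zone"

# Constructed sample data: an office zone in Boston and four later fixes.
ZONE = {"lat": 42.3601, "lon": -71.0589, "radius_m": 75, "alt_m": 24.0}
LOGIN = {"lat": 42.3601, "lon": -71.0589, "alt_m": 24.3, "t": 0}
SAME_DESK = {"lat": 42.3602, "lon": -71.0589, "alt_m": 24.8, "t": 600}
TWO_FLOORS_UP = {"lat": 42.3601, "lon": -71.0589, "alt_m": 31.0, "t": 900}
BUCHAREST = {"lat": 44.4268, "lon": 26.1025, "alt_m": 80.0, "t": 7200}
REPLAYED = {"lat": 42.3601, "lon": -71.0589, "alt_m": 24.3, "t": 0}
```

Barometric altitude drifts with weather, so a real deployment would need to calibrate readings against a reference before comparing them to a fixed band.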

Device Compromise

Traditional Auth: ✗ Phone jailbroken mid-session. Full access continues.

Pulse CA: ✓ Device health monitoring detects compromise. Access revoked instantly.

See Continuous Authentication & Identity Assurance in Action

Try It Right Now

What You'll Do:

  1. Install our Auth app on your phone (5 minutes)
  2. Simulate an OIDC app login using Auth or Passkey
  3. Watch real-time trust scores update as CA monitors your session
  4. See what happens when you trigger an exception (like turning off Bluetooth)

Trust Scores You'll See:

  • Identity Trust Score
  • Proximity Trust Score
  • Location Trust Score
  • Device Health Trust Score

Time Required: ~10 minutes total (5 min setup, 5 min demo)

Full Platform Walkthrough

What You'll See:

  • Complete architecture in a controlled environment
  • Policy configuration and real-world enforcement scenarios
  • Integration examples with your identity provider
  • Custom use case discussion for your organization

Format: WebEx session with our team