Executive Brief
AffirmedID Pulse CA and CAEP
Complementary Technologies for Session Security
Understanding the distinction between continuous authentication and continuous access evaluation, and how they work together.
Pulse Continuous Authentication & Identity Assurance | affirmedid.com | May 2026
Executive Summary
While Pulse CA and CAEP (Continuous Access Evaluation Protocol) both address session security, they serve fundamentally different purposes and are not interchangeable solutions. Pulse CA focuses on continuous identity verification, while CAEP focuses on policy enforcement and access control. Understanding this distinction is critical for proper architectural planning.
The Stakes: Organizations deploying session security must understand that continuous authentication and continuous access evaluation are complementary capabilities, not alternatives. Pulse CA verifies who the user is; CAEP enforces what they can do. A complete security posture requires both layers working in concert.
Key Differences
Purpose and Scope
Pulse CA provides continuous authentication, actively monitoring and verifying user identity throughout a session by continuously collecting and evaluating identity factors (knowledge, inherence, and possession) from the user's authentication device.
CAEP provides continuous access evaluation, a standardized protocol for communicating policy decisions and access control events between security components and identity providers to enforce session-level access changes.
Information Flow
| Aspect | Pulse CA | CAEP |
|---|---|---|
| Primary Question | “Is this still the authenticated user?” | “Should this user still have access?” |
| Signal Source | User's authentication device (mobile phone) | Policy engines, IAM systems, security services |
| Data Type | Identity verification metrics (biometrics, device signals, behavioral patterns) | Policy events (session revoked, compliance changed, credential changed) |
| Flow Direction | Metrics: Device → Cloud → Provider → RP; Policy Evaluations: Bidirectional | Events: Policy System → Identity Provider → Session Enforcement |
Technical Architecture
Pulse CA Operates at the Identity Verification Layer
- Continuously collects "something you know, are, and have" signals from authentication devices
- Enhances metrics in-flight through cloud processing
- Delivers to logging systems and Policy Enforcement Points (PEPs)
- Extends authentication trust from login through logout
CAEP Operates at the Policy Communication Layer
- Built on SSE (Shared Signals and Events) framework
- Transmits standardized JWT-based Security Event Tokens (SETs)
- Integrates with OIDC and SAML identity providers
- Enforces policy decisions at session boundaries
Use Case Focus
| Pulse CA Addresses | CAEP Addresses |
|---|---|
| Session hijacking prevention through continuous identity verification | Real-time policy propagation to identity providers |
| Detecting user substitution during active sessions | Centralized session revocation across multiple applications |
| Maintaining authentication assurance throughout session lifecycle | Device compliance enforcement |
| Behavioral and biometric anomaly detection | Risk-based access control coordination |
Complementary Nature and Future Integration
Rather than competing solutions, Pulse CA and CAEP represent complementary layers in a comprehensive security architecture.
Current Complementary Architecture
Pulse CA continuously verifies user identity, generating metrics from the authentication device. These metrics feed into Policy Decision Points (PDPs) in the cloud API service. PDPs make access control decisions based on Pulse CA metrics and other RP-provided policy inputs. CAEP communicates these PDP decisions to OIDC/SAML providers for enforcement. Currently, the Pulse CA OIDC/SAML provider, which predates CAEP by years, continues to use custom protocols.
Future Integration Potential
Pulse CA is uniquely positioned to become a primary event source for CAEP implementations in a future platform update.
Continuous Authentication & Identity Assurance Events
Pulse CA could generate CAEP-compliant events when continuous authentication signals indicate identity assurance changes:
- Biometric verification degradation during sessions
- Device possession signal loss
- Behavioral anomaly detection
- Composite authentication confidence changes
Enhanced Policy Context
By contributing continuous authentication events to the CAEP ecosystem, Pulse CA would enable:
- More granular, identity-based access decisions
- Standardized communication of why a session should be terminated, not just that it should be
- Interoperability with other CAEP-aware security systems
- Industry-standard event types for continuous authentication
Standards Evolution
As CAEP matures, continuous authentication events inspired by Pulse CA capabilities could be proposed as formal extensions to the OpenID Foundation specification, enabling broader industry adoption of continuous authentication practices.
Potential CAEP Extensions
The following event types represent natural extensions from Pulse CA to CAEP that would complement CAEP’s existing continuous access evaluation events:
| Event Type | Purpose | Trigger Example |
|---|---|---|
| biometric-verification-change | Biometric authentication state changed during session | Face/fingerprint verification failed mid-session |
| device-possession-change | “What you have” signal weakened or lost | Phone left proximity, secure element unresponsive |
| behavioral-anomaly-detected | User behavior deviated from baseline | Typing patterns, navigation patterns changed |
| authentication-strength-degraded | Composite authentication confidence decreased | Multiple weak signals accumulated |
| continuous-auth-failed | Continuous authentication check explicitly failed | Phone signals indicate different user |
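As an added illustration (not AffirmedID code and not a published CAEP event definition), the sketch below shows how one of the proposed event types could travel as a Security Event Token and what a receiver checks before acting on it. The `NS` event-type namespace, the function names, and the HS256 shared key are assumptions made to keep the example standard-library only; SSE deployments normally sign SETs with asymmetric keys.

```python
import base64, hashlib, hmac, json, time, uuid

# Hypothetical namespace: the page names the event types but defines no URIs.
NS = "https://example.com/secevent/continuous-auth/event-type/"
PROPOSED = {"biometric-verification-change", "device-possession-change",
            "behavioral-anomaly-detected", "authentication-strength-degraded",
            "continuous-auth-failed"}

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def build_set(key, issuer, audience, session_id, event, reason):
    """Transmitter side: wrap one proposed event in a signed SET (RFC 8417 claims)."""
    if event not in PROPOSED:
        raise ValueError("unknown event type")
    header = {"typ": "secevent+jwt", "alg": "HS256"}  # HS256 is an assumption here
    claims = {"iss": issuer, "aud": audience, "iat": int(time.time()),
              "jti": uuid.uuid4().hex,
              "sub_id": {"format": "opaque", "id": session_id},
              "events": {NS + event: {"event_timestamp": int(time.time()),
                                      "reason_admin": {"en": reason}}}}
    signing_input = _b64(json.dumps(header).encode()) + "." + _b64(json.dumps(claims).encode())
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64(sig)

def receive_set(token, key, issuer, audience, seen_jti):
    """Receiver side: verify, reject replays, return (session_id, event names)."""
    head, body, sig = token.split(".")
    header = json.loads(_unb64(head))
    if header.get("alg") != "HS256" or header.get("typ") != "secevent+jwt":
        raise ValueError("unexpected header")
    expected = hmac.new(key, f"{head}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _unb64(sig)):
        raise ValueError("bad signature")
    claims = json.loads(_unb64(body))
    if claims.get("iss") != issuer or claims.get("aud") != audience:
        raise ValueError("wrong issuer or audience")
    if claims["jti"] in seen_jti:
        raise ValueError("replayed SET")
    seen_jti.add(claims["jti"])
    names = [uri[len(NS):] for uri in claims["events"] if uri.startswith(NS)]
    return claims["sub_id"]["id"], names
```

The receiver returns the affected session and the event names so that a Policy Enforcement Point can decide between step-up authentication and termination; the `reason_admin` claim carries the "why" that the brief argues should accompany a session decision.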
Conclusion
Pulse CA and CAEP serve different but synergistic purposes in modern identity and access management architectures. Pulse CA excels at continuous identity verification, while CAEP excels at policy event communication and enforcement coordination.
Organizations implementing comprehensive session security should consider both technologies, with Pulse CA providing the identity assurance signals that inform policy decisions communicated through CAEP.
Future integration between these technologies promises to deliver industry-standard, interoperable continuous authentication capabilities across the identity ecosystem. By extending CAEP with continuous authentication event types inspired by Pulse CA, the industry can move toward a unified framework where identity verification and access policy enforcement work seamlessly together.
The Path Forward: AffirmedID is committed to advancing both Pulse CA’s continuous authentication capabilities and contributing to the evolution of industry standards like CAEP. As CAEP matures and gains wider adoption, we see a natural convergence where continuous authentication becomes a first-class citizen in the continuous access evaluation ecosystem, not as a replacement for existing CAEP events, but as an essential complement that answers a different but equally critical question: not just whether access should continue, but whether the authenticated identity itself remains trustworthy.
Confidential — AffirmedID — affirmedid.com — Copyright © May 2026