Technical Brief

AffirmedID Pulse

Continuous Authentication and Authorization

Identity trust that never stops — and policy enforcement that acts on it.

AffirmedID  |  affirmedid.com  |  April 2026

Executive Summary

AffirmedID Pulse is a continuous authentication and authorization platform that addresses two distinct but inseparable gaps in modern security architecture: the session continues long after login, and authorization decisions made at login time age out of date just as quickly.

Pulse was built originally as a continuous authentication solution — extending phishing-resistant identity assurance beyond the login event and throughout the entire active session. It has since expanded to include AuthZEN, the OpenID Foundation's standardized authorization evaluation protocol, making the Pulse Policy Decision Point (PDP) a trust-aware authorization engine that evaluates what users and agents are permitted to do, not just whether they are still who they claim to be.

The result is a unified framework — Continuous Authentication and AuthZEN working as a single pipeline — where the live identity trust signals produced by the Auth device flow directly into every authorization decision, for human users and AI agents alike.

The Two Gaps Pulse Closes

Gap 1: Authentication Ends at Login

Traditional authentication validates credentials once and then extends implicit session trust — sometimes for hours. Credentials stolen mid-session, devices that change hands, and impossible travel all go undetected until it is too late.

Gap 2: Authorization Ages Out

Authorization decisions — roles, scopes, permissions — are evaluated at login time and embedded in tokens that remain valid regardless of what changes afterward. By the time an agent takes a sensitive action, the trust context that justified access may be long gone.

Pulse closes both gaps simultaneously. Continuous Authentication keeps identity trust current throughout the session. AuthZEN evaluates every access decision against that live trust — not against a credential from login.

These Gaps Are Not Theoretical

Two recent, high-profile incidents illustrate exactly where traditional authentication and authorization end — and where Pulse begins.

EXAMPLE 1

17 Billion Stolen Session Cookies — 2024

The 2024 discovery of 17 billion stolen cookie records exposed the scale of a tactic now dominating identity-based attacks: session hijacking. Stolen session tokens allow attackers to bypass even the most robust MFA ceremony entirely — presenting a valid, previously authenticated session rather than re-authenticating. No credentials are stolen. No MFA challenge is triggered. The attacker simply arrives already logged in.

Impact: Reputable 2026 reports confirm that 87% of successful attacks in 2025 involved session hijacking after a valid MFA login ceremony — the exact gap Pulse is designed to close. By continuously monitoring behavioral identity, proximity, and 3D location throughout the session, Pulse restricts active session access to the authorized person and device, and terminates access immediately on their absence or anomaly detection.

EXAMPLE 2

Gainsight OAuth Exploitation — November 2025

The November 2025 exploitation of Gainsight OAuth integrations compromised over 200 Salesforce customer environments, demonstrating how stale session trust in a single integration point becomes a weapon across an entire SaaS ecosystem. Once a token was compromised, its authorization — evaluated at login time and unchanged since — permitted lateral movement and privilege escalation long after any reasonable window of trust had passed. The login ceremony was legitimate. The authorization that followed it was not.

Impact: This is precisely the gap Pulse's live trust-aware authorization engine closes. Rather than relying on permissions evaluated at login, Pulse's AuthZEN evaluator assesses every access decision against the current trust state of the session — enforcing step-up authentication before high-privilege actions expire into risk, and terminating access immediately when the session's trust picture no longer justifies it. Stale authorization is not a condition that Pulse permits to persist.

How Pulse Works: Authentication and Authorization as a Single Pipeline

Step 1: Dual-Assertion Authentication

Every Pulse session is established through two simultaneous, independent identity assertions rather than one:

  • FIDO2 Device Assertion — a cryptographically verified proof of device possession via Passkey or AffirmedID Auth. This provides phishing-resistant authentication at NIST AAL2, confirming the right authenticator was present and that the ceremony was not intercepted.
  • Auth Identity Assertion — a continuous behavioral identity assertion produced by the Auth app on the user's phone, derived from behavioral biometrics, proximity, 3D location, and device health. Unlike the point-in-time FIDO2 assertion, this signal remains active and live throughout the session. In combination with FIDO2, it raises the session to NIST AAL3.

Together, these dual assertions provide what authorization systems have always needed but rarely received: a continuously-valid, multi-layered identity foundation that can be relied upon not just at login but at every access decision throughout the session.

Step 2: Continuous Trust Monitoring

From the moment of login to logout, the Auth app streams four real-time trust metrics to the cloud PDP, each linked to the session via a unique correlation ID:

  • Identity Trust Score — behavioral biometrics continuously confirming the right person remains in control of the session
  • Proximity Trust Score — Bluetooth-based verification that the authenticated user's phone stays physically near the device in use
  • 3D Location Trust Score — latitude, longitude, and barometric altitude. Standard geofencing is 2D and cannot distinguish floors within a building. Pulse resolves floor-level position, so a user who moves from floor 12 to floor 3 registers a location anomaly even though both share the same street address.
  • Device Health Trust Score — continuous integrity monitoring covering jailbreak detection, hijack indicators, and anomalous device state changes

Step 3: AuthZEN Authorization Evaluation

When a user, application, or AI agent requests access to a protected resource, the relying party queries the Pulse AuthZEN evaluator endpoint embedded in the OIDC or SAML provider. The PDP evaluates the request against current trust context — not stale login-time state — and returns a structured decision:

  • Permit — trust is sufficient; access granted
  • Deny — trust threshold not met; access blocked
  • Permit with conditions — access granted subject to reduced scope or pending step-up authentication

Evaluations are designed for single-digit millisecond response times. The PDP maintains current trust state in-memory, so no metric recomputation is required at query time.

Step 4: Push Notification — From Poll to Push

Pulse inverts the traditional polling model. Relying parties and AI platforms register callback endpoints in their OIDC client or SAML service provider configuration. When the PDP issues an enforcement decision — trust threshold breach, step-up required, session termination — the PEP immediately pushes a notification to all registered endpoints.

For AI agent workflows running for hours without user interaction, push notification is not a convenience — it is a requirement. An agent notified of revocation within milliseconds stops before damage occurs. An agent that discovers revocation at the next poll may already have taken unauthorized actions.

Push notification payloads carry the session correlation ID, the trust event type, current trust scores, and a timestamp. Receiving systems act within milliseconds — revoking tokens, pausing agent workflows, or requiring re-authentication — without waiting for the next request cycle.
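Steps 2 through 4 as one in-memory loop, written here as an added illustration and not Pulse's own code: metric ingestion, an AuthZEN-shaped evaluation against the live composite, and a push to registered callbacks when a threshold is crossed. The 0-100 score scale, the weakest-link composite, the 80/50 thresholds and the list of high-privilege actions are assumptions; the request and response layout follows the AuthZEN access evaluation shape (subject, action, resource, context in; decision plus context out).

```python
import time

METRICS = ("identity", "proximity", "location", "device_health")
PERMIT, STEP_UP = 80, 50  # assumed policy thresholds on the composite score (0-100 scale)
HIGH_PRIVILEGE = {"delete", "transfer", "admin"}  # assumed actions that never get a conditional permit


class PolicyDecisionPoint:
    def __init__(self):
        self.sessions = {}   # correlation_id -> latest four trust scores (Step 2 state, kept in memory)
        self.callbacks = []  # callback endpoints registered by relying parties / agent platforms (Step 4)
        self.events = []     # every pushed payload, for the audit trail

    def register_callback(self, fn):
        self.callbacks.append(fn)

    def composite(self, cid):
        # Weakest-link composite (assumption): one failing metric drags the whole session down
        return min(self.sessions[cid].values())

    def ingest(self, cid, **scores):
        """Step 2: take a metric update from the Auth app; Step 4: push if a threshold is crossed."""
        before = self.composite(cid) if cid in self.sessions else None
        self.sessions.setdefault(cid, dict.fromkeys(METRICS, 100)).update(scores)
        after = self.composite(cid)
        if after < STEP_UP and (before is None or before >= STEP_UP):
            self._push(cid, "session_terminated")
        elif after < PERMIT and (before is None or before >= PERMIT):
            self._push(cid, "step_up_required")

    def _push(self, cid, event):
        payload = {"correlation_id": cid, "event": event,
                   "scores": dict(self.sessions[cid]), "timestamp": time.time()}
        self.events.append(payload)
        for fn in self.callbacks:   # push, not poll: every registered endpoint hears about it now
            fn(payload)

    def evaluate(self, request):
        """Step 3: AuthZEN-shaped evaluation (subject/action/resource/context) against live trust."""
        cid = request["context"]["correlation_id"]
        if cid not in self.sessions:   # unknown or never-established session: no implicit trust
            return {"decision": False, "context": {"rule": "unknown_session"}}
        score = self.composite(cid)
        if score >= PERMIT:
            return {"decision": True, "context": {"trust": score, "rule": "permit"}}
        if score >= STEP_UP and request["action"]["name"] not in HIGH_PRIVILEGE:
            # permit-with-conditions: the obligation tells the PEP to demand step-up before continuing
            return {"decision": True, "context": {"trust": score, "rule": "permit_pending_step_up",
                                                   "obligation": "step_up"}}
        return {"decision": False, "context": {"trust": score, "rule": "deny"}}
```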

Key Benefits

1. Authentication and Authorization in a Single Pipeline

Pulse eliminates the gap between identity trust and access control. The same live signals that drive continuous authentication — behavioral identity, proximity, 3D location, device health — flow directly into every AuthZEN authorization decision. There is no separate authorization layer to configure, synchronize, or maintain.

2. Trust-Enriched Authorization Decisions

Standard AuthZEN decisions are boolean: permit or deny. Pulse extends this with trust context: the composite trust score at time of evaluation, the contributing metric values, and the policy rule that produced the decision. Downstream systems can apply graduated access controls — not just permit/deny, but permit-with-reduced-scope or permit-pending-step-up — based on the precise trust picture at the moment of each request.

3. Dual-Assertion Identity Foundation

A FIDO2 assertion alone proves the authentication ceremony was completed correctly. It does not prove the user is still present five minutes later. Pulse's Auth identity assertion provides the continuous behavioral proof that fills this gap. Together, the dual assertion creates an identity foundation that authorization decisions can genuinely rely on — for the full duration of the session, not just at the moment of login.

4. Hierarchical Agent Authorization with Human-Origin Traceability

Every AI agent — regardless of how autonomous it becomes, how long it runs, or how many sub-agents it spawns — can be traced back to the human who launched it. This is not merely an architectural principle; it is an enforceable security property built into Pulse's AuthZEN implementation.

Sub-agent authorization requests are evaluated not just against the sub-agent's own permissions but against the trust state of the root human session. If the originating human's continuous authentication score degrades or their session is revoked, that signal propagates through the AuthZEN agent chain to all child agents simultaneously. The entire chain stops. The audit trail — correlation ID linked from human to every downstream agent action — remains intact.
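The human-origin chain described above, as an added example rather than Pulse's implementation: every agent records the parent it was spawned from, an authorization check walks the lineage back to the launching human and fails if that human's session is revoked or its trust has degraded, and revoking any node stops every descendant at once. Scope attenuation (a child never holds more than its parent) and the 50-point root trust floor are assumptions.

```python
class AgentChain:
    def __init__(self):
        self.parent = {}   # node id -> parent id; None marks the human root session
        self.scopes = {}   # node id -> set of actions it may perform
        self.revoked = set()

    def start_human_session(self, cid, scopes):
        self.parent[cid] = None
        self.scopes[cid] = set(scopes)

    def spawn(self, parent_id, agent_id, scopes):
        """Register a sub-agent; its correlation id is linked to the parent that launched it."""
        if parent_id not in self.parent:
            raise KeyError(f"unknown parent {parent_id}")
        self.parent[agent_id] = parent_id
        # Attenuation (assumption): a child can only be granted scopes its parent already holds
        self.scopes[agent_id] = set(scopes) & self.scopes[parent_id]

    def lineage(self, node):
        """Path from the human root down to this node, i.e. the audit trail for one action."""
        chain = [node]
        while self.parent[chain[-1]] is not None:
            chain.append(self.parent[chain[-1]])
        return list(reversed(chain))

    def authorize(self, agent_id, action, root_trust):
        """Permit only if nothing in the lineage is revoked, the root human's live trust still
        qualifies, and the agent's own (attenuated) scope covers the action.
        root_trust maps a human session id to its current composite score (constructed input)."""
        chain = self.lineage(agent_id)
        root = chain[0]
        if any(n in self.revoked for n in chain):
            return {"decision": False, "reason": "revoked", "root": root}
        if root_trust.get(root, 0) < 50:   # assumed floor; unknown root counts as zero trust
            return {"decision": False, "reason": "root_trust_degraded", "root": root}
        if action not in self.scopes[agent_id]:
            return {"decision": False, "reason": "out_of_scope", "root": root}
        return {"decision": True, "reason": "permit", "root": root, "lineage": chain}

    def revoke(self, node):
        """Revoke a node and everything downstream of it; returns the set of ids stopped."""
        stopped = {node}
        changed = True
        while changed:   # fan out until no child of a stopped node remains running
            changed = False
            for child, par in self.parent.items():
                if par in stopped and child not in stopped:
                    stopped.add(child)
                    changed = True
        self.revoked |= stopped
        return stopped
```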

5. NIST AAL3 Compliance in a Single Ceremony

Most solutions require two separate authentication ceremonies to reach NIST Authenticator Assurance Level 3. Pulse achieves AAL3 compliance in a single ceremony through the combination of the FIDO2 device assertion and the Auth behavioral identity assertion. Step-up authentication using Auth provides AAL3-compliant MFA for high-privilege actions without requiring a separate session or re-enrollment.

6. Built as One — No Integration Headaches

The OIDC/SAML provider, Auth device, PDP, and AuthZEN evaluator endpoints were designed together and share correlation IDs that trace every event from authentication through every authorization decision and enforcement action. There is no separate enforcement layer. No hoping policies get applied. Immediate, automated action — with a complete and unbroken audit trail.

7. Standard Protocol — Vendor-Neutral Authorization

Pulse implements the OpenID Foundation AuthZEN access evaluation specification — a vendor-neutral, interoperable protocol for PEP-to-PDP communication. Relying parties built to AuthZEN can interact with the Pulse PDP without proprietary integration code. OIDC clients and SAML service providers integrate via standard protocol metadata: the evaluator endpoint URL and callback registration are part of standard client configuration, not a separate out-of-band setup.

8. ZTA, CMMC, and NIST Alignment

Every access decision is re-evaluated against current trust context — no implicit trust from prior authentication. This satisfies Zero Trust Architecture's "never trust, always verify" mandate at the per-request level, not just per-session. PDP decision logging with correlation IDs satisfies CMMC continuous monitoring and audit requirements. The framework aligns with NIST SP 800-207 ZTA principles throughout.

9. Flexible Deployment for MSPs, AISPs, and Integrators

Pulse is available as a per-user subscription (up to 1,000 users) for MSPs and their SMB clients, and as an annually licensed on-premises deployment with white-label capability for integrators embedding the complete framework — Authentication, PDP, OIDC/SAML, and AuthZEN evaluators — into their own platforms.

Architecture Overview

Pulse CA comprises four integrated components working as a single continuous authentication and authorization framework. All components share session-scoped correlation IDs, ensuring every authentication event, trust-score update, AuthZEN evaluation, and enforcement action is fully traceable end-to-end with a complete, tamper-evident audit trail.

Component: OIDC Client
  Role: Your Application
  Key Capabilities: Any OIDC-compatible application. Initiates login, delegates session management to Pulse, and can invoke AuthZEN evaluator endpoints inline during request processing.

Component: OIDC/SAML Provider
  Role: Orchestration & Enforcement Hub
  Key Capabilities: Manages authentication ceremonies, maintains session state, and exposes AuthZEN evaluator endpoints. Receives PDP decisions and enforces them. Pushes notifications to registered callback endpoints when trust state changes.

Component: Auth Device
  Role: User's Phone
  Key Capabilities: Bonds to the user via behavioral patterns and PIN. Streams four real-time trust metrics (Identity, Proximity, 3D Location, Device Health) to the PDP continuously throughout the session.

Component: Policy Decision Point (PDP)
  Role: Trust & Authorization Engine
  Key Capabilities: Ingests live metric streams, computes composite trust scores, evaluates AuthZEN access requests against current trust context, and produces structured permit/deny/step-up decisions. Maintains trust state in-memory for millisecond evaluation latency.

Scenario Comparison

How Pulse CA — combining Continuous Authentication and AuthZEN — responds to attack and risk scenarios that traditional authentication cannot address:

Scenario: Mid-Session Credential Theft
  Traditional Auth: ✗ No visibility after login — breach goes undetected for hours
  Pulse CA: ✓ Behavioral anomaly detected immediately; AuthZEN blocks further access; session terminated

Scenario: Impossible Travel / Location Violation
  Traditional Auth: ✗ Authenticated from Boston, now accessing from Romania — still trusted
  Pulse CA: ✓ 3D location anomaly triggers AuthZEN re-evaluation; step-up or immediate termination

Scenario: Device Compromise Mid-Session
  Traditional Auth: ✗ Phone jailbroken mid-session; full access continues
  Pulse CA: ✓ Device Health score fails; PDP pushes enforcement decision; access revoked in milliseconds

Scenario: AI Agent Outlives Authorized Session
  Traditional Auth: ✗ Agent continues executing after the human's session is revoked — no propagation mechanism
  Pulse CA: ✓ Revocation propagates through AuthZEN agent chain; all child agents stop immediately

Scenario: High-Privilege Agent Action
  Traditional Auth: ✗ Point-in-time auth cannot detect if trust context has changed since session start
  Pulse CA: ✓ AuthZEN evaluates action against live trust scores at the moment of the request — not at login

Conclusion

AffirmedID Pulse addresses the two most significant unguarded gaps in enterprise security: the period between login and logout, and the gap between who authenticated and what they are permitted to do right now. By combining continuous behavioral identity monitoring with AuthZEN policy evaluation in a single integrated framework, Pulse delivers both continuous authentication and continuous authorization — where every access decision is made against a live picture of identity trust, not a credential from hours ago.

For AI-powered platforms and agentic workflows in particular, this combination provides something no point-in-time solution can: enforceable, auditable traceability from every agent action back to the human who authorized it — with revocation that propagates through the entire agent chain in real time.

To evaluate Pulse CA — including AuthZEN authorization in action — visit affirmedid.com/demosetup. Install the Auth app, initiate an OIDC login, and observe real-time trust scores and authorization decisions updating throughout your session.


US Patents Apply  •  Copyright © 2026 Affirmed Identity LLC