Key points
- Sessions are evaluated continuously, not only at login
- Revocation and policy changes reach resource servers in near real time, not at token expiry
- Microsoft Entra ID ships an implementation under the name Continuous Access Evaluation (CAE)
- Requires cooperation between IdP and downstream apps
- Central to modern Zero Trust architectures
What it is
Continuous authentication (and the closely related Continuous Access Evaluation pattern) extends the security check beyond the initial sign-in. The IdP and resource servers exchange signals so that an account disable, a policy change, a location change, or a loss of device posture can invalidate an in-flight session in near real time rather than at token expiry.
How it works
A classic OAuth access token is valid until it expires (often an hour), and the resource server has no way to learn sooner that the user was disabled or the device was lost: it checks the signature and the expiry and serves the request. Continuous evaluation flips that: resource servers subscribe to revocation and risk events from the IdP and keep a record of affected subjects. When an admin disables an account, a device falls out of compliance, or a risk score spikes, the resource server rejects the token on the very next request, even though its TTL has not run out, and returns a challenge so the client re-authenticates. Two consequences follow. First, because revocation is event-driven, the IdP can afford longer token lifetimes for clients that understand these challenges (Entra ID issues CAE-capable clients tokens of up to 28 hours), so challenge handling in the app is not optional. Second, the check only fires when the IdP knows something happened; a stolen token replayed from a context that triggers no event keeps working until expiry unless the resource server also evaluates request-time signals such as IP location.
Standards in play: the OpenID Shared Signals Framework (SSF), which moves signed Security Event Tokens (SETs, RFC 8417) from a transmitter (the IdP) to receivers over push (RFC 8935) or poll (RFC 8936) delivery; the Continuous Access Evaluation Profile (CAEP), which defines the event types carried over SSF (session-revoked, token-claims-change, credential-change, device-compliance-change, assurance-level-change); and vendor-specific channels in Entra ID and Okta.
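The flow described above, a CAEP session-revoked (or device-compliance-change) event delivered over SSF that overrides an access token's remaining TTL on the next request, as an added example that is not the page's own code and not any vendor's implementation. To run with only the Python standard library it signs both access tokens and SETs with HMAC over constructed shared keys; a real transmitter signs SETs with an asymmetric key published in its JWKS and the receiver is registered through an SSF stream. The ResourceServer class, the issuer and audience URLs, the email-format subject handling, and the demo() walkthrough are assumptions made for this example.

```python
import base64
import hashlib
import hmac
import json

CAEP = "https://schemas.openid.net/secevent/caep/event-type/"
SESSION_REVOKED = CAEP + "session-revoked"
DEVICE_COMPLIANCE = CAEP + "device-compliance-change"

# Constructed demo secrets (assumption). A real transmitter signs SETs with an
# asymmetric key from its JWKS; HMAC keeps this runnable with the stdlib only.
TOKEN_KEY = b"constructed-access-token-key"
SET_KEY = b"constructed-set-signing-key"


def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_jwt(claims: dict, key: bytes, typ: str = "JWT") -> str:
    """HS256 JWS compact serialization; SETs use typ 'secevent+jwt' (RFC 8417)."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": typ}).encode())
    payload = _b64url(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def verify_jwt(token: str, key: bytes, typ: str, now: int) -> dict:
    """Check alg/typ, signature (constant time) and exp. Raises ValueError."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    h, p, s = parts
    header = json.loads(_b64url_decode(h))
    if header.get("alg") != "HS256" or header.get("typ") != typ:
        raise ValueError("unexpected header")
    expected = hmac.new(key, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(p))
    if "exp" in claims and now >= claims["exp"]:
        raise ValueError("expired")
    return claims


def _subject_of(set_claims: dict, event: dict) -> str:
    """SSF 1.0 carries the subject as top-level sub_id; earlier drafts put it
    inside the event. Accept both; email-format subjects only (assumption)."""
    sub = set_claims.get("sub_id") or event.get("subject") or {}
    return sub.get("email") or sub.get("sub") or ""


class ResourceServer:
    """Resource server that is also an SSF receiver for CAEP events."""

    def __init__(self, token_key: bytes, set_key: bytes, issuer: str, audience: str):
        self.token_key, self.set_key = token_key, set_key
        self.issuer, self.audience = issuer, audience
        self.revoked_at: dict = {}   # subject -> event_timestamp of the revocation
        self.seen_jti: set = set()   # replay protection for delivered SETs

    def receive_set(self, set_jwt: str, now: int) -> list:
        """SSF push endpoint (RFC 8935 style). Returns the event types acted upon."""
        claims = verify_jwt(set_jwt, self.set_key, "secevent+jwt", now)
        if claims.get("iss") != self.issuer or claims.get("aud") != self.audience:
            raise ValueError("SET not from trusted transmitter or not addressed to us")
        jti = claims.get("jti")
        if not jti:
            raise ValueError("SET without jti")
        if jti in self.seen_jti:
            return []  # duplicate delivery; already applied
        self.seen_jti.add(jti)
        handled = []
        for event_type, event in claims.get("events", {}).items():
            subject = _subject_of(claims, event)
            when = int(event.get("event_timestamp", claims.get("iat", now)))
            lost_posture = event.get("current_status") == "not-compliant"
            if event_type == SESSION_REVOKED or (event_type == DEVICE_COMPLIANCE and lost_posture):
                self.revoked_at[subject] = max(self.revoked_at.get(subject, 0), when)
                handled.append(event_type)
        return handled

    def handle_request(self, access_token: str, now: int) -> tuple:
        """Per-request check: classic TTL validation plus the revocation table."""
        challenge = {"WWW-Authenticate": 'Bearer error="invalid_token"'}
        try:
            claims = verify_jwt(access_token, self.token_key, "JWT", now)
        except ValueError as exc:
            return 401, {**challenge, "reason": str(exc)}
        cutoff = self.revoked_at.get(claims.get("sub", ""))
        # A token minted before the revocation event is dead; one minted after it
        # (the user signed in again) is fine, so compare iat against the event.
        if cutoff is not None and claims.get("iat", 0) <= cutoff:
            return 401, {**challenge, "reason": "session revoked by IdP event"}
        return 200, {"user": claims["sub"]}


def demo() -> dict:
    """Token with ~1h of TTL left dies on the first request after the event."""
    t0 = 1_700_000_000  # constructed clock
    rs = ResourceServer(TOKEN_KEY, SET_KEY, "https://idp.example", "https://api.example")
    token = sign_jwt({"sub": "alice@example.com", "iat": t0, "exp": t0 + 3600}, TOKEN_KEY)
    before = rs.handle_request(token, t0 + 60)[0]
    revocation = sign_jwt({
        "iss": "https://idp.example", "aud": "https://api.example", "jti": "evt-1", "iat": t0 + 120,
        "sub_id": {"format": "email", "email": "alice@example.com"},
        "events": {SESSION_REVOKED: {"event_timestamp": t0 + 120,
                                     "reason_admin": {"en": "account disabled"}}},
    }, SET_KEY, typ="secevent+jwt")
    handled = rs.receive_set(revocation, t0 + 121)
    after = rs.handle_request(token, t0 + 122)[0]
    replay = rs.receive_set(revocation, t0 + 123)
    fresh = sign_jwt({"sub": "alice@example.com", "iat": t0 + 300, "exp": t0 + 3900}, TOKEN_KEY)
    relogin = rs.handle_request(fresh, t0 + 301)[0]
    return {"before": before, "handled": handled, "after": after, "replay": replay, "relogin": relogin}


if __name__ == "__main__":
    print(demo())
```

demo() walks through the three states a practitioner should test for: the token is accepted while it is merely unexpired, it is rejected on the first request after the SET arrives even though its exp is an hour away, and a token minted by a fresh sign-in after the event is accepted again. The jti check matters because SSF push delivery retries on failure, so the same SET can arrive twice. The 401 carries an RFC 6750 Bearer challenge; Entra ID uses its own claims-challenge format, and a real client must react to that challenge by re-acquiring a token rather than treating it as a fatal error.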
When buyers care
- Defending against session hijacking and OAuth token theft, with the caveat that the theft must surface as an IdP event (risk detection, admin revocation) or be caught by a request-time check such as IP location; a quietly replayed token otherwise lives to expiry
- Enforcing offboarding within seconds rather than hours
- Meeting Zero Trust mandates (EO 14028, NIST SP 800-207)
- High-assurance B2B SaaS where stale sessions are unacceptable
Common misconceptions
- Short token lifetimes are not the same thing. A short TTL shrinks the risk window but still leaves one, and every shortening costs another token refresh; continuous evaluation closes the gap at the moment the event is known.
- It is not free. The IdP emits the events, but each app must implement the receiver side of SSF / CAEP (accept and verify SETs, keep revocation state, re-check on every request) and handle the resulting re-authentication cleanly.
FAQ
What's the difference between CAE and continuous authentication?
CAE is the name Microsoft Entra ID uses for its implementation, and Continuous Access Evaluation is also the phrase behind the OpenID CAEP profile. Continuous authentication is the broader concept; in its strict sense it means re-verifying the user during the session (for example, from behavioral signals), whereas access evaluation re-checks policy and risk signals against an existing session.
Which standards should I evaluate against?
OpenID SSF and CAEP are the emerging interoperable standards, and most enterprise IdPs are aligning to them. When evaluating a vendor, ask which CAEP event types it emits and which it receives, whether delivery is push or poll, and how the app is expected to handle the re-authentication challenge.
