Step-Up Authentication
What is Step-Up Authentication?
Step-Up Authentication: A pattern that requires additional or stronger authentication factors when a user attempts a higher-risk operation than their current session was originally authorized for.
Step-up authentication adds friction only when needed. A user signs in once with their normal credentials and then, when they request a sensitive action — transferring funds, changing recovery email, reading PII, or accessing a privileged admin panel — the relying party demands a fresh, stronger proof. NIST SP 800-63B and OpenID Connect's acr_values / max_age parameters formalize this concept: an application can ask the OpenID Provider for a specific Authentication Context Class Reference (e.g. urn:mace:incommon:iap:silver) via acr_values, or use max_age to require that the user's last authentication event (reported in the ID token's auth_time claim) be no older than N seconds, forcing reauthentication otherwise. Common implementations include re-prompting for a passkey, TOTP code, hardware key, or biometric just before the privileged operation. The pattern preserves usability for everyday browsing while protecting high-value transactions.
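The relying-party side of this decision, as an added example that is not from the original page: given the verified ID token claims of the current session, it checks the session's acr against a per-operation minimum and its auth_time against a per-operation max_age, failing closed on a missing or unknown value, and returns the acr_values / max_age / prompt parameters for the step-up authorization request when the session is not strong or fresh enough. The ACR URNs, the ordering between them and the operation policy are constructed for the example.

```python
import time

# Assurance levels ordered weakest to strongest. These URNs are constructed for
# this example; a real deployment uses the ACR values its OpenID Provider issues.
ACR_ORDER = [
    "urn:example:acr:password",
    "urn:example:acr:mfa",
    "urn:example:acr:phishing-resistant",
]

# Hypothetical per-operation policy: (minimum acr, max age in seconds of the
# authentication event recorded in the ID token's auth_time claim).
STEP_UP_POLICY = {
    "view_balance": (None, None),
    "change_recovery_email": ("urn:example:acr:mfa", 300),
    "wire_transfer": ("urn:example:acr:phishing-resistant", 120),
}

def acr_satisfies(session_acr, required_acr):
    """True if the session's acr is at least as strong as required.
    A missing or unrecognised acr fails closed."""
    if required_acr is None:
        return True
    if session_acr not in ACR_ORDER:
        return False
    return ACR_ORDER.index(session_acr) >= ACR_ORDER.index(required_acr)

def needs_step_up(claims, operation, now=None):
    """Given the verified ID token claims of the current session, return None if
    the session already satisfies the policy for `operation`, otherwise the OIDC
    authorization-request parameters that ask the OP for the stronger context."""
    required_acr, max_age = STEP_UP_POLICY[operation]
    now = time.time() if now is None else now
    fresh = True
    if max_age is not None:
        # OIDC Core: when max_age is requested, auth_time MUST be in the ID token.
        auth_time = claims.get("auth_time")
        fresh = isinstance(auth_time, (int, float)) and now - auth_time <= max_age
    if fresh and acr_satisfies(claims.get("acr"), required_acr):
        return None
    params = {"prompt": "login"}  # force a fresh authentication event at the OP
    if required_acr is not None:
        # acr_values is space-separated, in preference order: strongest first.
        acceptable = ACR_ORDER[ACR_ORDER.index(required_acr):]
        params["acr_values"] = " ".join(reversed(acceptable))
    if max_age is not None:
        params["max_age"] = str(max_age)
    return params
```

The returned parameters are appended to the normal authorization request (response_type, scope, client_id, redirect_uri, state, nonce); after the redirect back, the relying party must re-run the same check on the new ID token rather than trusting that the OP honoured the request.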
● Examples
- 01: A banking app that asks for a hardware-key tap before approving a wire transfer above 5,000 EUR.
- 02: GitHub's sudo mode that re-prompts for a passkey before destructive actions like deleting a repository.
● Frequently asked questions
What is Step-Up Authentication?
A pattern that requires additional or stronger authentication factors when a user attempts a higher-risk operation than their current session was originally authorized for. It belongs to the Identity & Access category of cybersecurity.
How does Step-Up Authentication work?
Step-up authentication adds friction only when needed; see the full definition above for how the relying party requests a fresh, stronger proof before a sensitive action.
How is Step-Up Authentication deployed?
Step-up authentication is itself a defensive control; deployments typically combine technical controls (requesting a stronger authentication context or a recent authentication event before sensitive operations) and operational practices, as detailed in the full definition above.
What are other names for Step-Up Authentication?
Common alternative names include: Re-authentication, Transaction authentication, Step-up MFA.
● Related terms
- Multi-Factor Authentication (MFA) [identity-access № 708]: An authentication method that requires two or more independent factors — typically from different categories — before granting access.
- Adaptive Authentication [identity-access № 015]: An authentication approach that adjusts the strength and number of factors required in real time based on signals such as device, location, and behavior.
- Risk-Based Authentication (RBA) [identity-access № 940]: An authentication strategy that computes a real-time risk score for each sign-in and varies the response — allow, challenge, or block — based on that score.
- Continuous Authentication [identity-access № 216]: An approach that keeps validating a user's identity throughout the session — using behavioral and device signals — rather than authenticating only once at login.
- Passkey [identity-access № 793]: A phishing-resistant FIDO2/WebAuthn credential — a device-bound or syncable asymmetric key pair that replaces passwords with a cryptographic challenge-response.
- OpenID Connect (OIDC) [identity-access № 760]: An identity layer built on top of OAuth 2.0 that lets clients verify a user's identity and obtain basic profile information via signed ID tokens.