Step-Up Authentication
What is Step-Up Authentication?
Step-Up Authentication
A pattern that requires additional or stronger authentication factors when a user attempts a higher-risk operation than their current session was originally authorized for.
Step-up authentication adds friction only when needed. A user signs in once with their normal credentials and then, when they request a sensitive action — transferring funds, changing recovery email, reading PII, or accessing a privileged admin panel — the relying party demands a fresh, stronger proof. NIST SP 800-63B and OpenID Connect's acr_values / max_age parameters formalize this concept: applications can ask for a specific Authentication Context Class Reference (e.g. urn:mace:incommon:iap:silver) or require reauthentication within N seconds. Common implementations include re-prompting for a passkey, TOTP code, hardware key, or biometric just before the privileged operation. The pattern preserves usability for everyday browsing while protecting high-value transactions.
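The relying-party side of this decision, as an added example that is not part of the original page: given the `acr` and `auth_time` claims from the current session's OIDC ID token, decide whether a requested action needs step-up and, if so, which `acr_values` / `max_age` parameters to send in the new authentication request. The ACR ranking and the per-action policy table are constructed for illustration; the claim names are standard OIDC.

```python
"""Relying-party step-up decision from OIDC ID-token claims (added example)."""
import time
from dataclasses import dataclass
from typing import Optional

# Constructed ranking of ACR values: higher number = stronger authentication context.
ACR_RANK = {
    "urn:mace:incommon:iap:bronze": 1,
    "urn:mace:incommon:iap:silver": 2,
    "urn:mace:incommon:iap:gold": 3,
}


@dataclass(frozen=True)
class ActionPolicy:
    min_acr: str   # weakest acceptable ACR for this action
    max_age: int   # how many seconds old the authentication event may be


# Constructed policy table: everyday browsing needs nothing extra, sensitive actions do.
POLICIES = {
    "view_balance": ActionPolicy("urn:mace:incommon:iap:bronze", 8 * 3600),
    "wire_transfer": ActionPolicy("urn:mace:incommon:iap:silver", 300),
    "change_recovery_email": ActionPolicy("urn:mace:incommon:iap:gold", 120),
}
# Unknown actions fail closed: they get the strictest policy on the table.
STRICTEST = max(POLICIES.values(), key=lambda p: (ACR_RANK[p.min_acr], -p.max_age))


def step_up_request(claims: dict, action: str, now: Optional[int] = None) -> Optional[dict]:
    """Return None if the session already satisfies the action's policy.

    Otherwise return the OIDC authentication-request parameters (acr_values
    and/or max_age) the relying party should send to obtain a fresh, stronger
    session before performing the action.
    """
    now = int(time.time()) if now is None else now
    policy = POLICIES.get(action, STRICTEST)
    current_rank = ACR_RANK.get(claims.get("acr", ""), 0)   # missing/unknown acr -> weakest
    auth_time = int(claims.get("auth_time", 0))              # missing auth_time -> stale
    params = {}
    if current_rank < ACR_RANK[policy.min_acr]:
        params["acr_values"] = policy.min_acr
    # A future auth_time is not trusted either; treat it as stale.
    if now - auth_time > policy.max_age or now < auth_time:
        params["max_age"] = policy.max_age
    return params or None
```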
● Examples
- A banking app that asks for a hardware-key tap before approving a wire transfer above 5,000 EUR.
- GitHub's sudo mode that re-prompts for a passkey before destructive actions like deleting a repository.
● Frequently asked questions
What is Step-Up Authentication?
A pattern that requires additional or stronger authentication factors when a user attempts a higher-risk operation than their current session was originally authorized for. It belongs to the Identity & Access category of cybersecurity.
What does Step-Up Authentication mean?
A pattern that requires additional or stronger authentication factors when a user attempts a higher-risk operation than their current session was originally authorized for.
How is Step-Up Authentication used as a defence?
Step-up authentication is itself a defensive control rather than a threat; it is deployed by combining technical controls and operational practices, as detailed in the full definition above.
What are other names for Step-Up Authentication?
Common alternative names include: Re-authentication, Transaction authentication, Step-up MFA.