As the cybersecurity threat landscape continues to evolve, the need for robust authentication measures becomes an essential necessity for organizations and developers. But finding the sweet spot between user convenience and security can sometimes be hard and users can get frustrated.

Step-up authentication offers that perfect balance between user convenience and security. But what is it, how does it work, and what are its best uses?

Let’s find out.

What is step-up authentication?

Step-up authentication, also known as route-based or “just-in-time” authentication, is a process where the user is asked to provide additional evidence of their identity to access sensitive resources, perform higher-risk actions, or behave in other ways that deviate from their typical usage patterns. This additional layer of security is implemented in response to specific triggers or contextual factors that suggest a higher risk of unauthorized access. 

Considered a subset of multi-factor authentication (MFA), the main purpose of step-up authentication is to reduce friction during initial sign-up or log-in, without compromising security. But unlike in MFA, rather than front-loading all authentication to the login stage, step-up authentication allows users to access certain resources with one set of credentials while protecting other resources behind additional sets of credentials. Additional security measures are invoked only when the circumstances demand it.

Step-up authentication vs. adaptive authentication

Step-up authentication and adaptive authentication both aim to enhance security by adjusting the level of authentication based on certain factors. However, they differ in their approach and scope.

Adaptive authentication, also called risk-based authentication, is another subset of MFA where additional authentication factors are automatically triggered according to a user’s risk levels. It is a more comprehensive approach that continuously assesses risk and adjusts the authentication level in real-time. 

While step-up authentication is usually based on predefined flows, adaptive authentication is dynamic and can prompt a user based on a risk score that includes a variety of behavioral and contextual signals. 

Step-up authentication is usually linked to the risk or sensitivity of the action being performed or the resource being accessed. Adaptive authentication is usually linked to the risk profile of the user attempting to log in.

Adaptive authentication can include step-up authentication as one of its components but is not limited to it.


Step-Up Authentication

Adaptive Authentication

Scope

Targeted towards specific predefined situations

Broader scope encompassing various risk factors

Trigger

Event-specific triggers (e.g., high-risk transactions, sensitive data access)

Continuous assessment of various risk factors and contextual information

Implementation

Applied in response to specific triggers

Real-time decision-making based on evolving risk profile during the session

Continuous Assessment

Not continuously assessing risk; triggered by specific events

Continuous evaluation of risk throughout the session

An example of how step-up authentication works

Let’s take an example of a banking application to explain how step-up authentication works.

Fig: An example of step-up authentication
Fig: An example of step-up authentication

In this example, the user is logged in to the banking application after single-factor authentication (e.g., username and password or biometrics), probably because they are logging in from a known device. The user can freely check their account balance, view their credit card statements, and perform other low-risk actions without being asked for more credentials. 

However, when the user wants to perform a high-risk action, like changing their account password or transferring money to another account, the app prompts them for additional identity verification by sending an OTP to their phone or email account as part of an MFA flow.

When should you use step-up authentication?

Developers and product owners should consider the following points while building this authentication approach into their applications.

When dealing with risky actions or sensitive resources

As noted earlier, step-up authentication is ideal when users perform risky actions or seek to access sensitive information. For example, app developers might differentiate between “read” and “write” actions, allowing users to view data with one set of credentials but prompting them for extra authentication if they wish to edit data.

Broadly, app developers should ask the following questions when deciding on step-up authentication:

  • If an attacker performs this action instead of the actual user, how harmful will it be?

  • If an attacker gets access to this data instead of the actual user, how harmful will it be?

These considerations can work in both enterprise and consumer settings. For instance, if an organization uses GitHub Enterprise, employees might be allowed to review code and create branches easily. However, employees might trigger step-up flows if they attempt to change repository settings, add new users, or push code into production.    

When users “want” some friction

Prompting users with step-up authentication in the middle of an app session can lead to frustration. But if users know that specific app actions are risky and can cause damage if carried out by an attacker, they will understand and even appreciate this type of authentication at the right time.

For example, if an online food delivery app performs step-up authentication every time users place an order, it’s likely to annoy and cause drop-off. However, if the app requires step-up authentication when users try to change their delivery address or credit card details, they are likelier to be patient and agreeable to those flows.

Users want to peruse applications with minimal friction while having peace of mind that their data and access are secure and can’t be compromised. Implementing step-up authentication at the right time can help app developers “show” users that their sensitive data is safe.

When distinguishing between free and paid users

Step-up authentication is an effective way to restrict access to product capabilities between free and paid users. For example, news publications like The New York Times provide a certain number of monthly free articles to all readers. To read more articles, users are presented with a paywall and asked to subscribe with payment details and further information.

Fig: Article limit screen from the The New York Times (a form of step-up authentication)
Fig: NYT paywall as step-up authentication

This form of step-up authentication increases app adoption by getting free users in with minimal friction. It aligns authentication with user interest levels – users willing to try the paid version of the application are likely ready to perform an additional authentication step.

Step up your authentication with Descope

Step-up authentication proves invaluable in securing applications without compromising user experience. However, its implementation requires thoughtful consideration, including which authentication methods to use, which actions or resources to trigger the step-up flow on, and so on. 

Descope can help you implement step-up authentication within your application by leveraging drag-and-drop workflows and SDKs. You can choose from a wide range of auth methods, create and customize user-facing screens, and deploy it in your app with a few lines of code.

Sign up for a Free Forever account to get started with Descope. Have questions about step-up authentication or our platform? Book time with our auth experts.