What is Step-Up Authentication?

What is step-up authentication?


Step-up authentication is a process where the user is asked to provide additional evidence of their identity before being allowed to access certain resources or perform certain actions in an application. It is an effective way to reduce user friction during sign-up and initial adoption without sacrificing security. Step up authentication is also known as route-based or “just-in-time” authentication.

Step up authentication is generally considered to be a subset of multi-factor authentication (MFA). Rather than front-loading all authentication to the login stage (which happens in MFA), step-up authentication allows users to access certain resources with one set of credentials while protecting other resources behind additional sets of credentials.

How does step-up authentication work?

Let’s take an example of a banking application to explain how step-up authentication works.

Fig: An example of step-up authentication
Fig: An example of step-up authentication

In this example, the user is logged into the banking application after single-factor authentication (e.g. username and password, biometrics), probably because they are logging in from a known device. The user can freely check their account balance, view their credit card statements, and perform other low-risk actions without being asked for more credentials. 

However, when the user wants to perform a high-risk action (e.g. changing their account password, setting up a money transfer to another account), the app performs step-up authentication and prompts the user for more credentials by sending an OTP to their phone or email account as part of an MFA flow.

Also read: Passwordless Authentication 101

Step-up authentication vs adaptive authentication

Adaptive authentication, also called risk-based authentication, is a subset of MFA where additional authentication factors are automatically triggered according to a user’s risk levels. Step-up authentication is often mentioned in the same conversation as adaptive authentication. There are both areas of overlap and clear differences between the two terms. 

While step-up authentication is usually static and based on predefined flows, adaptive authentication is dynamic and can prompt a user based on a risk score that includes a variety of behavioral and contextual signals. Step-up authentication is usually linked to the risk or sensitivity of the action being performed or the resource being accessed, while adaptive authentication is usually linked to the risk profile of the user attempting login.

For example, let’s consider a user that regularly logs into an application from their laptop at home. If the user is on an international trip and tries logging in to the same application from an Internet café, they will be prompted in real time for additional credentials because too many user behavior signals have changed from the baseline. This is adaptive authentication.

If the same user then tries to perform a risky in-app action (e.g. attempting to change their account password), the app can prompt them for additional credentials. This is step-up authentication.

It’s possible for an adaptive authentication solution to trigger a step-up flow based on the risk profile of the login attempt.

When should step-up authentication be used?

If implemented properly, step-up authentication can help uphold high security standards while ensuring a seamless user experience. Developers and product owners should take the following points into consideration while building this authentication approach into their applications:

Risky actions, sensitive resources

As noted earlier in the article, step-up authentication is ideal when the user is performing a risky action or seeking access to sensitive resources in an application. For example, app developers might differentiate between “read” and “write” actions, allowing users to view data with one set of credentials but prompting them for stronger authentication if they wish to edit data.

Broadly, app developers should ask the following questions when deciding on step-up authentication:

  • If an attacker performs this action instead of the real user, how harmful will it be?

  • If an attacker gets access to this data instead of the real user, how harmful will it be?

The considerations listed above can work in both enterprise and consumer settings. For instance, if an organization uses GitHub Enterprise, employees might be allowed to easily review code and create branches. However, if an employee wants to change repository settings, add new users, or push code into production, step-up flows might be triggered.    

When users “want” some friction

Prompting users with step-up authentication in the middle of an app session can lead to frustration. However, if users know that certain app actions are risky and can cause damage if carried out by an attacker, they will understand and even appreciate this type of authentication at the right time.

For example, if an online food delivery app performs step-up authentication every time the user places an order, it’s likely to cause annoyance and ultimately drop-off. However, if the app requires step-up authentication when the user tries to change their delivery address or credit card details, users are much likelier to be patient and agreeable to those flows.

Users want to peruse applications with minimal friction while having peace of mind that their data and access is secure and can’t be compromised. Implementing step-up authentication at the right time can help app developers “show” users that their data is in safe hands.

Free vs paid users

Step-up authentication is an effective way to demarcate access to product capabilities between free and paid users. For example, news publications like The New York Times provide a certain number of free articles per month to all readers. To read more articles, users are presented with a paywall and asked to subscribe with payment details and further information.

Fig: Article limit screen from the The New York Times (a form of step-up authentication)
Fig: Article limit screen from the The New York Times (a form of step-up authentication)

This form of step-up authentication increases app adoption by getting free users in with minimal friction. It aligns the level of authentication with the level of user interest – users that are willing to try the paid version of the application are likely willing to perform an additional authentication step.

For more details on step-up authentication, check out this post from Scott Brady on implementing step-up with OAuth and Open ID Connect.