Step-up Authentication: How It Works and When Should You Use It
9th Mar 2023
Step-up authentication allows users to authenticate themselves and prove their identities when interacting with data online. Most often, it is triggered whenever the user requests a higher-risk action that requires an additional authentication step. Risk-based authentication, or adaptive authentication, is another method of validating user identity.
What Is Step-Up Authentication?
Most of your business’s customers will have experienced step-up authentication at some point. Much like multi-factor authentication (MFA), it is a way users can authenticate themselves and prove their identities when interacting with data online.
Typically, during step-up authentication, a user attempts a higher-risk action and is prompted for a stronger authentication method than a typical transaction would require. Its purpose is to ensure security controls remain adequate and proportional to the action being performed while keeping the user experience as frictionless as possible.
Implemented to provide an additional layer of security, step-up authentication is frequently used to reauthenticate users during transactions or other in-app actions, rather than during the initial login process.
When is Step-Up Authentication Triggered?
Step-up authentication may be required when:
- A user requests a transaction, such as a financial transfer, that exceeds a predetermined threshold.
- A user tries to access sensitive data.
- A user attempts to change their privacy or security settings, such as their password, username or contact information.
For example, imagine your user is trying to change their password. Although the user is already logged in, clicking the ‘change your password’ option prompts them to reauthenticate and potentially complete an additional security step, such as ticking a box to prove they are not a robot or completing a reCAPTCHA challenge. This is step-up authentication in action: an extra step on top of the standard authentication flow, prompted by the fraud risk associated with a password change.
Step-Up Authentication vs Multi-Factor Authentication
So, how does this differ from multi-factor authentication (MFA)?
Primarily, step-up authentication is action-based. This means it depends on what action the user is requesting and the pre-decided level of risk associated with that specific action.
While it relates to authentication, MFA is fundamentally different. MFA is part of the way users authenticate themselves online, for actions such as logging into their accounts, and refers to the security process that requires multiple factors of authentication for users to prove that they are who they say they are.
Traditionally, MFA relies on three potential factors: something you are (biometric data), something you know (a PIN or password), and something you have (a hardware token or your smartphone).
A key similarity between MFA and step-up authentication is that many of the methods used for MFA can also be used as a form of step-up authentication. Despite this, they have different responsibilities in the authentication process, and it is the function of the additional authentication, how and when it is used, that determines how it is classified.
How Does This Differ from Adaptive Authentication?
Risk-based authentication, or adaptive authentication, is another method of validating user identity. While adaptive authentication is a type of step-up authentication, there are noticeable nuances in why it is used and when businesses should implement it.
Fundamentally, they differ in that adaptive authentication is step-up authentication that is context-based rather than action-based. It uses dynamic signals about the request to evaluate the risk profile of the user. Using this data, users who are deemed to be in higher-risk contexts are then required to complete an additional authentication step that is proportional to the associated risk.
There are many circumstances which could trigger adaptive authentication with common examples being:
- A user makes a request from an unrecognized device.
- A user tries to carry out an action from an IP address geolocated far from where they usually log on.
- The user’s IP address has previously been linked to requests categorized as suspicious.
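The two kinds of trigger described above, the action-based ones (transfer over a threshold, sensitive data, security settings) and the context-based adaptive ones (unrecognized device, unusual or flagged IP address), can be combined in one policy check that runs before a logged-in user's request is allowed to proceed. The following is an added example written for this article, not code from any particular product; the threshold, the validity window for a completed step-up, the set of sensitive actions and the session fields are all constructed assumptions.

```python
import time
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed policy values (assumptions for this example, not from the article).
TRANSFER_THRESHOLD = 1000.00        # transfers above this amount require step-up
STEP_UP_VALIDITY_SECONDS = 300      # a completed step-up stays valid this long
SENSITIVE_ACTIONS = {"view_sensitive_data", "change_password", "change_contact_info"}

@dataclass
class Session:
    """What the server already knows about a logged-in user's current session."""
    user_id: str
    last_step_up_at: Optional[float] = None  # epoch seconds of last re-authentication
    known_device: bool = True                # device previously seen for this user
    ip_near_usual_location: bool = True      # IP geolocation matches usual logins
    ip_flagged_suspicious: bool = False      # IP linked to earlier suspicious requests

@dataclass
class Decision:
    step_up_required: bool
    reasons: List[str] = field(default_factory=list)  # why step-up was considered

def evaluate(session: Session, action: str, amount: float = 0.0,
             now: Optional[float] = None) -> Decision:
    """Decide whether the request must be re-authenticated before it proceeds."""
    now = time.time() if now is None else now
    reasons = []
    # Action-based triggers (classic step-up): the action itself carries the risk.
    if action == "transfer" and amount > TRANSFER_THRESHOLD:
        reasons.append(f"transfer amount {amount:.2f} exceeds threshold {TRANSFER_THRESHOLD:.2f}")
    if action in SENSITIVE_ACTIONS:
        reasons.append(f"action '{action}' is classified as sensitive")
    # Context-based triggers (adaptive): the request's circumstances carry the risk.
    if not session.known_device:
        reasons.append("request from unrecognized device")
    if not session.ip_near_usual_location:
        reasons.append("IP address far from usual login location")
    if session.ip_flagged_suspicious:
        reasons.append("IP address previously linked to suspicious requests")
    if not reasons:
        return Decision(False)
    # A step-up completed within the validity window still counts; otherwise prompt again.
    recent = (session.last_step_up_at is not None
              and now - session.last_step_up_at <= STEP_UP_VALIDITY_SECONDS)
    return Decision(step_up_required=not recent, reasons=reasons)

def record_step_up(session: Session, now: Optional[float] = None) -> None:
    """Call after the user passes the stronger challenge (for example an MFA prompt)."""
    session.last_step_up_at = time.time() if now is None else now
```

The reasons list is worth logging with every decision, since it is what an analyst needs to tell an action-based prompt from an adaptive one when reviewing why a user was challenged.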