What is step-up authentication?

Step-up authentication is a login method that aims to strike a balance between strong security and convenience. It requires users to provide stronger proof of their identities, like a fingerprint or a code sent to their phone, when they try to access sensitive information or perform security-critical actions.

This is important for two reasons:

  1. Simple passwords are no longer enough to keep accounts, sensitive data and company identities secure.
  2. Users get to enjoy a simpler, more seamless login experience for everyday, low-risk tasks.

How does step-up authentication work?

Step-up authentication begins with a standard credential-based login, just like any other authentication method. This allows users to perform routine tasks without additional hassle. However, as soon as the system detects anything unusual or risky, it triggers additional verification steps.

Here’s a typical workflow in more detail:

  1. The user enters their username and password, or any other primary credentials.
  2. The system checks if the login credentials are correct.
  3. If they are valid, the user is granted access to their account or platform.

During the session, if the system identifies a risky activity, like accessing sensitive data, attempting a high-value transaction or deleting a production database, it takes the following steps:

  1. The system prompts the user to provide a second form of verification, which can be an SMS or email code, biometric verification or an authenticator app code.
  2. The user provides the additional proof needed for user authentication.
  3. If the additional proof is correct, the user is allowed to access the resource or perform the action. If it is incorrect, access is denied.
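The workflow above, as an added example that is not part of the original article and not OneLogin's code: a minimal rule-based step-up gate for a web session. The high-risk action names, the transaction threshold, the five-minute step-up validity window and the three-attempt limit are assumed values chosen for illustration. Low-risk actions pass on the password session alone; a high-risk action raises StepUpRequired until the user completes a one-time code challenge, and a completed step-up is remembered for a short window so the user is not re-prompted for every high-risk action in a row.

```python
"""Added example (not from the article): a rule-based step-up authentication
policy for a logged-in session. Policy values below are assumptions."""
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Optional

# Assumed policy: predefined high-risk actions and a transaction threshold
# (the kind of static trigger the article contrasts with adaptive auth).
HIGH_RISK_ACTIONS = {"view_customer_pii", "delete_production_db", "change_email"}
TRANSACTION_THRESHOLD = 1_000        # constructed: transfers above this step up
STEP_UP_VALIDITY_SECONDS = 5 * 60    # assumed: re-prompt once this window expires
MAX_CHALLENGE_ATTEMPTS = 3           # assumed: wrong codes allowed per challenge


@dataclass
class Session:
    user: str
    password_verified_at: float
    step_up_verified_at: Optional[float] = None
    pending_challenge: Optional[str] = None   # SHA-256 of the code in flight
    attempts_left: int = 0


class StepUpRequired(Exception):
    """Raised when the caller must complete a second factor first."""


def needs_step_up(action: str, amount: float = 0.0) -> bool:
    """Rule-based trigger: predefined action list or a transaction threshold."""
    return action in HIGH_RISK_ACTIONS or amount > TRANSACTION_THRESHOLD


def has_fresh_step_up(session: Session, now: float) -> bool:
    """True if the user completed a second factor within the validity window."""
    ts = session.step_up_verified_at
    return ts is not None and now - ts <= STEP_UP_VALIDITY_SECONDS


def issue_challenge(session: Session) -> str:
    """Create a six-digit one-time code to deliver out of band (SMS, email,
    authenticator push). Only its hash is kept server-side; the plaintext is
    returned here so the caller can send it to the user."""
    code = f"{secrets.randbelow(10**6):06d}"
    session.pending_challenge = hashlib.sha256(code.encode()).hexdigest()
    session.attempts_left = MAX_CHALLENGE_ATTEMPTS
    return code


def verify_challenge(session: Session, submitted: str, now: float) -> bool:
    """Constant-time comparison. A correct code records the step-up time and
    consumes the challenge; too many wrong codes also discard it, so the
    user must request a new one (no unlimited guessing against one code)."""
    if session.pending_challenge is None or session.attempts_left <= 0:
        return False
    digest = hashlib.sha256(submitted.encode()).hexdigest()
    ok = hmac.compare_digest(digest, session.pending_challenge)
    if ok:
        session.step_up_verified_at = now
        session.pending_challenge = None
    else:
        session.attempts_left -= 1
        if session.attempts_left == 0:
            session.pending_challenge = None
    return ok


def authorize(session: Session, action: str, amount: float = 0.0,
              now: Optional[float] = None) -> str:
    """Gate an action: low-risk actions pass on the password session alone;
    high-risk ones need a step-up completed within the validity window."""
    now = time.time() if now is None else now
    if needs_step_up(action, amount) and not has_fresh_step_up(session, now):
        raise StepUpRequired(action)
    return f"{session.user}: {action} allowed"


if __name__ == "__main__":
    s = Session(user="alice", password_verified_at=time.time())
    print(authorize(s, "view_dashboard"))        # routine task, no prompt
    try:
        authorize(s, "delete_production_db")     # high-risk: step-up needed
    except StepUpRequired:
        code = issue_challenge(s)                # would be sent to the user
        verify_challenge(s, code, time.time())   # user types the code back
    print(authorize(s, "delete_production_db"))  # allowed within the window
```

The step-up timestamp is kept separately from the password timestamp on purpose: the session stays usable for routine work after the window lapses, and only the next high-risk action triggers a fresh prompt.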

The difference between step-up auth and other types of authentication

Next, we will compare step-up authentication to two other popular authentication methods: multi-factor authentication (MFA) and adaptive authentication.

Step-up authentication vs. MFA

Multi-factor authentication or MFA is an authentication mechanism that requires more than just a username and password to confirm the user’s identity. Secondary authentication factors can be:

Even though step-up authentication also prompts the user for additional login factors, it only does so based on risk or activity. Here are some additional differences between the two:

| Aspect | MFA | Step-up authentication |
|---|---|---|
| Trigger mechanism | Always requires multiple factors, regardless of the risk level | The system analyzes different factors to determine if additional verification is necessary |
| Use case | Designed for general account security | Focused on securing high-risk actions or sensitive data, without disrupting user experience |
| User experience | Can feel repetitive as MFA is used at every login | Seamless for low-risk actions; only activates when necessary |
| Examples | Logging into a cloud account with a password + one-time code | Accessing sensitive data in a production environment |

When to use which?

  • Use MFA if you need strong authentication and security across all account logins, especially for systems where even general access can be risky.
  • Use step-up authentication if you want a balance between user convenience and security, and general access is typically not risky.

Step-up authentication vs. adaptive authentication

Adaptive authentication is a security approach in which the system adjusts the login requirements based on the context of a login attempt or user activity. It uses data like location, device type, behavior patterns and time of access to gauge risk and adjust the difficulty level of the authentication process.

For example, if a user logs in from a familiar device and location, the system may only ask for a password. But if the same user logs in from a new country and/or at an unusual time, it may dynamically trigger additional login factors, like an OTP or biometric verification.
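The contextual decision described in this paragraph, as an added example that is not from the article or OneLogin: a login-time risk score built from device, country, hour of day and recent failed attempts, mapped to an authentication requirement. The signal weights, the two thresholds and the constructed user profile are all assumptions; a production system would derive them from observed baselines rather than constants.

```python
"""Added example (not from the article): an adaptive-authentication risk
score evaluated at login time. Weights, thresholds and the sample profile
are assumptions for illustration."""
from dataclasses import dataclass
from typing import List, Set, Tuple


@dataclass
class UserProfile:
    known_devices: Set[str]
    usual_countries: Set[str]
    usual_hours: range            # local hours at which this user normally signs in


@dataclass
class LoginContext:
    device_id: str
    country: str
    hour: int                     # 0-23, local time of the attempt
    failed_attempts_last_hour: int = 0


# Assumed weights: each unusual signal adds to the score.
WEIGHTS = {"new_device": 30, "new_country": 40, "odd_hour": 15, "failed_attempt": 10}
STEP_UP_THRESHOLD = 40   # assumed: at or above, ask for an additional factor
BLOCK_THRESHOLD = 90     # assumed: at or above, refuse and route to account recovery


def risk_score(profile: UserProfile, ctx: LoginContext) -> Tuple[int, List[str]]:
    """Sum the weights of every signal that departs from the user's baseline
    and return the score with the reasons, so the decision is explainable."""
    score, reasons = 0, []
    if ctx.device_id not in profile.known_devices:
        score += WEIGHTS["new_device"]
        reasons.append("new_device")
    if ctx.country not in profile.usual_countries:
        score += WEIGHTS["new_country"]
        reasons.append("new_country")
    if ctx.hour not in profile.usual_hours:
        score += WEIGHTS["odd_hour"]
        reasons.append("odd_hour")
    if ctx.failed_attempts_last_hour > 0:
        # Cap so a burst of failures raises risk without dominating everything.
        score += min(ctx.failed_attempts_last_hour, 5) * WEIGHTS["failed_attempt"]
        reasons.append("failed_attempts")
    return score, reasons


def login_requirement(profile: UserProfile, ctx: LoginContext) -> str:
    """Translate the score into what the login flow must demand."""
    score, _ = risk_score(profile, ctx)
    if score >= BLOCK_THRESHOLD:
        return "deny"
    if score >= STEP_UP_THRESHOLD:
        return "password+second_factor"
    return "password"


# Constructed profile: a user who signs in from one laptop, from Germany,
# during office hours.
ALICE = UserProfile(known_devices={"laptop-1"}, usual_countries={"DE"},
                    usual_hours=range(7, 20))

if __name__ == "__main__":
    familiar = LoginContext(device_id="laptop-1", country="DE", hour=10)
    unusual = LoginContext(device_id="laptop-1", country="BR", hour=3)
    print(login_requirement(ALICE, familiar), risk_score(ALICE, familiar))
    print(login_requirement(ALICE, unusual), risk_score(ALICE, unusual))
```

Returning the reasons alongside the score is the part worth keeping: it is what lets a reviewer explain why a particular login was challenged, and what an analyst tunes when the weights produce too many or too few prompts.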

Here are the differences between adaptive authentication and step-up authentication:

| Aspect | Adaptive authentication | Step-up authentication |
|---|---|---|
| Trigger mechanism | Considers a wide range of real-time contextual factors at the time of initial login and beyond | Triggers during the session if a high-risk action is detected |
| User experience | Better, as authorized users may not be prompted for additional factors if the context remains the same | Slightly less convenient, as even authorized users may have to re-authenticate before performing any high-risk action |
| Use of data | Uses real-time data like IP address, device type and user behavior | Generally focused on predefined triggers (e.g., a transaction threshold) |
| Flexibility | Highly dynamic and relies on advanced algorithms | More static and rule-based |

When to use which?

  • Use step-up authentication when you want a straightforward, rule-based approach to secure specific actions, and the system does not require real-time analysis of user behavior or contextual data.
  • Use adaptive authentication when your organization wants a more dynamic security system that adapts based on the context of each user interaction.

Pros & cons of step-up authentication

Here are the pros and cons of step-up authentication:

Pros

  • Reduces the chances of unauthorized access by adding an extra layer of protection for high-risk actions.
  • Balances security and user experience by minimizing interruptions during regular use.
  • Customizable to fit specific security needs and risk profiles, e.g. you can define a list of high-risk activities and sensitive resources.
  • Works well for both small and large organizations, as it can be applied selectively without overhauling the entire system.

Cons

  • Requires careful planning to define high-risk actions and integrate with existing systems.
  • Needs regular updates to account for new risks and changes in user behavior or system needs.

Conclusion

Step-up authentication is a great way for organizations to balance security and convenience. By allowing hassle-free initial logins and only requiring additional verification for high-risk actions, it boosts productivity while maintaining strong protection for sensitive data and critical operations.