What is step-up authentication and how does it work?
Step-up authentication refers to the practice of requiring additional levels of authentication to ensure that high-risk actions involving sensitive information and transactions are not accessed by unauthorized people. This extra layer of protection is usually triggered based on the specific activity the user intends to perform.
An example of step-up authentication is when a user is logged into their bank or e-commerce account and requests an action that is considered sensitive, such as the transfer of a large sum of money. In such cases the user will be required to provide additional information to authenticate their identity and ensure only the legitimate user is requesting the action.
Step-up Authentication vs Multi-factor Authentication
The word “step-up authentication” is used to describe the process in which an additional form of identification is requested according to the risk that a given activity may represent if it is performed by fraudsters. For step-up authentication, companies can choose to implement any form of additional authentication, such as using a one-time password via SMS, requiring a security key, or use of an authentication app, among others.
Multi-factor authentication (MFA), on the other hand, is part of the normal authentication flow and requires users to provide proof of their identity with at least two or more factors of authentication, including something you know, something you have, or something you are. MFA is also used as part of the strategy to implement step-up authentication.
Logging in to a mobile app or an e-commerce website can be used as an example to better illustrate how multifactor authentication and step-up authentication work differently in practice. Typically customers can browse product details and add products to their cart often without requiring any form of authentication. Once a user wants to begin checkout they will be required to log in using their credentials, the most common is still the association of username and password. Increasingly financial services companies are requiring users to log in using multi-factor authentication, meaning the use of two more methods of authentication. The use of MFA is in response to a large number of stolen credentials available for purchase on the DarkWeb and the increasing use of social engineering to steal users’ sensitive data. Using MFA makes it harder for fraudsters to take over user accounts.
Once logged into the app, if a particularly sensitive action is requested by the user, this may trigger step-up authentication comprising additional authentication steps required to ensure that the user is legitimate.
Are Step-up and Adaptive Authentication the same thing
Step-up authentication can be considered a type of adaptive authentication. Instead of always requiring a user to provide multiple pieces of information to prove their identity, which can be frustrating, step-up authentication strategies adapt to the sensitivity of the action being requested. Adaptive authentication analyzes the context of the situation, such as the type of activity to be performed, the IP address and the user's location and associated risk. Depending on the result of this risk assessment, step-up authentication is triggered for high-risk situations.
Examples of step-up authentication in action
- The user enters incorrect credentials repeatedly
When a user inputs incorrect passwords multiple times, this can be viewed as high-risk suspicious behavior that triggers step-up authentication. In this case, the user is sent a magiclink via email, which the user has to click to reset their password.
- User logins from a new location, not within the user’s usual location behavior pattern
If a user logs in to a mobile account at a trusted location, which is frequently visited and within the user’s normal location pattern, this can be considered a low-risk requiring single-factor authentication. If the user is at a location they have never visited before and tries to do a large money transfer, for example, step-up authentication would be triggered and the user would be required to provide additional credentials, such as a one-time passcode, to verify they are the legitimate user.
In summary, step-up authentication is triggered whenever the user requests higher-risk actions that require additional authentication steps. In contrast, multi-factor authentication is part of the normal authentication flow and consists of requiring two or more authentication factors to increase security on the account.