What is Step-Up Authentication: How it Works and Examples

Beyond Identity Blog | Tuesday, November 9, 2021

User authentication is a vital part of corporate security, but it is one of the hardest cybersecurity challenges for companies to solve. Traditional password-based authentication is broken for a variety of different reasons, and many attempts to fix it fall short due to security issues or lack of adoption.

A major limitation of many authentication schemes is that they are “one size fits all.” As a result, companies must make a choice between the security and usability of their systems. Step-up authentication provides an alternative that allows companies to tailor authentication processes based on risk in a way that is secure, scalable, and user-friendly.

What is step-up authentication?

Step-up authentication is an adaptive authentication scheme that allows authentication mechanisms to be tailored to the sensitivity of the requested access and activities. Riskier actions, like trying to gain access to sensitive resources, require “stepped up security” by making the user go through more stringent authentication methods. Less risky requests can be performed after completing a simpler authentication process and don’t require a “step up.”

How and why is step-up authentication used?

The ability to support different levels of authentication allows a system to balance usability and security. The more stringent the authentication process, the more time-consuming and less user-friendly it is to log in. On the other hand, a simple authentication process may not provide adequate protection, creating the potential for data breaches or other security incidents.

Step-up authentication is used to implement risk-based authentication processes. Before the authentication process is performed, the system can collect data about the user’s request including the sensitivity of the requested access and contextual information about the level of risk that the device poses. This data can then be used to select an appropriate authentication process that provides the required level of security while optimizing the user experience.

Examples of when step-up authentication would be used

Authentication is vital to providing secure access to sensitive resources and data, but not all requests are created equal. Different factors can affect the risk posed by a particular request, such as the access being requested, details about the device, and the user making the request.

Scenarios where different requests call for different authentication mechanisms are an ideal use case for risk policies and step-up authentication.

Viewing vs. editing data

An e-commerce website or application may select varying levels of authentication based upon how a customer is using the service. For example, different levels of authentication may be used for viewing data vs. modifying it.

Certain personal data contained within a user account on an e-commerce site (name, address, etc.) must be protected under GDPR, PCI DSS, and similar regulations. However, the potential impacts of exposing this information to an unauthorized user are limited as viewing this data doesn’t allow an attacker to perform fraudulent transactions unless they also have access to other information (such as payment card data). An e-commerce application may choose to use a simpler authentication mechanism for user requests to view relatively low-risk data.

Editing this data, on the other hand, presents a greater risk to the account owner. By modifying the address information on a user’s account, an attacker could potentially have future purchases shipped to them instead of the user. For this reason, requests to edit data or make purchases should be protected by a stronger authentication mechanism.

Higher-risk scenarios

Adaptive authentication can also be used to mitigate the risk that a user poses to an application or themselves. Environmental factors can impact the probability that a user is or was the victim of a cyberattack.

One factor that might make a difference is the user’s location when making a request. A mobile device is much less likely to be lost or stolen at the kitchen table than in a cafe. Users accessing a site from home could use a simpler authentication method, while higher-risk locations may require additional steps.

The current state of the device is another important factor. Rooted or jailbroken devices and ones with recently installed apps (especially from third-party app stores) are more likely to be infected with malware. Requests from these devices may require additional authentication steps compared to devices without these risk factors.
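The sections above describe the inputs to a risk policy (action sensitivity, location, device posture) and the output (a required authentication level and, if the current session falls short, a step-up). The following is an added example, not code from Beyond Identity or from this article, showing one way to wire those inputs into a policy decision. The assurance level names, the action and location labels, and the factor names are assumptions chosen for illustration; the sample requests at the bottom are constructed.

```python
"""Risk-based step-up policy evaluator (added example; names and levels are assumed)."""
from dataclasses import dataclass
from enum import IntEnum


class Assurance(IntEnum):
    """Ordered authentication assurance levels (assumed names, not a standard)."""
    NONE = 0                    # no valid session
    SINGLE_FACTOR = 1           # e.g. password or a still-valid session cookie
    MULTI_FACTOR = 2            # adds a possession factor (device-bound credential)
    MULTI_FACTOR_BIOMETRIC = 3  # adds a biometric check on top of possession


@dataclass(frozen=True)
class RequestContext:
    """What the policy engine knows about one request before authenticating."""
    action: str                                # e.g. "view_profile", "edit_address", "purchase"
    location: str                              # coarse label from upstream: "home", "office", "public"
    rooted: bool = False                       # rooted or jailbroken device
    recent_third_party_install: bool = False   # apps recently installed from outside the official store
    current_assurance: Assurance = Assurance.NONE  # level the existing session already reached


# Baseline requirement by action sensitivity: viewing is cheaper than editing or paying.
ACTION_BASELINE = {
    "view_profile": Assurance.SINGLE_FACTOR,
    "view_orders": Assurance.SINGLE_FACTOR,
    "edit_address": Assurance.MULTI_FACTOR,
    "purchase": Assurance.MULTI_FACTOR,
}
TRUSTED_LOCATIONS = {"home", "office"}
MAX_LEVEL = Assurance.MULTI_FACTOR_BIOMETRIC

# The extra factor a user must complete to reach each level from the one below it.
FACTOR_FOR_LEVEL = {
    Assurance.SINGLE_FACTOR: "password",
    Assurance.MULTI_FACTOR: "device-bound credential",
    Assurance.MULTI_FACTOR_BIOMETRIC: "biometric verification",
}


@dataclass(frozen=True)
class Decision:
    required: Assurance
    step_up_needed: bool
    reasons: tuple


def evaluate(ctx: RequestContext) -> Decision:
    """Pick the assurance level a request needs and say whether a step-up is required."""
    reasons = []
    # Unknown actions fail closed to the strictest level.
    level = ACTION_BASELINE.get(ctx.action, MAX_LEVEL)
    if ctx.action not in ACTION_BASELINE:
        reasons.append("unlisted action")

    # Environmental risk: a device is more likely to be lost or stolen away from home/office.
    if ctx.location not in TRUSTED_LOCATIONS and level < Assurance.MULTI_FACTOR:
        level = Assurance.MULTI_FACTOR
        reasons.append("untrusted location")

    # Device posture: rooted devices or fresh third-party installs raise the level one notch.
    if ctx.rooted or ctx.recent_third_party_install:
        if level < MAX_LEVEL:
            level = Assurance(level + 1)
        reasons.append("risky device posture")

    return Decision(level, ctx.current_assurance < level, tuple(reasons))


def step_up_factors(ctx: RequestContext, decision: Decision) -> list:
    """Factors the user still has to complete, in order, to reach the required level."""
    return [FACTOR_FOR_LEVEL[Assurance(lvl)]
            for lvl in range(ctx.current_assurance + 1, decision.required + 1)]


if __name__ == "__main__":
    # Constructed sample requests covering the scenarios discussed in the article.
    samples = [
        RequestContext("view_profile", "home", current_assurance=Assurance.SINGLE_FACTOR),
        RequestContext("edit_address", "home", current_assurance=Assurance.SINGLE_FACTOR),
        RequestContext("view_profile", "public", current_assurance=Assurance.SINGLE_FACTOR),
        RequestContext("edit_address", "public", rooted=True,
                       current_assurance=Assurance.MULTI_FACTOR),
        RequestContext("delete_account", "home", current_assurance=Assurance.NONE),
    ]
    for ctx in samples:
        d = evaluate(ctx)
        print(f"{ctx.action:14s} {ctx.location:7s} -> {d.required.name:22s} "
              f"step_up={d.step_up_needed} reasons={d.reasons} "
              f"factors={step_up_factors(ctx, d)}")
```

The policy only ever raises the required level; a low-risk context never lowers the baseline an action demands. Unlisted actions fail closed so that a newly added endpoint is protected by default until someone consciously assigns it a level.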

Balance security and usability with step-up authentication

Not all requests are created equal. Different actions, users, and devices carry varying levels of risk to the user and to the organization. Preventing data breaches and other security incidents while maintaining a positive user experience requires the creation and enforcement of risk-based policies using step-up authentication.

Beyond Identity makes it simple for companies to implement strong, multi-factor adaptive authentication. Based on request sensitivity and analysis of risk factors, Beyond Identity will dynamically add biometric verification to application authentication processes according to your company’s risk policies.

Several Beyond Identity products support step-up authentication, including:

To learn more about step-up authentication with Beyond Identity, request a free demo.