Step-up authentication: the right friction at the right moment
Most authentication happens once, at login. Step-up authentication challenges users again only when context demands it. It’s the shift from a yes/no access gate to a continuous risk signal.
What it is
Step-up authentication (SUA) is a pattern where a second — or stronger — authentication factor is required mid-session, triggered by a specific action or condition. The user already has a valid session. They just need to prove they’re still the right person to do this specific thing.
Think of it as authentication on demand. Not at the door, but at the vault. Logging in gets you into the building. Transferring $50,000 gets you another challenge.
How it differs from MFA
Multi-factor authentication (MFA) enforces a second factor at login. Step-up authentication enforces an additional factor after login, whenever a defined risk threshold is crossed. The session is already established. The step-up is contextual.
A user might authenticate with password + TOTP at 9am to access their corporate portal. That same session might trigger a FIDO2 challenge at 2pm when they attempt to modify admin group membership. Same session, higher stakes, stronger challenge.
What triggers a step-up
Triggers fall into three buckets: resource sensitivity, behavioral signals, and policy rules.
| Trigger Category | Examples | Risk Level |
|---|---|---|
| Privileged resource access | Viewing PII fields, accessing vault secrets, opening privileged sessions | High |
| Sensitive operations | Changing MFA settings, modifying admin roles, resetting credentials | High |
| Behavioral anomaly | Unusual location, new device, access outside working hours | Medium |
| Bulk or export actions | Exporting user lists, bulk record edits, large data transfers | Medium |
| Compliance scope actions | Accessing SOX-gated systems, HIPAA-covered records, PCI environments | High |
| Session age or inactivity | Session older than 8 hours, idle for 30+ minutes before sensitive action | Low |
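As an added example (not code from the original article), here is a small Python policy evaluator that encodes the trigger catalogue from the table together with the session-reuse rule described under "How it differs from MFA": the session survives, and a factor already satisfied counts only if it is strong enough for the triggered risk level and was passed recently enough. The resource and action names, the 15-minute freshness window, the bulk threshold, and the mapping of risk levels to factors (low: password re-entry, medium: TOTP, high: FIDO2) are all assumptions; the `scenario()` walk-through constructs the 9am login / 2pm admin change from the text.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Set, Tuple

# Factors ranked by assurance (a requirement for level N is met by any factor >= N);
# the risk -> required-factor mapping is an assumed policy, not a standard.
FACTOR_LEVEL = {"password": 1, "totp": 2, "fido2": 3}
RISK_TO_FACTOR = {"low": "password", "medium": "totp", "high": "fido2"}

# Trigger catalogue following the table above; resource/action names are assumed.
PRIVILEGED_RESOURCES = {"pii_fields", "vault_secrets", "privileged_session"}
COMPLIANCE_RESOURCES = {"sox_ledger", "hipaa_records", "pci_environment"}
SENSITIVE_OPERATIONS = {"change_mfa", "modify_admin_role", "reset_credentials"}
BULK_ACTIONS = {"export_users", "bulk_edit", "data_transfer"}
BULK_THRESHOLD = 100                      # records above which an edit counts as bulk
FACTOR_FRESHNESS = timedelta(minutes=15)  # a challenge passed this recently is reused
SESSION_MAX_AGE = timedelta(hours=8)
IDLE_THRESHOLD = timedelta(minutes=30)
WORKING_HOURS = range(8, 19)              # 08:00-18:59, timestamps in the user's local time

@dataclass
class Session:
    user: str
    established_at: datetime
    last_activity: datetime
    factors_satisfied: Dict[str, datetime]  # factor -> when it was last passed
    device_id: str
    country: str
    known_devices: Set[str]
    usual_country: str

@dataclass
class ActionRequest:
    action: str
    resource: str
    record_count: int
    at: datetime

@dataclass
class Decision:
    step_up_required: bool
    required_factor: Optional[str]
    reasons: List[str]  # audit trail: every trigger that fired, or why no prompt was needed

def collect_triggers(session: Session, req: ActionRequest) -> List[Tuple[str, str]]:
    """Return (risk, reason) for every catalogue trigger the request fires."""
    triggers = []
    if req.resource in PRIVILEGED_RESOURCES:
        triggers.append(("high", f"privileged resource {req.resource}"))
    if req.resource in COMPLIANCE_RESOURCES:
        triggers.append(("high", f"compliance-scoped resource {req.resource}"))
    if req.action in SENSITIVE_OPERATIONS:
        triggers.append(("high", f"sensitive operation {req.action}"))
    if req.action in BULK_ACTIONS or req.record_count > BULK_THRESHOLD:
        triggers.append(("medium", f"bulk action {req.action} on {req.record_count} records"))
    if session.device_id not in session.known_devices:
        triggers.append(("medium", f"unrecognised device {session.device_id}"))
    if session.country != session.usual_country:
        triggers.append(("medium", f"unusual location {session.country}"))
    if req.at.hour not in WORKING_HOURS:
        triggers.append(("medium", "access outside working hours"))
    if req.at - session.established_at > SESSION_MAX_AGE:
        triggers.append(("low", "session older than 8 hours"))
    if req.at - session.last_activity > IDLE_THRESHOLD:
        triggers.append(("low", "idle for 30+ minutes before this action"))
    return triggers

def evaluate(session: Session, req: ActionRequest) -> Decision:
    """Decide whether the request needs a fresh challenge, and which factor."""
    triggers = collect_triggers(session, req)
    if not triggers:
        return Decision(False, None, [])
    # The highest-risk trigger decides how strong the challenge must be.
    worst_risk = max((risk for risk, _ in triggers), key=lambda r: FACTOR_LEVEL[RISK_TO_FACTOR[r]])
    required = RISK_TO_FACTOR[worst_risk]
    needed_level = FACTOR_LEVEL[required]
    reasons = [reason for _, reason in triggers]
    # The session is kept: a factor of sufficient strength passed within the
    # freshness window satisfies the step-up without prompting the user again.
    for factor, when in session.factors_satisfied.items():
        if FACTOR_LEVEL.get(factor, 0) >= needed_level and req.at - when <= FACTOR_FRESHNESS:
            reasons.append(f"satisfied by recent {factor}")
            return Decision(False, None, reasons)
    return Decision(True, required, reasons)

def record_step_up(session: Session, factor: str, at: datetime) -> None:
    # Called after the user passes the challenge; the same session continues.
    session.factors_satisfied[factor] = at
    session.last_activity = at

def scenario() -> List[Decision]:
    """Constructed walk-through: password+TOTP at 9am, admin change at 2pm, late-night view."""
    t = lambda h, m: datetime(2024, 3, 4, h, m)
    s = Session("alice", t(9, 0), t(13, 58), {"password": t(9, 0), "totp": t(9, 0)},
                "laptop-1", "NL", {"laptop-1"}, "NL")
    d1 = evaluate(s, ActionRequest("modify_admin_role", "admin_groups", 1, t(14, 0)))
    record_step_up(s, "fido2", t(14, 0))       # user passed the FIDO2 challenge
    d2 = evaluate(s, ActionRequest("modify_admin_role", "admin_groups", 1, t(14, 5)))
    d3 = evaluate(s, ActionRequest("view", "dashboard", 1, t(22, 30)))
    return [d1, d2, d3]
```

In the walk-through, the 2pm admin change is refused on the strength of the morning TOTP (level 2, and long outside the freshness window) and demands FIDO2; a second admin change five minutes after the FIDO2 challenge passes silently because the session carries a fresh factor of sufficient strength; and a routine view at 22:30 collects three reasons (outside working hours, stale session, long idle) of which the medium-risk one sets the required factor to TOTP. Logging `Decision.reasons` alongside the prompt gives the SOC the context for why a user was challenged.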