Step-up authentication is an authentication method available for eService providers to allow users to access certain resources with minimal credentials, while requiring additional verification when accessing sensitive information. Matching authentication levels and authentication methods with the sensitivity (or value) of the resource provides a good balance between security and ease of use.

This blog will concentrate on and explore step-up authentication, what it is, how it interacts with SSO and its benefits.

What is step-up authentication?

Step-up authentication is the use of two separate authentication methods, at differing intervals throughout login and information access. A lower level of assurance method is used to access the basic information before a higher level of assurance method is then requested if the user wants to access more sensitive information.

Step-up authentication is technically an upgrade to an existing authentication level. The basic concept is that initially, users authenticate themselves using a lower-level authentication method. For example, the username and password created during the account registration or one of the social media methods like Apple, Google, or Facebook. This login creates a session which is typically stored to a web browser cookie, and this allows the users to access certain types of services and information.

If the users want to access more sensitive information or, for example handle money-related transactions, then they must upgrade the authentication level of the existing session to a higher degree. This is where the step-up authentication takes place. From the users’ point of view, it is just another authentication workflow where they use a higher level of assurance authentication method, such as Bank ID, Time-based One-Time Password (TOTP) codes, mobile PKI, ID cards or similar. This adaptive approach ensures that only authorised users can access the sensitive information, thereby managing the risk level without negatively impacting the usability.

Step-up authentication and SSO

One of the basic features of a modern CIAM System is the single sign-on (SSO). It is a great feature that allows users to move between different services of the same service provider without the need to re-authenticate in between. The SSO between different applications requires the user session to be authenticated to a specific level or re-authentication will be requested. The different MFA authentication workflows utilise the so-called ‘weakest method first’ principle where the lower level of assurance methods are executed first, followed by the higher assurance methods. This is the same principle usually applied in step-up authentication. If users have not yet executed the higher level of assurance within step-up authentication, they may be blocked from using the SSO within applications that require the higher level of authentication. In these cases, the users must execute a new authentication which is not part of the step-up authentication.

Why choose Step-up authentication?

There are several so-called multiple authentication request schemes to choose from. These include multifactor authentication (MFA), step-up authentication and risk based authentication (RBA). Although there are some similarities between these, including the authentication methods being the same and step-authentication and RBA both being based on MFA. There are also some fundamental differences, like the conditions of when and where those extra authentication steps are requested. Step-up Authentication sits between MFA and RBA. Making it an ideal authentication method when your system requires a higher level of authentication than basic MFA can provide but does not require the intricacies of RBA.

In comparison to MFA, which requests two authentication methods during the initial login process, step-up authentication only requests the additional higher-level authentication when the user wants to access sensitive information, or perform higher risk, higher value transactions. This not only makes the system more user friendly but also saves costs in comparison to traditional MFA due to only requesting secondary authentication as and when required.

Step-up authentication and Risk-Based Authentication (RBA) differ in that step-up authentication allows access to different parts of a service using both single-factor and multi-factor authentications, while RBA only utilises multi-factor authentication as a means of added security when suspicious activity is detected, without providing any additional access to the service.

By raising the assurance level of an authentication method, we make services more secure. However, at the same time, the access procedure becomes more complex for the end user, thus potentially increasing frustration, which we want to avoid. In addition, added security of MFA usually increases the cost for the service providers in form of transaction-based pricing per authentication action. Step-up authentication and RBA provide optional approaches to solve these issues.


Nowadays, people understand the role of the cyber security of eServices and are becoming more familiar with the higher level of assurance authentication procedures. However, usability is a key factor for a successful eService. Providing easy access without compromising security can be a separator between you and your competition.

Step-up authentication provides the best of both worlds, easy usability when accessing protected resources and a high-security level when accessing more sensitive information. Even if criminal hackers managed to get users’ credentials to access their services, sensitive information or money-related transactions would not be available without using the higher level of assurance method required to access these resources. This, combined with the cost savings that service providers can achieve with step-up authentication, makes it a very attractive option when evaluating different authentication method schemes for their eServices.

As a Customer and Identity Management System (CIAM) vendor, Ubisecure’s Identity Platform offers various authentication method options for the eService providers. These methods can be used individually, as a single-factor manner, or as a combination of two or more, offering various schemes for authentication.

If you’d like to find out more about step-up authentication, contact us and speak to one of our technical experts.