Step-Up Authentication Overview

Step-Up Authentication prompts customers to re-authenticate before accessing sensitive resources or performing critical actions. This additional security layer helps protect high-value transactions and sensitive data without invalidating the customer's current session.

What is Step-Up Authentication?

Step-Up Authentication challenges already authenticated users to verify their identity again via a secondary authentication factor. Unlike standard authentication flows, Step-Up Authentication:

  • Does not invalidate the current user session

  • Provides temporary elevated access privileges

  • Returns a SecondFactorAuthenticationToken upon successful verification

  • Can be triggered selectively for specific resources or actions

Common Use Cases

  • Accessing financial information or making transactions

  • Changing critical account settings (email, password, security questions)

  • Viewing sensitive personal data

  • Performing administrative actions

  • Accessing protected documents or resources

Standard Workflow

All Step-Up Authentication APIs follow this pattern:

  • Active Session: The customer is already authenticated and holds a valid access_token.
  • Resource Request: The customer attempts to access a protected resource or perform a sensitive action on your website.
  • Challenge Prompt: The customer is prompted to Step-Up Authenticate via your chosen method.
  • Token Generation: Upon successful authentication, a SecondFactorAuthenticationToken is returned.
  • Token Validation: Your back-end validates the SecondFactorAuthenticationToken before granting access to the requested resource.

Note: The workflow may vary depending on the authentication method used (PIN, MFA, Email OTP, etc.).

Available Authentication Methods

Multi-Factor Authentication (MFA)

Step-Up Authentication can leverage your existing MFA configuration. Supported MFA methods include:

  • SMS OTP: One-time passcode sent via text message

  • Email OTP: Verification code sent to registered email

  • Authenticator Apps (TOTP): Time-based OTP from apps like Google Authenticator, Microsoft Authenticator, or Duo

  • Security Questions: Pre-configured security questions and answers

  • Push Notifications: QR code-based verification

  • Passkeys: Public-key cryptography-based authentication

  • Backup Codes: Pre-generated fallback codes for emergency access

Email OTP (Without MFA)

Step-Up Authentication can be performed using Email OTP even when MFA is not enabled on your site, so a site without MFA can still require re-authentication before sensitive actions.

Email OTP Workflow

  • Retrieve Access Token: User logs in with standard credentials and obtains an access_token

  • Send OTP: Call the Send Email OTP for Step-Up Authentication API with the user's email address

  • Verify OTP: User provides the OTP, which is verified using the Verify Email OTP for Step-Up Authentication API

  • Receive Token: Upon successful verification, a SecondFactorAuthenticationToken is returned

  • Validate Token: Verify the SecondFactorAuthenticationToken to grant access to the protected resource

PIN Authentication

PIN-based Step-Up Authentication allows users to verify their identity using a Personal Identification Number. Refer to the PIN Authentication API documentation for specific implementation details.

API Endpoints

Step-Up Authentication APIs are available under the /identity/v2/auth/account/reauth/ path:

  • PUT /identity/v2/auth/account/reauth/2fa/BackupCode - Authenticate using backup codes

  • PUT /identity/v2/auth/account/reauth/2fa/otp - Authenticate using OTP

  • Additional endpoints exist for the other authentication methods; see the individual Step-Up Authentication API pages

Token Management

SecondFactorAuthenticationToken

The SecondFactorAuthenticationToken is a temporary credential that confirms successful Step-Up Authentication. In the API response it is carried in the SecondFactorValidationToken field, together with its expiry. This token:

  • Has a limited expiration time (specified in the ExpireIn field, a UTC timestamp)

  • Should be validated server-side before granting resource access

  • Does not replace or invalidate the original access_token

Example Response:

{
  "SecondFactorValidationToken": "47*****5-7***-****-****-09*******ece",
  "ExpireIn": "2018-06-13T06:35:13.0503845Z"
}
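The Token Validation step of the workflows above, carried through on the relying party's back-end as an added example (this is not LoginRadius code): it parses the ExpireIn timestamp from a response shaped like the one above, binds the token to the access_token session and to one named action, consumes it on first use, and caps its lifetime server-side. The action names, the session binding, the single-use rule and the 5-minute cap are assumptions of this example, not behaviour the page specifies.

```python
"""Server-side gate for a step-up protected action.

Added example, not LoginRadius code. It consumes a Verify response shaped
like the one above ({"SecondFactorValidationToken": ..., "ExpireIn": ...});
the action names, the session binding, the single-use rule and the
5-minute cap are this example's own choices, not values from the page.
"""
import hmac
import re
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Callable, Dict, Optional

_ISO_Z = re.compile(r"^(\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2})(?:\.(\d+))?Z$")


def parse_expire_in(value: str) -> datetime:
    """Parse ExpireIn ("2018-06-13T06:35:13.0503845Z") into an aware UTC datetime.

    The field carries seven fractional digits, which datetime.fromisoformat
    rejects on Python < 3.11, so the fraction is truncated to microseconds.
    """
    match = _ISO_Z.match(value)
    if not match:
        raise ValueError(f"unexpected ExpireIn format: {value!r}")
    base, fraction = match.groups()
    micros = int((fraction or "0")[:6].ljust(6, "0"))
    return datetime.strptime(base, "%Y-%m-%dT%H:%M:%S").replace(
        microsecond=micros, tzinfo=timezone.utc)


@dataclass(frozen=True)
class Grant:
    access_token: str      # the session in which the step-up was completed
    action: str            # the single protected action this grant covers
    expires_at: datetime


class StepUpGuard:
    """Remembers verified step-up tokens and decides whether to release a resource."""

    def __init__(self, max_lifetime: timedelta = timedelta(minutes=5),
                 clock: Callable[[], datetime] = lambda: datetime.now(timezone.utc)):
        self._max_lifetime = max_lifetime
        self._clock = clock
        self._grants: Dict[str, Grant] = {}

    def record(self, verify_response: dict, access_token: str, action: str) -> str:
        """Store the token after a successful Verify call.

        ExpireIn is treated as an upper bound: the grant also dies after
        max_lifetime even if the identity provider would still accept it.
        """
        token = verify_response["SecondFactorValidationToken"]
        expires_at = min(parse_expire_in(verify_response["ExpireIn"]),
                         self._clock() + self._max_lifetime)
        self._grants[token] = Grant(access_token, action, expires_at)
        return token

    def authorize(self, token: Optional[str], access_token: str, action: str) -> bool:
        """Release `action` for this session only if the token checks out.

        The grant is removed on every lookup: a token presented twice, from
        another session or for another action is consumed and fails.
        """
        if not token:
            return False
        grant = self._grants.pop(token, None)
        if grant is None or self._clock() >= grant.expires_at:
            return False
        same_session = hmac.compare_digest(grant.access_token, access_token)
        return same_session and grant.action == action


def demo() -> dict:
    """Run the checks against a constructed Verify response (sample data only)."""
    clock = {"now": datetime(2018, 6, 13, 6, 30, tzinfo=timezone.utc)}
    response = {   # constructed sample; same shape as the example response above
        "SecondFactorValidationToken": "sample-step-up-token-0001",
        "ExpireIn": "2018-06-13T06:35:13.0503845Z",
    }

    def issued() -> tuple:
        guard = StepUpGuard(clock=lambda: clock["now"])
        return guard, guard.record(response, "sess-A", "change_email")

    out = {}
    guard, token = issued()
    out["happy_path"] = guard.authorize(token, "sess-A", "change_email")
    out["replay"] = guard.authorize(token, "sess-A", "change_email")
    guard, token = issued()
    out["other_session"] = guard.authorize(token, "sess-B", "change_email")
    guard, token = issued()
    out["other_action"] = guard.authorize(token, "sess-A", "wire_transfer")
    out["unknown_token"] = guard.authorize("never-issued", "sess-A", "change_email")
    guard, token = issued()
    clock["now"] += timedelta(minutes=5, seconds=5)   # before ExpireIn, past the cap
    out["past_server_cap"] = guard.authorize(token, "sess-A", "change_email")
    return out
```

The guard removes a grant on every lookup, so a token that arrives in the wrong session or for the wrong action is burned rather than left usable; in the happy path the customer completes exactly one step-up for exactly one action, which matches the selective triggering the page describes. In a real deployment the grant store would live in a shared cache keyed by the session so that any back-end instance can honour it.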

Security Considerations

  • Always validate the SecondFactorAuthenticationToken server-side before granting access; never rely on a client-side flag that claims the step-up succeeded

  • Treat ExpireIn as an upper bound and enforce a shorter lifetime on your back-end where your security requirements demand it

  • Implement rate limiting on both the OTP send and OTP verify steps to prevent brute-force guessing and OTP flooding

  • Log every Step-Up Authentication attempt (user, method, outcome, time) for audit purposes, without recording the OTP or the token itself

  • Consider the user experience when determining which resources require Step-Up Authentication
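The rate-limiting and audit-logging points above, as an added example that is not part of this page or of LoginRadius' own code: a per-customer throttle on the OTP send and OTP verify steps with a lockout after repeated failures, plus an audit record per attempt that never stores the OTP or the token. The limits, the lockout length and the use of the customer's Uid as the throttle key are illustrative assumptions.

```python
"""Throttling and audit logging around the step-up challenge.

Added example, not LoginRadius code. It models the two calls a back-end
proxies for the customer, "send OTP" and "verify OTP", as allow/deny
decisions; the limits and the Uid-based key are illustrative assumptions.
"""
import logging
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Callable, Deque, Dict, Tuple

log = logging.getLogger("stepup.audit")


@dataclass(frozen=True)
class Limit:
    max_events: int
    window: timedelta


class StepUpThrottle:
    """Caps OTP deliveries and OTP guesses per customer, with a lockout."""

    def __init__(self, send_limit: Limit = Limit(3, timedelta(minutes=10)),
                 verify_limit: Limit = Limit(5, timedelta(minutes=10)),
                 lockout: timedelta = timedelta(minutes=15),
                 clock: Callable[[], datetime] = lambda: datetime.now(timezone.utc)):
        self._send_limit, self._verify_limit = send_limit, verify_limit
        self._lockout, self._clock = lockout, clock
        self._events: Dict[Tuple[str, str], Deque[datetime]] = defaultdict(deque)
        self._locked_until: Dict[str, datetime] = {}
        self.audit: list = []   # in-memory copy of what is logged

    def _recent(self, kind: str, uid: str, limit: Limit) -> Deque[datetime]:
        """Drop events that fell out of the window; return the rest."""
        events = self._events[(kind, uid)]
        cutoff = self._clock() - limit.window
        while events and events[0] <= cutoff:
            events.popleft()
        return events

    def allow_send(self, uid: str) -> bool:
        """Gate the Send Email OTP call: limits OTP spam and mailbox flooding."""
        events = self._recent("send", uid, self._send_limit)
        allowed = len(events) < self._send_limit.max_events
        if allowed:
            events.append(self._clock())
        self._record(uid, "send", "allowed" if allowed else "throttled")
        return allowed

    def allow_verify(self, uid: str) -> bool:
        """Gate the Verify call: deny while locked out or over the guess budget."""
        locked = self._locked_until.get(uid)
        if locked and self._clock() < locked:
            self._record(uid, "verify", "locked_out")
            return False
        fails = self._recent("verify_fail", uid, self._verify_limit)
        if len(fails) >= self._verify_limit.max_events:
            self._record(uid, "verify", "throttled")
            return False
        return True

    def record_verify_result(self, uid: str, success: bool, method: str) -> None:
        """Call after the Verify API answered; failures count towards lockout."""
        if success:
            self._events.pop(("verify_fail", uid), None)   # reset the guess budget
            self._record(uid, "verify", "success", method=method)
            return
        fails = self._recent("verify_fail", uid, self._verify_limit)
        fails.append(self._clock())
        if len(fails) >= self._verify_limit.max_events:
            self._locked_until[uid] = self._clock() + self._lockout
            self._record(uid, "verify", "locked_out", method=method)
        else:
            self._record(uid, "verify", "failure", method=method)

    def _record(self, uid: str, step: str, outcome: str, **extra) -> None:
        """Audit entry: who, which step, outcome, when. Never the OTP or the token."""
        entry = {"uid": uid, "step": step, "outcome": outcome,
                 "at": self._clock().isoformat(), **extra}
        self.audit.append(entry)
        log.info("step-up %s", entry)


def demo() -> dict:
    """Drive the throttle with a scripted clock (constructed scenario, offline)."""
    clock = {"now": datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)}
    throttle = StepUpThrottle(clock=lambda: clock["now"])
    uid = "uid-demo"
    sends = [throttle.allow_send(uid) for _ in range(4)]   # 3 allowed, 4th throttled
    for _ in range(5):                                      # five wrong guesses
        if throttle.allow_verify(uid):
            throttle.record_verify_result(uid, success=False, method="email_otp")
    locked = not throttle.allow_verify(uid)                 # sixth attempt is refused
    clock["now"] += timedelta(minutes=16)                   # lockout and window elapsed
    unlocked = throttle.allow_verify(uid)
    return {"sends": sends, "locked_after_five_failures": locked,
            "unlocked_after_lockout": unlocked, "audit_entries": len(throttle.audit)}
```

The send limit and the verify limit are kept separate because they stop different attacks: capping sends protects the customer's mailbox and your SMS or e-mail budget, capping failed verifications protects the short OTP against guessing. A successful verification resets the guess budget so a customer who mistyped once is not penalised later.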

Configuration

Step-Up Authentication can be configured in the LoginRadius Admin Console under the Security section. MFA settings configured for standard authentication flows can also be leveraged for Step-Up Authentication.

For detailed API specifications and implementation examples, refer to the individual Step-Up Authentication API pages:

  • Multi-Factor Authentication
  • MFA Step-Up Authentication by Authenticator Code
  • Step-Up Auth Validate PIN
  • Send Email OTP for Step Up Authentication