Authentication

Step-Up Authentication

Step-up authentication prompts a user who is already signed in for an additional, stronger factor before allowing a sensitive action — like transferring money, changing payout details, or accessing PII.

Last reviewed 5/30/2026

Key points

  • Triggered by action sensitivity, not just login
  • Usually requires a phishing-resistant factor (passkey, WebAuthn, hardware key)
  • Implemented via OIDC acr_values / amr claims or vendor risk APIs
  • Different from MFA at login — it happens mid-session
  • Core to PSD2 Strong Customer Authentication and high-assurance workflows

What it is

Step-up authentication is a control that asks an already-authenticated user to re-verify identity with a stronger factor before performing a high-risk action. The user is not logged out; the session is upgraded.

Classic examples: a banking app prompts for a passkey before a wire transfer, an admin console requires a hardware key before deleting a tenant, a payroll system asks for re-authentication before changing bank details.

How it works

The relying party signals required assurance using OIDC acr_values (Authentication Context Class Reference) or max_age. The IdP enforces the policy — for example, prompting for WebAuthn if the existing session only used password+TOTP — and returns an updated ID token with new amr (Authentication Methods References) and auth_time claims. The app inspects those claims before authorizing the action.
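As an added example (not code from the original page), the following shows how a relying party might gate a sensitive action on the amr / acr / auth_time claims described above, and which authorization-request parameters it would send to the IdP when the session falls short. The ACR URN, the 300-second freshness window, and the choice of amr values treated as phishing-resistant are assumptions made for this illustration; amr values themselves follow RFC 8176.

```python
import time

# Assumed policy for this example: a high-value action needs a phishing-
# resistant factor AND a recent authentication event.
# amr values are from RFC 8176: "hwk"/"swk" = proof of possession of a
# hardware- or software-bound key (how WebAuthn/passkey logins are commonly
# reported); "pwd"/"otp" = password and one-time password.
PHISHING_RESISTANT_AMR = {"hwk", "swk"}
# Hypothetical ACR value agreed between relying party and IdP (placeholder).
STEP_UP_ACR = "urn:example:acr:phishing-resistant"
MAX_AGE_SECONDS = 300


def step_up_decision(id_token_claims: dict, now: float) -> dict:
    """Decide whether a sensitive action may proceed on the current session.

    `id_token_claims` must come from an ID token whose signature, issuer,
    audience and expiry were already verified; this function only applies
    the step-up policy. It is used both before the action (to decide whether
    to redirect) and after the IdP returns an upgraded ID token (to confirm
    the step-up actually happened). Returns {"allow": True} or the OIDC
    authorization-request parameters the app should send to the IdP.
    """
    amr = set(id_token_claims.get("amr", []))
    auth_time = id_token_claims.get("auth_time", 0)  # missing => never fresh
    fresh = (now - auth_time) <= MAX_AGE_SECONDS
    strong = bool(amr & PHISHING_RESISTANT_AMR) or (
        id_token_claims.get("acr") == STEP_UP_ACR
    )
    if strong and fresh:
        return {"allow": True}
    reasons = []
    if not strong:
        reasons.append("session factor not phishing-resistant")
    if not fresh:
        reasons.append("authentication too old")
    return {
        "allow": False,
        "reasons": reasons,
        # acr_values asks the IdP for the higher assurance level; max_age
        # forces a fresh authentication event if auth_time is older than that.
        "authorize_params": {"acr_values": STEP_UP_ACR, "max_age": MAX_AGE_SECONDS},
    }


if __name__ == "__main__":
    now = time.time()
    # Constructed sample: a session that logged in with password + TOTP an hour ago.
    weak_session = {"amr": ["pwd", "otp"], "auth_time": now - 3600}
    print(step_up_decision(weak_session, now))
    # Constructed sample: the ID token returned after a passkey step-up.
    upgraded = {"amr": ["hwk", "user"], "acr": STEP_UP_ACR, "auth_time": now - 5}
    print(step_up_decision(upgraded, now))
```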

When buyers care

  • Fintech, payments, and crypto products subject to SCA / PSD2
  • SaaS admin actions (tenant deletion, billing changes, role grants)
  • Healthcare and HR systems accessing sensitive records
  • B2B platforms where compromised sessions are the dominant attack path

Common misconceptions

  • Step-up is not the same as MFA. MFA happens at login; step-up happens mid-session, per action.
  • More prompts is not better. Step-up should be reserved for genuinely sensitive actions or risk signals — over-prompting trains users to click through.
  • Re-entering a password is not step-up. A real step-up uses a stronger factor than the current session has.

FAQ

How is step-up different from re-authentication?

Re-authentication forces any factor again. Step-up specifically requires a higher assurance level than what the session currently holds.

Does step-up work with SSO?

Yes. The relying party sends acr_values (or vendor-specific equivalents) to the IdP, which re-prompts and returns updated assurance claims.

What's the right step-up factor in 2026?

A phishing-resistant factor — passkey or hardware security key. SMS and TOTP no longer meet the bar for high-value actions.