What Is Step-Up Authentication and Where Does It Come Into Play?

Written by Kelsey Kinzer on August 10, 2021

Share This Article

The online world can be a scary place, and one that offers many opportunities for malicious individuals to compromise your digital security. While passwords are still the most common way to protect digital accounts, the growing number of SaaS-based applications and services means remembering the right password for each one is a daunting task. While users are encouraged to create new passwords for each website they visit, the simple truth is that they will often reuse an older password for simplicity’s sake.

This introduces a significant risk to your online security.

If an account is ever compromised, criminal hackers will have access to not only the information for that site, but possibly many others for which the victim may have used the same password. The risk for businesses can be even greater and a breach of its online security can be catastrophic. It can mean a loss of customer trust, loss of revenue, and a loss of reputation.

How Multi-Factor Authentication Helps

For this reason, many companies now require more than a simple password for access to their online accounts. This is called multi-factor authentication (MFA) or Two Factor Authentication (2FA), and it can be an effective way to mitigate the risks associated with online security.

For most individuals, MFA is introduced in the form of a “second factor” that’s used in conjunction with a user’s password. This can be something as simple as a one-time passcode (OTP) sent via email or a text message. or something more complex like a biometric identifier. Often, a smartphone app is used to deliver a time-based one-time password (TOTP) or facilitate a push notification.

Whatever option is ultimately chosen, the second factor is used to make sure that the user is who they say they are. If the user’s second factor doesn’t match, then access is denied.

Step-Up Authentication vs Multi-Factor Authentication

Step-up authentication, as the name suggests, is the process of transitioning from a single authentication factor (such as a password) to multiple authentication factors. This might seem the same as MFA, but how and where step-up authentication is used plays a critical factor.

A step-up authentication process provides a more robust and secure authentication process. While MFA is often used to protect user data, step-up authentication is more often used to protect the business itself.

With step-up authentication, users can use some resources, but when they need to access more sensitive information, they’re prompted for further authorization. This type of authentication tries to find a balance between security and convenience.

Step-Up Authentication Examples

You have probably already been exposed to step-authentication in some fashion in your online activities already. However, some easy-to-understand examples of its use are:

  • Employees needing to access their corporate email on a personal laptop, but needing to log in through a VPN to access the corporate network
  • Viewing banking information through an app on a smartphone, but needing to authenticate and log in before initiating any fund transfers

With step-up authentication, access to specific resources can be restricted based on the sensitivity of the information.

Let’s explore one of these scenarios in a bit more depth to provide a clearer picture:

Let’s assume that you needed to do some banking. You log into your bank on your PC and you’re prompted for a username and password. If this is a new computer that you are logging in from, you will often be asked to verify your identity further with a security passphrase that you created when you opened the account. Common passphrases are “mother’s family name” or “name of your first pet” or something similar. Alternatively, you could receive an SMS with a specific code. These are both examples of MFA.

While you’re logging into the account, you’ll probably get a prompt to make sure that you don’t have to enter the passphrase again as long as you continue to use the same browser. In this case, MFA is also accounting for your location and IP address to help you save a step for the future.

Now, while you might be logged in and authenticated, let’s assume that you want to change your password. You go to the account settings page and choose the change password option. At this stage, it’s likely that you’ll be prompted to reauthenticate, respond to a reCAPTCHA prompt, or more. This is an example of step-up authentication in action.

In this case, the bank tries to provide you with additional security against the potential threat that someone else has maliciously accessed your computer or otherwise gained access to your account (or a robot is trying to initiate a password change). By forcing you to reauthenticate, they are ensuring once again that it is you making the change and that you have all of the necessary information to validate your identity.

How Step-Up Authentication Compares to Adaptive Authentication

When comparing authentication methods, step-up, adaptive, and MFA are often used interchangeably, but there are some very important distinctions that need to be understood.

MFA can be considered the parent, as both step-up and adaptive authentication systems utilize features from MFA. MFA is the overarching technology that requires users to submit multiple authentication factors during an access transaction in order to validate their identity.

Step-up authentication adds additional authentication requirements based on the resources being accessed within an application or service. Adaptive authentication, on the other hand, looks at a user’s risk profile and makes a determination as to whether or not additional authentication is required.

To determine risk, adaptive authentication tools consider a user’s physical location in comparison to their IP address, as well as records of previous malicious attempts from that IP address. In addition to location, job functions are also a consideration for assessing risk as well as a variety of other factors.

Using Step-Up Authentication

Protecting business resources and user information is critical at all times. However, employees must also be able to access the information and systems they need to do their jobs. To navigate this dichotomy, step-up authentication is ideal.

With step-up authentication, it’s possible to create more dynamic controls that protect sensitive data or systems within business applications or environments through real-time validation rather than simply through static role-based access. When combined with security principles like Zero Trust security and least privilege, step-up authentication can bridge the gap between security and accessibility. 

These different levels of authentication are more user-friendly as they limit the hoops employees need to go through to access less sensitive information, while still protecting the organization and its data should an account be compromised.

Step-Up Authentication and JumpCloud

Though the implementation of step-up authentication is unique for each situation, the JumpCloud Directory Platform provides multiple ways to deliver step-up authentication throughout the organization. By leveraging multi-factor authentication across multiple resources like applications, devices, networks, infrastructure, and more and developing conditional access policies to govern secure access based on identity, device, and network, JumpCloud makes it easy to secure access without slowing end users down. 

To see this in action, sign up for a free account today. Your first 10 users and 10 devices are free, and you’ll receive 10 days of 24/7 premium in-app chat support as well.

Kelsey Kinzer

Kelsey is a passionate storyteller and SEO Content Writer at JumpCloud. She is particularly inspired by the people who drive innovation in B2B tech. When away from her screen, you can find her climbing mountains and (unsuccessfully) trying to quit cold brew coffee.

Continue Learning with our Newsletter