Step Up Authentication

Authentication is a balance between user experience and the security of your application. Ideally the process would run seamlessly in the background and still be completely secure. Step up authentication moves in that direction by limiting the friction a user encounters at login and escalating it only when they attempt more sensitive actions within your application.

So what is Step Up Authentication?

Step up authentication prompts the user for basic credentials, such as email and password, to access the basic parts of an application. A second factor is required only before the user performs a sensitive action, such as altering payment information or switching the primary email on the account. This minimizes the friction the user feels when they first log into the app. The policy is static: you designate the resources you want to protect, and every request to those resources triggers the step up. The feature adds friction only to the most sensitive parts of your application while granting the user as much access as is responsible for its basic functions.

How does this differ from Multi-Factor Authentication?

Multi-factor authentication (MFA) is part of the ordinary login process. Instead of accepting a single credential, MFA requires a second form of identification before the login completes. This is a highly secure way to log in your users, but it puts all of that friction in front of every user before they can reach any part of the application. Rather than forcing every user to present a second factor just to authenticate, step up authentication asks for that friction only when it is necessary, keeping the user experience as smooth as possible.

Is it the same as Adaptive MFA?

Step up authentication and adaptive MFA aren’t synonymous, but step up authentication can be considered a form of adaptive MFA. In adaptive MFA, a risk score is calculated for the login and MFA is requested once that score exceeds a threshold. A rule might fire when the user fails to log in a certain number of times or logs in from a new location; these rules are about the behavior of the user. Step up authentication, in contrast, assesses the resources themselves and assigns higher security requirements to the sensitive ones. Its rules trigger a step up regardless of whether the user is logging in from their usual IP address, because they protect a resource rather than challenge unusual behavior.

How to Implement with Frontegg

We have created a variety of SDKs to make implementing step up authentication as easy as possible. Today, we’ll take a brief look at what it takes to accomplish this in React; the process is similar with our other SDKs. In React, it’s as simple as using our useIsSteppedUp() hook. It returns true or false depending on whether the user has already completed step up authentication. If they have not, you can use the useStepUp() hook to initiate step up authentication for the user. If useIsSteppedUp() returns true, the user has already presented an additional factor and is ready to be passed on to the more sensitive parts of your application.
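The static, resource-keyed policy described under "So what is Step Up Authentication?" and the true/false question the React hook answers can be made concrete with a small server-side policy evaluator. This is an added example written for this article, not Frontegg SDK code: the route table, the session field stepUpAt (epoch seconds of the last second-factor verification) and the functions requiredStepUp, hasFreshStepUp and authorize are all assumptions made here for illustration. It also covers the check a practitioner will want alongside the hook: the hook drives the UI, but the API that handles the sensitive action must apply the same policy itself, because a purely client-side gate can be bypassed by calling the API directly.

```javascript
// Added illustration, not Frontegg SDK code: a static step-up policy of the
// kind described above, evaluated on the server for every request.

// The policy is keyed on the resource, not on who the user is or where they
// come from. Each protected route states how recently (in seconds) the second
// factor must have been verified. Routes absent from the table need only the
// basic login. (Hypothetical routes and windows, chosen for the example.)
const STEP_UP_POLICY = {
  "/account/payment": { maxAge: 5 * 60 },   // change card details: 5 minutes
  "/account/email":   { maxAge: 5 * 60 },   // change primary email: 5 minutes
  "/account/export":  { maxAge: 60 * 60 },  // bulk data download: 1 hour
};

// Longest-prefix match on whole path segments, so "/account/payment/card"
// inherits the "/account/payment" rule but "/account/emails" does not match
// "/account/email". Returns null when the path is not protected.
function requiredStepUp(path) {
  let best = null;
  for (const [prefix, rule] of Object.entries(STEP_UP_POLICY)) {
    const matches = path === prefix || path.startsWith(prefix + "/");
    if (matches && (best === null || prefix.length > best.prefix.length)) {
      best = { prefix, ...rule };
    }
  }
  return best;
}

// session.stepUpAt: epoch seconds when the second factor was last verified,
// or null if the user has never stepped up in this session. An expired step
// up is treated exactly like a missing one, so staying logged in does not
// keep an elevation alive. A timestamp in the future is rejected outright
// (clock skew or a tampered session store).
function hasFreshStepUp(session, maxAge, now) {
  if (!Number.isFinite(session.stepUpAt)) return false;
  if (session.stepUpAt > now) return false;
  return now - session.stepUpAt <= maxAge;
}

// The decision the API makes before acting on a request.
// Returns "deny" (not logged in), "allow", or "step-up-required".
function authorize(path, session, now = Math.floor(Date.now() / 1000)) {
  if (!session || session.authenticated !== true) return "deny";
  const rule = requiredStepUp(path);
  if (rule === null) return "allow"; // basic login is enough here
  return hasFreshStepUp(session, rule.maxAge, now) ? "allow" : "step-up-required";
}

// Constructed sample sessions, all at the same fixed instant.
const NOW = 1700000000;
const freshSession = { authenticated: true, stepUpAt: NOW - 60 };     // 1 minute ago
const staleSession = { authenticated: true, stepUpAt: NOW - 3600 };   // 1 hour ago
const neverSteppedUp = { authenticated: true, stepUpAt: null };

for (const [label, session] of [
  ["fresh", freshSession],
  ["stale", staleSession],
  ["never", neverSteppedUp],
]) {
  for (const path of ["/dashboard", "/account/payment/card", "/account/export"]) {
    console.log(label.padEnd(6), path.padEnd(24), authorize(path, session, NOW));
  }
}
```

The contrast with adaptive MFA is visible in authorize(): nothing about the user's IP address or login history is consulted, only the resource and how recently the second factor was verified. Keep maxAge short for the most damaging operations, and have the endpoint that performs the action run this same decision rather than trusting that the front end already did.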

Ready to elevate your application’s security without compromising the user experience? Explore Frontegg’s Step Up Authentication and discover how you can strike the right balance between security and usability. Learn more about getting started with step up authentication today!