Step-Up Authentication

Scope

This document defines how Step-Up Authentication is applied for Business Accounts when a login attempt is identified as risky.

Step-Up Authentication requires users to complete additional verification steps beyond their primary login method.


Purpose

Step-Up Authentication is designed to:

  • Reduce account takeover risk

  • Apply stronger authentication only when risk is detected

  • Protect sensitive business data and operations

  • Maintain a smooth user experience for low-risk logins


When Step-Up Authentication Is Triggered

Step-Up Authentication is enforced when:

  • One or more Risk Detection Signals exceed configured thresholds

  • Organization security policies require additional verification

  • Users attempt to access sensitive resources or elevated privileges


Trigger Conditions

  • Medium risk login attempt

  • High risk login attempt

  • Access to sensitive resources

  • Policy-based enforcement

  • Compliance requirements


Step-Up Authentication Methods

The system may require one or more of the following:

Supported Methods

  • MFA via Authenticator App (TOTP)

  • Email verification codes

  • Passkeys (FIDO2 / WebAuthn)

  • Backup recovery codes (limited use)

Available methods depend on organization policy configuration.


Authentication Strength Levels

  • Level 1: Primary authentication only

  • Level 2: Primary + one MFA factor

  • Level 3: Strong MFA (phishing-resistant)

Risk level to required authentication level:

  Risk Level    Required Authentication
  Low           Level 1
  Medium        Level 2
  High          Level 3


Step-Up Decision Flow

  1. User submits primary credentials

  2. System evaluates risk signals

  3. Risk score is calculated

  4. Step-up requirement is determined

  5. User is prompted for additional verification

  6. Access is granted or denied
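The decision flow above, together with the risk-to-level table and the supported methods, written out as an added example (this is illustrative code, not the system's own implementation). The signal weights, the medium/high thresholds, and the rule that only FIDO2/WebAuthn passkeys count as phishing-resistant Level 3 are assumptions made for the example; the mapping from risk level to required authentication level and the "strong MFA for elevated access" rule follow the policy text.

```python
from dataclasses import dataclass
from enum import IntEnum
from typing import Iterable, Optional, Sequence


class AuthLevel(IntEnum):
    """Authentication strength levels defined by the policy."""
    LEVEL_1 = 1  # primary authentication only
    LEVEL_2 = 2  # primary + one MFA factor
    LEVEL_3 = 3  # strong, phishing-resistant MFA


# Strength provided by each supported method. Treating only passkeys
# (FIDO2/WebAuthn) as phishing-resistant is an assumption of this example.
METHOD_LEVEL = {
    "passkey": AuthLevel.LEVEL_3,
    "totp": AuthLevel.LEVEL_2,
    "email_code": AuthLevel.LEVEL_2,
    "recovery_code": AuthLevel.LEVEL_2,
}

# Risk level -> required authentication level (the policy's mapping table).
RISK_TO_LEVEL = {
    "low": AuthLevel.LEVEL_1,
    "medium": AuthLevel.LEVEL_2,
    "high": AuthLevel.LEVEL_3,
}

# Constructed signal weights and thresholds (hypothetical values); a real
# deployment tunes these per organization policy.
SIGNAL_WEIGHTS = {
    "new_device": 30,
    "new_location": 25,
    "impossible_travel": 60,
    "anonymizing_proxy": 50,
    "recent_failed_logins": 20,
}
MEDIUM_THRESHOLD = 30
HIGH_THRESHOLD = 60


def risk_score(signals: Iterable[str]) -> int:
    """Step 3: sum the weights of the risk signals that fired."""
    return sum(SIGNAL_WEIGHTS.get(s, 0) for s in signals)


def risk_level(score: int) -> str:
    """Bucket a score into low / medium / high using the thresholds."""
    if score >= HIGH_THRESHOLD:
        return "high"
    if score >= MEDIUM_THRESHOLD:
        return "medium"
    return "low"


@dataclass(frozen=True)
class StepUpDecision:
    score: int
    risk_level: str
    required_level: AuthLevel
    acceptable_methods: tuple  # enabled methods strong enough for required_level

    @property
    def step_up_required(self) -> bool:
        return self.required_level > AuthLevel.LEVEL_1


def decide_step_up(
    signals: Iterable[str],
    enabled_methods: Sequence[str],
    sensitive_resource: bool = False,
    policy_minimum: AuthLevel = AuthLevel.LEVEL_1,
) -> StepUpDecision:
    """Step 4: determine the step-up requirement for one login attempt.

    The required level is the strongest of the risk-derived level, the
    organization's policy minimum, and Level 3 when the request targets a
    sensitive resource (strong MFA is required for elevated access).
    """
    score = risk_score(signals)
    level = risk_level(score)
    required = max(RISK_TO_LEVEL[level], policy_minimum)
    if sensitive_resource:
        required = max(required, AuthLevel.LEVEL_3)
    if required == AuthLevel.LEVEL_1:
        acceptable = ()
    else:
        acceptable = tuple(sorted(
            m for m in enabled_methods if METHOD_LEVEL[m] >= required
        ))
    return StepUpDecision(score, level, required, acceptable)


def grant_access(decision: StepUpDecision, completed_method: Optional[str]) -> bool:
    """Steps 5-6: grant only when no step-up is needed or the completed
    method is one the policy enabled and is strong enough for the level."""
    if not decision.step_up_required:
        return True
    return completed_method in decision.acceptable_methods
```

Note the failure mode the last case exposes: when the policy requires Level 3 but the organization has enabled only Level 2 methods, `acceptable_methods` is empty and access is denied outright. That is the correct outcome for a risk engine, and it is why method availability per organization policy needs to be checked when thresholds are configured.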

[Diagram: Step-Up Authentication Flow]


User Experience Flow

Example: Medium Risk Login

  1. User logs in from a new device

  2. System detects medium risk

  3. User is prompted for MFA

  4. User completes verification

  5. Session continues normally

Example: High Risk Login

  1. User logs in from a suspicious location

  2. System detects high risk

  3. Strong MFA is enforced

  4. Access is granted only after successful verification


Failure Handling

If step-up authentication fails:

  • User is denied access

  • Retry limits are enforced

  • Security event is logged

  • Admins may be notified based on policy


Session and Trust Handling

After successful step-up authentication:

  • Session is marked as verified

  • Trust may be temporarily cached

  • Re-authentication may be required if risk context changes


Security Controls

  • Step-up challenges are time-bound

  • MFA attempts are rate-limited

  • Strong MFA is required for elevated access

  • Authentication methods are validated per policy
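The failure handling, session and trust handling, and security controls sections above describe the lifecycle of a single step-up challenge: it is time-bound, retries are limited, success marks the session verified and caches trust, trust lapses when the risk context changes, and every outcome is logged. The following is an added example of that lifecycle (illustrative code, not the system's own implementation). The challenge TTL, attempt limit and trust TTL are hypothetical values; the clock is injectable so expiry can be exercised, and the hashed "expected code" check stands in for the method-specific verification (TOTP, email code, WebAuthn) that a real system performs elsewhere.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import Callable, Dict, List

# Constructed policy parameters (hypothetical); real values come from
# organization policy configuration.
CHALLENGE_TTL_SECONDS = 300       # step-up challenges are time-bound
MAX_ATTEMPTS = 3                  # retry limit per challenge
TRUST_TTL_SECONDS = 12 * 3600     # how long verified trust is cached


def _code_hash(code: str) -> bytes:
    # Keep only a digest of the expected value so a memory dump or log line
    # never carries the code itself.
    return hashlib.sha256(code.encode()).digest()


@dataclass
class StepUpChallenge:
    session_id: str
    method: str
    level: int                 # authentication level this method satisfies
    expected_hash: bytes
    issued_at: float
    device_id: str             # risk context captured when the challenge was issued
    ip_prefix: str
    attempts: int = 0
    resolved: bool = False


@dataclass
class SessionTrust:
    level: int
    verified_at: float
    device_id: str
    ip_prefix: str


class StepUpService:
    """Tracks active challenges, cached session trust and the audit trail."""

    def __init__(self, clock: Callable[[], float]):
        self.clock = clock                       # injectable for testing
        self.challenges: Dict[str, StepUpChallenge] = {}
        self.trust: Dict[str, SessionTrust] = {}
        self.events: List[dict] = []             # audit log entries

    def _log(self, event: str, session_id: str, **fields) -> None:
        self.events.append({"event": event, "session": session_id,
                            "at": self.clock(), **fields})

    def issue_challenge(self, session_id: str, method: str, level: int,
                        expected_code: str, device_id: str, ip_prefix: str) -> StepUpChallenge:
        ch = StepUpChallenge(session_id, method, level, _code_hash(expected_code),
                             self.clock(), device_id, ip_prefix)
        self.challenges[session_id] = ch
        self._log("step_up_triggered", session_id, method=method, level=level)
        return ch

    def verify(self, session_id: str, submitted_code: str) -> str:
        """Returns 'granted', 'denied', 'expired' or 'locked'."""
        ch = self.challenges.get(session_id)
        if ch is None or ch.resolved:
            self._log("step_up_denied", session_id, reason="no_active_challenge")
            return "denied"
        if self.clock() - ch.issued_at > CHALLENGE_TTL_SECONDS:
            ch.resolved = True                   # time-bound: a new challenge is needed
            self._log("step_up_expired", session_id)
            return "expired"
        ch.attempts += 1
        if hmac.compare_digest(ch.expected_hash, _code_hash(submitted_code)):
            ch.resolved = True
            # Session is marked verified and its trust cached with the context.
            self.trust[session_id] = SessionTrust(ch.level, self.clock(),
                                                  ch.device_id, ch.ip_prefix)
            self._log("step_up_success", session_id, method=ch.method)
            return "granted"
        if ch.attempts >= MAX_ATTEMPTS:
            ch.resolved = True                   # retry limit reached
            self._log("step_up_locked", session_id, attempts=ch.attempts)
            return "locked"
        self._log("step_up_failure", session_id, attempts=ch.attempts)
        return "denied"

    def is_trusted(self, session_id: str, device_id: str, ip_prefix: str,
                   required_level: int) -> bool:
        """Cached trust counts only while fresh, strong enough, and from the
        same risk context; otherwise it is evicted and re-authentication is due."""
        t = self.trust.get(session_id)
        if t is None:
            return False
        if self.clock() - t.verified_at > TRUST_TTL_SECONDS:
            del self.trust[session_id]
            self._log("trust_expired", session_id)
            return False
        if (t.device_id, t.ip_prefix) != (device_id, ip_prefix):
            del self.trust[session_id]
            self._log("reauth_required", session_id, reason="context_changed")
            return False
        return t.level >= required_level
```

Two design points worth noting: a locked or expired challenge is marked resolved rather than deleted, so a late correct answer is still rejected until a fresh challenge is issued, and the trust check compares the current device and network against what was verified, which is what makes "re-authentication may be required if risk context changes" enforceable rather than advisory.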


Audit and Logging

The following events are recorded:

  • Step-up triggered

  • Method requested

  • Verification success or failure

  • Policy decision applied

Logs are available for security review and compliance audits.

Last updated