How step-up authentication works
With step-up authentication, sessions carry an assurance level that reflects how the user proved their identity. A session opened with just a password sits at a lower level than one confirmed with a passkey or a push approval. Applications and policies then declare the assurance required for specific resources or actions: viewing a dashboard may need only the base level, while changing payout details, exporting data, or entering an admin console demands more.
When a request arrives without sufficient assurance, the user is not rejected; they are challenged. The identity provider prompts for the additional factor, upgrades the session's assurance level on success, and lets the action proceed. Standards support this pattern: OIDC conveys authentication context through claims such as acr, so an application can request and verify the strength of the authentication that backed a token.
Why step-up authentication matters
Uniform security forces a bad trade: either every login is heavy, which drives users to resent and circumvent controls, or every login is light, which underprotects the actions that actually matter. Step-up resolves the trade by spending friction exactly where risk concentrates. Everyday work stays fast, and the rare sensitive operation gets bank-grade verification.
It also blunts session theft. An attacker who hijacks a signed-in session still hits a wall at the moments that matter most, because transferring money, changing credentials, or granting permissions triggers a fresh challenge the attacker cannot answer. In effect, step-up shrinks the blast radius of any single compromised session.
Step-up authentication in practice
Start by classifying actions, not applications: payments, credential and recovery changes, role grants, data exports, and admin operations are the usual step-up candidates. Define which factors satisfy which level, preferring phishing-resistant options such as passkeys for the top tier, and set how long an elevated level remains valid before it decays back down.
Avoid two common mistakes: challenging so often that users develop approval fatigue, and accepting a weak second factor for the highest tier, which defeats the purpose. Step-up combines naturally with adaptive authentication, letting risk signals trigger a challenge even for normally low-risk actions. Monosign provides adaptive and step-up MFA policies, so administrators can require stronger factors for designated applications and sensitive operations.