# Step-Up authentication

### Scope <a href="#scope" id="scope"></a>

This document defines how **Step-Up Authentication** is applied for **Business Accounts** when a login attempt is identified as risky.

Step-Up Authentication requires users to complete **additional verification steps** beyond their primary login method.

***

### Purpose <a href="#purpose" id="purpose"></a>

Step-Up Authentication is designed to:

* Reduce account takeover risk
* Apply stronger authentication only when risk is detected
* Protect sensitive business data and operations
* Maintain a smooth user experience for low-risk logins

***

### When Step-Up Authentication Is Triggered <a href="#when-step-up-authentication-is-triggered" id="when-step-up-authentication-is-triggered"></a>

Step-Up Authentication is enforced when:

* One or more **Risk Detection Signals** exceed configured thresholds
* Organization security policies require additional verification
* Users attempt to access sensitive resources or elevated privileges

***

### Trigger Conditions <a href="#trigger-conditions" id="trigger-conditions"></a>

```
Trigger Conditions
├── Medium risk login attempt
├── High risk login attempt
├── Access to sensitive resources
├── Policy-based enforcement
└── Compliance requirements
```

***

### Step-Up Authentication Methods <a href="#step-up-authentication-methods" id="step-up-authentication-methods"></a>

The system may require one or more of the following:

#### Supported Methods <a href="#supported-methods" id="supported-methods"></a>

* MFA via Authenticator App (TOTP)
* Email verification codes
* Passkeys (FIDO2 / WebAuthn)
* Backup recovery codes (limited use)

> Available methods depend on organization policy configuration.

***

### Authentication Strength Levels <a href="#authentication-strength-levels" id="authentication-strength-levels"></a>

```
Authentication Levels
├── Level 1: Primary authentication only
├── Level 2: Primary + one MFA factor
└── Level 3: Strong MFA (phishing-resistant)
```

| **Risk Level** | **Required Authentication** |
| -------------- | --------------------------- |
| Low            | Level 1                     |
| Medium         | Level 2                     |
| High           | Level 3                     |

***

### Step-Up Decision Flow <a href="#step-up-decision-flow" id="step-up-decision-flow"></a>

1. User submits primary credentials
2. System evaluates risk signals
3. Risk score is calculated
4. Step-up requirement is determined
5. User is prompted for additional verification
6. Access is granted or denied

*Figure: Step-Up Authentication Flow*

***

### User Experience Flow <a href="#user-experience-flow" id="user-experience-flow"></a>

#### Example: Medium Risk Login <a href="#example-medium-risk-login" id="example-medium-risk-login"></a>

1. User logs in from a new device
2. System detects medium risk
3. User is prompted for MFA
4. User completes verification
5. Session continues normally

#### Example: High Risk Login <a href="#example-high-risk-login" id="example-high-risk-login"></a>

1. User logs in from a suspicious location
2. System detects high risk
3. Strong MFA is enforced
4. Access is granted only after successful verification

***

### Failure Handling <a href="#failure-handling" id="failure-handling"></a>

If step-up authentication fails:

* User is denied access
* Retry limits are enforced
* Security event is logged
* Admins may be notified based on policy

***

### Session and Trust Handling <a href="#session-and-trust-handling" id="session-and-trust-handling"></a>

After successful step-up authentication:

* Session is marked as verified
* Trust may be temporarily cached
* Re-authentication may be required if risk context changes

***

### Security Controls <a href="#security-controls" id="security-controls"></a>

* Step-up challenges are time-bound
* MFA attempts are rate-limited
* Strong MFA is required for elevated access
* Authentication methods are validated per policy

***

### Audit and Logging <a href="#audit-and-logging" id="audit-and-logging"></a>

The following events are recorded:

* Step-up triggered
* Method requested
* Verification success or failure
* Policy decision applied

Logs are available for security review and compliance audits.
