> For the complete documentation index, see [llms.txt](https://oten.gitbook.io/identity-support/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://oten.gitbook.io/identity-support/user-guide/organization-admin-app/business-owner-default-authority/security-and-governance/enforcing-stronger-authentication-for-risky-login-behavior/step-up-authentication.md).

# Step-Up authentication

### Scope <a href="#scope" id="scope"></a>

This document defines how **Step-Up Authentication** is applied for **Business Accounts** when a login attempt is identified as risky.

Step-Up Authentication requires users to complete **additional verification steps** beyond their primary login method.

***

### Purpose <a href="#purpose" id="purpose"></a>

Step-Up Authentication is designed to:

* Reduce account takeover risk
* Apply stronger authentication only when risk is detected
* Protect sensitive business data and operations
* Maintain a smooth user experience for low-risk logins

***

### When Step-Up Authentication Is Triggered <a href="#when-step-up-authentication-is-triggered" id="when-step-up-authentication-is-triggered"></a>

Step-Up Authentication is enforced when:

* One or more **Risk Detection Signals** exceed configured thresholds
* Organization security policies require additional verification
* Users attempt to access sensitive resources or elevated privileges

***

### Trigger Conditions <a href="#trigger-conditions" id="trigger-conditions"></a>

`Trigger Conditions ├── Medium risk login attempt ├── High risk login attempt ├── Access to sensitive resources ├── Policy-based enforcement └── Compliance requirements`

***

### Step-Up Authentication Methods <a href="#step-up-authentication-methods" id="step-up-authentication-methods"></a>

The system may require one or more of the following:

#### Supported Methods <a href="#supported-methods" id="supported-methods"></a>

* MFA via Authenticator App (TOTP)
* Email verification codes
* Passkeys (FIDO2 / WebAuthn)
* Backup recovery codes (limited use)

> Available methods depend on organization policy configuration.

***

### Authentication Strength Levels <a href="#authentication-strength-levels" id="authentication-strength-levels"></a>

`Authentication Levels ├── Level 1: Primary authentication only ├── Level 2: Primary + one MFA factor └── Level 3: Strong MFA (phishing-resistant)`

| **Risk Level** | **Required Authentication** |
| -------------- | --------------------------- |
| Low            | Level 1                     |
| Medium         | Level 2                     |
| High           | Level 3                     |

***

### Step-Up Decision Flow <a href="#step-up-decision-flow" id="step-up-decision-flow"></a>

1. User submits primary credentials
2. System evaluates risk signals
3. Risk score is calculated
4. Step-up requirement is determined
5. User is prompted for additional verification
6. Access is granted or denied

…*Step-Up Authentication Flow*

***

### User Experience Flow <a href="#user-experience-flow" id="user-experience-flow"></a>

#### Example: Medium Risk Login <a href="#example-medium-risk-login" id="example-medium-risk-login"></a>

1. User logs in from a new device
2. System detects medium risk
3. User is prompted for MFA
4. User completes verification
5. Session continues normally

#### Example: High Risk Login <a href="#example-high-risk-login" id="example-high-risk-login"></a>

1. User logs in from suspicious location
2. System detects high risk
3. Strong MFA is enforced
4. Access is granted only after successful verification

***

### Failure Handling <a href="#failure-handling" id="failure-handling"></a>

If step-up authentication fails:

* User is denied access
* Retry limits are enforced
* Security event is logged
* Admins may be notified based on policy

***

### Session and Trust Handling <a href="#session-and-trust-handling" id="session-and-trust-handling"></a>

After successful step-up authentication:

* Session is marked as verified
* Trust may be temporarily cached
* Re-authentication may be required if risk context changes

***

### Security Controls <a href="#security-controls" id="security-controls"></a>

* Step-up challenges are time-bound
* MFA attempts are rate-limited
* Strong MFA is required for elevated access
* Authentication methods are validated per policy

***

### Audit and Logging <a href="#audit-and-logging" id="audit-and-logging"></a>

The following events are recorded:

* Step-up triggered
* Method requested
* Verification success or failure
* Policy decision applied

Logs are available for security review and compliance audits.
