Gateway (WAF)-triggered step-up
Ideally, applications that require a higher authentication level are identified in the Airlock Gateway (WAF) by separate mappings, each requiring a role; the missing role is what triggers the step-up.
The Gateway (WAF) can then enforce that the required roles are granted and that step-up authentication was successful.
Application-triggered step-up
However, there are situations in which only the logic of the target application can decide whether a step-up is required.
This is usually the case when a user performs a critical operation in an application and this critical operation cannot be separated from other operations by means of Airlock Gateway (WAF) mappings.
Examples:
- User is authenticated weakly for a webshop, then executes a transaction involving a lot of money. The application may then decide that the session must be upgraded by asking for a second factor.
- A portal consists of a half-public (weak authentication) and a restricted (strong authentication) area, but it cannot be split accordingly using Airlock Gateway (WAF) mappings. The application then triggers the step-up when the user accesses the restricted part for the first time in the session.
Note that this is not the same as transaction approval. Here, the session is upgraded whereas transaction approval secures only one specific transaction.
Application-triggered step-up may be necessary, but it is less secure than its Gateway (WAF)-triggered counterpart.
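The two variants above, together with the distinction from transaction approval, as an added illustrative model in Python. This is not Airlock IAM or Gateway code; the mapping paths, role names and the amount limit are constructed for the example.

```python
from dataclasses import dataclass, field

# Constructed model of Gateway-triggered vs. application-triggered step-up.
# None of these names are Airlock IAM/Gateway API; they only illustrate the flow.

@dataclass
class Session:
    roles: set = field(default_factory=set)

# Gateway (WAF)-triggered variant: each mapping lists the roles it requires.
# The gateway lets a request through only if the session holds every role;
# a missing role is the signal that sends the user into the step-up flow
# (here: completing the second factor grants the role "strong").
MAPPINGS = {"/shop/": {"weak"}, "/account/settings": {"weak", "strong"}}

def gateway_decide(session, path):
    """Return "allow" if the session satisfies the matching mapping, else "step-up"."""
    required = next((r for prefix, r in MAPPINGS.items() if path.startswith(prefix)), set())
    return "allow" if not (required - session.roles) else "step-up"

# Application-triggered variant: one mapping covers every shop request, so only
# the application knows that a payment above the limit is a critical operation.
STEP_UP_LIMIT = 1000  # constructed threshold

def app_checkout(session, amount, second_factor_ok=None):
    """Run a checkout; upgrades the whole SESSION once the second factor succeeds."""
    if amount < STEP_UP_LIMIT or "strong" in session.roles:
        return "completed"
    if second_factor_ok is None:
        return "step-up required"      # application asks the user for the 2nd factor
    if not second_factor_ok:
        return "denied"
    session.roles.add("strong")        # session upgrade: persists for later requests
    return "completed"

def transaction_approval(session, amount, approval_ok):
    """Contrast: approve exactly ONE transaction without changing the session level."""
    return "completed" if approval_ok else "denied"
```

After a successful step-up the upgraded session also passes the restricted gateway mapping, whereas transaction approval leaves the session's roles untouched.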
Further information and links
- Configuration in the Loginapp REST UI: see Step-up flow-based authentication.
- Configuration in the JSP-Loginapp: 17.4.1.14. Step-up authentication configuration