10.4. Step-Up authentication

In step-up authentication, the 2nd factor is required on-demand only.

Users may access applications protected by "weak" authentication (e.g. username and password) and do not have to provide the 2nd factor until a better-protected application requires it.

Consider the following example:

Login-step 1 and 2

  • 1.
    The user logs in using username and password. This login gives access to all applications protected by role weak.
  • 2.
    The user tries to access an application requiring role strong and is therefore sent back to the login application.
  • 3.
    The login application finds out how to further authenticate the user and - in the above example - asks the user to enter a token code.
  • 4.
    After verifying the 2nd factor, the role strong is granted.
  • Note that the user only has to enter the 2nd factor when accessing the application protected with role strong because the 1st factor has already been checked earlier in the session.

Note that the role strong may be issued for only a certain amount of time. See section about role timeouts in 12.2.1. Basic access control concepts.

Further information and links