Gateway (WAF)- vs. application-triggered step-up

Gateway (WAF)-triggered step-up

Ideally, applications requiring higher authentication levels are determined in the Airlock Gateway (WAF) with separate mappings requiring a role that triggers the step-up.

The Gateway (WAF) can then enforce that the required roles are granted and that step-up authentication was successful.

Application-triggered step-up

However, there are situations in which only the logic of the target application can decide whether a step-up is required or not.

This is usually the case when a user performs a critical operation in an application and this critical operation cannot be separated from other operations by means of Airlock Gateway (WAF) mapping.


  • User is authenticated weakly for a webshop, then executes a transaction involving a lot of money. The application may then decide that the session must be upgraded by asking for a 2nd factor.
  • Note that this is not the same as transaction approval. Here, the session is upgraded whereas transaction approval secures only one specific transaction.

  • A portal consists of a half-public (weak authentication) and a restricted (strong authentication) area but it cannot be split accordingly using Airlock Gateway (WAF) mappings. The application then triggers the step-up when the user accesses the restricted part for the first time in the session.

Application-triggered Step-Up can be necessary but it is less secure than its Gateway (WAF)-triggered counterpart.