Gateway- vs. application-triggered step-up

Gateway-triggered step-up

Ideally, applications that require a higher authentication level are identified in the Airlock Gateway by separate mappings, each requiring a role that triggers the step-up.

The Gateway can then enforce that the required roles are granted and that step-up authentication was successful.

Application-triggered step-up

However, there are situations in which only the logic of the target application can decide whether a step-up is required or not.

This is usually the case when a user performs a critical operation in an application and this critical operation cannot be separated from other operations by means of Airlock Gateway mapping.


  • A user is weakly authenticated for a webshop, then executes a transaction involving a lot of money. The application may then decide that the session must be upgraded by asking for a 2nd factor.
  • Note that this is not the same as transaction approval. Here, the session is upgraded whereas transaction approval secures only one specific transaction.

  • A portal consists of a half-public (weak authentication) and a restricted (strong authentication) area, but it cannot be split accordingly using Airlock Gateway mappings. The application then triggers the step-up when the user accesses the restricted part for the first time in the session.

Application-triggered step-up can be necessary, but it is less secure than its Gateway-triggered counterpart.
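
The webshop case above, as an added example that is not Airlock configuration or API: a mapping-based decision sees only the path, while the application sees the amount, and a successful step-up upgrades the whole session. The role name, threshold, paths and function names are all assumptions made for illustration.

```python
# Added illustration; every name here is hypothetical, not Airlock configuration or API.
from dataclasses import dataclass, field

STRONG_ROLE = "strong"      # assumed role granted after a successful 2nd factor
STEP_UP_THRESHOLD = 1000    # assumed business rule: larger amounts need step-up

# Gateway-style view: each mapping (path prefix) names the role it requires.
MAPPINGS = {"/shop/": None, "/admin/": STRONG_ROLE}

@dataclass
class Session:
    user: str
    roles: set = field(default_factory=set)

def gateway_decision(session, path):
    """Gateway-triggered: decided from the mapping alone, before the app runs."""
    for prefix, required in MAPPINGS.items():
        if path.startswith(prefix):
            if required and required not in session.roles:
                return "step-up"
            return "forward"
    return "deny"  # no mapping matches the path

def app_checkout(session, amount):
    """Application-triggered: one URL serves every order, so only the app
    can tell a critical operation from an ordinary one."""
    if amount > STEP_UP_THRESHOLD and STRONG_ROLE not in session.roles:
        return "step-up"
    return "order-placed"

def complete_step_up(session):
    """A successful 2nd factor upgrades the session, not a single transaction."""
    session.roles.add(STRONG_ROLE)

def demo():
    s = Session("alice")  # weakly authenticated, no roles yet
    results = [
        gateway_decision(s, "/shop/checkout"),  # mapping cannot see the amount
        app_checkout(s, 50),                    # ordinary order
        app_checkout(s, 5000),                  # app asks for the 2nd factor
    ]
    complete_step_up(s)
    results += [app_checkout(s, 5000), app_checkout(s, 9000),  # session stays upgraded
                gateway_decision(s, "/admin/users")]
    return results

if __name__ == "__main__":
    print(demo())
```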

Further information and links

  • Configuration in the Loginapp UI: see Step-up.