However, there are situations in which only the logic of the target application can decide whether a step-up is required or not.
This is usually the case when a user performs a critical operation in an application and this critical operation cannot be separated from other operations by means of Airlock Gateway mapping.
Examples:
- A user is weakly authenticated for a webshop and then executes a transaction involving a lot of money. The application may then decide that the session must be upgraded by asking for a second factor.
  Note that this is not the same as transaction approval: here the session is upgraded, whereas transaction approval secures only one specific transaction.
- A portal consists of a half-public area (weak authentication) and a restricted area (strong authentication), but it cannot be split accordingly using Airlock Gateway mappings. The application then triggers the step-up when the user accesses the restricted part for the first time in the session.
Application-triggered Step-Up can be necessary, but it is less secure than its Gateway-triggered counterpart.