Step-up describes the upgrade of an already authenticated session to a higher security level by running through at least one additional authentication step.
Example: the system protects two target applications, Portal and E-Banking.
- The Portal application is protected by a username/password step.
- The E-Banking application additionally requires the completion of an mTAN step.
Assume the user first accesses the Portal, for which only a username/password is required. If the user later decides to access the E-Banking application, the step-up concept exempts the user from repeating the username/password step: the user only needs to provide the correct mTAN OTP.
This behavior is implemented with tags and the concept of skip conditions. A step can be skipped during the execution of a flow if all tags defined in its skip condition are already present in the session. In the example above, the username/password check step can be skipped because the success tag(s) of that step are already present in the session from the earlier Portal login. For this to work, the step must define the same tag set for Tags On Success and Skip Condition Tags. Application-triggered step-up is supported in that the triggering application can redirect the browser to the authentication flow containing the step-up step(s).
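The following is an added, simplified model of the tag/skip-condition mechanism described above; it is illustrative code, not the product's own flow engine. The step names, tag names (`auth.password`, `auth.mtan`), credential values and the `verify` callbacks are all constructed for the example. It shows the Portal-then-E-Banking sequence (only the mTAN step runs the second time), a cold E-Banking login (both steps run), and a misconfigured step whose skip condition does not match its success tags, which therefore never gets skipped.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Set

# Assumed model: a session is a set of tags; a step is skipped when every tag in its
# skip condition is already present in the session. This is not the product's code.

@dataclass(frozen=True)
class Step:
    name: str
    tags_on_success: frozenset
    skip_condition_tags: frozenset
    verify: Callable[[Dict[str, str]], bool]  # hypothetical credential check

def can_skip(step: Step, session_tags: Set[str]) -> bool:
    """Skip only if the step HAS a skip condition and ALL its tags are in the session.
    The emptiness guard matters: an empty set is a subset of anything, so a step with
    no skip condition must never be treated as skippable."""
    return bool(step.skip_condition_tags) and step.skip_condition_tags <= session_tags

def run_flow(flow: List[Step], session_tags: Set[str], creds: Dict[str, str]) -> List[str]:
    """Execute a flow against a session (mutated in place) and return the names of the
    steps that actually ran. Raises PermissionError if a non-skipped step fails, so a
    failed step-up never adds its success tags to the session."""
    executed = []
    for step in flow:
        if can_skip(step, session_tags):
            continue
        if not step.verify(creds):
            raise PermissionError(f"step {step.name!r} failed")
        session_tags |= step.tags_on_success
        executed.append(step.name)
    return executed

# Constructed sample steps. The username/password step uses the SAME tag set for
# Tags On Success and Skip Condition Tags, which is what makes step-up work.
USER_PW_TAGS = frozenset({"auth.password"})
MTAN_TAGS = frozenset({"auth.mtan"})

def check_password(creds):  # constructed stand-in for a real password verifier
    return creds.get("username") == "alice" and creds.get("password") == "correct horse"

def check_mtan(creds):  # constructed stand-in for a real OTP check
    return creds.get("mtan") == "123456"

USERNAME_PASSWORD = Step("username-password", USER_PW_TAGS, USER_PW_TAGS, check_password)
MTAN = Step("mtan", MTAN_TAGS, MTAN_TAGS, check_mtan)
# Misconfigured variant: skip condition does not match the success tags.
MISCONFIGURED_PW = Step("username-password", USER_PW_TAGS,
                        frozenset({"auth.password.strong"}), check_password)

PORTAL_FLOW = [USERNAME_PASSWORD]
EBANKING_FLOW = [USERNAME_PASSWORD, MTAN]

def stepup_scenario():
    """Portal first, then E-Banking: the second flow should only run the mTAN step."""
    session: Set[str] = set()
    first = run_flow(PORTAL_FLOW, session, {"username": "alice", "password": "correct horse"})
    second = run_flow(EBANKING_FLOW, session, {"mtan": "123456"})
    return first, second, session

def cold_ebanking_scenario():
    """E-Banking with no prior session: both steps must run."""
    return run_flow(EBANKING_FLOW, set(),
                    {"username": "alice", "password": "correct horse", "mtan": "123456"})

def wrong_otp_scenario():
    """Step-up with a wrong OTP must fail and must not grant the mTAN tag."""
    session: Set[str] = set()
    run_flow(PORTAL_FLOW, session, {"username": "alice", "password": "correct horse"})
    try:
        run_flow(EBANKING_FLOW, session, {"mtan": "000000"})
    except PermissionError:
        return "auth.mtan" not in session
    return False

def misconfigured_scenario():
    """Mismatched tag sets: the password step is asked for again on step-up."""
    session: Set[str] = set()
    run_flow([MISCONFIGURED_PW], session, {"username": "alice", "password": "correct horse"})
    return run_flow([MISCONFIGURED_PW, MTAN], session,
                    {"username": "alice", "password": "correct horse", "mtan": "123456"})

if __name__ == "__main__":
    print(stepup_scenario())
    print(cold_ebanking_scenario())
    print(wrong_otp_scenario())
    print(misconfigured_scenario())
```

Two points worth checking in a real configuration follow directly from the model: a step without a skip condition must never be skippable (the empty-set subset pitfall in `can_skip`), and the success tags of a failed step must not land in the session, otherwise a failed step-up would still unlock the higher-security application.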