I was in a meeting today discussing some user scenarios and "Step Up Authentication" came up as a particular scenario we needed to address. But there was a disconnect in how the term was being used that led to confusion. The two usages were:
- Ann authenticates to a web site using an OpenID 2.0 credential (LOA 1). She browses to a section of the web site that contains sensitive material, and the externalized authorization engine (the PDP managing access control for the site) denies her access to that content. At that point, she is challenged to authenticate again using a higher assurance (LOA 3) credential. She successfully authenticates using an OTP credential and is granted access to the sensitive material.
- Ann authenticates to a web site using an OpenID 2.0 credential (LOA 1). During the authentication process, a user-interaction flow involving a third-party service provider is initiated that uses a customized Knowledge Based Authentication (KBA) capability. She successfully answers the questions, and her LOA for that session is "bumped up" to LOA 3. She then browses to a section of the web site that contains sensitive material, and the externalized authorization engine (the PDP managing access control for the site) permits her access to that content.
Which of the above scenarios comes under the heading of "Step Up Authentication"?
I believe that option (1) is what is meant by the term Step Up Authentication. I look at option (2) as the application of compensating controls. I would be interested in hearing if there is general consensus one way or the other around the term Step Up Authentication.
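To make the difference between the two scenarios concrete, here is an added illustration (example code written for this post, not part of the original) of where the LOA elevation is triggered in each flow. The LOA values come from the scenarios above; the resource paths, the `Session` record, and the function names are hypothetical, and the PDP is reduced to a single LOA comparison.

```python
from dataclasses import dataclass, field

# Hypothetical resource policy: minimum LOA the PDP requires per path.
RESOURCE_POLICY = {"/public": 1, "/sensitive": 3}


@dataclass
class Session:
    user: str
    loa: int                       # LOA the session currently carries
    auth_events: list = field(default_factory=list)  # (method, loa) audit trail


def pdp_decide(session: Session, resource: str):
    """PDP: PERMIT if session LOA meets policy, else DENY plus the LOA needed."""
    required = RESOURCE_POLICY[resource]
    if session.loa >= required:
        return "PERMIT", None
    return "DENY", required


def elevate_loa(session: Session, method: str, achieved_loa: int) -> None:
    """Record a further authentication and raise the session LOA to match."""
    session.auth_events.append((method, achieved_loa))
    session.loa = max(session.loa, achieved_loa)


def scenario_1():
    """Step-up: the PDP denial at access time triggers a second (OTP) login."""
    s = Session("ann", 1, [("openid2", 1)])
    decision, required = pdp_decide(s, "/sensitive")   # DENY, needs LOA 3
    if decision == "DENY":
        elevate_loa(s, "otp", required)                # challenge at the resource
        decision, _ = pdp_decide(s, "/sensitive")
    return decision, s.loa, [m for m, _ in s.auth_events]


def scenario_2():
    """Compensating control: KBA during login raises LOA before any request."""
    s = Session("ann", 1, [("openid2", 1)])
    elevate_loa(s, "kba", 3)                           # part of the login flow itself
    decision, _ = pdp_decide(s, "/sensitive")          # PDP sees LOA 3, no challenge
    return decision, s.loa, [m for m, _ in s.auth_events]


if __name__ == "__main__":
    print("scenario 1:", scenario_1())
    print("scenario 2:", scenario_2())
```

In both cases the PDP ends up permitting access at LOA 3; what differs is whether the PDP decision is the trigger for the additional authentication (scenario 1) or simply observes an LOA already raised at login (scenario 2), which the `auth_events` trail makes visible.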
This blog post first appeared on Anil John | Blog (https://blog.aniljohn.com). The opinions expressed here are my own and do not represent my employer’s view in any way.