How To Implement Step-up Authentication

Implement step-up auth using Okta and Identity Server

Photo by Johannes Plenio on Unsplash

What is step-up authentication?

Step-up authentication is a form of extra authentication used before a user tries to access or update sensitive information.

If you’ve ever been prompted for a 2FA code when updating your password or account details on a system, you’ve used step-up authentication.

The Setup — Client app, Identity Server and Okta

This tutorial assumes you already have a working system that uses Duende Identity Server and Okta as the external identity provider.
If you are using a different tech stack, the same concepts should still apply.

Here’s the setup we are using:

• Client web app — ASP.NET 4.7.2 and FormsAuthentication.
• Duende Identity Server — Version 6.0 using .NET 6.0
• Okta — Okta Classic version

How does it work?

Step-up authentication is initiated when a user updates something sensitive, such as account details:

When the user clicks on the edit button, they are redirected to Okta for 2FA: