How To Implement Step-up Authentication

Implement step-up auth using Okta and Identity Server

David Klempfner


Photo by Johannes Plenio on Unsplash

What is step-up authentication?

Step-up authentication is a form of extra authentication used before a user tries to access or update sensitive information.

If you’ve ever been prompted for a 2FA code when updating your password or account details on a system, you’ve used step-up authentication.

The Setup — Client app, Identity Server and Okta

This tutorial assumes you already have a working system that uses Duende Identity Server and Okta as the external identity provider.
If you are using a different tech stack, the same concepts should still apply.

Here’s the setup we are using:

  • Client web app — ASP.NET 4.7.2 and FormsAuthentication.
  • Duende Identity Server — Version 6.0 using .NET 6.0
  • Okta — Okta Classic version

How does it work?

Step-up authentication is initiated when a user updates something sensitive, such as account details:

When the user clicks on the edit button, they are redirected to Okta for 2FA:

Once 2FA is successful, the browser is redirected back to the original URL, but with a URL query string parameter, which is used by Javascript to open the edit account details dialog (or whatever dialog/page you’d like to show):

Implementing Step-up Authentication

The following steps are needed to implement step-up authentication:

  1. Record the last time the user did 2FA (through login or step-up auth).
  2. Check if step-up auth is required (this should happen when the user tries to update sensitive information). You need…



David Klempfner

I’m a software developer who is passionate about learning how things work behind the scenes.