How To Implement Step-up Authentication
What is step-up authentication?
Step-up authentication is an additional authentication challenge, on top of the login the user has already completed, that is demanded at the moment the user tries to access or update sensitive information.
If you’ve ever been prompted for a 2FA code when updating your password or account details on a system, you’ve used step-up authentication.
The Setup — Client app, Identity Server and Okta
This tutorial assumes you already have a working system that uses Duende Identity Server and Okta as the external identity provider.
If you are using a different tech stack, the same concepts should still apply.
Here’s the setup we are using:
- Client web app — ASP.NET on .NET Framework 4.7.2, using FormsAuthentication for the local session.
- Duende IdentityServer — version 6.0 on .NET 6.0, acting as the OpenID Connect provider for the client app.
- Okta — Okta Classic Engine, configured as the external identity provider behind IdentityServer.
How does it work?
Step-up authentication is triggered when a user tries to update something sensitive, such as their account details.
When the user clicks the edit button, the client app redirects them through IdentityServer to Okta to complete 2FA; only after that succeeds is the edit allowed.
Implementing Step-up Authentication
The following steps are needed to implement step-up authentication:
- Record, server-side, the last time the user completed 2FA (either at login or through a previous step-up).
- Check whether step-up authentication is required. This check runs when the user tries to update sensitive information, and it compares the recorded 2FA time against your freshness policy. You need…
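The two steps above, plus the verification of the result that comes back from the identity provider, as an added example. This is not code from the original tutorial or from Duende or Okta; it is written in Python so the decision and verification logic can be read independently of the ASP.NET stack. It assumes a server-side session dictionary holding the user's `sub` and `last_mfa_at` (a Unix timestamp), a 5-minute freshness policy, and that the caller has already exchanged the authorization code and validated the ID token's signature, `iss`, `aud` and `exp`. The default `acr_values` is Okta's documented 2FA assurance value, but whether it reaches Okta through IdentityServer depends on your configuration, so treat it as an assumption to verify.

```python
"""Step-up authentication: decision, request building and callback verification.

Added example; not the tutorial's own code. Session layout, the 5-minute
policy and the clock leeway are assumptions for illustration.
"""
import secrets
from urllib.parse import urlencode

STEP_UP_MAX_AGE = 5 * 60   # re-prompt for 2FA when the last one is older than this (assumed policy)
CLOCK_LEEWAY = 60          # tolerated skew between the app and the IdP, in seconds (assumed)


class StepUpError(Exception):
    """Raised when the step-up callback cannot be trusted."""


def step_up_required(session, now, max_age=STEP_UP_MAX_AGE):
    """Return True when a sensitive action must be gated by a fresh 2FA.

    session["last_mfa_at"] is the Unix time of the last verified MFA, recorded
    server-side at login or after a previous step-up, never taken from the client.
    """
    last = session.get("last_mfa_at")
    if last is None:
        return True                      # no MFA on record for this session
    if last > now + CLOCK_LEEWAY:
        return True                      # a timestamp in the future is not trustworthy
    return now - last > max_age


def build_step_up_request(authorize_endpoint, client_id, redirect_uri, session, now,
                          acr_values="urn:okta:loa:2fa:any"):
    """Build the OIDC authorize URL that forces re-authentication with MFA.

    max_age=0 and prompt=login ask the provider to re-authenticate rather than
    reuse its session, and max_age obliges it to return auth_time in the ID
    token. state and nonce are stored so the callback can be bound to exactly
    this request. The acr_values default is assumed; check what your
    IdentityServer forwards to Okta.
    """
    state = secrets.token_urlsafe(32)
    nonce = secrets.token_urlsafe(32)
    session["step_up_state"] = state
    session["step_up_nonce"] = nonce
    session["step_up_started_at"] = now
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": "openid",
        "state": state,
        "nonce": nonce,
        "max_age": 0,
        "prompt": "login",
        "acr_values": acr_values,
    }
    return f"{authorize_endpoint}?{urlencode(params)}"


def complete_step_up(session, callback_state, id_token_claims):
    """Verify the step-up callback and record the new last_mfa_at.

    Signature, iss, aud and exp are assumed to have been validated by the
    caller; this checks what is specific to step-up: binding to the pending
    request, same user, an auth_time newer than the request, and MFA in amr.
    Returns the verified auth_time.
    """
    expected_state = session.get("step_up_state", "").encode("utf-8")
    if not secrets.compare_digest(callback_state.encode("utf-8"), expected_state):
        raise StepUpError("state does not match the pending step-up request")
    nonce = str(id_token_claims.get("nonce", "")).encode("utf-8")
    if not secrets.compare_digest(nonce, session.get("step_up_nonce", "").encode("utf-8")):
        raise StepUpError("nonce does not match the pending step-up request")
    if id_token_claims.get("sub") != session.get("sub"):
        raise StepUpError("ID token is for a different user than the current session")
    auth_time = id_token_claims.get("auth_time")
    if not isinstance(auth_time, int):
        raise StepUpError("ID token carries no auth_time; max_age was not honoured")
    if auth_time < session["step_up_started_at"] - CLOCK_LEEWAY:
        raise StepUpError("auth_time predates the step-up request; an old login was reused")
    if "mfa" not in id_token_claims.get("amr", []):
        raise StepUpError("authentication did not include a second factor")
    session["last_mfa_at"] = auth_time       # the only place this value is ever written
    for key in ("step_up_state", "step_up_nonce", "step_up_started_at"):
        session.pop(key, None)
    return auth_time
```

The freshness check deliberately trusts `auth_time` from the provider's ID token rather than the wall clock at the moment the callback arrives, and it refuses a token whose `auth_time` is older than the request that was just issued: that is the case where the provider silently reused an existing session instead of re-prompting, which would defeat the step-up entirely.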