Step-up

When the end-user has authenticated with a method whose authentication level is below the level required, they must perform step-up. Step-up raises the authentication level of the session for the remainder of that session.

An authentication level is a quantification of the strength of an authentication mechanism.

There are several authentication mechanisms that allow an end-user to perform step-up authentication:

  • PIN
  • SMS
  • Email message
  • Time based one time password (like Google authenticator)
  • Externally delivered code (e.g. via letter)
  • Mobile step-up authentication (provided by the Onegini Token Server)

What is required?

To successfully complete this topic guide, make sure the following prerequisites are met:

  • An Onegini IDP instance must be running; for the sake of this guide we assume it is available under the http://localhost address
  • Access to the Onegini IDP admin console

Configuration

Log in to the admin console and browse to: Smart Security -> Step-up authentication.

On this page you can define the authentication level for every available step-up method. Once the user has completed a specific step-up authentication method, the authentication level in their session becomes the level configured for the step-up method they completed.

Additionally, you can configure a number of mobile step-up authentication properties. These are explained in the mobile step-up authentication topic guide.

Step-up method priority configuration

Onegini IDP allows you to configure the priority of the supported step-up methods. This configuration can be changed in the Admin Panel under Smart Security -> Step-up authentication -> Preferred step-up method handling. There are two ways of configuring this priority:

  • strongest available - the step-up authentication method with the highest authentication level is chosen; the user's preferred step-up method is ignored
  • user's preference (default value) - the user's preferred step-up method is chosen, even if another method with a higher authentication level is available

If several available step-up methods share the highest authentication level, or the user has no preferred step-up method defined, the step-up method is chosen based on the following order:

  order   step-up method
  -----   -------------------------------
  1       mobile authentication
  2       time based one time password
  3       pin
  4       sms
  5       email message
  6       externally delivered code
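The selection rules above, modelled as an added Python example (not Onegini's own code): whether a session needs step-up, which method is chosen under each handling mode, the fixed tie-break order, and the session level after a completed step-up. The method levels and session values are constructed sample data, not a real Onegini IDP configuration.

```python
# Added example (not Onegini's own code): models the step-up selection rules
# from this guide. Levels and session state are constructed sample values.
from dataclasses import dataclass
from typing import Dict, Optional

# Fixed tie-break order from the guide (earlier entry wins).
TIE_BREAK_ORDER = [
    "mobile authentication",
    "time based one time password",
    "pin",
    "sms",
    "email message",
    "externally delivered code",
]


@dataclass
class Session:
    authentication_level: int                 # level granted by the login method used
    preferred_method: Optional[str] = None    # user's preferred step-up method, if any


def needs_step_up(session: Session, required_level: int) -> bool:
    """Step-up is required when the session level is below the required level."""
    return session.authentication_level < required_level


def choose_step_up_method(session: Session, available: Dict[str, int],
                          handling: str = "user's preference") -> str:
    """Pick the step-up method for the configured handling mode.

    available: mapping of step-up method name -> configured authentication level
    handling:  "strongest available" or "user's preference" (the default)
    """
    if not available:
        raise ValueError("no step-up method is available")
    if handling == "user's preference" and session.preferred_method in available:
        return session.preferred_method
    # "strongest available", or no usable preference: take the highest level
    # and break ties with the fixed order from the guide.
    top = max(available.values())
    candidates = [m for m, lvl in available.items() if lvl == top]
    return min(candidates, key=TIE_BREAK_ORDER.index)


def complete_step_up(session: Session, method: str, available: Dict[str, int]) -> int:
    """After a successful step-up the session carries the completed method's level."""
    session.authentication_level = available[method]
    return session.authentication_level
```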