When the end-user uses an authentication method that is below the required authentication level, they must perform step-up. This increases the aforementioned authentication level for the duration of the session.

An authentication level is a quantification of the strength of an authentication mechanism.

There are several authentication mechanisms that allow an end-user to perform step-up authentication:

  • PIN
  • SMS
  • Email message
  • Time based one time password (like Google authenticator)
  • Externally delivered code (e.g. via letter)
  • Mobile step-up authentication (provided by the Onegini Token Server)

What is required?

To successfully complete this topic guide you need to ensure following prerequisites:

  • Onegini IdP instance must to be running, for the sake of this guide we assume it's available under the http://localhost address
  • access to Onegini IdP admin console


Login to the admin console and browse to: Smart Security -> Step-up authentication.

On this page you can define the authentication level for every available step-up method. Once the user has completed a specific step-up authentication method the authentication level in their session will have the level of the step-up authentication method that they have completed.

Additionally, you can configure a number of mobile step-up authentication properties. These are explained in the mobile step-up authentication topic guide.

Step-up method priority configuration

Onegini IdP allows to configure priority of supported step up methods. This configuration can be changed in Admin Panel in Smart Security -> Step-up authentication -> Preferred step-up method handling section. There are two ways of configuring this priority:

  • strongest available - step-up authentication method with highest authentication level will be chosen, user's preferred step up method will be ignored
  • user's preference (default value) - user's preferred step-up method will be chosen, even if other method with higher authentication level is available

In case there are multiple step-up methods with highest authentication level available or user has no preferred step-up method defined, then step-up method is chosen based on the following order:

order step-up method
1 mobile authentication
2 time based one time password
3 pin
4 sms
5 email message
6 externally delivered code