On this page
- Definition and key distinctions
- High-risk action triggers in ecommerce
- Recovery paths as attack surfaces
- Effectiveness
- ATO attack landscape
- Step-up / passkey effectiveness (practitioner anecdotes — unnamed retailers)
- UX considerations
- Friction from poor authentication generally
- Passkey-based step-up reduces friction vs password-based step-up
- Friction cost of step-up at scale
- The MFA fatigue benefit
- SMS OTP as step-up factor — discouraged
- Standards and protocols
- RFC 9470 — OAuth 2.0 Step Up Authentication Challenge Protocol
- FIDO2 / WebAuthn as the recommended step-up factor
- Trend toward transaction-based trust
- EU Digital Identity (EUDI) wallet
- Platform specifics
- Shopify
- Descope / platform integrations
- commercetools
- Vendor landscape
- Key terms
- Frontier links
Step-Up Authentication
A mid-session security pattern in which an ecommerce platform begins a session at a lower trust level and requires additional verification only when a user attempts a high-risk action — such as changing account credentials, redeeming loyalty points, or purchasing gift cards. It is the critical choke point in Account Takeover Fraud → gift card / loyalty fraud cash-out chains.
Definition and key distinctions
Ping Identity (2024-05-24, updated 2026-03-10) defines step-up authentication as "a security approach where users supply their primary login credentials to initially access a system but are prompted with an additional authentication step only when they meet specific conditions — it happens during the session, not at login."
Three patterns are frequently conflated:
| Pattern | When it fires | How it decides | Example |
|---|---|---|---|
| Step-up authentication | Mid-session, on specific actions | Static action-type rules | Always prompt before gift card redemption |
| Adaptive / risk-based MFA | Mid-session, on risk signals | Dynamic real-time assessment | Prompt when device fingerprint is new |
| Login-time MFA | At session start | Configured policy | Require TOTP for every login |
Ping Identity (2024-05-24) draws the distinction clearly: "You can think of step-up checks as a static method, while adaptive authentication is dynamic." Descope (2025-12-16) echoes this: "While adaptive MFA only kicks in when certain risk signals raise red flags, step-up authentication always takes effect if the user attempts certain actions."
Step-up is also distinct from full logout: the user remains in session and receives an inline or modal verification prompt; after successful verification, the high-risk action proceeds. No re-login flow is required.
Step-up vs adaptive MFA — definitional tension: Ping Identity (2024-05-24) and Descope (2025-12-16) treat step-up as strictly static (action-type rules) vs adaptive as dynamic (risk signals). However, MojoAuth's 2026 ATO playbook (2026-05-09) and Shopify's 2026 guide (2026-03-17) describe implementations that blend both — using action-type triggers AND real-time risk signals within the same "step-up" label. The field uses the terms inconsistently; the 2026 consensus position treats them as complementary layers rather than alternatives. Sources: Ping Identity · Descope · MojoAuth/Security Boulevard · Shopify
High-risk action triggers in ecommerce
Shopify's 2026 customer authentication best-practices guide (2026-03-17) specifies: "Require step-up authentication when a customer action directly affects money, identity, or account ownership."
Shopify lists the following explicit triggers:
- Changing shipping address, email, or phone number
- Updating or adding a payment method
- Placing unusually large or high-value orders
- Redeeming gift cards, store credit, or loyalty balances
- Logging in after suspicious or abnormal activity
- Login from new or unrecognized device
- IP/location anomaly or impossible travel
- Multiple failed login attempts
- Bot-activity signals
Ping Identity (2024-05-24) adds: international orders, high-value wire transfers, and accessing sensitive account history data.
MojoAuth (2026-05-09) adds an "account value" trigger: accounts holding more than $500 in stored loyalty points or a saved high-limit credit card should trigger step-up on any account-detail change, regardless of other signals (as-of 2026-05-09; vendor recommendation, no independent study cited).
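The following is an added example, not code from Shopify, Ping Identity or MojoAuth, showing how the three layers above fit together in one mid-session decision: static action-type rules (step-up proper), the account-value rule, and real-time risk signals (the adaptive layer). The action names, thresholds (500 USD, three failed logins, a 0.8 bot score, a 300-second freshness window) and the `Session` fields are assumptions for illustration.

```python
"""Mid-session step-up decision for one requested action.

Combines the three layers this page describes: static action-type rules
(step-up proper), the account-value rule, and real-time risk signals
(adaptive MFA).  Thresholds and field names are assumptions for the example.
"""
from dataclasses import dataclass, field

# Actions that directly affect money, identity, or account ownership.
# Illustrative set based on the trigger lists above, not a vendor's list.
ALWAYS_STEP_UP = {
    "change_email", "change_phone", "change_shipping_address",
    "add_payment_method", "update_payment_method",
    "redeem_gift_card", "redeem_store_credit", "redeem_loyalty_points",
    "password_reset", "support_assisted_access",
}
ACCOUNT_DETAIL_CHANGES = {
    "change_email", "change_phone", "change_shipping_address",
    "add_payment_method", "update_payment_method",
}
HIGH_VALUE_ORDER_USD = 500.0   # assumed "unusually large order" threshold
ACCOUNT_VALUE_USD = 500.0      # stored-value threshold, as in the MojoAuth rule
MAX_FAILED_LOGINS = 3          # assumed
BOT_SCORE_THRESHOLD = 0.8      # assumed score from an upstream bot detector
FRESHNESS_SECONDS = 300        # assumed: one verification covers 5 minutes


@dataclass
class Session:
    user_id: str
    device_known: bool
    impossible_travel: bool = False
    failed_logins: int = 0
    bot_score: float = 0.0
    stored_value_usd: float = 0.0
    saved_high_limit_card: bool = False
    # action -> epoch seconds of the last successful step-up for that action
    verified_at: dict = field(default_factory=dict)


@dataclass
class Decision:
    step_up: bool
    reasons: list
    required_factor: str = None   # "any" or "phishing_resistant" when step_up


def decide(session, action, now, order_total_usd=0.0):
    """Return whether `action` needs a step-up prompt right now, and why.

    Call this only for account-scoped actions; plain browsing is never
    gated, so risk signals alone do not interrupt a window-shopper.
    """
    reasons = []

    # 1. Static action-type rules: fire every time, regardless of risk.
    if action in ALWAYS_STEP_UP:
        reasons.append(f"static:{action}")
    if action == "place_order" and order_total_usd >= HIGH_VALUE_ORDER_USD:
        reasons.append("static:high_value_order")

    # 2. Account-value rule: any detail change on a high-value account.
    if action in ACCOUNT_DETAIL_CHANGES and (
        session.stored_value_usd > ACCOUNT_VALUE_USD
        or session.saved_high_limit_card
    ):
        reasons.append("account_value")

    # 3. Adaptive layer: real-time risk signals on the session itself.
    if not session.device_known:
        reasons.append("risk:new_device")
    if session.impossible_travel:
        reasons.append("risk:impossible_travel")
    if session.failed_logins >= MAX_FAILED_LOGINS:
        reasons.append("risk:failed_logins")
    if session.bot_score >= BOT_SCORE_THRESHOLD:
        reasons.append("risk:bot_signal")

    if not reasons:
        return Decision(False, [])

    # 4. Do not re-prompt for an action verified moments ago: this is what
    #    keeps the MFA-fatigue benefit.  Risk signals are never cached away,
    #    though: a session that just became risky is prompted again.
    risky = any(r.startswith("risk:") for r in reasons)
    last = session.verified_at.get(action)
    if last is not None and now - last <= FRESHNESS_SECONDS and not risky:
        return Decision(False, reasons + ["suppressed:recent_verification"])

    # High-value accounts and risky sessions get a phishing-resistant factor
    # (passkey / security key); everything else may use any configured factor.
    factor = "phishing_resistant" if (risky or "account_value" in reasons) else "any"
    return Decision(True, reasons, factor)


def record_step_up(session, action, now):
    """Call after the user passes the step-up factor for `action`."""
    session.verified_at[action] = now
```

The `reasons` list is what a practitioner wants in the audit log: it separates "this action always requires step-up" from "this session looked risky", which is exactly the distinction the definitional-tension note above says the vendors blur. The freshness cache is per action, not per session, so passing step-up for a gift-card redemption does not unlock an email change.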
Recovery paths as attack surfaces
Shopify (2026-03-17) notes: "Recovery is part of authentication — password resets, contact detail changes, and support-assisted access require verification because attackers often target these paths to bypass login protections."
Effectiveness
ATO attack landscape
- The Sift Q4 2025 Digital Trust Index found ecommerce ATO attack rates running roughly 3.4× the cross-industry average, with average confirmed ATO loss per retail account of $442 (as-of Q4 2025; vendor data, Sift). (Source: MojoAuth/Security Boulevard, 2026-05-09)
- ATO attack rates on ecommerce increased 148% year-over-year; mid-market sites ($10M–$250M GMV) saw 167% YoY vs 121% for enterprise (as-of Q4 2025; vendor data, Sift). (Source: MojoAuth/Security Boulevard, 2026-05-09)
- The FBI's 2024 Internet Crime Report recorded losses exceeding $16 billion from credential-based breaches, a 33% increase from the prior year (as-of 2024; cited secondarily by [Shopify](https://www.shopify.com/enterprise/blog/customer-authentication-best-practices), 2026-03-17).
Step-up / passkey effectiveness (practitioner anecdotes — unnamed retailers)
- A footwear retailer cited by MojoAuth (2026-05-09) enrolled 38% of returning customers in passkeys within 90 days; confirmed ATO incidents on passkey-enrolled accounts dropped to zero over the subsequent two quarters, while password-only accounts continued to see approximately 0.4% ATO per month (as-of 2026-05; anecdotal, no retailer named).
- A specialty grocer cited by MojoAuth (2026-05-09) required passkeys for accounts holding more than $200 in stored credit; loyalty fraud loss on those accounts fell 94% in the first six months (as-of 2026-05; anecdotal, no retailer named, low confidence).
- The FIDO Alliance (2025) reported zero confirmed credential-phishing takeovers across passkey-enabled accounts in its state of passkey authentication study, cited secondarily by MojoAuth (2026-05-09).
- Verizon's 2025 DBIR found that approximately 88% of basic web application breaches involve stolen credentials, and MFA prompt bombing appears in 14% of incidents (as-of 2025; cited secondarily by [Shopify](https://www.shopify.com/enterprise/blog/customer-authentication-best-practices), 2026-03-17).
- The 2025 Loyalty Security Alliance report estimated $1 billion in loyalty points fraud across North American retail in 2024 (as-of 2025; cited secondarily by [MojoAuth/Security Boulevard](https://securityboulevard.com/2026/05/account-takeover-protection-for-online-retailers-a-2026-defense-playbook/), 2026-05-09).
UX considerations
Step-up authentication introduces mid-session friction. The key finding across sources is that the friction cost depends heavily on the verification method chosen.
Friction from poor authentication generally
- 42% of consumers abandoned a purchase and 56% gave up on accessing a service entirely because they forgot their password (FIDO Alliance 2024 Authentication Barometer Report, as-of 2024-10-29; cited by Descope, 2025-12-16).
- 82% of consumers have backed out of an online purchase because creating an account was too complicated (Capterra research cited by Descope, 2025-12-16; low confidence — Capterra is a B2B software review site, not a neutral research org).
Passkey-based step-up reduces friction vs password-based step-up
- Microsoft found that passkeys are 3× faster than traditional passwords and 8× faster than passwords combined with standard MFA; sign-in success rate: 98% vs 32% for passwords (Microsoft data cited by Descope, 2025-12-16).
- Passkey authentication takes 14.9 seconds vs 30.4 seconds for passwords; the FIDO Alliance 2025 Passkey Index reports a 73% decrease in login time compared to traditional MFA (as-of 2025; [Corbado](https://www.corbado.com/blog/ecommerce-authentication); vendor data, low-medium confidence).
- Amazon deployed passkeys to all users; 175 million passkeys were created and sign-in success rates improved by 30% (as-of ~2024; Amazon public announcement cited by [Ping Identity](https://www.pingidentity.com/en/resources/blog/post/step-up-authentication.html), 2024-05-24; medium confidence — Ping citing Amazon's own public statement).
Friction cost of step-up at scale
- MojoAuth (2026-05-09) estimates that a well-tuned adaptive engine will step up approximately 3–6% of legitimate sign-ins, and 0.5–2% of those step-ups will fail (user abandons), creating up to 12,000 abandoned sessions per month per 10 million logins (as-of 2026-05; practitioner estimate, no primary study cited; treat as directional only).
The MFA fatigue benefit
Ping Identity (2024-05-24) notes that step-up authentication reduces MFA fatigue "by requiring additional factors only for sensitive actions rather than every login — this method reduces MFA fatigue while maintaining security." Authsignal's founder (2026-01-09) adds that "clear, understandable prompts when step-up authentication is needed" are required for adoption; "companies with clunky UX will get left behind, even if their underlying technology is sound."
SMS OTP as step-up factor — discouraged
SMS OTP as step-up factor: MojoAuth (2026-05-09) explicitly discourages SMS OTP, citing $71 million in US SIM-swap losses in 2024 (FBI IC3 data, cited secondarily), and recommends authenticator-app codes, push approvals, or passkeys as primary step-up factors. Descope (2025-12-16) still lists SMS OTP among its valid passwordless methods. Shopify (2026-03-17) does not rank OTP methods by security tier. Sources: MojoAuth/Security Boulevard · Descope · Shopify
Standards and protocols
RFC 9470 — OAuth 2.0 Step Up Authentication Challenge Protocol
RFC 9470 was published in September 2023, before the 2024+ window the rest of this page covers, but is included because it is the definitive IETF standard for OAuth-based step-up authentication. No newer version exists as of 2026-06-21.
RFC 9470 (IETF, September 2023) defines the mechanism by which a resource server signals to a client that the authentication event behind the current access token does not meet the requirements of the requested resource, using:
- Error code: `insufficient_user_authentication`, returned in the `WWW-Authenticate` header of a 401 response
- Parameters: `acr_values` (Authentication Context Class Reference, the required strength/method) and `max_age` (how recently, in seconds, the authentication event must have occurred)
- The client then repeats the authorization request carrying those `acr_values` / `max_age` values; the OIDC `prompt=login` parameter forces re-authentication regardless of `max_age`
RFC 9470 extends OAuth 2.0/OIDC: the acr_values request is treated as required (a departure from OpenID Connect Core 1.0, where it was voluntary). (Source: Authlete developer docs, referencing Authlete 3.0 / November 2024)
Authlete 3.0 (November 2024) implements full RFC 9470 support, binding acr and auth_time claims to access tokens. (Source: Authlete)
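Both halves of the RFC 9470 exchange, as an added example (not the RFC's own text, and not Authlete's code): the resource server compares the access token's `acr` and `auth_time` claims against a per-endpoint policy and builds the 401 challenge; the client parses that challenge and turns it into a fresh authorization request. The endpoint paths, the ACR name `urn:example:acr:phr`, the age limits and the claim values are assumptions; token signature validation is assumed to have happened upstream.

```python
"""RFC 9470 step-up challenge, both sides of the exchange.

Resource server: decide from the access token's `acr` / `auth_time` claims
whether the endpoint's policy is met and, if not, build the 401 challenge.
Client: parse that challenge and turn it into a fresh authorization request.
Token signature validation is assumed to have happened upstream; the claims
dict is already trusted.  ACR names, paths and ages are assumptions.
"""
import re
from urllib.parse import urlencode

# Assumed per-endpoint policy: required ACR (None = any) and max auth age (s).
POLICY = {
    "/api/orders": {"acr": None, "max_age": None},
    "/api/giftcards/redeem": {"acr": "urn:example:acr:phr", "max_age": 300},
    "/api/account/email": {"acr": "urn:example:acr:phr", "max_age": 60},
}


def check_step_up(path, claims, now):
    """Resource server: return None if the token satisfies POLICY[path];
    otherwise the WWW-Authenticate value to send with HTTP 401."""
    req = POLICY.get(path)
    if req is None:
        return None  # no step-up policy for this path
    params = []
    if req["acr"] is not None and claims.get("acr") != req["acr"]:
        params.append(f'acr_values="{req["acr"]}"')
    if req["max_age"] is not None:
        auth_time = claims.get("auth_time")
        # A token with no auth_time cannot prove freshness: treat as stale.
        if auth_time is None or now - auth_time > req["max_age"]:
            params.append(f'max_age="{req["max_age"]}"')
    if not params:
        return None
    return (
        'Bearer error="insufficient_user_authentication", '
        'error_description="A different authentication level is required", '
        + ", ".join(params)
    )


_PARAM = re.compile(r'(\w+)="([^"]*)"')


def parse_challenge(header):
    """Client side: return the challenge parameters as a dict, or None if the
    header is not an RFC 9470 insufficient_user_authentication challenge."""
    if not header.startswith("Bearer "):
        return None
    params = dict(_PARAM.findall(header[len("Bearer "):]))
    if params.get("error") != "insufficient_user_authentication":
        return None
    return params


def build_authz_request(authz_endpoint, client_id, redirect_uri, state, challenge):
    """Client side: build the new OAuth/OIDC authorization request.  The user
    is sent through the authorization server mid-session; nothing is logged
    out.  Only acr_values and max_age are copied from the challenge, never
    error_description, which is untrusted display text."""
    q = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": "openid",
        "state": state,  # must be unguessable in real use
    }
    if "acr_values" in challenge:
        q["acr_values"] = challenge["acr_values"]
    if "max_age" in challenge:
        q["max_age"] = challenge["max_age"]
    return authz_endpoint + "?" + urlencode(q)
```

Two points a practitioner should keep in mind. The challenge is advisory: after the user comes back with a new token, the resource server runs `check_step_up` again on the new claims rather than trusting that the client did what was asked, which is why the server-side policy, not the client, is the enforcement point. And a missing `auth_time` is treated as stale rather than fresh, so a token minted without that claim cannot silently pass a `max_age` requirement.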
FIDO2 / WebAuthn as the recommended step-up factor
Ping Identity (2024-05-24, updated 2026-03-10) describes FIDO2/WebAuthn as "the go-to phishing-resistant step-up factor in 2026" — platform passkeys recommended first for UX, roaming security keys (YubiKey etc.) for step-up in shared or kiosk scenarios.
Trend toward transaction-based trust
Authsignal's founder (2026-01-09) describes a shift from binary session models (logged-in/logged-out) toward "transaction-based trust": trust evaluated per transaction, with step-up required for higher-risk transactions. Framed as adaptive authentication "taken to its logical conclusion."
EU Digital Identity (EUDI) wallet
The EU Digital Identity wallet legislation is moving toward implementation by December 2026, which would establish government-backed portable digital identities usable as step-up credentials in ecommerce (as-of 2026-01; [Authsignal](https://www.authsignal.com/blog/articles/5-authentication-trends-that-will-define-2026-our-founders-perspective), 2026-01-09; medium confidence — regulatory implementation timelines frequently slip).
Platform specifics
Shopify
- Shopify's March 2026 customer authentication best-practices guide explicitly names step-up authentication as a required practice, placing it alongside passwordless/passkey-first, MFA, and bot/credential-stuffing defences. (Shopify, 2026-03-17)
- Shopify's Fraud Filter app was sunsetted on January 31, 2025; Shopify Flow is the recommended tool for building rule-based step-up and fraud triggers on the Shopify platform (as-of 2025-01; medium confidence — referenced in search results summary, not direct Shopify docs fetch).
- Shop Pay implements OTP for returning customers and recognises them across merchants; Princess Polly saw 4.1% higher conversion among buyers with existing Shop Pay sessions and a 7.6% reduction in checkout time (as-of 2026-03; Shopify own case study, cited by [Shopify Enterprise](https://www.shopify.com/enterprise/blog/customer-authentication-best-practices), 2026-03-17).
Descope / platform integrations
Descope (2025-12-16) positions itself as a step-up authentication layer for Shopify, Salesforce Commerce Cloud, and WordPress — providing passwordless options, MFA, and SSO beyond what native platforms provide. (Descope)
commercetools
Gap: No native step-up documentation found. commercetools is API-first/headless and delegates authentication to an external IdP via OIDC — RFC 9470 compatibility would depend on the IdP chosen, not commercetools itself. No case study found.
Vendor landscape
| Vendor | Positioning | Source |
|---|---|---|
| Authsignal | Dedicated step-up auth; no-code rules engine; ecommerce vertical focus | authsignal.com, 2026-01-09 |
| Descope | Ecommerce auth layer; Shopify/SFCC/WP integrations; passwordless + MFA + SSO | descope.com, 2025-12-16 |
| Ping Identity | Enterprise IdP with step-up, adaptive MFA, and FIDO2 support | pingidentity.com, 2026-03-10 |
| Authlete | OAuth/OIDC implementation; RFC 9470 full support in Authlete 3.0 (Nov 2024) | authlete.com |
| MojoAuth | Passwordless / step-up auth; ATO playbook guidance | securityboulevard.com, 2026-05-09 |
Key terms
| Term | Meaning |
|---|---|
| Step-up authentication | Mid-session re-verification for high-risk actions; not a full logout |
| ACR (Authentication Context Class Reference) | Specifies the required type/strength of authentication method |
| max_age | Maximum time since last authentication event; triggers re-auth if exceeded |
| RFC 9470 | IETF standard for OAuth 2.0 step-up challenges |
| MFA fatigue | User desensitisation from excessive authentication prompts |
| Transaction-based trust | Per-action trust evaluation replacing binary logged-in/logged-out model |
Frontier links
Continuous Access Evaluation (CAE) · Device Bound Session Credentials (DBSC) · Adaptive Authentication · Shopify Flow · EUDI Wallet · Strong Customer Authentication (SCA / PSD2) · Passkeys (WebAuthn) · Account Recovery UX · Conditional UI (WebAuthn)