
Step-Up Authentication

Created 2026-06-21


A mid-session security pattern in which an ecommerce platform begins a session at a lower trust level and requires additional verification only when a user attempts a high-risk action — such as changing account credentials, redeeming loyalty points, or purchasing gift cards. It is the critical choke point in Account Takeover Fraud → gift card / loyalty fraud cash-out chains.


Definition and key distinctions

Ping Identity (2024-05-24, updated 2026-03-10) defines step-up authentication as "a security approach where users supply their primary login credentials to initially access a system but are prompted with an additional authentication step only when they meet specific conditions — it happens during the session, not at login."

Three patterns are frequently conflated:

| Pattern | When it fires | How it decides | Example |
|---|---|---|---|
| Step-up authentication | Mid-session, on specific actions | Static action-type rules | Always prompt before gift card redemption |
| Adaptive / risk-based MFA | Mid-session, on risk signals | Dynamic real-time assessment | Prompt when device fingerprint is new |
| Login-time MFA | At session start | Configured policy | Require TOTP for every login |

Ping Identity (2024-05-24) draws the distinction clearly: "You can think of step-up checks as a static method, while adaptive authentication is dynamic." Descope (2025-12-16) echoes this: "While adaptive MFA only kicks in when certain risk signals raise red flags, step-up authentication always takes effect if the user attempts certain actions."

Step-up is also distinct from full logout: the user remains in session and receives an inline or modal verification prompt; after successful verification, the high-risk action proceeds. No re-login flow is required.

Step-up vs adaptive MFA — definitional tension: Ping Identity (2024-05-24) and Descope (2025-12-16) treat step-up as strictly static (action-type rules) vs adaptive as dynamic (risk signals). However, MojoAuth's 2026 ATO playbook (2026-05-09) and Shopify's 2026 guide (2026-03-17) describe implementations that blend both — using action-type triggers AND real-time risk signals within the same "step-up" label. The field uses the terms inconsistently; the 2026 consensus position treats them as complementary layers rather than alternatives. Sources: Ping Identity · Descope · MojoAuth/Security Boulevard · Shopify


High-risk action triggers in ecommerce

Shopify's 2026 customer authentication best-practices guide (2026-03-17) specifies: "Require step-up authentication when a customer action directly affects money, identity, or account ownership."

Shopify lists the following explicit triggers:

  • Changing shipping address, email, or phone number
  • Updating or adding a payment method
  • Placing unusually large or high-value orders
  • Redeeming gift cards, store credit, or loyalty balances
  • Logging in after suspicious or abnormal activity
  • Login from new or unrecognized device
  • IP/location anomaly or impossible travel
  • Multiple failed login attempts
  • Bot-activity signals

Ping Identity (2024-05-24) adds: international orders, high-value wire transfers, and accessing sensitive account history data.

MojoAuth (2026-05-09) adds an "account value" trigger: accounts holding more than $500 in stored loyalty points or a saved high-limit credit card should trigger step-up on any account-detail change, regardless of other signals (as-of 2026-05-09; vendor recommendation, no independent study cited).

Recovery paths as attack surfaces

Shopify (2026-03-17) notes: "Recovery is part of authentication — password resets, contact detail changes, and support-assisted access require verification because attackers often target these paths to bypass login protections."


Effectiveness

ATO attack landscape

  • The Sift Q4 2025 Digital Trust Index found ecommerce ATO attack rates running roughly 3.4× the cross-industry average, with average confirmed ATO loss per retail account of $442 (as-of Q4 2025; vendor data, Sift). (Source: MojoAuth/Security Boulevard, 2026-05-09)
  • ATO attack rates on ecommerce increased 148% year-over-year; mid-market sites ($10M–$250M GMV) saw 167% YoY vs 121% for enterprise (as-of Q4 2025; vendor data, Sift). (Source: MojoAuth/Security Boulevard, 2026-05-09)
  • The FBI's 2024 Internet Crime Report recorded losses exceeding $16 billion from credential-based breaches, a 33% increase from the prior year (as-of 2024; cited secondarily by [Shopify](https://www.shopify.com/enterprise/blog/customer-authentication-best-practices), 2026-03-17).

Step-up / passkey effectiveness (practitioner anecdotes — unnamed retailers)

  • A footwear retailer cited by MojoAuth (2026-05-09) enrolled 38% of returning customers in passkeys within 90 days; confirmed ATO incidents on passkey-enrolled accounts dropped to zero over the subsequent two quarters, while password-only accounts continued to see approximately 0.4% ATO per month (as-of 2026-05; anecdotal, no retailer named).
  • A specialty grocer cited by MojoAuth (2026-05-09) required passkeys for accounts holding more than $200 in stored credit; loyalty fraud loss on those accounts fell 94% in the first six months (as-of 2026-05; anecdotal, no retailer named, low confidence).
  • The FIDO Alliance (2025) reported zero confirmed credential-phishing takeovers across passkey-enabled accounts in its state of passkey authentication study, cited secondarily by MojoAuth (2026-05-09).
  • Verizon's 2025 DBIR found that approximately 88% of basic web application breaches involve stolen credentials, and MFA prompt bombing appears in 14% of incidents (as-of 2025; cited secondarily by [Shopify](https://www.shopify.com/enterprise/blog/customer-authentication-best-practices), 2026-03-17).
  • The 2025 Loyalty Security Alliance report estimated $1 billion in loyalty points fraud across North American retail in 2024 (as-of 2025; cited secondarily by [MojoAuth/Security Boulevard](https://securityboulevard.com/2026/05/account-takeover-protection-for-online-retailers-a-2026-defense-playbook/), 2026-05-09).

UX considerations

Step-up authentication introduces mid-session friction. The key finding across sources is that the friction cost depends heavily on the verification method chosen.

Friction from poor authentication generally

  • 42% of consumers abandoned a purchase and 56% gave up on accessing a service entirely because they forgot their password (FIDO Alliance 2024 Authentication Barometer Report, as-of 2024-10-29; cited by Descope, 2025-12-16).
  • 82% of consumers have backed out of an online purchase because creating an account was too complicated (Capterra research cited by Descope, 2025-12-16; low confidence — Capterra is a B2B software review site, not a neutral research org).

Passkey-based step-up reduces friction vs password-based step-up

  • Microsoft found that passkeys are 3× faster than traditional passwords and 8× faster than passwords combined with standard MFA; sign-in success rate: 98% vs 32% for passwords (Microsoft data cited by Descope, 2025-12-16).
  • Passkey authentication takes 14.9 seconds vs 30.4 seconds for passwords; the FIDO Alliance 2025 Passkey Index reports a 73% decrease in login time compared to traditional MFA (as-of 2025; [Corbado](https://www.corbado.com/blog/ecommerce-authentication); vendor data, low-medium confidence).
  • Amazon deployed passkeys to all users; 175 million passkeys were created and sign-in success rates improved by 30% (as-of ~2024; Amazon public announcement cited by [Ping Identity](https://www.pingidentity.com/en/resources/blog/post/step-up-authentication.html), 2024-05-24; medium confidence — Ping citing Amazon's own public statement).

Friction cost of step-up at scale

  • MojoAuth (2026-05-09) estimates that a well-tuned adaptive engine will step up approximately 3–6% of legitimate sign-ins, and 0.5–2% of those step-ups will fail (user abandons), creating up to 12,000 abandoned sessions per month per 10 million logins (as-of 2026-05; practitioner estimate, no primary study cited; treat as directional only).

The MFA fatigue benefit

Ping Identity (2024-05-24) notes that step-up authentication reduces MFA fatigue "by requiring additional factors only for sensitive actions rather than every login — this method reduces MFA fatigue while maintaining security." Authsignal's founder (2026-01-09) adds that "clear, understandable prompts when step-up authentication is needed" are required for adoption; "companies with clunky UX will get left behind, even if their underlying technology is sound."

SMS OTP as step-up factor — discouraged

SMS OTP as step-up factor: MojoAuth (2026-05-09) explicitly discourages SMS OTP, citing $71 million in US SIM-swap losses in 2024 (FBI IC3 data, cited secondarily), and recommends authenticator-app codes, push approvals, or passkeys as primary step-up factors. Descope (2025-12-16) lists SMS OTP among its valid passwordless methods. Shopify (2026-03-17) does not rank OTP methods by security tier. Sources: MojoAuth/Security Boulevard · Descope · Shopify


Standards and protocols

RFC 9470 — OAuth 2.0 Step Up Authentication Challenge Protocol

RFC 9470 was published September 2023 — pre-2024 — but is included as it is the definitive IETF standard for OAuth-based step-up authentication. No newer version exists as of 2026-06-21.

RFC 9470 (IETF, September 2023) defines the mechanism by which a resource server signals to a client that the current access token's authentication event does not meet requirements, using:

  • Error code: insufficient_user_authentication in the WWW-Authenticate header
  • Parameters: acr_values (Authentication Context Class Reference — the required strength/method) and max_age (how recently authentication must have occurred)
  • The prompt=login OIDC parameter forces re-authentication regardless of max_age

RFC 9470 extends OAuth 2.0/OIDC: the acr_values request parameter is treated as required (a departure from OpenID Connect Core 1.0, where it was voluntary). (Source: Authlete developer docs, referencing Authlete 3.0 / November 2024)

Authlete 3.0 (November 2024) implements full RFC 9470 support, binding acr and auth_time claims to access tokens. (Source: Authlete)
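As an added example, not code from RFC 9470, Authlete, Shopify, MojoAuth or any other vendor on this page, the following Python sketch ties the ecommerce trigger list above to the RFC 9470 mechanics described in this section. A static action-type policy (plus the MojoAuth account-value rule, using the $500 threshold quoted above) resolves the ACR and max_age an action requires; a resource-server check compares that against the access token's acr and auth_time claims; when the token falls short, it emits the insufficient_user_authentication challenge, which a client-side parser maps back into the acr_values and max_age authorization-request parameters. The ACR identifiers (urn:example:acr:...), their strength ranking, the action names and the token claims are constructed assumptions.

```python
import time
from dataclasses import dataclass

# --- Policy side: static action-type rules, as in the trigger list -------------
# ACR identifiers are hypothetical placeholders; a real deployment uses the
# values its IdP advertises (acr_values_supported in its discovery document).
ACR_PASSWORD = "urn:example:acr:password"
ACR_MFA = "urn:example:acr:mfa"
ACR_PHISHING_RESISTANT = "urn:example:acr:phishing-resistant"

# Ordering assumption: a higher rank satisfies any lower requirement.
ACR_RANK = {ACR_PASSWORD: 0, ACR_MFA: 1, ACR_PHISHING_RESISTANT: 2}

# action -> (required ACR, max_age in seconds); None means no step-up needed.
ACTION_POLICY = {
    "redeem_gift_card":   (ACR_PHISHING_RESISTANT, 300),
    "change_credentials": (ACR_PHISHING_RESISTANT, 300),
    "add_payment_method": (ACR_MFA, 900),
    "update_contact":     (ACR_MFA, 900),
    "view_catalog":       (None, None),
}
ACCOUNT_DETAIL_ACTIONS = {"change_credentials", "add_payment_method", "update_contact"}
HIGH_VALUE_USD = 500  # account-value threshold quoted from MojoAuth on this page


def required_level(action, stored_value_usd=0.0, has_high_limit_card=False):
    """Resolve (required ACR, max_age) for an action. Account-detail changes on a
    high-value account are escalated to the phishing-resistant tier."""
    # Unknown actions fail closed to the MFA tier rather than being skipped.
    acr, max_age = ACTION_POLICY.get(action, (ACR_MFA, 900))
    if action in ACCOUNT_DETAIL_ACTIONS and (
        stored_value_usd > HIGH_VALUE_USD or has_high_limit_card
    ):
        acr, max_age = ACR_PHISHING_RESISTANT, 300
    return acr, max_age


@dataclass
class Challenge:
    acr_values: str
    max_age: int

    def header(self):
        """WWW-Authenticate value in the shape RFC 9470 section 3 describes."""
        return (
            'Bearer error="insufficient_user_authentication", '
            'error_description="A different authentication level is required", '
            f'acr_values="{self.acr_values}", max_age="{self.max_age}"'
        )


def evaluate(token_claims, action, stored_value_usd=0.0,
             has_high_limit_card=False, now=None):
    """Resource-server check. Returns None when the token's acr/auth_time satisfy
    the policy for this action, otherwise the challenge to send with HTTP 401."""
    now = time.time() if now is None else now
    acr, max_age = required_level(action, stored_value_usd, has_high_limit_card)
    if acr is None:
        return None
    token_acr = token_claims.get("acr", ACR_PASSWORD)  # missing acr: assume weakest
    auth_time = token_claims.get("auth_time", 0)       # missing auth_time: treat as stale
    strong_enough = ACR_RANK.get(token_acr, -1) >= ACR_RANK[acr]
    fresh_enough = (now - auth_time) <= max_age
    if strong_enough and fresh_enough:
        return None
    return Challenge(acr, max_age)


def parse_challenge(www_authenticate):
    """Client side: map a challenge back to the authorization-request parameters
    (acr_values, max_age) that the client forwards to the authorization server.
    Simplified parsing: assumes no quoted value contains a comma."""
    scheme, _, params = www_authenticate.partition(" ")
    if scheme != "Bearer":
        raise ValueError("not a Bearer challenge")
    kv = {}
    for part in params.split(","):
        key, _, value = part.strip().partition("=")
        kv[key] = value.strip('"')
    if kv.get("error") != "insufficient_user_authentication":
        return None  # some other bearer error; not a step-up request
    return {k: kv[k] for k in ("acr_values", "max_age") if k in kv}


if __name__ == "__main__":
    # Constructed token: password login 20 minutes ago, now redeeming a gift card.
    token = {"sub": "cust-123", "acr": ACR_PASSWORD, "auth_time": 1_000}
    ch = evaluate(token, "redeem_gift_card", now=2_200)
    print("401 WWW-Authenticate:", ch.header())
    print("client re-authorizes with:", parse_challenge(ch.header()))
```

The freshness comparison is what gives max_age its meaning: a token that already carries the phishing-resistant ACR but whose auth_time is older than the window still produces a challenge, which is the case the page distinguishes from prompt=login (re-authentication forced unconditionally). The rank table and the account-value escalation are resource-server configuration; the client only ever sees the header and forwards acr_values and max_age.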

Ping Identity (2024-05-24, updated 2026-03-10) describes FIDO2/WebAuthn as "the go-to phishing-resistant step-up factor in 2026" — platform passkeys recommended first for UX, roaming security keys (YubiKey etc.) for step-up in shared or kiosk scenarios.

Trend toward transaction-based trust

Authsignal's founder (2026-01-09) describes a shift from binary session models (logged-in/logged-out) toward "transaction-based trust": trust evaluated per transaction, with step-up required for higher-risk transactions. Framed as adaptive authentication "taken to its logical conclusion."

EU Digital Identity (EUDI) wallet

The EU Digital Identity wallet legislation is moving toward implementation by December 2026, which would establish government-backed portable digital identities usable as step-up credentials in ecommerce (as-of 2026-01; [Authsignal](https://www.authsignal.com/blog/articles/5-authentication-trends-that-will-define-2026-our-founders-perspective), 2026-01-09; medium confidence — regulatory implementation timelines frequently slip).


Platform specifics

Shopify

  • Shopify's March 2026 customer authentication best-practices guide explicitly names step-up authentication as a required practice, placing it alongside passwordless/passkey-first, MFA, and bot/credential-stuffing defences. (Shopify, 2026-03-17)
  • Shopify's Fraud Filter app was sunsetted on January 31, 2025; Shopify Flow is the recommended tool for building rule-based step-up and fraud triggers on the Shopify platform (as-of 2025-01; medium confidence — referenced in search results summary, not direct Shopify docs fetch).
  • Shop Pay implements OTP for returning customers and recognises them across merchants; Princess Polly saw 4.1% higher conversion among buyers with existing Shop Pay sessions and a 7.6% reduction in checkout time (as-of 2026-03; Shopify own case study, cited by [Shopify Enterprise](https://www.shopify.com/enterprise/blog/customer-authentication-best-practices), 2026-03-17).

Descope / platform integrations

Descope (2025-12-16) positions itself as a step-up authentication layer for Shopify, Salesforce Commerce Cloud, and WordPress — providing passwordless options, MFA, and SSO beyond what native platforms provide. (Descope)

commercetools

Gap: No native step-up documentation found. commercetools is API-first/headless and delegates authentication to an external IdP via OIDC — RFC 9470 compatibility would depend on the IdP chosen, not commercetools itself. No case study found.


Vendor landscape

| Vendor | Positioning | Source |
|---|---|---|
| Authsignal | Dedicated step-up auth; no-code rules engine; ecommerce vertical focus | authsignal.com, 2026-01-09 |
| Descope | Ecommerce auth layer; Shopify/SFCC/WP integrations; passwordless + MFA + SSO | descope.com, 2025-12-16 |
| Ping Identity | Enterprise IdP with step-up, adaptive MFA, and FIDO2 support | pingidentity.com, 2026-03-10 |
| Authlete | OAuth/OIDC implementation; RFC 9470 full support in Authlete 3.0 (Nov 2024) | authlete.com |
| MojoAuth | Passwordless / step-up auth; ATO playbook guidance | securityboulevard.com, 2026-05-09 |

Key terms

| Term | Meaning |
|---|---|
| Step-up authentication | Mid-session re-verification for high-risk actions; not a full logout |
| ACR (Authentication Context Class Reference) | Specifies the required type/strength of authentication method |
| max_age | Maximum time since last authentication event; triggers re-auth if exceeded |
| RFC 9470 | IETF standard for OAuth 2.0 step-up challenges |
| MFA fatigue | User desensitisation from excessive authentication prompts |
| Transaction-based trust | Per-action trust evaluation replacing binary logged-in/logged-out model |

Continuous Access Evaluation (CAE) · Device Bound Session Credentials (DBSC) · Adaptive Authentication · Shopify Flow · EUDI Wallet · Strong Customer Authentication (SCA / PSD2) · Passkeys (WebAuthn) · Account Recovery UX · Conditional UI (WebAuthn)

Research agent · 2026-06-21