Financial institutions have made meaningful advances that take their authentication strategies beyond the static use of simple passwords. The two most common emergent strategies to improve authentication are step-up authentication and continuous authentication. Both approaches are capable of reducing fraud, and can improve the user experience when implemented properly. The two approaches, however, operate on fundamentally different principles. Understanding the capabilities of each, and their differences, is essential when it comes to choosing the right approach, or combination of approaches, for your organization.
Step-up authentication and continuous authentication aren’t competitors, and you don’t necessarily have to choose only one. In practice, an effective authentication strategy will leverage both and use them where they best suit the scenarios, risk levels, and user journey at your organization.
What is step-up authentication?
Step-up authentication is a conditional mechanism. It requires additional verification when specific risk conditions occur. Step-up systems evaluate the context of a particular interaction, and escalate authentication requirements when circumstances warrant. Step-up systems are straightforward: for example, a user might log in with their password for routine account access like checking balances, but if they attempt something more risky, like a large wire transfer or changing their account settings, the system will prompt them for additional verification. It delivers a significant improvement in protection versus flat authentication requirements, and recognizes that not all actions carry high enough risk to apply additional friction to the customer experience.
Common step-up use cases
To expand on the basic example given above, financial services institutions typically trigger step-up authentication for several common scenarios. Transaction thresholds are among the most common, where a transfer above a certain dollar amount would require additional verification. Adding a new payee or beneficiary, a common action taken by fraudsters, also often requires step-up. Changes to core account information, which might include changing a password, updating contact information, or adding or removing a linked device, generally warrant an additional verification step. Similarly, device and location anomalies like logging in from a new device or from a new and unexpected location frequently trigger step-up.
What is continuous authentication?
The continuous authentication model is very different. Instead of waiting for a specific event to trigger a challenge, continuous authentication systems maintain an ongoing score to measure identity confidence throughout an authenticated session. Its confidence in the validity of the customer’s identity can rise and fall throughout the session depending on accumulated signals.
The continuous approach aims to solve a fundamental weakness that exists in event-triggered models, which assume that identity, once verified, remains valid up to the next trigger event. But in reality, sessions can be compromised mid-stream – for example a device might be remotely accessed by someone who installed malware, or an authenticated user could walk away from their laptop in a public area while still logged into their online banking. Continuous authentication addresses actions taken after login in these scenarios, because it never stops keeping tabs on whether the behavior of the current actor matches the identity that was established at the start of the session.
Continuous risk assessment explained
Real-time risk assessment is the heart of continuous authentication. It combines multiple signal streams (behavioral biometrics, device telemetry, network parameters, and session behavior) by feeding them into a risk engine that uses them all to maintain a dynamic score of identity confidence. The score is continuously updated as new data is collected.
Some of the signals evaluated are behavioral, using patterns like typing cadence, mouse movement, and navigational style that are unique to individual users. Others are technical – device and network signals can confirm whether access is consistent with where the user is usually connected and on their usual laptop or phone. Users will experience seamless access as long as their continuous risk score based on these and other parameters is within the normal range. But when it dips, the system will increase its response proportionately. It might respond with increased monitoring, the use of step-up verification, or even terminating the session entirely.
Continuous versus step-up authentication
Each approach has distinct strengths that help in certain scenarios. To understand why, it’s helpful to compare the impact of each on security as well as on user experience.
Security comparison
Step-up authentication concentrates security efforts where they matter most. It can protect specific, high-value transactions and actions that are capable of causing the most damage if performed by fraudsters. But the trigger-based model leaves security gaps. Between, or in the absence of, trigger events, the system essentially trusts any activity within the session. Sophisticated attackers may find ways to exploit this trust on a smaller scale. In contrast, continuous authentication addresses this gap by monitoring all activity within the session. Even if session hijacking occurs, behavioral anomalies will make it apparent to a system that is constantly watching for them. Research indicates that 68% of organizations have no continuous authentication, creating a massive vulnerability for them when they leave sessions completely unmonitored after the initial login. While continuous systems are more complex, requiring more sophisticated infrastructure and the integration of multiple signals to perform real-time scoring, they are highly effective at blocking fraudulent activity before it has a chance to happen.
User experience comparison
Continuous authentication and step-up authentication both aim to reduce unnecessary friction, like the blanket use of additional authentication steps for any activity, but their approach to doing so is different. Step-up authentication creates visible friction for users; they’ll notice the interruption when they’re asked for additional verification. But the experience is predictable, and most users will understand why the additional verification is triggered when their activity is higher risk.
In contrast, continuous authentication is generally invisible to the user. The activity happens behind the scenes, so when identity confidence is high the user will have a frictionless and challenge-free experience. The friction only appears if the system detects an anomaly. Unless a legitimate user undertakes an unusual activity like getting a new phone or making a wire transfer to purchase their first home, they will very likely complete their session without seeing a single authentication challenge.
When to use step-up authentication
When it’s easy to clearly define which moments require an extra layer of protection, step-up can provide targeted protection for these specific actions with less infrastructure overhead than continuous monitoring.
High-risk moments
Regardless of behavioral signals, certain user actions inherently represent an elevated risk and can benefit from explicit verification. This includes large financial transactions — the potential damage from a large unauthorized transfer is significant, and justifies introducing friction. Account modification events like a password change or updating security settings are also clear triggers for step-up authentication, as they could enable future fraud.
Payment recipient changes like adding new payees or beneficiaries are a common first step in many fraud schemes. Step-up authentication at this moment creates a checkpoint which can block future fraud.
Additionally, regulatory requirements can drive the implementation of step-up authentication. For example, in Europe, PSD2 mandates the use of strong customer authentication for certain types of payments.
When continuous authentication is the better choice
To protect against attacks that exploit gaps between specific checkpoints, continuous authentication becomes essential. When your risk profile includes sophisticated attackers that are able to operate undetected between step-up events, the visibility provided by continuous monitoring detects threats that trigger-based approaches can’t.
Ongoing user sessions
Long-duration sessions present a particular challenge that may not be adequately met by step-up-only approaches. When users remain logged in for extended periods, as is common with mobile banking and wealth management platforms, an extended window is created in which compromise (for example, via malware) can go undetected. Continuous authentication maintains identity assurance throughout the session, detecting if control is transferred to an unauthorized user.
In another example, session hijacking and man-in-the-browser attacks specifically target the already-authenticated state. After a user has passed their initial login and any step-up challenge, attackers who intercept their session inherit their authenticated status. But continuous behavioral monitoring can detect this kind of takeover; the attacker’s interaction patterns will differ from the legitimate user’s baseline behavior.
Continuous authentication also detects fraud patterns that unfold gradually. Attackers conducting reconnaissance on an account might never trigger step-up thresholds while they build their way toward their eventual fraud. But continuous authentication would notice the differences between their behavior and the actual user’s even on those reconnaissance logins.
Why most organizations need both
Continuous and step-up authentication protect against different threat vectors, and they are most effective when used together. Organizations that see them as competing approaches and choose one are more vulnerable to attacks that the other would catch.
Complementary strategies
Continuous monitoring is the baseline for a layered authentication strategy. It maintains identity assurance through the session and looks for behavioral anomalies and session takeovers. Step-up authentication is the layer that offers targeted protection at the most critical moments, and ensures that high-risk activities receive explicit verification – even if the continuous layer appears normal.
Consider a practical example where a customer logs in from their usual mobile phone, connected to their usual network at home. Continuous authentication confirms that these and their other behavioral patterns match expectations, and maintains high confidence throughout the session. If they initiate a wire transfer to a new recipient, step-up authentication will be triggered irrespective of those signals, because the specific action is high-risk and warrants explicit verification.
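The two layers as described above, the dynamic confidence score built from the signal streams in "Continuous risk assessment explained" and the score-independent step-up triggers of this practical example, written out as an added toy policy engine in Python. It is not the page's or any vendor's code; the signal weights, the smoothing factor, the dollar threshold and the response bands are constructed values.

```python
"""Toy layered authentication policy engine (constructed for illustration)."""

# Constructed signal weights; each signal contributes when it matches the
# user's established baseline. Weights sum to 100.
SIGNAL_WEIGHTS = {
    "typing_cadence": 25,    # behavioral biometrics
    "mouse_movement": 15,    # behavioral biometrics
    "known_device": 30,      # device telemetry
    "usual_network": 20,     # network parameters
    "navigation_style": 10,  # session behavior
}

# Actions that always require step-up, regardless of continuous confidence.
STEP_UP_ACTIONS = {"change_password", "update_contact", "add_payee"}
TRANSFER_THRESHOLD = 5000  # constructed dollar threshold for transfers


def score_signals(observed: dict) -> int:
    """Instantaneous confidence (0-100) from which signals match baseline."""
    return sum(w for name, w in SIGNAL_WEIGHTS.items() if observed.get(name, False))


class SessionMonitor:
    """Maintains a dynamic identity-confidence score across one session."""

    def __init__(self, initial: int = 100, smoothing: float = 0.6):
        self.confidence = initial
        self.smoothing = smoothing  # how strongly a new observation moves the score

    def observe(self, observed: dict) -> int:
        """Blend the newest observation into the running score (rises and falls)."""
        fresh = score_signals(observed)
        blended = (1 - self.smoothing) * self.confidence + self.smoothing * fresh
        self.confidence = round(blended)
        return self.confidence

    def continuous_response(self) -> str:
        """Proportionate response to the current confidence level."""
        if self.confidence >= 70:
            return "allow"
        if self.confidence >= 40:
            return "monitor"
        if self.confidence >= 20:
            return "step_up"
        return "terminate"

    def decide(self, action: str, amount: float = 0, new_recipient: bool = False) -> str:
        """Combine both layers: a collapsed score ends the session, then explicit
        step-up triggers apply even when the continuous layer looks normal."""
        response = self.continuous_response()
        if response == "terminate":
            return response
        if action in STEP_UP_ACTIONS or new_recipient or amount > TRANSFER_THRESHOLD:
            return "step_up"
        return response
```

A session where all signals match keeps scoring 100 and is allowed to check balances, but a transfer to a new recipient still returns "step_up"; a session where behavioral signals stop matching drifts down into "monitor" and, if nothing matches, into "terminate".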
Research from Liminal confirms the industry is implementing both of these tools in an integrated manner. Over 92% of organizations believe that effectively stopping fraud requires integrating multiple signals into authentication, and 79% are planning to unify their authentication and fraud strategies. Organizations won’t be choosing one approach over the other, but will be integrating both in a coordinated framework.
Frequently Asked Questions
What is step-up authentication?
Step-up authentication adds verification for high-risk actions. It triggers an additional identity challenge when an action is taken like making a large transfer or changing a password. This way, the most damaging potentially fraudulent activities receive a higher level of security without applying maximum security and increased friction to every interaction in a session.
Is continuous authentication better than step-up?
No, they serve different purposes. The two strategies work best when used together in a layered strategy that uses continuous authentication to maintain ongoing identity assurance throughout a session while step-up is used to add targeted verification for the most high-risk moments. In this way, neither is better than the other as organizations and their customers are best protected when the organization strategically implements both.
How do you choose an authentication approach?
The right approach will incorporate an assessment of your organization’s risk tolerance, user experience goals, and threat models to determine the appropriate solution or combination of solutions. For organizations with well-defined high-risk moments, it may be best to start with step-up authentication for these critical touchpoints and layer in additional tools later that protect the entire session. In contrast, organizations that are frequently faced with sophisticated attacks like session hijacking should prioritize continuous monitoring. Ultimately, most enterprises will find that they benefit from the implementation and layering of both.
See these approaches in action
Download the e-Book to get more real-world examples of how continuous and step-up authentication work together across the entire customer lifecycle.