Step-up authentication raises the authentication bar for sensitive operations within an already-authenticated session. Examples: changing bank account info, exporting personal data, modifying MFA settings, downloading tax documents, or initiating large transactions.
The pattern: a user logs in normally with password + MFA, but when they try to perform a sensitive action, the system prompts for fresh authentication — re-entering MFA, biometric verification, or a hardware key tap. This protects against scenarios where a session is hijacked or the user steps away from a logged-in device.
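A server-side freshness check for the pattern described above, as an added example rather than code from any particular product. The action names, age limits, method labels and the `Session` fields are assumptions chosen for illustration.

```python
from dataclasses import dataclass
from typing import Optional

# Assumed policy: maximum age in seconds of the last strong authentication
# allowed for each action. None means the normal session is sufficient.
STEP_UP_MAX_AGE = {
    "view_balance": None,
    "change_bank_account": 300,
    "export_personal_data": 300,
    "modify_mfa_settings": 120,
    "large_transaction": 60,
}
STRONG_METHODS = {"totp", "biometric", "hardware_key"}  # assumed labels
CLOCK_SKEW = 5  # seconds of tolerated skew between servers


@dataclass
class Session:
    user_id: str
    login_time: float
    # Updated only after the server itself has verified a strong factor.
    strong_auth_time: Optional[float] = None
    strong_auth_method: Optional[str] = None


def needs_step_up(session: Session, action: str, now: float) -> bool:
    """Return True if the action must wait for fresh authentication."""
    max_age = STEP_UP_MAX_AGE[action]  # unknown action: KeyError, fail closed
    if max_age is None:
        return False
    if session.strong_auth_time is None:
        return True
    if session.strong_auth_method not in STRONG_METHODS:
        return True
    age = now - session.strong_auth_time
    if age < -CLOCK_SKEW:
        return True  # timestamp lies in the future: do not trust it
    return age > max_age


def record_step_up(session: Session, method: str, now: float) -> None:
    """Mark the session as freshly authenticated after server-side verification."""
    if method not in STRONG_METHODS:
        raise ValueError(f"{method!r} is not an accepted step-up method")
    session.strong_auth_time = now
    session.strong_auth_method = method
```

The check keys on the time of the last verified strong factor, not on session age, so a hijacked but still valid session cannot perform a sensitive action once the freshness window has passed.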
Step-up authentication is now table stakes for fintech, healthcare, and financial advisor portals.