Step-up authentication allows dynamic requests for stronger authentication when users attempt to access sensitive resources or when risk signals indicate a potential threat. This feature enhances the existing authentication process by requiring multi-factor authentication (MFA) when needed, ensuring that access to high-risk or sensitive data is protected. Step-up authentication is a method that prompts users to reauthenticate with a higher assurance level (e.g., using MFA) when accessing specific resources. This process helps organizations verify user identity with greater certainty, ensuring that only authorized users can access sensitive applications or data. For example, if a user logs in with a username and password (a lower assurance level), they might still be asked to verify their identity via MFA (a higher assurance level) when accessing a sensitive resource, such as financial information or critical applications.

Step-up authentication in ZIdentity enables organizations to:

• Enhance Security: Protect sensitive resources by requiring stronger authentication methods when necessary.
• Provide Dynamic Risk-Based Access: Automatically adjust the level of authentication required based on user behavior or risk signals.
• Simplify Compliance: Meet regulatory requirements by ensuring high-assurance authentication for critical data access.

Use Cases for Step-Up Authentication

Step-up authentication is essential for organizations managing different access levels for users and resources. The following are common scenarios where Step-up authentication is useful:

• Sensitive Resource Access: When users attempt to access critical applications, step-up authentication prompts them to provide additional authentication, as defined by access policies configured in Zscaler Private Access (ZPA), which integrate with ZIdentity to enforce these policies.
• Increased Risk Detected: If the system detects that a user’s behavior is unusual or the environment changes (e.g., accessing from an unrecognized device or location), step-up authentication might be triggered to request a higher authentication level.
• Compliance Requirements: For regulatory reasons, certain data must be protected with MFA to ensure that only authorized users can access it.

How Does Step-Up Authentication Work

Step-up authentication is configured using authentication levels (e.g., AL1 to AL4), representing increasing authentication strength. These levels are hierarchical, where higher levels provide stronger assurance. The following sections outline the key steps in authentication with step-up authentication enabled:

1. User Attempts Access: The user logs in to ZIdentity with standard credentials (e.g., username and password).
2. Accessing a Sensitive Resource: When the user attempts to access a high-sensitivity resource (as defined by policies in ZPA), ZIdentity checks the required authentication level.
3. Step-Up Triggered: If the user’s current authentication level is insufficient (e.g., they logged in with a basic password), ZIdentity prompts the user to reauthenticate, typically using MFA via Zscaler Client Connector.
4. Access Granted: After the user successfully authenticates with the required level, access is granted.

Configuring Step-Up Authentication with ZIdentity

The following steps explain how to configure step-up authentication in ZIdentity:

• 1. Configure Authentication Levels in the ZIdentity Admin Portal
• 2. Configure Access Polices in Supported Zscaler services

  After configuring authentication levels in the ZIdentity Admin Portal, you need to configure access policies for applications or resources with the required authentication levels in ZPA. To learn more, see Configuring Access Policies.

  Close
• 3. Map Authentication Levels with External IdPs

  If you have configured external IdPs for authentication via the OIDC protocol, such as Entra ID or Okta, you need to map the authentication levels to their respective acr values in the IdP. To learn more about external IdPs, see About External Identity Providers.

  Close