Staged Authentication

This is called step-up authentication; I can't find any non-IBM references to it, but it has been discussed repeatedly in Identity Ecosystem Steering Group working group meetings. I've been less involved for the past year, but this was one of those topics that we all recognize as valuable, but not urgent. (So please, work on this, do the research and present a solution.)

I thought I recalled mention of this in NIST 800-63, but I can't find it right now. Closely related to your question is what NIST calls "multi-token authentication", where multiple independent tokens are used in tandem to achieve a higher level of assurance.

"The Claimant presents token authenticators generated by two or more tokens to prove his or her identity to the Verifier. The combination of tokens is characterized by the combination of factors used by the tokens (both inherent in the manifestation of the tokens, and those used to activate the tokens). A Verifier that requires a Claimant to enter a password and use a single-factor cryptographic device is an example of multi-token authentication. The combination is considered multi-factor, since the password is something you know and the cryptographic device is something you have." (NIST 800-63)

If you can't find anything on step-up authentication, you might look for people who are working in multi-token authentication.

I think I've also heard this referred to as dynamic authentication, but it appears that Visa has absorbed that term for a proprietary technique, so I would discard that as a search term.


I've never heard of specific, generally accepted terminology for it, but it's an application of the principle of least privilege.

I've seen applications that do this call it by various terms:

  • Linux: sudo/su
  • Windows: User Account Control (UAC)
  • Atlassian JIRA: websudo/secure administrator session
  • GitHub: Sudo Mode
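
A sketch of the pattern both answers describe, added here as an example and not taken from either answer or from any of the products listed: the session records which factors were verified and when, and sensitive actions require an extra factor that is still fresh. The action names, factor names and time limits are assumptions chosen for illustration.

```python
import time
from dataclasses import dataclass, field

BASE = {"password"}  # assumed base login factor; valid for the whole session

# Assumed policy: action -> (required factors, max age in seconds of each
# step-up factor). All names and limits here are illustrative.
POLICY = {
    "view_profile":   ({"password"}, None),
    "change_email":   ({"password", "otp"}, 300),
    "delete_account": ({"password", "otp"}, 60),
}

@dataclass
class Session:
    user: str
    clock: callable = time.monotonic              # injectable for testing
    factors: dict = field(default_factory=dict)   # factor -> time verified

    def record_factor(self, name):
        """Call only after the verifier has actually checked this factor."""
        self.factors[name] = self.clock()

    def drop_elevation(self):
        """Leave the elevated state early: keep only the base factor."""
        self.factors = {k: v for k, v in self.factors.items() if k in BASE}

def authorize(session, action):
    """Return (allowed, missing); missing = factors to prompt for again."""
    if action not in POLICY:
        return False, set()                       # default deny
    required, max_age = POLICY[action]
    now = session.clock()
    missing = set()
    for factor in required:
        verified_at = session.factors.get(factor)
        if verified_at is None:
            missing.add(factor)                   # never presented
        elif (factor not in BASE and max_age is not None
              and now - verified_at > max_age):
            missing.add(factor)                   # elevation expired
    return (not missing), missing
```

A caller that gets `(False, {"otp"})` prompts only for the missing factor instead of forcing a full re-login, which is what makes this step-up rather than re-authentication.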