Step-up authentication: Re-verify users before high-risk operations
Blog post from WorkOS
AuthKit has added step-up authentication to address a common weakness of session-based access: once a user is signed in, every action in the session is trusted equally, regardless of its sensitivity. Step-up lets specific operations demand fresh verification without ending the existing session, so that actions such as opening an admin panel or changing billing details are performed by a user whose identity has just been confirmed. This matters for applications subject to SOC 2, HIPAA, or PCI-DSS, where re-verification before access to sensitive data is expected.

The release adds an auth_time claim on tokens recording the time of the last active authentication, a max_age parameter that forces re-authentication when the last authentication is older than the given threshold, and a hosted re-authentication flow. A successful step-up emits an authentication.reauthenticated event, and the WorkOS Node core SDK provides helpers to build authorization URLs carrying max_age and to check token freshness. The practical point for integrators is to base the freshness decision on auth_time rather than on a token's issuance time: a refresh can mint a new token without any user interaction, so only auth_time says when the user last proved who they are, and the check belongs on the server, in front of the sensitive operation, not in the client.
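The following is an added example of how the auth_time/max_age mechanism described above fits together on the relying-party side. It is illustrative code written for this page, not WorkOS's SDK or any code from the post; the helper names (decodeJwtPayload, needsStepUp, buildStepUpUrl, acceptStepUp), the authorization endpoint URL, and the sample token are assumptions constructed for the example. It follows the OIDC definitions of auth_time and max_age (where max_age=0 forces a fresh login).

```javascript
// Added example: a step-up freshness check built on the OIDC `auth_time`
// claim and `max_age` parameter. Not WorkOS SDK code; helper names and the
// sample token below are assumptions made for this illustration.

// Decode the payload of a compact JWT (header.payload.signature) WITHOUT
// verifying it. In production, verify the signature against the issuer's
// JWKS first and only then trust the claims; this helper only shows where
// `auth_time` lives in the token.
function decodeJwtPayload(token) {
  const parts = token.split(".");
  if (parts.length !== 3) throw new Error("not a compact JWT");
  return JSON.parse(Buffer.from(parts[1], "base64url").toString("utf8"));
}

// Decide whether a sensitive operation needs step-up. `auth_time` is when
// the user last actively authenticated; `iat` is only when this token was
// minted, and a refresh renews `iat` with no user interaction, so freshness
// must be judged on `auth_time`. A token with no `auth_time` is treated as
// stale: unknown age means re-authenticate.
function needsStepUp(claims, maxAgeSeconds, now = Math.floor(Date.now() / 1000)) {
  if (typeof claims.auth_time !== "number") return true;
  return now - claims.auth_time > maxAgeSeconds;
}

// Build an authorization URL that asks the provider to re-authenticate if
// the last authentication is older than `maxAgeSeconds` (OIDC `max_age`).
// `state` is where the caller records which sensitive action is pending.
function buildStepUpUrl(authorizeEndpoint, { clientId, redirectUri, maxAgeSeconds, state }) {
  const url = new URL(authorizeEndpoint);
  url.searchParams.set("response_type", "code");
  url.searchParams.set("client_id", clientId);
  url.searchParams.set("redirect_uri", redirectUri);
  url.searchParams.set("max_age", String(maxAgeSeconds));
  url.searchParams.set("state", state);
  return url.toString();
}

// After the step-up round trip, the new token must itself prove freshness:
// same subject, an `auth_time` that actually moved forward, and an age
// within `max_age`. Never accept the redirect happening as proof.
function acceptStepUp(oldClaims, newClaims, maxAgeSeconds, now) {
  if (newClaims.sub !== oldClaims.sub) return false; // a different user came back
  if (typeof newClaims.auth_time !== "number") return false;
  if (typeof oldClaims.auth_time === "number" &&
      newClaims.auth_time <= oldClaims.auth_time) return false; // no new authentication
  return !needsStepUp(newClaims, maxAgeSeconds, now);
}

// Constructed sample token (placeholder signature) for the demonstration:
// the user authenticated at t=1700000000 and the token was refreshed 55
// minutes later, so `iat` is recent but `auth_time` is old.
function sampleToken(payload) {
  const b64 = (o) => Buffer.from(JSON.stringify(o)).toString("base64url");
  return `${b64({ alg: "RS256", typ: "JWT" })}.${b64(payload)}.sig`;
}

function demo() {
  const now = 1700003300;
  const claims = decodeJwtPayload(
    sampleToken({ sub: "user_01", iat: 1700003300, auth_time: 1700000000 })
  );
  const stale = needsStepUp(claims, 300, now); // true: last login 55 min ago
  const url = buildStepUpUrl("https://issuer.example/oauth2/authorize", {
    clientId: "client_123",
    redirectUri: "https://app.example/callback",
    maxAgeSeconds: 300,
    state: "change-billing",
  });
  // Claims that would come back from the new id token after the hosted flow.
  const fresh = { sub: "user_01", iat: 1700003295, auth_time: 1700003290 };
  return { stale, url, accepted: acceptStepUp(claims, fresh, 300, now) };
}

module.exports = { decodeJwtPayload, needsStepUp, buildStepUpUrl, acceptStepUp, sampleToken, demo };
```

The server keeps the original session alive throughout: the only thing that changes is the gate in front of the sensitive operation, which compares auth_time to the policy's max_age on every request rather than once at login.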