Introducing Step-up MFA: Protect your users’ critical actions

Multi-factor authentication (MFA or 2FA) is an incredibly important security measure. Every PropelAuth project can already provide MFA to its users, allowing them to secure their login flows.
However, login flows may not be the only thing that you want to protect. You may have other sensitive actions where you want to force the user to re-authenticate with 2FA.
Step-up Multi-Factor Authentication (also called transactional MFA) solves this problem: it allows you to add extra protection only when users perform critical or high-risk actions.

How does it work?
When your user initiates a sensitive action, confirm their identity by asking for a fresh TOTP code:
// Verify the user's TOTP code and get a grant
// (auth is your initialized PropelAuth server-side client)
const { stepUpGrant } = await auth.verifyStepUpTotpChallenge({
  userId,
  code: "123456",
  actionType: "WITHDRAW_FUNDS",
  grantType: "ONE_TIME_USE", // or TIME_BASED
  validForSeconds: 60
});
Use that grant to authorize just that specific action:
// Confirm the grant at the critical moment
await auth.verifyStepUpGrant({
  userId,
  actionType: "WITHDRAW_FUNDS",
  grant: stepUpGrant
});
This ensures each step-up grant is bound specifically to a user, action, and expiration—no room for misuse or replay.
Flexible for any workflow
With just those two APIs, you can power a number of different workflows, like:
Enter an MFA code on every action of this type
Your user is about to perform a very sensitive action. You don’t care if they just entered their MFA code 20 minutes ago, every time they do this action, they must re-enter the code.
Enter an MFA code to get access to a sensitive dashboard
Your user navigates to an admin-only panel which contains a few different sensitive actions. Instead of requiring them to enter a 2FA code on each action, you can gate their access to the page and generate a TIME_BASED grant.
They can then perform as many actions as they want until that grant expires.
Built-in Security Protections
Since this is built on top of our existing MFA support, it includes protections against common attacks like brute force or replay. Failed attempts will show up in our audit log so you can get a full view of what’s happening in your product.
You can also scope each grant to a specific action, so grants can only be used for the action they are protecting.
Ready to try it out?
Check out the documentation to give it a try, and as always, reach out at support@propelauth.com with any questions or feedback!