# Step Up Authentication

Step-up authentication is the process of requesting additional credentials before a high-risk operation, such as initiating a transaction or, in the case of OTP Guard, authorizing a GitHub pull request. OTP Guard is, at its core, a step-up authentication service for GitHub PRs.

The step-up credentials are usually a second authentication factor such as a [TOTP code](https://docs.otpguard.com/authenticator-types), but sites may sometimes ask for a password, email a special link, or similar.

In addition to the core mechanic of authorizing pull requests, OTP Guard uses step-up authentication to manage additional authenticators.

#### Adding and Deleting Authenticators on OTP Guard

The first authenticator for a GitHub organization on OTP Guard can be registered immediately. Each additional authenticator after the first requires a step-up with an existing authenticator; any existing authenticator will work. Likewise, deleting an authenticator requires a step-up. It is recommended to always have multiple authenticators of different types registered, in case access to one is lost.

<figure><img src="https://1087776537-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FUy8uevMRurglHhNOtV6Y%2Fuploads%2F5ZWRVWi74IbX1ZpeOpjw%2Fimage.png?alt=media&#x26;token=d72fddce-e625-4122-b3ab-4d3588595564" alt="" width="375"><figcaption><p>Step-up authentication dialog when registering a new security key.</p></figcaption></figure>

**The Cross-Device Problem: Stepping up with Platform Authenticators**

Platform authenticators can be *device-bound*, meaning they exist only on the device they were created on. Device-bound authenticators present a challenge when configuring additional authenticators on a different device: how do you step up on a new device when the authenticator exists on another one? There are a few ways to work around this:

* Use a security key authenticator which can be swapped between devices.
* Use a TOTP code from a registered TOTP authenticator.
* (Not yet implemented) Use the QR code UI that some browsers offer (such as Chrome), for *hybrid* authentication.
* (Not yet implemented) Step up on the old device, and generate an on-the-fly TOTP code that can be used on the new device.

**Losing access to an authenticator**

If you have lost access to all your authenticators and are unable to step up to create a new one, contact your GitHub organization administrator. They will have to delete all your existing authenticators, and then you can create a new one without having to step up.

Note that the administrator still has to step up with an authenticator of their own in order to delete someone else's.
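
The add, delete and recovery rules above, modelled as an added Python example (this is not OTP Guard's code). `Registry`, its methods and `verified_id` are hypothetical names; the example assumes authenticators are tracked per user and that the step-up proof itself (TOTP code, security key assertion) was validated before these calls.

```python
# Added illustration of this page's step-up rules; all names are hypothetical.
from dataclasses import dataclass, field


class StepUpRequired(Exception):
    """The operation needs a step-up with one of the actor's own authenticators."""


@dataclass
class Registry:
    admins: set = field(default_factory=set)
    authenticators: dict = field(default_factory=dict)  # owner -> {id: type}

    def _require_step_up(self, actor, verified_id):
        # verified_id: the authenticator the actor just proved possession of.
        if verified_id is None or verified_id not in self.authenticators.get(actor, {}):
            raise StepUpRequired(actor)

    def add(self, user, auth_id, auth_type, verified_id=None):
        owned = self.authenticators.setdefault(user, {})
        if owned:  # only the first registration is exempt from step-up
            self._require_step_up(user, verified_id)
        owned[auth_id] = auth_type

    def delete(self, actor, owner, auth_id, verified_id=None):
        if actor != owner and actor not in self.admins:
            raise PermissionError(f"{actor} may not delete {owner}'s authenticators")
        self._require_step_up(actor, verified_id)  # admins step up with their own
        del self.authenticators[owner][auth_id]


def recovery_demo():
    """Constructed scenario: bob loses his only authenticator, admin alice resets him."""
    reg = Registry(admins={"alice"})
    reg.add("alice", "alice-key", "security-key")  # first one: no step-up needed
    reg.add("bob", "bob-laptop", "platform")       # first one: no step-up needed
    log = []
    try:
        reg.add("bob", "bob-totp", "totp")         # second one without step-up
    except StepUpRequired:
        log.append("bob blocked")
    try:
        reg.delete("alice", "bob", "bob-laptop", verified_id="bob-laptop")
    except StepUpRequired:
        log.append("alice cannot use bob's authenticator")
    reg.delete("alice", "bob", "bob-laptop", verified_id="alice-key")
    reg.add("bob", "bob-totp", "totp")             # bob has none left: allowed
    log.append(sorted(reg.authenticators["bob"]))
    return log
```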

