# Step Up Authentication

Step-up authentication is the process of requesting additional credentials before a high-risk operation, such as initiating a transaction or, in the case of OTP Guard, authorizing a GitHub pull request. OTP Guard is, at its core, a step-up authentication service for GitHub PRs.

The step-up credentials are usually a second authentication factor such as a [TOTP code](https://docs.otpguard.com/authenticator-types), but sites may sometimes ask for a password, email a special link, or similar.

In addition to the core mechanic of authorizing pull requests, OTP Guard uses step-up authentication to manage additional authenticators.

#### Adding and Deleting Authenticators on OTP Guard

The first authenticator for a GitHub organization on OTP Guard can be registered immediately. Registering any additional authenticator requires a step-up with an existing authenticator; any existing authenticator will work. Likewise, deleting an authenticator requires a step-up. It is recommended to always have multiple authenticators of different types registered, in case access to one is lost.

<figure><img src="https://1087776537-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FUy8uevMRurglHhNOtV6Y%2Fuploads%2F5ZWRVWi74IbX1ZpeOpjw%2Fimage.png?alt=media&#x26;token=d72fddce-e625-4122-b3ab-4d3588595564" alt="" width="375"><figcaption><p>Step-up authentication dialog when registering a new security key.</p></figcaption></figure>

**The Cross-Device Problem: Stepping up with Platform Authenticators**

Platform authenticators can be *device-bound*, meaning they exist only on the device they were created on. Device-bound authenticators present a challenge when trying to configure additional authenticators on different devices: how do you step up on a new device when the authenticator exists on another device? There are a few ways to work around this:

* Use a security key authenticator which can be swapped between devices.
* Use a TOTP code from a registered TOTP authenticator.
* (Not yet implemented) Use the QR code UI that some browsers offer (such as Chrome), for *hybrid* authentication.
* (Not yet implemented) Step up on the old device, and generate an on-the-fly TOTP code that can be used on the new device.

**Losing access to an authenticator**

If you have lost access to all your authenticators and are unable to step up to create a new one, contact your GitHub organization administrator. They will have to delete all your existing authenticators, and then you can create a new one without having to step up.

Note that the administrator still has to step up with an authenticator of their own in order to delete someone else's.
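
The registration, deletion and administrator-reset rules described on this page, sketched as an added Python example (this is not OTP Guard's own code). It assumes a per-user registry and TOTP authenticators only (RFC 6238, 30-second step); `AuthenticatorRegistry`, `StepUpRequired` and `admin_reset` are hypothetical names, and the replay check is an addition the page does not describe.

```python
import hashlib, hmac, struct

def totp(secret: bytes, at: float, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1) for the time step containing `at`."""
    mac = hmac.new(secret, struct.pack(">Q", int(at) // step), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

class StepUpRequired(Exception):
    """Raised when an operation needs a valid step-up and did not get one."""

class AuthenticatorRegistry:
    """Hypothetical model: user -> {authenticator name: TOTP secret}."""

    def __init__(self, admins):
        self.admins = set(admins)
        self.auths = {}
        self.used = set()  # (user, authenticator, time step) already accepted

    def _step_up(self, user, code, now):
        # Any of the user's own authenticators may satisfy the step-up.
        # One time step of clock drift is tolerated; a code is accepted once.
        for name, secret in self.auths.get(user, {}).items():
            for t in (now - 30, now, now + 30):
                key = (user, name, int(t) // 30)
                match = hmac.compare_digest(totp(secret, t).encode(), (code or "").encode())
                if match and key not in self.used:
                    self.used.add(key)
                    return True
        return False

    def add(self, user, name, secret, now, code=None):
        # The first authenticator needs no step-up; every later one does.
        if self.auths.get(user) and not self._step_up(user, code, now):
            raise StepUpRequired("adding another authenticator needs a step-up")
        self.auths.setdefault(user, {})[name] = secret

    def delete(self, user, name, now, code=None):
        if not self._step_up(user, code, now):
            raise StepUpRequired("deleting an authenticator needs a step-up")
        self.auths[user].pop(name)

    def admin_reset(self, admin, target, now, admin_code=None):
        # The administrator steps up with their own authenticator, not the target's.
        if admin not in self.admins or not self._step_up(admin, admin_code, now):
            raise StepUpRequired("administrator must step up with their own authenticator")
        self.auths.pop(target, None)  # target can now register without a step-up
```
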
