👟Step Up Authentication

What is step-up authentication and how does OTP Guard use it?

Step-up authentication is the process of requesting additional credentials before a high-risk operation, such as initiating a transaction - or in the case of OTP Guard, authorizing a Github pull request. OTP Guard is, at its core, a step-up authentication service for Github PRs.

The step-up credentials are usually a second authentication factor such as a TOTP code, but sites may sometimes ask for a password, email a special link, or similar.

In addition to the core mechanic of authorizing pull requests, OTP Guard uses step-up authentication to manage additional authenticators.

Adding and Deleting Authenticators on OTP Guard

The first authenticator for a Github organization can be registered on OTP Guard immediately. Registering any further authenticator requires a step-up with an existing authenticator; any existing authenticator will work for the step-up. Likewise, deleting an authenticator requires a step-up. It is recommended to always have multiple authenticators registered, of different types, in case access to one is lost.

The Cross-Device Problem: Stepping up with Platform Authenticators

Platform authenticators can be device-bound - meaning they exist only on the device they were created on. Device-bound authenticators present a challenge when trying to configure additional authenticators on different devices: how do you step up on a new device when the only authenticator exists on another device? There are a few ways to work around this:

  • Use a security key authenticator, which can be moved between devices.

  • Use a TOTP code from a registered TOTP authenticator.

  • (Not yet implemented) Use the QR code UI that some browsers offer (such as Chrome) for hybrid authentication.

  • (Not yet implemented) Step up on the old device, and generate an on-the-fly TOTP code that can be used on the new device.

Losing access to an authenticator

If you have lost access to all your authenticators and are unable to step up to create a new one, contact your Github organization administrator. They will have to delete all your existing authenticators, after which you can create a new one without having to step up.

Note that the administrator still has to step up with an authenticator of their own in order to delete someone else's.
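The registration, deletion and lost-access rules above, modelled as an added example (not OTP Guard's own code): a per-user registry where the first authenticator is added freely, every later change needs a step-up with any registered authenticator, and an administrator reset needs the administrator's own step-up. It assumes, for simplicity, that every authenticator is a TOTP secret and that the step-up proof is a (name, code) pair; the RFC 6238 TOTP function is standard, the registry and its rules are hypothetical.

```python
from __future__ import annotations
import hashlib, hmac, struct
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

def totp(secret: bytes, now: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1) for Unix time `now`."""
    counter = struct.pack(">Q", now // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

class StepUpRequired(Exception):
    """Raised when an operation needs a step-up that was missing or invalid."""

@dataclass
class AuthenticatorRegistry:
    """Authenticators one user has registered for one organization.
    Hypothetical model: every authenticator is a TOTP secret; only the
    page's rules (first one free, later changes need a step-up) are modelled."""
    authenticators: Dict[str, bytes] = field(default_factory=dict)

    def verify_step_up(self, proof: Optional[Tuple[str, str]], now: int) -> None:
        """Accept a (name, TOTP code) pair from any registered authenticator."""
        if proof is None:
            raise StepUpRequired("operation requires a step-up with an existing authenticator")
        name, code = proof
        secret = self.authenticators.get(name)
        if secret is None or not hmac.compare_digest(totp(secret, now), code):
            raise StepUpRequired("step-up failed")

    def register(self, name: str, secret: bytes, proof=None, now: int = 0) -> None:
        # The first authenticator is registered immediately; any later one needs a step-up.
        if self.authenticators:
            self.verify_step_up(proof, now)
        self.authenticators[name] = secret

    def delete(self, name: str, proof, now: int) -> None:
        # Deleting always needs a step-up, with any registered authenticator.
        self.verify_step_up(proof, now)
        del self.authenticators[name]

def admin_reset(admin: AuthenticatorRegistry, user: AuthenticatorRegistry, proof, now: int) -> None:
    """Lost-access recovery: the admin steps up with their *own* authenticator, then the
    user's registry is cleared so the user can register a fresh one with no step-up."""
    admin.verify_step_up(proof, now)
    user.authenticators.clear()
```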
