Step-up authentication is an extra verification check added before a sensitive action is allowed. Instead of trusting the current session alone, a system may ask for a password re-entry, one-time code, device prompt, or biometric confirmation before changing recovery settings, viewing secrets, or issuing a reset token.
It matters because account recovery and other privilege-changing workflows are high-value targets. If an attacker has stolen a session, social-engineered a support agent, or abused an automated help flow, a step-up check can stop a low-friction request from turning into account takeover. Defensively, it is applied to actions that change identity state, not only to the login itself. Good implementations pair the step-up check with short-lived tokens, rate limits on failed attempts, and an alert to the legitimate owner; weak implementations, by contrast, let an ordinary session perform sensitive changes without re-verifying the user.
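The following is an added example, not code from the original page, showing the weak and the hardened form of the same sensitive action side by side. It assumes a simulated second-factor check (a callable that compares a code), an in-memory token store, and a list standing in for the owner-notification channel; the constants, class names and the `change_recovery_email` action are illustrative, not a real library's API.

```python
"""Added example: a step-up gate in front of an account-recovery change.
Assumptions (illustrative only): second-factor verification is a callable,
tokens live in memory, and `alerts` stands in for e-mail/push to the owner."""
import secrets
import time
from dataclasses import dataclass, field

STEP_UP_TOKEN_TTL = 120      # seconds a step-up token stays valid (assumed value)
MAX_FAILED_STEP_UPS = 5      # failed re-verifications before lockout (assumed value)
FAIL_WINDOW = 600            # seconds over which failures are counted (assumed value)


class StepUpRequired(Exception):
    """Sensitive action attempted without a fresh, matching step-up token."""


class StepUpLocked(Exception):
    """Session exceeded its budget of failed step-up attempts."""


@dataclass
class Session:
    user_id: str
    failures: list = field(default_factory=list)   # timestamps of failed step-ups


@dataclass
class StepUpToken:
    value: str
    session: Session
    action: str          # bound to exactly one sensitive action
    expires_at: float
    used: bool = False   # single use: replay is refused


class AuthService:
    def __init__(self, verify_second_factor, now=time.time):
        self.verify = verify_second_factor   # (user_id, code) -> bool, simulated here
        self.now = now                       # injectable clock for testing expiry
        self.tokens = {}                     # token value -> StepUpToken
        self.alerts = []                     # owner notifications (constructed stand-in)
        self.recovery_email = {}             # user_id -> recovery address

    def _failures_in_window(self, session):
        cutoff = self.now() - FAIL_WINDOW
        session.failures = [t for t in session.failures if t > cutoff]
        return len(session.failures)

    def request_step_up(self, session, code, action):
        """Re-verify the user; on success mint a short-lived token bound to `action`."""
        if self._failures_in_window(session) >= MAX_FAILED_STEP_UPS:
            self.alerts.append(f"{session.user_id}: step-up locked out")
            raise StepUpLocked()
        if not self.verify(session.user_id, code):
            session.failures.append(self.now())   # counts toward the rate limit
            return None
        token = StepUpToken(secrets.token_urlsafe(32), session, action,
                            self.now() + STEP_UP_TOKEN_TTL)
        self.tokens[token.value] = token
        return token.value

    def _consume(self, session, token_value, action):
        token = self.tokens.get(token_value)
        if (token is None or token.used or token.session is not session
                or token.action != action or self.now() > token.expires_at):
            raise StepUpRequired(action)
        token.used = True

    # Weak form: trusts the session alone, so a stolen session can rewrite recovery.
    def weak_change_recovery_email(self, session, new_email):
        self.recovery_email[session.user_id] = new_email

    # Hardened form: the same change gated by a fresh, single-use, action-bound token.
    def change_recovery_email(self, session, token_value, new_email):
        self._consume(session, token_value, "change_recovery_email")
        self.recovery_email[session.user_id] = new_email
        self.alerts.append(f"{session.user_id}: recovery email changed")


def outcome(fn, *args):
    """Return 'ok' or the name of the step-up exception fn(*args) raised."""
    try:
        fn(*args)
        return "ok"
    except (StepUpRequired, StepUpLocked) as exc:
        return type(exc).__name__


def demo():
    """Run the happy path plus a token replay; returns (stored email, replay_blocked)."""
    clock = [1000.0]
    svc = AuthService(lambda uid, code: code == "123456", now=lambda: clock[0])
    alice = Session("alice")                       # constructed session
    tok = svc.request_step_up(alice, "123456", "change_recovery_email")
    svc.change_recovery_email(alice, tok, "alice@example.test")
    replay = outcome(svc.change_recovery_email, alice, tok, "attacker@example.test")
    return svc.recovery_email["alice"], replay == "StepUpRequired"


if __name__ == "__main__":
    print(demo())
```

The token is checked on four axes (existence, single use, session binding and action binding) plus expiry, so a token minted for "view secrets" cannot be spent on a recovery change, and a token that leaks after use is worthless. Failed re-verifications are counted per session inside a sliding window, and both the lockout and the successful change write to the alert channel so the legitimate owner learns about the event.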