
Don't forget to design step-up authentication

Sviatoslav Nytka, Senior Product Designer at TechMagic
TLDR: A logged-in session proves someone signed in once, not that the person acting right now is the account owner. For sensitive actions like changing an email or phone number, adding or removing MFA and passkeys, exporting data, or deleting the account, ask for a fresh proof of identity at the moment of the action. It's called step-up authentication, and it's what stops a hijacked session from quietly taking over an account.

Being logged in only tells the product you authenticated at some point, maybe on a session that's been alive for weeks, maybe on a device that's since been left unlocked on a desk. It doesn't tell the product that the person clicking right now is you.

Step-up authentication closes that gap. At the sensitive action, the product asks you to prove it's you again, with a password, a one-time code, or an MFA factor.

Victoria Shutenko, Security Engineer at TechMagic

The highest-priority actions are changes to recovery channels – email, phone, MFA. Those are the levers an attacker uses to lock the real owner out permanently, so they should always sit behind a fresh check. One detail products often get wrong: the verification factor must be the existing recovery channel, not the one being added. For example, when changing an email address, the verification code should be sent to the current email, not to the new email that is about to replace it.

A few more actions that can lock out the real owner or move data out of the account:

It’s also important that products handling sensitive data automatically log users out after a period of inactivity.

What actually protects credentials today

  1. Step up at the action, freshly. The proof should be close in time to the sensitive action, not inherited from a login hours or weeks ago.
  2. Provide users with alternative options to verify their identity, when possible, such as email, phone number, or password verification.
  3. Notify out of band. Send a message to a known channel after the change, so if it wasn't the owner, they find out.

  - Airbnb: step-up authentication by SMS, phone call, or email before a sensitive action continues.
  - GitHub: step-up authentication by email.
  - Atlassian: step-up authentication by password.
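The three rules above, plus the "send the code to the existing channel" detail from the security engineer's note and the inactivity logout, fit together in a small server-side flow. The following Python is an added example written for this article; it is not code from TechMagic or from any of the products named above. It assumes a session object that records when the user last proved identity (`last_verified_at`), a five-minute step-up grace window, a fifteen-minute inactivity timeout, and an in-memory `Outbox` standing in for a real mail service; all of those names and numbers are assumptions chosen for the example.

```python
"""Step-up authentication gate for an email-change action (added example).

Design being demonstrated:
  * a sensitive action requires identity proof within a short grace window,
    measured from the session's last_verified_at, not from login time;
  * the confirmation code goes to the CURRENT email (existing recovery
    channel), never to the address that is about to replace it;
  * after the change, the OLD address gets an out-of-band notification;
  * any request on a session idle for too long is rejected.
"""
from dataclasses import dataclass, field
from typing import Callable, List, Optional, Tuple
import hmac
import secrets

STEP_UP_GRACE_SECONDS = 5 * 60        # assumed: proof must be this fresh
INACTIVITY_TIMEOUT_SECONDS = 15 * 60  # assumed: idle sessions are logged out
CODE_TTL_SECONDS = 10 * 60            # assumed: confirmation code lifetime
MAX_CODE_ATTEMPTS = 5                 # assumed: lockout for guessed codes


class StepUpRequired(Exception):
    """Raised when the session's last identity proof is too old."""


class SessionExpired(Exception):
    """Raised when the session has been idle past the timeout."""


@dataclass
class Session:
    user_id: str
    last_activity_at: float
    last_verified_at: float  # last login or step-up, as a UNIX timestamp


@dataclass
class User:
    user_id: str
    email: str
    pending_email: Optional[str] = None
    pending_code: Optional[str] = None
    pending_code_expires: float = 0.0
    pending_attempts: int = 0


@dataclass
class Outbox:
    """Stand-in for a mail service; records (to, subject, body) tuples."""
    sent: List[Tuple[str, str, str]] = field(default_factory=list)

    def send(self, to: str, subject: str, body: str) -> None:
        self.sent.append((to, subject, body))


def touch(session: Session, now: float) -> None:
    """Reject idle sessions; otherwise record activity."""
    if now - session.last_activity_at > INACTIVITY_TIMEOUT_SECONDS:
        raise SessionExpired("session idle too long; log in again")
    session.last_activity_at = now


def require_recent_auth(session: Session, now: float,
                        max_age: float = STEP_UP_GRACE_SECONDS) -> None:
    """Gate for sensitive actions: proof must be fresh, not inherited from login."""
    if now - session.last_verified_at > max_age:
        raise StepUpRequired("re-authenticate before continuing")


def step_up_with_password(session: Session, user: User, password: str,
                          verify_password: Callable[[User, str], bool],
                          now: float) -> bool:
    """One step-up option; verify_password is the caller's password check."""
    if not verify_password(user, password):
        return False
    session.last_verified_at = now
    return True


def start_email_change(session: Session, user: User, new_email: str,
                       outbox: Outbox, now: float) -> bool:
    touch(session, now)
    require_recent_auth(session, now)
    code = f"{secrets.randbelow(10 ** 6):06d}"
    user.pending_email = new_email
    user.pending_code = code
    user.pending_code_expires = now + CODE_TTL_SECONDS
    user.pending_attempts = 0
    # The existing recovery channel verifies the change, not the new address.
    outbox.send(user.email, "Confirm your email change", f"Code: {code}")
    return True


def confirm_email_change(session: Session, user: User, code: str,
                         outbox: Outbox, now: float) -> bool:
    touch(session, now)
    if user.pending_code is None or now > user.pending_code_expires:
        return False
    user.pending_attempts += 1
    if user.pending_attempts > MAX_CODE_ATTEMPTS:
        user.pending_code = user.pending_email = None  # invalidate the code
        return False
    if not hmac.compare_digest(code, user.pending_code):
        return False
    old_email, user.email = user.email, user.pending_email
    user.pending_code = user.pending_email = None
    # Out-of-band notification to the channel the owner still controls.
    outbox.send(old_email, "Your email address was changed",
                f"Now {user.email}. If this wasn't you, contact support.")
    return True
```

The order inside `start_email_change` is the point: the inactivity check runs first, then the freshness check, and only then does the code leave the system, addressed to the current email. A hijacked session that has not recently proved identity stops at `StepUpRequired`; a session that does pass still cannot cut the owner out of the loop, because both the code and the after-the-fact notice go to the address the owner already controls.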

Bottom line

Put step-up authentication on the changes that matter, like recovery channels, MFA, data export, deletion. Keep a short grace window so it isn't constant, and tell the user out of band when it happens.