Step-up re-authorization for sensitive actions
A government service that classifies each requested action by sensitivity and, for sensitive ones, pauses the agent and pushes a confirmation or re-authentication challenge to the citizen.
As agents act under a standing delegation, some of the actions they take will be sensitive or irreversible while most are routine: viewing a tax return status carries little risk, lodging an amended return carries a great deal. The difficulty is re-inserting a human decision point for the high-stakes actions without forcing the citizen to confirm every routine one.
For a high-stakes or irreversible action, an agency needs confidence that the citizen, not the agent alone, authorized this particular step, with the strength of that confirmation proportionate to what is at stake.
Step-up challenges via SMS or push notification exclude users without smartphones, and time-limited challenges penalize users who need more time, so a citizen who cannot meet the challenge is blocked from authorizing the action they intended. Keep the path open with multiple challenge channels (email, phone call, in-person at a shopfront), extended response windows (hours rather than minutes for non-time-critical actions), and a 'pre-approved actions' list the citizen configures during initial delegation setup to reduce interruptions for known-safe actions.
Each requested action is routed by its sensitivity into one of three branches: a low-risk action proceeds on the delegation token alone, a submission pauses for citizen confirmation, and an irreversible action requires step-up re-authentication.
No surface has been built yet; the approach above is the brief for one.
- Established Headline
For demanding stronger authentication at a sensitive action.
- Emerging
Applied to human-agent delegation in tax.
- Frontier
Applied to an AI agent that must confirm asynchronously.
Step-up authentication (NIST SP 800-63B alignment). Step-up authentication maps to NIST
Authentication Assurance Levels: a user at AAL1 (password only) is challenged to step up to
AAL2 (MFA) for sensitive actions. In OIDC this is implemented via acr_values or max_age
parameters in the authorization request. Common triggers: high-value transactions, access to
PII or medical records, account modifications.
Open Banking SCA requirements. PSD2 mandates Strong Customer Authentication for payment initiation and certain data access operations. The bank (not the TPP) performs the authentication challenge, ensuring the citizen, not the agent, confirms the action.
HMRC granular authorizations research (September 2024). HMRC published research (Report 754) exploring customer views on granular authorizations for tax agents. A key finding: HMRC is considering allowing customers to "restrict or control the tasks an agent can see or do within the account or on their behalf," including multiple-agent functionality (more than one agent authorized simultaneously) with different permission sets, directly analogous to an AI agent delegation model.
Step-up re-authorization is directly transferable. The pattern: the agent presents its delegation token; the service evaluates the requested action against a sensitivity classification; low-sensitivity actions (view, status check) proceed on the token alone; medium-sensitivity actions (submit, amend) interrupt the agent's flow and contact the citizen directly (push, SMS, email) for confirmation; and high-sensitivity actions (irrevocable decisions, large payments) require the citizen to re-authenticate at a higher assurance level and explicitly confirm.
The HMRC granular-authorization model shows this is already being designed for human tax agents, and extending it to AI agents is a natural step.
The open problem is latency. Step-up authentication in open banking works because the human is present at the keyboard. For an AI agent operating asynchronously, a step-up challenge introduces a delay the agent must handle gracefully: pause, notify the citizen, wait for confirmation, then resume.
The risk is an agent silently executing high-stakes, irreversible decisions en masse with no human in the loop. Forcing the citizen to re-authenticate and explicitly confirm such actions reintroduces a human decision point before harm is done.