The failed login attempt came from inside the network.
You open the logs. The access proxy has done its job, forwarding requests and application traffic. But the audit trail is incomplete unless it captures both the authentication step and the context that triggered it. Without detailed logs, step-up authentication becomes blind.
Logs from an access proxy must show the original request, the authentication state before escalation, the policy that triggered the step-up, and the session changes after it. This makes it possible to reconstruct incidents, trace user actions, and prove compliance. Each entry should contain the timestamp, source IP, HTTP method, requested resource, authentication method used, and the outcome.
Step-up authentication is only as strong as the visibility around it. A proxy that handles standard access control and also enforces multi-factor revalidation for sensitive endpoints must write those events to a tamper-proof log stream. Without this, attackers who gain initial access can escalate quietly.
The optimal setup pushes logs from the access proxy to a centralized log aggregation system in near real time. That system indexes every authentication event, step-up trigger, and proxy decision. Filtering for “step-up” gives defenders a clear list of high-risk actions. Cross-referencing with user IDs, session tokens, and device fingerprints turns logs into a map of trust transitions.
To rank and resolve problems fast, keep log formats structured—JSON works well. Include event type fields like auth_step_up_initiated and auth_step_up_passed. Alert on unusual sequences, such as repeated step-up failures followed by successful access from the same IP.
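The alert described above, as an added example rather than code from any particular proxy: it scans structured JSON log lines for repeated step-up failures followed by a pass from the same source IP. The `auth_step_up_failed` event name, the field keys, the threshold, and the time window are assumptions, and the log lines are constructed sample data.

```python
import json
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed names: only auth_step_up_initiated / auth_step_up_passed come from the
# article; auth_step_up_failed and the field keys are hypothetical.
FAIL, PASS = "auth_step_up_failed", "auth_step_up_passed"

# Constructed sample events, one JSON object per line, oldest first.
SAMPLE_LOG = """\
{"ts":"2024-05-01T10:00:00Z","event":"auth_step_up_initiated","src_ip":"10.0.4.17","user":"alice","method":"POST","resource":"/admin/keys","auth_method":"totp"}
{"ts":"2024-05-01T10:00:20Z","event":"auth_step_up_failed","src_ip":"10.0.4.17","user":"alice","method":"POST","resource":"/admin/keys","auth_method":"totp"}
{"ts":"2024-05-01T10:00:45Z","event":"auth_step_up_failed","src_ip":"10.0.4.17","user":"alice","method":"POST","resource":"/admin/keys","auth_method":"totp"}
{"ts":"2024-05-01T10:01:10Z","event":"auth_step_up_failed","src_ip":"10.0.4.17","user":"alice","method":"POST","resource":"/admin/keys","auth_method":"totp"}
{"ts":"2024-05-01T10:01:40Z","event":"auth_step_up_passed","src_ip":"10.0.4.17","user":"alice","method":"POST","resource":"/admin/keys","auth_method":"totp"}
{"ts":"2024-05-01T10:02:00Z","event":"auth_step_up_failed","src_ip":"10.0.9.30","user":"bob","method":"GET","resource":"/billing/export","auth_method":"webauthn"}
{"ts":"2024-05-01T10:02:30Z","event":"auth_step_up_passed","src_ip":"10.0.9.30","user":"bob","method":"GET","resource":"/billing/export","auth_method":"webauthn"}
{"ts":"2024-05-01T10:03:00Z","event":"auth_step_up_pas
""".splitlines()

def detect_fail_then_pass(lines, threshold=3, window=timedelta(minutes=10)):
    """Flag a step-up pass preceded by >= threshold failures from the same IP within window."""
    failures = defaultdict(deque)   # src_ip -> timestamps of recent failures
    alerts = []
    for lineno, raw in enumerate(lines, 1):
        try:
            ev = json.loads(raw)
            ts = datetime.fromisoformat(ev["ts"].replace("Z", "+00:00"))
            ip, kind = ev["src_ip"], ev["event"]
        except (ValueError, KeyError, TypeError, AttributeError):
            # A truncated or malformed entry is itself an audit gap: surface it.
            alerts.append({"alert": "unparseable_entry", "line": lineno})
            continue
        recent = failures[ip]
        while recent and ts - recent[0] > window:   # drop failures outside the window
            recent.popleft()
        if kind == FAIL:
            recent.append(ts)
        elif kind == PASS:
            if len(recent) >= threshold:
                alerts.append({"alert": "step_up_fail_then_pass", "src_ip": ip,
                               "user": ev.get("user"), "failures": len(recent),
                               "resource": ev.get("resource"), "ts": ev["ts"]})
            recent.clear()   # a pass resets the streak for this IP
    return alerts

if __name__ == "__main__":
    for a in detect_fail_then_pass(SAMPLE_LOG):
        print(json.dumps(a))
```

The function expects entries in timestamp order, which is what a centralized aggregator would normally deliver after indexing.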
Whether you use an open source access proxy or a managed service, prioritize full coverage. That means request logs, authentication logs, policy evaluation logs, and any external identity provider events linked to the proxy. Step-up authentication without these logs is a locked door without a record of who knocked.
See how to capture, stream, and search every step-up authentication event in your access proxy with hoop.dev—set it up and watch it live in minutes.