I want to add Step-Up authentication to my single-page web application that uses the Auth0 Lock widget.
The MFA should be triggered on a certain action, e.g. “Sign contract”.
In the Auth0 documentation I have found two ways to do that:
- scope: ‘openid step_up’ that is described here
- scope: ‘openid nonce’, acr_values: ‘http://schemas.openid.net/pape/policies/2007/06/multi-factor’ that I found in this example.
Could you please explain what the difference is and which one is preferable for a single-page web app?