Auth21 Perspective

Login proves identity. Who proves intent for this action?

OAuth answers who the user is. Step-up at login still does not answer whether they authorized this transfer, this deletion, or this device bind right now.

Most platforms still treat security as a one-time event at session start. In practice, sensitive actions need a separate layer: reusable, auditable verification tied to the operation context — not just the login form.

Further reading