
Step-up MFA for SAP - Smart safeguarding of SSO with MFA

Holger Huegel
Product Management Director
February 18, 2025
7 min read


In today’s Zero Trust enterprise IT security, Multi-Factor Authentication (MFA) is one of the most effective measures for safeguarding access to endpoints, systems and applications. The price of this elevated security, however, is a degraded user experience: MFA requires additional authentication steps that users often perceive as a redundant burden. This is felt most strongly in SAP environments, where Single Sign-On (SSO) is widely adopted to streamline the login process and the introduction of MFA heavily impacts the user experience.

Step-up MFA for SAP leverages the user and business process context to request an additional authentication factor only when the extra layer of security is actually needed, e.g. for elevated user actions or access to business-critical data. For the majority of users, who are no longer prompted for MFA on every login, the user experience improves significantly.

This allows Step-up MFA to safeguard SAP application access while preserving a good user experience.


What is Multi-Factor Authentication (MFA)?

Multi-Factor Authentication (MFA) is a security process that requires users to provide multiple forms of identity verification before they can access an endpoint, such as a Windows client, or an application, such as SAP. Rather than relying solely on a password, MFA combines something the user knows (e.g., a password), something the user has (e.g., a smartphone or security token), and something the user is (e.g., biometric data such as a fingerprint).


Advantages of MFA:

  1. Enhanced Security: By requiring multiple verification methods, MFA makes it significantly harder for attackers to gain unauthorized access to sensitive data and systems.

  2. Reduced Risk of Password Theft: Even if a password is compromised, MFA ensures that an attacker cannot access your SAP system without the second factor.

  3. Compliance with Regulations: Many industries and regulatory bodies require MFA as a mandatory security measure to protect sensitive data. MFA helps ensure compliance with standards like GDPR, HIPAA, and more.

  4. Protects Remote Workforces: As more users access SAP from different devices and locations, MFA ensures that only authorized users can log in, mitigating security risks associated with remote access.


What is Single Sign-On (SSO)?

Single Sign-On (SSO) for SAP is an authentication mechanism that allows users to log in (sign-on) once and gain seamless access to multiple SAP applications and systems without needing to re-enter credentials every time. This simplifies the login process by consolidating authentication into a single entry point, which is especially useful for enterprises that use several SAP solutions, such as SAP S/4HANA, SAP Fiori, SAP SuccessFactors, and more.

With SSO, users no longer need to maintain a separate password on every system. When the user logs in at the operating system level with their Microsoft account, SSO uses industry standards such as Kerberos, X.509 or SAML 2.0 to replace passwords with security tokens that the application server validates. While SSO creates convenience for the user, MFA is still required whenever an extra layer of security is needed or Zero Trust is part of the company’s security policy.

However, even when implemented correctly, MFA degrades the user experience that SSO provides.

Step-Up MFA dynamically adds an extra layer of security by requiring an additional authentication factor only when the system detects a higher level of risk. For example, if a user is accessing SAP from an unusual location, a new device, or attempting to access sensitive financial data, the system will trigger a secondary authentication factor to verify their identity.


Advantages of Step-Up MFA:

  1. Dynamic Risk Assessment: Step-Up MFA adapts based on context, increasing security during high-risk activities or access attempts. It ensures that only authorized individuals can access sensitive SAP data when risks are elevated.

  2. Granular Access Control: With Step-Up MFA, businesses can apply security measures more effectively by focusing on specific, high-risk actions or applications. For instance, accessing payroll data or financial reports may require additional authentication.

  3. Improved User Experience: Since Step-Up MFA is triggered only when necessary, it does not burden users with redundant authentication steps, ensuring that their day-to-day activities remain efficient while keeping sensitive operations highly secure.

  4. Proactive Threat Mitigation: With Step-Up MFA, businesses can detect and prevent unauthorized access before it becomes a problem, providing an added layer of defense against advanced threats and attacks.

Step-up MFA is critical for enhancing SAP security without adding unnecessary friction to low-risk activities. It should be applied dynamically based on user behavior, access patterns, transaction types, and risk factors to balance security and usability.


Use Cases

Potential use cases for Step-up MFA are:

  1. Accessing Sensitive Data 

    • A user tries to access Personally Identifiable Information (PII), financial records, HR data, or intellectual property. Step-up MFA ensures that only authorized personnel can access such data, even if their session is already active.

    • Example: Viewing payroll details in SAP HCM or financial transactions in SAP S/4HANA Finance. 

  2. Approving High-Value Transactions

    • A user attempts to approve or execute high-value payments, purchase orders, or financial transactions. Step-up MFA confirms the user’s identity before processing high-value financial actions, reducing fraud risks.

    • Example: A finance manager approving a $100,000 wire transfer in SAP Treasury Management. 

  3. Changing Security or System Configurations

    • An administrator wants to modify user permissions, security settings, or system configurations. Step-up MFA requests a second authentication factor before granting access to the configuration, preventing unauthorized elevated user actions or insider attacks.

    • Example: A user attempts to grant SAP Basis admin privileges or modify SAP authorization roles (SU01, PFCG).

  4. Accessing SAP from an Untrusted Device or Network

    • A user logs in from an unknown or non-corporate device, a new location, or a public Wi-Fi network. Step-up MFA ensures that only trusted users can access SAP from untrusted environments. 

    • Example: A remote employee logs in from a hotel Wi-Fi to access SAP S/4HANA.

  5. Executing Critical SAP Transactions

    • A user executes critical SAP transactions with significant impact. Step-up MFA validates the user’s identity before providing access to that transaction.

    • Example: Approving mass material movements in SAP MM, modifying supply chain logistics in SAP IBP, or finalizing a sales deal in SAP CRM.

  6. Accessing SAP Outside of Business Hours

    • A user logs into SAP outside normal working hours. Step-up MFA detects this unusual access attempt and requests an additional user identity confirmation, reducing the risk of compromised accounts.

    • Example: An employee attempts to log into SAP S/4HANA at 2 AM.

  7. Elevating Privileges Temporarily

    • A user requests temporary admin privileges for troubleshooting or emergency maintenance. Step-up MFA gets triggered as part of the Privileged Access Management (PAM) procedure, preventing the misuse of elevated privileges.

    • Example: An SAP administrator requests temporary access to SAP Basis transactions (SM21, ST22) or to a Firefighter ID to debug financial transactions.

  8. Logging into SAP with an Inactive Account

    • An SAP user account that hasn’t been used for a long time suddenly attempts to log in. Step-up MFA ensures that the reactivated account belongs to a legitimate user by invoking a second authentication factor.

    • Example: A former employee’s account, reactivated for an audit, attempts to access SAP GRC. 
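The use cases above amount to a risk policy evaluated on every request inside an already authenticated SSO session. The following Python sketch is an added example, not SecurityBridge code: it maps the use cases to risk signals (sensitive data, high-value amounts, the SU01/PFCG/SM21/ST22 transactions named above, untrusted networks, off-hours access, long-inactive accounts) and only re-prompts when no recent second factor covers the request. All thresholds, network names and the 15-minute reuse window are assumptions chosen for the example.

```python
from __future__ import annotations
from dataclasses import dataclass
from datetime import datetime, timedelta

# Policy thresholds mirroring the article's use cases; all values are assumptions for this example.
CRITICAL_TCODES = {"SU01", "PFCG", "SM21", "ST22"}  # use cases 3 and 7
SENSITIVE_DATA = {"PII", "FINANCE", "HR"}            # use case 1
HIGH_VALUE_LIMIT = 50_000                            # use case 2 (currency units)
TRUSTED_NETWORKS = {"corp-lan", "corp-vpn"}          # use case 4
BUSINESS_HOURS = range(7, 19)                        # use case 6 (local hours)
INACTIVE_AFTER = timedelta(days=90)                  # use case 8
STEP_UP_VALID_FOR = timedelta(minutes=15)            # a recent second factor is reused

@dataclass
class AccessContext:
    user: str
    when: datetime
    tcode: str = ""
    data_class: str = ""
    amount: float = 0.0
    network: str = "corp-lan"
    last_login: datetime | None = None

def step_up_reasons(ctx: AccessContext) -> list[str]:
    # Every risk signal that justifies a second factor; empty means SSO alone suffices.
    reasons = []
    if ctx.data_class in SENSITIVE_DATA:
        reasons.append("sensitive data")
    if ctx.amount >= HIGH_VALUE_LIMIT:
        reasons.append("high-value transaction")
    if ctx.tcode in CRITICAL_TCODES:
        reasons.append(f"critical transaction {ctx.tcode}")
    if ctx.network not in TRUSTED_NETWORKS:
        reasons.append("untrusted network")
    if ctx.when.hour not in BUSINESS_HOURS:
        reasons.append("outside business hours")
    if ctx.last_login is None or ctx.when - ctx.last_login > INACTIVE_AFTER:
        reasons.append("inactive account")
    return reasons

class StepUpPolicy:
    def __init__(self) -> None:
        self._verified: dict[str, datetime] = {}  # user -> time of last successful step-up
    def decide(self, ctx: AccessContext) -> tuple[bool, list[str]]:
        reasons = step_up_reasons(ctx)
        recent = self._verified.get(ctx.user)
        if reasons and recent and ctx.when - recent <= STEP_UP_VALID_FOR:
            return False, reasons  # risk present, but a fresh second factor already covers it
        return bool(reasons), reasons
    def record_success(self, user: str, when: datetime) -> None:
        self._verified[user] = when
```

The returned reason list is what a defender wants logged alongside the MFA prompt, since it explains why a given SSO session was challenged.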


Securing SAP Without Compromising Usability

Businesses must strike a balance between security and user experience. Step-Up MFA enables organizations to enhance SAP security dynamically, without disrupting daily operations. By leveraging contextual risk assessments, companies can ensure strong authentication only when needed, preserving productivity while safeguarding sensitive data.

🔐 Contact us to see how SecurityBridge can enhance your SAP security strategy!