# Step-up Authentication using Push Notifications

{% hint style="warning" %}
Onboarding for CIBA is only for Government agencies and on a case-by-case basis.  
{% endhint %}

## Introduction

This guide illustrates the Step-up Authentication (Push Notifications) Flow and the APIs that Relying Parties (RP) need to integrate with.

The Step-up authentication feature can be employed in use-cases where RPs require their users to perform an additional layer of authentication before proceeding on with a **high-risk transaction**. This kind of authentication is done by triggering a push notification to the user’s Singpass Mobile Application.

RPs who are looking to opt-in for Step-up Authentication are required to integrate with Singpass operating in the **Client-initiated Backchannel Authentication (CIBA) Poll Mode** (see [CIBA specs](https://openid.net/specs/openid-client-initiated-backchannel-authentication-core-1_0.html#rfc.section.7)). Refer to this diagram for an overview of the CIBA authentication flow between an RP, Singpass and its dependencies.

<figure><img src="https://4204905545-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FE7FCbKTvZEx7uI8INZXT%2Fuploads%2FAjF2OPRhkzjBzKHje75F%2Fimage.png?alt=media&#x26;token=994c3461-0d5d-463e-9f59-c4d87a2e8bf5" alt=""><figcaption><p>CIBA Authentication Flow between RP, Singpass and its dependencies</p></figcaption></figure>