Traditional authentication treats every request the same: full verification, every time. But if a user's device, location, and session context haven't changed, why re-verify everything?
H33's incremental authentication takes a smarter approach. When only a small portion of the authentication context changes, we only verify the delta—delivering 4x+ faster re-authentication for typical updates.
The Delta Principle
When 5% of context changes, verify 5% of the authentication. Full security with a fraction of the compute.
How It Works
H33 tracks authentication context as a set of claims, each with its own verification status:
- Identity claims: User ID, email, phone number
- Device claims: Fingerprint, trusted device status
- Location claims: IP geolocation, network type
- Temporal claims: Session age, last activity
- Behavioral claims: Typing patterns, interaction style
When a request arrives, we compute the delta between current and previous context. Only changed claims require re-verification.
// Initial authentication - full verification
const initial = await h33.auth.fullStack({
  userId: 'user_123',
  context: fullContext
});

// Context update - only IP changed
const updated = await h33.auth.incrementalUpdate({
  sessionId: initial.sessionId,
  delta: {
    ipAddress: newIpAddress // Only this changed
  }
});
// Verifies just the location claim - much faster
Use Cases
Mobile users moving between networks: When a user switches from WiFi to cellular, only the network context changes. Incremental auth verifies the new IP without re-checking biometrics.
Permission escalation: User requests access to a sensitive resource. Incremental auth adds the permission claim without re-authenticating identity.
Session extension: User is still active but session is aging. Refresh temporal claims without full re-verification.
Security Model
Incremental authentication maintains full security through:
- Claim dependencies: Some claims require others to be fresh (e.g., location changes may require device re-verification)
- Risk scoring: High-risk deltas trigger full re-authentication
- Anomaly detection: Unusual delta patterns are flagged
- Claim expiration: All claims have TTLs requiring periodic refresh
When Full Auth is Triggered
Certain conditions always require full authentication:
- Session expired or invalidated
- Device fingerprint changed
- Geographic location moved significantly
- Risk score exceeds threshold
- Sensitive operation requested
- Explicit logout/re-login
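The decision logic from the two sections above, as an added example that is not H33's SDK or implementation: it computes the delta from server-observed context, applies claim TTLs and the location-to-device dependency, and falls back to full authentication on the listed triggers. The function name planReauth, the claim names, the TTL values and treating an identity change as a full-auth trigger are assumptions of this example; significant geographic moves and anomaly detection are not modeled.

```javascript
// Added example: NOT H33 SDK code. Claim names, TTLs and rules are assumptions.
const MIN = 60_000;
const CLAIM_TTL_MS = { identity: 60 * MIN, device: 30 * MIN, location: 15 * MIN };
const DEPENDS_ON = { location: ['device'] };   // changed claim -> claims refreshed with it
// 'device' is a trigger listed on the page; 'identity' is this example's assumption.
const FULL_AUTH_ON_CHANGE = new Set(['identity', 'device']);
const SENSITIVE_OPS = new Set(['transfer', 'delete', 'export']);
const RISK_THRESHOLD = 0.6;

const full = (reason) => ({ mode: 'full', reason, verify: Object.keys(CLAIM_TTL_MS) });

// session:  { expiresAt, invalidated, claims: { name: { value, verifiedAt } } }
// observed: claim values the server derived for this request, not a client-declared delta
function planReauth(session, observed, request, now) {
  if (!session || session.invalidated || now >= session.expiresAt) {
    return full('session expired or invalidated');
  }
  if (SENSITIVE_OPS.has(request.operation)) return full('sensitive operation');
  if (request.riskScore > RISK_THRESHOLD) return full('risk score exceeds threshold');

  const verify = new Set();
  for (const name of Object.keys(CLAIM_TTL_MS)) {
    const claim = session.claims[name];
    if (!claim) { verify.add(name); continue; }   // never verified: fail closed
    const changed = observed[name] !== claim.value;
    const stale = now - claim.verifiedAt >= CLAIM_TTL_MS[name];
    if (changed && FULL_AUTH_ON_CHANGE.has(name)) return full(`${name} changed`);
    if (changed || stale) verify.add(name);
    if (changed) for (const dep of DEPENDS_ON[name] || []) verify.add(dep);
  }
  const mode = verify.size ? 'incremental' : 'none';
  return { mode, reason: 'delta', verify: [...verify].sort() };
}

// Constructed sample session: every claim verified at t = 0.
const sampleSession = {
  expiresAt: 120 * MIN,
  invalidated: false,
  claims: {
    identity: { value: 'user_123', verifiedAt: 0 },
    device: { value: 'fp-aaa', verifiedAt: 0 },
    location: { value: '198.51.100.7', verifiedAt: 0 },
  },
};
const sameCtx = { identity: 'user_123', device: 'fp-aaa', location: '198.51.100.7' };
```

A missing or unrecognised value in the observed context counts as a change, so an absent claim is re-verified rather than silently trusted.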
Implementation
// Configure incremental auth behavior
const authConfig = {
  incrementalAuth: {
    enabled: true,
    maxDeltaAge: '15m', // How old can unchanged claims be
    riskThreshold: 0.6, // Trigger full auth above this
    sensitiveOperations: ['transfer', 'delete', 'export']
  }
};

// The SDK handles delta computation automatically
app.use(h33.middleware(authConfig));

// In your routes, auth is already incremental
app.post('/api/data', async (req, res) => {
  // req.auth contains current claims
  // Incremental updates happened automatically
});
The Performance Impact
For applications where user context is relatively stable between requests, incremental authentication delivers significant improvements. Most requests see only minor context changes, meaning most authentications can use the fast path.
Combined with session resume and proof caching, H33's intelligent authentication system minimizes redundant verification while maintaining complete security.