Some actions like changing the password or the email address require elevated security. The old approach was to plug in a password field into whatever form was responsible for the action, and then maybe provide a hook for extensions which provide extra authentication security (such as two-factor). This assumed that the user has a password (not necessarily true with AuthManager) and would have led to a profileration of hooks if more actions start using elevated security, so AuthManager tried a different approach.
That approach consists of calling AuthManager::securitySensitiveOperationStatus(<operation>) (there are various helpers to do this such as SpecialPage::getLoginSecurityLevel) which would return "ok" or "denied" or "needs reauthentication", based on site configuration. (Currently that configuration specifies max acceptable time since last login.) If it returns "ok", the user is allowed to do the action, without any extra password field.
This system could use more consideration. (Per @csteipp: For security, I'd like to talk about the change password form more, and maybe do a followup at some point. I don't like that a session hijacking can lead to password loss, even if the time is limited. https://gerrit.wikimedia.org/r/#/c/240052/96)