If a user account is using OATHAuth, for actions such as PasswordReset, they should be made to enter a new OATHAuth token before being allowed to continue, similar to how phab has a "secure" mode for certain actions.
I'm not sure what else this may be appropriate for, but keeping it "extensible"/marking things as requiring reauth might be useful for some wikis for other sensitive actions...
Potentially things like viewing CheckUser stuff in a non-fresh session?
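
One way the requested behaviour could work, as an added sketch that is not MediaWiki or OATHAuth code: a per-action registry of how fresh the last second-factor check must be, and a gate that demands a new, unreplayed TOTP token when the session is too old. All names (`REAUTH_MAX_AGE`, `Session`, `authorize`) and the 300-second window are assumptions, and only the current time step is accepted to keep the sketch short.

```python
import hashlib, hmac, struct

# Hypothetical registry: action -> max seconds since the last second-factor check.
# 0 means a new token is required every time the action is performed.
REAUTH_MAX_AGE = {"PasswordReset": 0, "CheckUser": 300}
STEP = 30  # TOTP time step in seconds

def totp(secret, at, digits=6):
    """RFC 6238 TOTP (HMAC-SHA1) for the time step containing `at`."""
    mac = hmac.new(secret, struct.pack(">Q", int(at) // STEP), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

class Session:
    def __init__(self, secret, now):
        self.secret = secret                  # None: account has no second factor
        self.verified_at = now                # last successful second-factor check
        self.last_counter = int(now) // STEP  # assumed: login consumed this step's token

def needs_reauth(session, action, now):
    """True when `action` is registered and the last check is older than allowed."""
    max_age = REAUTH_MAX_AGE.get(action)
    if max_age is None or session.secret is None:
        return False
    return now - session.verified_at >= max_age

def authorize(session, action, now, token=None):
    """Allow `action`; a stale session must present a token from an unused time step."""
    if not needs_reauth(session, action, now):
        return True
    counter = int(now) // STEP
    if token is None or counter <= session.last_counter:
        return False                          # no token, or a replay of a used step
    if not hmac.compare_digest(token.encode(), totp(session.secret, now).encode()):
        return False
    session.verified_at, session.last_counter = now, counter
    return True

if __name__ == "__main__":
    key = b"constructed-demo-secret"          # constructed sample secret
    s = Session(key, 1000.0)
    print(authorize(s, "PasswordReset", 1100.0))                    # no token supplied
    print(authorize(s, "PasswordReset", 1100.0, totp(key, 1100.0)))  # new token supplied
```

Registering another sensitive action is one more entry in `REAUTH_MAX_AGE`, which is the "extensible" part of the request.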