We require reauthentication for security-sensitive operations; that gets annoying if we use it for a lot of things, and extra annoying for people who have more secure logins (e.g. long random passwords they need to look up in a password manager, or two-factor authentication). We should make it possible for providers to act differently during reauthentication (some ideas here) and make reauthentication shorter:
- no need for login captcha (where enabled)
- maybe no need for second factor?
- or maybe when there is a second factor no need for the password?