
Tie reauthentication (login with elevated security) to a specific security level
Open, Medium, Public

Description

Currently when a user logs in (or reauthenticates) the login timestamp gets stored and elevated security checks just verify that that timestamp was less than $wgReauthenticateTime seconds ago. This is somewhat insecure - an attacker can wait for the user to do something mildly sensitive, then take over the account and use it for something very sensitive. It would be better if every different action type (security level) would require separate reauthentication.

This would require exposing the security level of the ongoing reauthentication to the auth framework, which is a good thing in general (as it would go a long way towards T197153: Make some providers optional for reauthentication).
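
A simplified model of the two checks discussed in this task, added here as an illustration and not MediaWiki's own code. `SessionModel`, its methods, the security level names and the 300-second window are assumptions, as is the choice that a plain login elevates no level.

```php
<?php
// Simplified model, not MediaWiki code: all class, method and level names are hypothetical.
const REAUTH_TIME = 300; // stands in for $wgReauthenticateTime (seconds); value is constructed

final class SessionModel {
    /** Time of the last login or reauthentication (the behaviour described in the task). */
    public ?int $lastAuth = null;
    /** @var array<string,int> security level => time of the last reauthentication for it */
    public array $lastAuthByLevel = [];

    // A plain login refreshes the single timestamp; in this model it elevates no level.
    public function login(int $now): void {
        $this->lastAuth = $now;
    }

    // Reauthentication triggered by an action of the given security level.
    public function reauthenticate(string $level, int $now): void {
        $this->lastAuth = $now;
        $this->lastAuthByLevel[$level] = $now;
    }

    // Current check: any sufficiently recent authentication satisfies every level.
    public function isElevatedGlobal(int $now): bool {
        return $this->lastAuth !== null && $now - $this->lastAuth < REAUTH_TIME;
    }

    // Proposed check: only a recent reauthentication for this exact level counts.
    public function isElevatedFor(string $level, int $now): bool {
        $t = $this->lastAuthByLevel[$level] ?? null;
        return $t !== null && $now - $t < REAUTH_TIME;
    }
}

$t0 = 1700000000; // constructed timestamp
$s = new SessionModel();
$s->login($t0 - 3600);                   // ordinary login an hour earlier
$s->reauthenticate('ChangeEmail', $t0);  // user confirms a mildly sensitive action

// The same session one minute later, evaluated under each policy.
$later = $t0 + 60;
$checks = [
    'global timestamp, any action'       => $s->isElevatedGlobal($later),
    'per-level, ChangeEmail'             => $s->isElevatedFor('ChangeEmail', $later),
    'per-level, ChangeCredentials'       => $s->isElevatedFor('ChangeCredentials', $later),
    'per-level, ChangeEmail after window' => $s->isElevatedFor('ChangeEmail', $t0 + REAUTH_TIME),
];
foreach ($checks as $label => $elevated) {
    printf("%-38s %s\n", $label, $elevated ? 'elevated' : 'reauthentication required');
}
```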