Currently reauthentication requires the same data as a normal login - typically, for a sensitive account, password and second factor. That's suboptimal for multiple reasons:
- Asking for the password + second factor regularly conditions users to enter both at once, which makes them easier to phish. Other authentication services like Google's account system defend against this by never asking for the password and the second factor together (except on a normal login), only one of them. That way, a phishing page that fakes the reauth process accurately does not get enough information to take over the account, and one that asks for all the data looks more suspicious.
- A second factor can only be used once, and only for a limited time, so someone who steals it can do limited damage. A password + second factor together can be used to disable 2FA and take arbitrary control of the account from there on. So when reauthentication happens in a context where an attacker can steal the credentials (temporary XSS, malware, a vulnerable network in the case of an HTTP-accessible site), asking for the password as well makes credential theft much more dangerous.
- If reauthentication happens often enough to be mildly inconvenient to the user, having to do both steps means twice the inconvenience.