by baby 1958 days ago
Some websites also allow you to disable or rotate your 2FA creds if you're already logged in, without having to re-authenticate with your second authenticator.
1 comment

This seems a little dangerous since now the logged-in state (likely cookies, but maybe also hashed with identifiers like IP etc.) becomes considerably more valuable to steal.

I actually see the opposite done, where any changes to login-related things (passwords, 2FA keys) mandate a 2FA re-auth.

Heh, stealing a logged-in state is bad no matter what unless you're requiring re-auth on important operations. The risk of someone losing their second factor is much, much higher.
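The pattern the thread is arguing about, written out as an added example that is not from the original post or any named site: a session carries a timestamp of when the user last proved the second factor, and changing or rotating the 2FA secret is only allowed when that proof is recent (a "step-up" check). The contrasting function shows the weaker policy, where a stolen session cookie alone is enough to rotate the secret. The TOTP routine follows RFC 6238 (HMAC-SHA1, 30-second steps, 6 digits) so it can be checked against the RFC test vectors; the `Session` and `User` shapes, the 300-second re-auth window and the function names are assumptions made for this example.

```python
import base64
import hashlib
import hmac
import secrets
import struct
from dataclasses import dataclass

# Assumed policy: a second-factor proof older than this no longer counts
# as "recent" for sensitive account changes.
REAUTH_WINDOW_SECONDS = 300


def totp(secret_b32: str, for_time: float, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP over HMAC-SHA1 (the common authenticator-app default)."""
    key = base64.b32decode(secret_b32, casefold=True)
    counter = struct.pack(">Q", int(for_time) // step)
    digest = hmac.new(key, counter, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    truncated = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(truncated % (10 ** digits)).zfill(digits)


def new_totp_secret() -> str:
    """Fresh 160-bit secret, base32 for enrolment in an authenticator app."""
    return base64.b32encode(secrets.token_bytes(20)).decode()


@dataclass
class User:
    name: str
    totp_secret: str


@dataclass
class Session:
    """Hypothetical server-side session record behind a session cookie."""
    user: User
    created_at: float
    last_second_factor_at: float  # when this session last proved the 2nd factor


class ReauthRequired(Exception):
    """The operation needs a fresh second-factor proof on this session."""


class BadCode(Exception):
    """The submitted TOTP code did not verify."""


def step_up(session: Session, code: str, now: float) -> None:
    """Re-prove the second factor on an existing session (accepts +/-1 step
    of clock skew; a real service would also reject reuse of the same code)."""
    secret = session.user.totp_secret
    for t in (now - 30, now, now + 30):
        if hmac.compare_digest(totp(secret, t), code):
            session.last_second_factor_at = now
            return
    raise BadCode


def rotate_totp_secret_without_step_up(session: Session) -> str:
    """The policy criticised in the thread: possession of the session is
    enough to replace the second factor, so a stolen cookie locks the
    legitimate user out of their own 2FA."""
    session.user.totp_secret = new_totp_secret()
    return session.user.totp_secret


def rotate_totp_secret(session: Session, now: float,
                       window: float = REAUTH_WINDOW_SECONDS) -> str:
    """The stricter policy: refuse unless the second factor was proved on
    this session within `window` seconds."""
    if now - session.last_second_factor_at > window:
        raise ReauthRequired("prove the second factor again before rotating it")
    session.user.totp_secret = new_totp_secret()
    return session.user.totp_secret


if __name__ == "__main__":
    # Constructed scenario: a session that authenticated with 2FA long ago
    # (for example, a long-lived "remember me" cookie that was later stolen).
    alice = User("alice", new_totp_secret())
    stolen = Session(user=alice, created_at=0.0, last_second_factor_at=0.0)
    now = 86_400.0
    print("weak policy rotated to:", rotate_totp_secret_without_step_up(stolen))
    try:
        rotate_totp_secret(stolen, now)
    except ReauthRequired as e:
        print("strict policy refused:", e)
    step_up(stolen, totp(alice.totp_secret, now), now)  # only the real user can
    print("after step-up, rotated to:", rotate_totp_secret(stolen, now))
```

The check is deliberately tied to the session's own re-auth timestamp rather than to any global "last login" field on the account, so that a second, older session (the stolen one) cannot ride on a step-up the real user performed elsewhere.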