by jabbany 1957 days ago
This seems a little dangerous since now the logged-in state (likely cookies but maybe also hashed with identifiers like IP etc.) becomes considerably more valuable to steal.

I actually see the opposite done, where any changes to login-related things (passwords, 2fa keys) mandate a 2fa re-auth.

1 comments

Heh, stealing a logged state is bad no matter what unless you’re requiring re-auth on important operations. The risk of one losing their second factor is much, much higher.