by jeroenhd 1857 days ago
90 days is such a silly time frame. It won't defend against passwords like Spring2018! (11 characters, capital letter, special character, yet completely predictable) and people will only pick easier passwords when they're forced to pick new ones.

Even Microsoft has stopped recommending regular password changes. I think password changes can certainly be necessary, for example when problems are found during an audit or when there are indications of abuse, but these old rules are making everyone's lives so much harder than they need to be. I hope the IRS will reconsider soon.

Google's method is quite advanced (different tiers of trust for different kinds of services). It makes total sense that you can search the web using an old session, but need to redo the whole 2FA flow if you want to change your password or recovery options. Unfortunately, working such a system out can be quite a challenge because it's hard to get the API segregated into the right trust levels without massively complicating the code flow.
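A sketch of the tiered-trust (step-up) session check the comment describes, added here as example code; it is not Google's implementation and not from the comment. The action-to-tier mapping, the 10-minute freshness window, the `Session` fields and the sample timestamps are all assumptions.

```python
"""Tiered-trust session checks: low-tier actions (search) accept an old
session; high-tier actions (password/recovery changes) require a recent 2FA."""
from dataclasses import dataclass, replace
from datetime import datetime, timedelta, timezone
from enum import IntEnum
from typing import Optional, Tuple


class Tier(IntEnum):
    LOW = 1    # read-only, low-impact actions
    HIGH = 2   # account-control actions


# Assumed policy: which actions sit in which trust tier.
ACTION_TIER = {
    "search": Tier.LOW,
    "change_password": Tier.HIGH,
    "change_recovery_email": Tier.HIGH,
}

# Assumed policy: a second factor counts as fresh for 10 minutes.
STEP_UP_WINDOW = timedelta(minutes=10)

# Constructed reference clock for the examples below.
NOW = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)


def minutes_ago(n: float, now: datetime = NOW) -> datetime:
    return now - timedelta(minutes=n)


@dataclass(frozen=True)
class Session:
    user: str
    authenticated_at: datetime            # primary login time
    mfa_verified_at: Optional[datetime]   # None if 2FA never completed


def authorize(session: Session, action: str, now: datetime = NOW) -> Tuple[bool, str]:
    """Decide whether this session may perform `action` right now."""
    tier = ACTION_TIER.get(action)
    if tier is None:
        return False, "unknown action: deny by default"
    if tier is Tier.LOW:
        return True, "ok"
    if session.mfa_verified_at is None:
        return False, "step-up required: complete 2FA"
    age = now - session.mfa_verified_at
    # A future timestamp (clock skew or tampering) is not treated as fresh.
    if age < timedelta(0) or age > STEP_UP_WINDOW:
        return False, "step-up required: 2FA not recent enough"
    return True, "ok"


def complete_step_up(session: Session, now: datetime = NOW) -> Session:
    """Record a successfully completed 2FA challenge on the session."""
    return replace(session, mfa_verified_at=now)
```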