by g_p 1249 days ago
> maybe someone else here has a better idea why it is a good idea to require password and two-step authentication every twenty-four hours?

Not saying it's directly the answer here, but some distributed systems lack proper session blocking or revocation, as a session is a signed JWT or similar standalone token.

If the security decision makers favour a 24 hour guaranteed lockout, rather than risking someone whose access has been suspended having an old session still live, this could make sense from being able to know and show that access is always "gone" within 24 hours of blocking their ability to get a new token.
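The point above, worked through as an added example (not g_p's code and not from any project mentioned): a self-contained HMAC-signed token with an absolute expiry stands in for a JWT, the secret and timestamps are constructed for the demo, and `suspended` is an assumed server-side set of blocked users. Stateless verification cannot see a suspension, so an already-issued token keeps working until `exp`; the residual window is therefore bounded only by the token lifetime, which is exactly what a 24-hour re-authentication requirement guarantees. A denylist lookup is shown beside it as the revocation mechanism that closes the window sooner.

```python
import base64
import binascii
import hashlib
import hmac
import json

# Constructed demo secret; a real deployment would load this from a secret store.
SECRET = b"demo-signing-key-not-for-production"
TTL_SECONDS = 24 * 60 * 60  # the 24-hour lifetime discussed in the comment


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(user: str, issued_at: int, secret: bytes = SECRET, ttl: int = TTL_SECONDS) -> str:
    """Mint a standalone, HMAC-signed token that carries its own absolute expiry."""
    payload = {"sub": user, "iat": issued_at, "exp": issued_at + ttl}
    body = _b64(json.dumps(payload, separators=(",", ":"), sort_keys=True).encode())
    sig = _b64(hmac.new(secret, body.encode(), hashlib.sha256).digest())
    return f"{body}.{sig}"


def verify_stateless(token: str, now: int, secret: bytes = SECRET):
    """Check signature and expiry only, with no server-side lookup of any kind.
    Returns the payload dict on success, None otherwise."""
    try:
        body, sig = token.split(".")
        given_sig = _unb64(sig)
    except (ValueError, binascii.Error):
        return None
    expected = hmac.new(secret, body.encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, given_sig):
        return None
    payload = json.loads(_unb64(body))
    if now >= payload["exp"]:
        return None
    return payload


def verify_with_denylist(token: str, now: int, suspended: set, secret: bytes = SECRET):
    """Same checks, plus a consult of the (assumed) server-side suspension set.
    This is the revocation step the stateless path lacks."""
    payload = verify_stateless(token, now, secret)
    if payload is None or payload["sub"] in suspended:
        return None
    return payload


def residual_access_seconds(token: str, suspended_at: int, secret: bytes = SECRET) -> int:
    """Seconds a just-suspended user's existing token keeps working under stateless
    verification: bounded by exp, i.e. by the token lifetime and nothing else."""
    payload = verify_stateless(token, suspended_at, secret)
    if payload is None:
        return 0
    return payload["exp"] - suspended_at


if __name__ == "__main__":
    t0 = 1_700_000_000  # constructed issue time
    tok = issue_token("alice", t0)
    suspended = {"alice"}  # alice is blocked one hour after issue
    print(verify_stateless(tok, t0 + 2 * 3600) is not None)    # old session still live
    print(verify_with_denylist(tok, t0 + 2 * 3600, suspended))  # None: revoked
    print(residual_access_seconds(tok, t0 + 3600))              # 82800
```

Shortening `TTL_SECONDS` shrinks the residual window at the cost of more frequent re-authentication; adding the denylist removes the window but gives up the "no shared state on verify" property that made the token standalone in the first place.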