by Wowfunhappy 1097 days ago
> If weak password hashes were leaked, then the passwords need to be changed too. Increasing the rounds doesn't prevent attacks on the previously leaked weak hashes. Maybe they expect everyone already did that but some people did it before they increased the hash rounds?

I assumed they were just increasing the rounds as a general good practice. The best time to plant a tree was ten years ago, the second best time is now, and all that.


If it is just a regular rounds increase, why force an immediate re-auth on all users? It would be way more user-friendly to just wait 6 months or so for natural re-auths to occur, and only do a forced re-auth on the few remaining users afterwards.
From a user experience perspective, this would be the way.

At some point, at the company I work for, we decided to change hashing algorithms, and we did it on the fly when users authenticated again. Users were happy, we were happy.

But as someone already said here, there's a high probability that the OTP seeds were stolen, so that's why they are doing this forced reset for MFA re-enrollment.
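The on-the-fly upgrade described in the comment above, as an added example that is not from any commenter: a login is verified at the cost stored in the record, and only a correct password whose record is below the current target yields a new record for the caller to store. The `pbkdf2_sha256$iterations$salt$hash` record format and the PBKDF2 parameters are assumptions chosen for the example.

```python
import base64
import hashlib
import hmac
import os

# Assumed record format (constructed for this example):
#   pbkdf2_sha256$<iterations>$<salt_b64>$<hash_b64>
ALGORITHM = "pbkdf2_sha256"
TARGET_ITERATIONS = 600_000  # current policy; raising this "increases the rounds"


def hash_password(password: str, iterations: int = TARGET_ITERATIONS) -> str:
    """Derive a new record with a fresh random salt at the given cost."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return "$".join([ALGORITHM, str(iterations),
                     base64.b64encode(salt).decode(),
                     base64.b64encode(digest).decode()])


def verify_and_upgrade(password: str, record: str,
                       target: int = TARGET_ITERATIONS):
    """Check a login attempt against the stored record.

    Returns (ok, new_record). new_record is None unless the password was
    correct AND the stored cost is below the current target; in that case
    the caller overwrites the stored record with it. Old records are
    verified at their own stored iteration count, so they stay usable until
    the user's next login upgrades them. As the thread notes, this helps
    only records that have not already been leaked at the weaker cost.
    """
    algorithm, iters, salt_b64, hash_b64 = record.split("$")
    if algorithm != ALGORITHM:
        return False, None
    iterations = int(iters)
    salt = base64.b64decode(salt_b64)
    expected = base64.b64decode(hash_b64)
    actual = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    if not hmac.compare_digest(actual, expected):
        return False, None                      # wrong password: never rehash
    if iterations >= target:
        return True, None                       # already at current policy
    return True, hash_password(password, target)  # transparent upgrade


def iterations_of(record: str) -> int:
    """Read the cost parameter back out of a stored record."""
    return int(record.split("$")[1])
```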