Azareal / Gosora

Gosora is an ultra-fast and secure forum software written in Go that balances usability with functionality.
https://gosora-project.com/
GNU General Public License v3.0

Re-authentication #28

Open Azareal opened 6 years ago

Azareal commented 6 years ago

Certain actions like fiddling with 2FA or deleting an account or forum should require re-authentication, perhaps forcing them to authenticate through all their authentication methods (both password and 2FA, if they have 2FA enabled).

We don't want to annoy users too much though, so we should probably have a grace period after that where the system doesn't bother them as much, although it should still have an "Are you sure?" for deleting accounts.

Alternatively, we might want to force mods / admins to re-authenticate in order to access the Control Panel rather than ambushing them when they're doing one particular action, although the notion of the Control Panel might grow weak in the future, if we start exporting functionality out of there in favour of making the software friendlier and less filled with ceremony.

Perhaps a hybrid approach might work? Needs research.
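One way the policy proposed in the issue could be expressed, as an added example that is not part of the comment above and is not Gosora code: every enrolled factor must have been re-verified within a grace period before a sensitive action runs, and destructive actions still ask for confirmation inside that window. All type and function names and the 10-minute grace period are assumptions made for illustration.

```go
package main

import (
	"fmt"
	"time"
)

// All names here are hypothetical; none are taken from Gosora.
type Session struct {
	HasTOTP    bool
	PasswordAt time.Time // last successful password check
	TOTPAt     time.Time // last successful 2FA check
}

type Action struct {
	Sensitive     bool // needs a recent re-authentication
	AlwaysConfirm bool // "Are you sure?" even inside the grace period
}

const (
	GracePeriod = 10 * time.Minute // assumed value
	Allow       = "allow"
	NeedConfirm = "confirm"
	NeedReauth  = "reauth"
)

// fresh: verified within the grace period; zero or future stamps never count.
func fresh(t, now time.Time) bool {
	return !t.IsZero() && !t.After(now) && now.Sub(t) <= GracePeriod
}

// Decide requires every enrolled factor to be fresh for a sensitive action.
func Decide(s Session, a Action, confirmed bool, now time.Time) string {
	if !a.Sensitive {
		return Allow
	}
	if !fresh(s.PasswordAt, now) || (s.HasTOTP && !fresh(s.TOTPAt, now)) {
		return NeedReauth
	}
	if a.AlwaysConfirm && !confirmed {
		return NeedConfirm
	}
	return Allow
}

func main() {
	s := Session{HasTOTP: true, PasswordAt: time.Now().Add(-2 * time.Minute)}
	fmt.Println(Decide(s, Action{Sensitive: true}, false, time.Now()))
}
```

Entering the Control Panel can be modelled as one more `Sensitive` action, which gives the hybrid behaviour: re-authenticating at the panel entrance also covers the individual actions taken during the grace period.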