OWASP · mackowski · Aug 1, 2025 · Jun 20, 2025 · Jun 20, 2025 · Jun 25, 2025
@@ -85,6 +85,44 @@ The login page and all subsequent authenticated pages must be exclusively access
 
 In order to mitigate CSRF and session hijacking, it's important to require the current credentials for an account before updating sensitive account information such as the user's password or email address -- or before sensitive transactions, such as shipping a purchase to a new address. Without this countermeasure, an attacker may be able to execute sensitive transactions through a CSRF or XSS attack without needing to know the user's current credentials. Additionally, an attacker may get temporary physical access to a user's browser or steal their session ID to take over the user's session.
 
+### Reauthentication After Risk Events
+
+**Overview:**  
+Reauthentication is critical when an account has experienced high-risk activity such as account recovery, password resets, or suspicious behavior patterns. This section outlines when and how to trigger reauthentication to protect users and prevent unauthorized access. For further details, see the [Require Re-authentication for Sensitive Features](#require-re-authentication-for-sensitive-features) section.
+
+#### When to Trigger Reauthentication
+
+- **Suspicious Account Activity**  
+  When unusual login patterns, IP address changes, or device enrollments occur
+- **Account Recovery**  
+  After users reset their passwords or change sensitive account details
+- **Critical Actions**  
+  For high-risk actions like changing payment details or adding new trusted devices
+
+#### Reauthentication Mechanisms
+
+- **Adaptive Authentication**  
+  Use risk-based authentication models that adapt to the user's behavior and context
+- **Multi-Factor Authentication (MFA)**  
+  Require an additional layer of verification for sensitive actions or events
+- **Challenge-Based Verification**  
+  Prompt users to confirm their identity with a challenge question or secondary method
+
+#### Implementation Recommendations
+
+- **Minimize User Friction**  
+  Ensure that reauthentication does not disrupt the user experience unnecessarily
+- **Context-Aware Decisions**  
+  Make reauthentication decisions based on context (e.g., geolocation, device type, prior patterns)
+- **Secure Session Management**  
+  Invalidate sessions after reauthentication and rotate tokens—see the [OWASP Session Management Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/Session_Management_Cheat_Sheet.html)
+
+#### References
+
+- [OWASP Session Management Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/Session_Management_Cheat_Sheet.html)
+- OWASP ASVS – 2.2.2: Reauthentication requirements
+- NIST 800-63B: Digital Identity Guidelines – Authentication Assurance Levels
+
 ### Consider Strong Transaction Authentication
 
 Some applications should use a second factor to check whether a user may perform sensitive operations. For more information, see the [Transaction Authorization Cheat Sheet](Transaction_Authorization_Cheat_Sheet.md).

diff --git a/cheatsheets/Multifactor_Authentication_Cheat_Sheet.md b/cheatsheets/Multifactor_Authentication_Cheat_Sheet.md
@@ -435,6 +435,8 @@ If risk is detected, the system may:
 - Enforce re-authentication
 - Deny access and trigger alerting or account protection flows
 
+For more details on when to trigger reauthentication after high-risk events—such as account recovery or suspicious activity—see the [Reauthentication After Risk Events](Authentication_Cheat_Sheet.md#reauthentication-after-risk-events) section in the Authentication Cheat Sheet
+
 This method is widely used in modern authentication systems to balance usability and security. However, developers must ensure that risk signals cannot be spoofed and that fallback mechanisms are not weaker than the primary MFA methods.
 
 **Example Use Case**: A user logs in from a trusted device in a usual location — no additional prompt is needed. But if they log in from a new country using a Tor exit node, the system requires SMS verification or triggers an account lock until further verification.

@@ -252,6 +252,20 @@ The session ID regeneration is mandatory to prevent [session fixation attacks](h
 
 A complementary recommendation is to use a different session ID or token name (or set of session IDs) pre and post authentication, so that the web application can keep track of anonymous users and authenticated users without the risk of exposing or binding the user session between both states.
 
+### Reauthentication After Risk Events
+
+Web applications should require reauthentication after high-risk events such as:
+
+- Changes to critical user information (e.g., password, email address)
+- Login attempts from new or suspicious IP addresses or devices
+- Account recovery flows (e.g., password reset or compromised-account detection)
+
+For best practices on implementing reauthentication after these events, see the [Reauthentication After Risk Events](Authentication_Cheat_Sheet.md#reauthentication-after-risk-events) section in the Authentication Cheat Sheet
+
+### Additional Resources
+
+- [Why Frequent Reauthentication Can Be a UX Pitfall](https://tailscale.com/blog/frequent-reauth-security?lid=5wso20mx4knj) by Tailscale
+
 ### Considerations When Using Multiple Cookies
 
 If the web application uses cookies as the session ID exchange mechanism, and multiple cookies are set for a given session, the web application must verify all cookies (and enforce relationships between them) before allowing access to the user session.