---
title: Re-authenticate Before Critical Changes
impact: HIGH
impactDescription: prevents unauthorized sensitive operations if a session is left unattended or hijacked
tags: authentication, critical, reauthentication, security, kotlin
---

## Re-authenticate Before Critical Changes

Even when a user holds a valid session, critical identity or financial changes must demand "fresh" proof of a credential (typically the current password, an OTP, or a biometric check) at the moment of the change. A session cookie or token only proves that someone logged in at some point; it does not prove that the person at the keyboard right now is the account owner. Requiring fresh authentication stops an attacker who has hijacked the session, or who has found a device unlocked, from turning a temporary foothold into permanent control of the account (changing the email or MFA settings, draining funds). Because the confirmation prompt is a second password or OTP entry point, protect it like the login form: rate limit and log failed attempts, and accept each OTP only once.

**Incorrect (no confirmation for critical actions):**

```kotlin
// `currentUserId` is assumed to be resolved from the security context (e.g. the
// authenticated principal); the session alone is what authorizes these calls.

// DANGEROUS: Deleting an account without confirming credentials
@PostMapping("/account/delete")
fun delete() {
    userService.delete(currentUserId)
}

// DANGEROUS: Changing email without verification
@PostMapping("/account/change-email")
fun changeEmail(@RequestBody req: EmailChangeRequest) {
    userService.updateEmail(currentUserId, req.newEmail)
}
```

**Correct (require current password or 2FA):**

```kotlin
import org.springframework.security.access.AccessDeniedException
import org.springframework.security.authentication.BadCredentialsException
import org.springframework.web.bind.annotation.PostMapping
import org.springframework.web.bind.annotation.RequestBody

@PostMapping("/account/delete")
fun delete(@RequestBody req: ConfirmationRequest) {
    // 1. Confirm the current password. verifyPassword must go through the same
    //    PasswordEncoder and lockout/rate-limit rules as the login endpoint.
    val isValid = authService.verifyPassword(currentUserId, req.currentPassword)
    if (!isValid) {
        throw BadCredentialsException("Invalid password for confirmation")
    }

    // 2. Record who initiated the change and when (assumed audit-log helper)
    logger.security("Account deletion initiated", "userId" to currentUserId)

    userService.delete(currentUserId)
}

// For systems with 2FA
@PostMapping("/account/change-email")
fun changeEmail(@RequestBody req: EmailChangeRequest) {
    // Require a TOTP/SMS code for sensitive changes. verifyCode must reject a code
    // that has already been accepted, or a captured code can be replayed within its window.
    if (!mfaService.verifyCode(currentUserId, req.totpCode)) {
        throw AccessDeniedException("Valid multi-factor authentication code required")
    }

    logger.security("Email change initiated", "userId" to currentUserId)
    userService.updateEmail(currentUserId, req.newEmail)
}
```
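As an added, self-contained example (not code from the original page or from Spring Security), the following Kotlin shows the machinery the endpoints above lean on: a step-up gate that turns one successful password or TOTP check into a short-lived, session-bound grant, locks the session after repeated failures, and accepts each TOTP time step only once so a captured code cannot be replayed. It uses only the JDK (PBKDF2 and HMAC-SHA1 from `javax.crypto`); the class and function names, the 5-minute freshness window and the demo credentials in `main()` are assumptions for illustration.

```kotlin
import java.nio.ByteBuffer
import java.security.MessageDigest
import java.time.Clock
import java.time.Duration
import java.time.Instant
import java.time.ZoneOffset
import javax.crypto.Mac
import javax.crypto.SecretKeyFactory
import javax.crypto.spec.PBEKeySpec
import javax.crypto.spec.SecretKeySpec

// Assumed exception for this example; a Spring app would throw AccessDeniedException instead.
class StepUpRequiredException(msg: String) : RuntimeException(msg)

// Turns one successful password or TOTP check into a short-lived, session-bound grant.
// Critical endpoints call requireFresh(); the grant expires after `freshness` and is
// consumed once the critical action has run, so a hijacked session cannot reuse it.
class StepUpGate(
    private val clock: Clock = Clock.systemUTC(),
    private val freshness: Duration = Duration.ofMinutes(5),
    private val maxFailures: Int = 5,
) {
    private val freshAuthAt = HashMap<String, Instant>()            // sessionId -> last proof
    private val failures = HashMap<String, Int>()                   // sessionId -> failed attempts
    private val usedTotpSteps = HashMap<String, MutableSet<Long>>() // userId -> accepted TOTP steps

    /** Re-check the current password (PBKDF2, constant-time compare) and record a fresh proof. */
    fun confirmWithPassword(sessionId: String, submitted: CharArray, salt: ByteArray, storedHash: ByteArray): Boolean {
        if (isLocked(sessionId)) return false
        val ok = MessageDigest.isEqual(pbkdf2(submitted, salt), storedHash)
        submitted.fill('\u0000') // do not keep the plaintext around longer than needed
        return record(sessionId, ok)
    }

    /** Verify a TOTP code (RFC 6238, 30 s step, +/-1 step skew); each step is accepted only once. */
    fun confirmWithTotp(sessionId: String, userId: String, secret: ByteArray, code: String): Boolean {
        if (isLocked(sessionId)) return false
        val now = clock.instant().epochSecond / 30
        val used = usedTotpSteps.getOrPut(userId) { HashSet() }
        val ok = (now - 1..now + 1).any { step ->
            step !in used &&
                MessageDigest.isEqual(totp(secret, step).toByteArray(), code.toByteArray()) &&
                used.add(step) // mark consumed so the same code cannot be replayed within the window
        }
        return record(sessionId, ok)
    }

    /** Call at the top of every critical endpoint. */
    fun requireFresh(sessionId: String) {
        val at = freshAuthAt[sessionId] ?: throw StepUpRequiredException("re-authentication required")
        if (Duration.between(at, clock.instant()) > freshness) {
            freshAuthAt.remove(sessionId)
            throw StepUpRequiredException("re-authentication expired")
        }
    }

    /** Drop the grant after the critical action so it is single-use. */
    fun consume(sessionId: String) { freshAuthAt.remove(sessionId) }

    private fun isLocked(sessionId: String) = failures.getOrDefault(sessionId, 0) >= maxFailures

    private fun record(sessionId: String, ok: Boolean): Boolean {
        if (ok) { failures.remove(sessionId); freshAuthAt[sessionId] = clock.instant() }
        else failures[sessionId] = failures.getOrDefault(sessionId, 0) + 1
        return ok
    }
}

fun pbkdf2(password: CharArray, salt: ByteArray): ByteArray =
    SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256")
        .generateSecret(PBEKeySpec(password, salt, 100_000, 256)).encoded

// RFC 6238 TOTP (6 digits) computed for an explicit time step.
fun totp(secret: ByteArray, step: Long): String {
    val mac = Mac.getInstance("HmacSHA1").apply { init(SecretKeySpec(secret, "HmacSHA1")) }
    val h = mac.doFinal(ByteBuffer.allocate(8).putLong(step).array())
    val o = h.last().toInt() and 0x0f
    val bin = ((h[o].toInt() and 0x7f) shl 24) or ((h[o + 1].toInt() and 0xff) shl 16) or
        ((h[o + 2].toInt() and 0xff) shl 8) or (h[o + 3].toInt() and 0xff)
    return (bin % 1_000_000).toString().padStart(6, '0')
}

fun main() {
    val clock = Clock.fixed(Instant.parse("2024-01-01T00:00:00Z"), ZoneOffset.UTC)
    val gate = StepUpGate(clock)
    // Constructed demo credentials, not real user data.
    val salt = ByteArray(16) { it.toByte() }
    val hash = pbkdf2("correct horse battery staple".toCharArray(), salt)
    val totpSecret = "12345678901234567890".toByteArray()
    val session = "sess-1"

    runCatching { gate.requireFresh(session) }.onFailure { println("blocked: ${it.message}") }
    check(!gate.confirmWithPassword(session, "wrong".toCharArray(), salt, hash))
    check(gate.confirmWithPassword(session, "correct horse battery staple".toCharArray(), salt, hash))
    gate.requireFresh(session) // passes: proof is fresh
    gate.consume(session)      // account deleted / email changed; grant is gone again
    val code = totp(totpSecret, clock.instant().epochSecond / 30)
    check(gate.confirmWithTotp(session, "user-1", totpSecret, code))
    check(!gate.confirmWithTotp(session, "user-1", totpSecret, code)) // replay of the same code is rejected
    println("step-up checks behaved as expected")
}
```

A controller would call `gate.requireFresh(sessionId)` before `userService.delete(...)` and `gate.consume(sessionId)` after it. The grant is keyed on the session rather than the user so that a stolen token which has never passed the confirmation step cannot inherit a proof made elsewhere, and the lockout counter lives on the same key so the confirmation prompt cannot be brute-forced any more freely than the login form.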

**Actions requiring re-authentication:**
- Changing passwords or security questions.
- Updating email addresses or MFA settings.
- Account deletion or deactivation.
- Modifying linked bank accounts or credit cards.
- Transferring large sums of money.

**Tools:** Spring Security (Step-up Auth), Ktor Auth, Manual Review, OWASP ASVS
