---
title: Require Re-authentication for Critical Changes
impact: HIGH
impactDescription: adds a second layer of defense for highly sensitive actions
tags: security, authentication, zero-trust
---

## Require Re-authentication for Critical Changes

Require users to re-enter their current password before changing sensitive account data such as the password itself, the e-mail address or MFA settings. A session cookie alone should never be enough for these changes: if the session is hijacked or left open on a shared machine, the re-authentication step is what stops an attacker from locking the real owner out of the account.

**Incorrect (one-step sensitive change):**

```ruby
def update_email
  current_user.update(email: params[:email])
end
```

**Correct (re-auth required):**

```ruby
def update_email
  # valid_password? compares the submitted password against the stored hash,
  # so a stolen or unattended session is not enough to change the address.
  if current_user.valid_password?(params[:current_password])
    current_user.update(email: params[:email])
  else
    # Do not apply the change; send the user back to the form.
    flash[:error] = "Incorrect password"
    render :edit
  end
end
```
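The Rails snippet above leans on the framework for password checking and session handling. The following is an added, framework-free example (not code from the original page) that shows the same gate as plain Ruby, and goes one step further than the rule text: a successful re-authentication is remembered in the session for a short window (the "sudo mode" pattern), and repeated wrong passwords lock the gate so it cannot be brute-forced from a hijacked session. Password hashing uses PBKDF2 from Ruby's standard library purely to keep the example self-contained; the `User`, `Result`, `REAUTH_WINDOW` and `MAX_FAILED_REAUTHS` names are assumptions of this example, not part of any real application.

```ruby
require "openssl"
require "securerandom"

# Added example, not from the original page. A real application would use
# bcrypt/argon2 via Devise or has_secure_password; PBKDF2 is used here only
# so the example runs with the standard library alone.
REAUTH_WINDOW = 300          # seconds a successful re-auth stays valid
MAX_FAILED_REAUTHS = 5       # wrong passwords before the gate locks

User   = Struct.new(:email, :salt, :password_hash, :failed_reauths, keyword_init: true)
Result = Struct.new(:ok, :reason)

def hash_password(password, salt)
  OpenSSL::KDF.pbkdf2_hmac(password, salt: salt, iterations: 50_000,
                           length: 32, hash: "sha256")
end

# Constructed user for demonstration; salt and hash are generated on the fly.
def build_user(email, password)
  salt = SecureRandom.random_bytes(16)
  User.new(email: email, salt: salt,
           password_hash: hash_password(password, salt), failed_reauths: 0)
end

# Constant-time comparison so timing does not leak how many bytes matched.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).inject(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Verify the current password and, on success, stamp the session so further
# sensitive changes within REAUTH_WINDOW do not prompt again.
def reauthenticate!(session, user, password, now: Time.now)
  return Result.new(false, :locked) if user.failed_reauths >= MAX_FAILED_REAUTHS

  if password && secure_equal?(user.password_hash, hash_password(password, user.salt))
    user.failed_reauths = 0
    session[:reauthenticated_at] = now
    Result.new(true, :reauthenticated)
  else
    user.failed_reauths += 1      # counts nil (no password supplied) as a failure too
    Result.new(false, :bad_password)
  end
end

def recently_authenticated?(session, now: Time.now)
  ts = session[:reauthenticated_at]
  !ts.nil? && (now - ts) <= REAUTH_WINDOW
end

# The sensitive action: the e-mail only changes once the gate has been passed.
def update_email(session, user, new_email:, current_password: nil, now: Time.now)
  unless recently_authenticated?(session, now: now)
    result = reauthenticate!(session, user, current_password, now: now)
    return result unless result.ok
  end
  user.email = new_email
  Result.new(true, :updated)
end

if $PROGRAM_NAME == __FILE__
  user = build_user("owner@example.test", "correct horse battery")
  session = {}
  p update_email(session, user, new_email: "x@example.test")                 # no password: refused
  p update_email(session, user, new_email: "x@example.test",
                 current_password: "correct horse battery")                  # accepted
  p update_email(session, user, new_email: "y@example.test")                 # within window: accepted
end
```

The window is stored server-side in the session and checked against the request time, so a client cannot extend it; the failure counter lives on the user record, so a second hijacked session does not get a fresh set of guesses.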

**Tools:** Manual Review
---
