Security vs Usability – Reauthentication

I am one of those reporters who always points out the need for re-authentication when it comes to sensitive and confidential settings. What I am after is for the company to implement re-authentication on such settings.

Of course, on a password change page re-authentication is necessary, that is, providing the current password. But on other actions, such as an email address change or the deletion of an account (depending on how the application works), some people simply ignore the risk.

The two scenarios I can think of where this becomes applicable are when:

  1. An attacker manages to hijack an account (via XSS)
  2. A computer is left open

Would you trade the security of your application for usability? The risks include an account being taken over (email address change), credit card leakage, and any other confidential setting you can think of.

I believe security outweighs usability in such cases. Yes, it may hamper the usability of your application (a bit), but it increases your customers' security.
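To make the difference concrete, here is an added example (my own illustration, not code from the post or from any real application) of the pattern described above: a sensitive action such as an email change is refused unless the current password was confirmed within a short window, so a hijacked session or an unattended browser alone is not enough. The user store, session object and the five-minute window are constructed assumptions.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass

# Assumption: a password confirmation stays valid for 5 minutes for sensitive actions.
REAUTH_WINDOW_SECONDS = 300


def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)


@dataclass
class User:          # constructed in-memory stand-in for a user record
    email: str
    salt: bytes
    pw_hash: bytes


@dataclass
class Session:       # constructed stand-in for a server-side session
    user: User
    last_reauth: float = 0.0   # epoch seconds of the last password confirmation; 0 = never


def make_user(email: str, password: str) -> User:
    salt = os.urandom(16)
    return User(email, salt, _hash_password(password, salt))


def reauthenticate(session: Session, password: str, now: float) -> bool:
    """Confirm the current password and record the time; constant-time compare."""
    ok = hmac.compare_digest(_hash_password(password, session.user.salt), session.user.pw_hash)
    if ok:
        session.last_reauth = now
    return ok


def change_email_unprotected(session: Session, new_email: str) -> bool:
    """The risky version: holding a session cookie (XSS, open computer) is enough."""
    session.user.email = new_email
    return True


def change_email(session: Session, new_email: str, now: float) -> bool:
    """The protected version: refuse unless the password was confirmed recently."""
    if now - session.last_reauth > REAUTH_WINDOW_SECONDS:
        return False   # caller should prompt for the current password and retry
    session.user.email = new_email
    return True
```

The same check applies unchanged to account deletion or any other setting the post lists as sensitive.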

Hope this helps you as an add-on to your bug report methodology.