I am one of those reporters who always point out the need for re-authentication when it comes to sensitive and confidential settings. What I am after is for the company to implement re-authentication on such settings.
Of course, on a password change page, re-authentication is necessary – that is, asking for the current password. But on other actions, such as changing the email address or deleting the account (depending on how the application works), some people simply ignore the risk.
The two scenarios I can think of where this becomes applicable are:
- An attacker manages to hijack an account (e.g. via XSS)
- A computer that is left unlocked and unattended
Would you trade the security of your application for usability? The risk is an account being taken over (via an email address change), credit card leakage, and any other confidential setting you can think of.
I believe security outweighs usability in such cases. Yes, it may hamper the usability of your application (a bit), but it increases your customers' security.
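To make the point concrete, here is an added example (not code from the original post or from any particular application) showing the weak pattern beside the hardened one: an email-change handler that accepts any valid session, and one that refuses unless the current password was confirmed within a short window. The account and session classes, the 5-minute window, and the PBKDF2 parameters are all constructed for illustration.

```python
"""Added example: requiring re-authentication before a sensitive account change.

Everything here (account/session classes, the 5-minute window, the hash
parameters) is a constructed illustration, not code from any real application.
"""
import hashlib
import hmac
import os
import time
from dataclasses import dataclass
from typing import Optional

# Hypothetical policy: a fresh password confirmation stays valid this long.
REAUTH_WINDOW_SECONDS = 300


def hash_password(password: str, salt: Optional[bytes] = None) -> tuple:
    """PBKDF2-SHA256 with a random salt (illustrative parameters)."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)
    return salt, digest


def verify_password(password: str, salt: bytes, expected: bytes) -> bool:
    """Constant-time comparison of the candidate digest against the stored one."""
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, expected)


@dataclass
class Account:
    email: str
    salt: bytes
    pw_digest: bytes


@dataclass
class Session:
    """A logged-in session; reauthenticated_at stays None until the password is confirmed."""
    account: Account
    reauthenticated_at: Optional[float] = None


class ReauthRequired(Exception):
    """Raised when a sensitive action is attempted without a recent re-authentication."""


def change_email_unprotected(session: Session, new_email: str) -> str:
    """The weak pattern: a valid session alone (stolen cookie, unattended
    machine) is enough to redirect the account's email address."""
    session.account.email = new_email
    return session.account.email


def reauthenticate(session: Session, password: str, now: Optional[float] = None) -> bool:
    """Confirm the current password and stamp the session with the time of confirmation."""
    now = time.time() if now is None else now
    if not verify_password(password, session.account.salt, session.account.pw_digest):
        return False
    session.reauthenticated_at = now
    return True


def change_email_protected(session: Session, new_email: str, now: Optional[float] = None) -> str:
    """The hardened pattern: refuse unless the password was confirmed recently."""
    now = time.time() if now is None else now
    stamp = session.reauthenticated_at
    if stamp is None or now - stamp > REAUTH_WINDOW_SECONDS:
        raise ReauthRequired("confirm your current password before changing the email address")
    session.account.email = new_email
    return session.account.email


def make_session(email: str, password: str) -> Session:
    """Helper for the demo: create an account and a logged-in session for it."""
    salt, digest = hash_password(password)
    return Session(Account(email, salt, digest))


if __name__ == "__main__":
    s = make_session("alice@example.com", "correct horse battery staple")
    try:
        change_email_protected(s, "attacker@example.com", now=1000.0)
    except ReauthRequired as e:
        print("blocked:", e)
    print("wrong password accepted:", reauthenticate(s, "guess", now=1000.0))
    print("right password accepted:", reauthenticate(s, "correct horse battery staple", now=1000.0))
    print("email now:", change_email_protected(s, "alice.new@example.com", now=1010.0))
```

The `now` parameter exists so the window check is deterministic in tests; in a real handler you would also bind the re-authentication stamp to the session identifier so that it cannot be carried over to a different session.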
I hope this helps you as an add-on to your bug report methodology.