**Why**: Multi-factor authentication requires
confirmation of all factors before changing any single
factor.

**How**: Implement a ?reauthn=true param on top of the usual
MFA flow, and protect all the relevant controllers
with `confirm_recently_authenticated` before action. An authentication
window (default 30 seconds) is defined, within which changes
can be made w/o requiring re-authentication. This allows
the user to log in and immediately change factor(s) without
needing to immediately re-authenticate.

**Why**: PII is encrypted with the user password.
When the password changes, so must the encryption.