REQ.141 Force re-authentication
The system must force users to re-authenticate, or invalidate the system session, once the user's state has changed (password change or recovery, lockouts, user deletion, etc.).
OWASP-ASVS v3.1-2.26 Verify that sensitive operations (e.g. change password, change email address, add new biller, etc.) require re-authentication (e.g. password or 2FA token). This is in addition to CSRF measures, not instead.
NIST 800-53 IA-11 Re-authentication: The organization requires users and devices to re-authenticate when [Assignment: organization-defined circumstances or situations requiring re-authentication].
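One way to meet this requirement, as an added example that is not part of the original requirement text or the cited standards: each session records a per-user state version, so any state change invalidates every session issued before it, and sensitive operations additionally require a recent re-authentication. The class name, method names and the 300-second window are assumptions chosen for illustration.

```python
import secrets
import time

REAUTH_WINDOW = 300  # seconds; assumed freshness window for sensitive operations


class SessionStore:
    """In-memory sessions bound to a per-user state version (illustrative)."""
    def __init__(self, clock=time.time):
        self._clock = clock
        self._user_version = {}  # user -> counter bumped on every state change
        self._sessions = {}      # token -> (user, version at issue, last auth time)

    def login(self, user):
        """Issue a session after a successful credential check (done elsewhere)."""
        token = secrets.token_urlsafe(32)
        version = self._user_version.setdefault(user, 0)
        self._sessions[token] = (user, version, self._clock())
        return token

    def user_state_changed(self, user):
        """Call on password change/recovery, lockout or user deletion."""
        self._user_version[user] = self._user_version.get(user, 0) + 1

    def validate(self, token):
        """Return the user for a live session, else None."""
        entry = self._sessions.get(token)
        if entry is None:
            return None
        user, version, _ = entry
        if version != self._user_version.get(user):
            del self._sessions[token]  # stale: issued before the state change
            return None
        return user

    def reauthenticate(self, token):
        """Record a fresh password/2FA check (verified elsewhere) for this session."""
        user = self.validate(token)
        if user is None:
            return False
        self._sessions[token] = (user, self._user_version[user], self._clock())
        return True

    def allow_sensitive(self, token):
        """Sensitive operations need a valid session and a recent authentication."""
        if self.validate(token) is None:
            return False
        return self._clock() - self._sessions[token][2] <= REAUTH_WINDOW
```

Bumping the per-user version invalidates all of that user's sessions at once without enumerating tokens, which also covers sessions held on other devices.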