On the profile page in Home Assistant you are required to re-enter your password in order to change it. This makes sense and is a general good security practice.
However, there are other options on the same page that are almost as dangerous and don’t have this protection. Specifically, users should be required to re-enter their password to generate a long-term access token, as this allows nearly complete access to the account on that system (and lasts forever unless manually expunged). Changing two-factor authentication settings (enabling or disabling) also seems like it should require password re-entry to proceed.
I think HA should require users to re-enter their current password in order to change these options as well.
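
The gate requested above, sketched as an added example (not part of the original post and not Home Assistant's code): the three profile actions named in the post are refused unless the current password was re-entered shortly beforehand. The action names, the 300-second window, the single-use rule and the PBKDF2 parameters are all assumptions made for illustration.

```python
import hashlib
import hmac
import time

# Hypothetical action names for the three profile options the post lists.
SENSITIVE = {"change_password", "create_long_lived_token", "change_mfa"}
REAUTH_WINDOW = 300  # seconds a password re-entry stays valid (assumed value)


def hash_password(password: str, salt: bytes) -> bytes:
    # PBKDF2 stands in for whatever password hash the real system uses.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class ReauthRequired(Exception):
    """Raised when a sensitive action is attempted without a fresh re-entry."""


class Session:
    def __init__(self, salt: bytes, pw_hash: bytes, clock=time.monotonic):
        self._salt, self._pw_hash, self._clock = salt, pw_hash, clock
        self._verified_at = None  # time of last successful password re-entry

    def reauthenticate(self, password: str) -> bool:
        candidate = hash_password(password, self._salt)
        ok = hmac.compare_digest(candidate, self._pw_hash)
        # A failed attempt also clears any earlier successful re-entry.
        self._verified_at = self._clock() if ok else None
        return ok

    def perform(self, action: str) -> str:
        if action in SENSITIVE:
            fresh = (self._verified_at is not None
                     and self._clock() - self._verified_at <= REAUTH_WINDOW)
            if not fresh:
                raise ReauthRequired(action)
            # Single use: each sensitive change needs its own re-entry, so a
            # hijacked logged-in session cannot chain token creation onto it.
            self._verified_at = None
        return f"{action}: allowed"


def attempt(session: Session, action: str) -> bool:
    """Return True if the action went through, False if re-entry is needed."""
    try:
        session.perform(action)
        return True
    except ReauthRequired:
        return False
```
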