Reauth 2nd factor to change 2FA settings  #484

@iandunn

Most sites w/ strong 2FA require re-authorizing the 2nd factor in order to make any changes to 2FA settings. Without that, certain types of attacks could disable 2FA, add unauthorized keys, etc.

For convenience, there could be a ~5 minute time window when re-auth isn't required, similar to sudo in Unix-based systems.

Related #476
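
The sudo-style window proposed above, sketched as an added example that is not part of the original issue or the project's code. The names `Session`, `record_2fa_success`, `is_2fa_fresh` and `change_2fa_settings` are hypothetical, and the session is assumed to be stored server-side so the client cannot edit the timestamp.

```python
import time
from dataclasses import dataclass
from typing import Callable, Optional

# The "~5 minute" grace window from the issue (assumed exact value).
REAUTH_WINDOW_SECONDS = 5 * 60


class ReauthRequired(Exception):
    """The caller must verify the second factor again before proceeding."""


@dataclass
class Session:
    user_id: int
    # When this session last passed a second-factor check. None means it
    # never did (for example, 2FA was enabled after the session started).
    last_2fa_at: Optional[float] = None


def record_2fa_success(session: Session, now: Optional[float] = None) -> None:
    """Call only after the second factor has actually been verified."""
    session.last_2fa_at = time.time() if now is None else now


def is_2fa_fresh(session: Session, now: Optional[float] = None,
                 window: float = REAUTH_WINDOW_SECONDS) -> bool:
    now = time.time() if now is None else now
    if session.last_2fa_at is None:
        return False
    age = now - session.last_2fa_at
    # A negative age means the stored timestamp is in the future (clock
    # change or corrupted session data): fail closed and force re-auth.
    return 0 <= age <= window


def change_2fa_settings(session: Session, apply_change: Callable[[], object],
                        now: Optional[float] = None) -> object:
    """Gate every 2FA settings change (disable, add key, ...) on freshness."""
    if not is_2fa_fresh(session, now):
        raise ReauthRequired("verify the second factor to change 2FA settings")
    # Unlike sudo, the window is not extended here: only a real
    # second-factor check (record_2fa_success) resets the clock.
    return apply_change()
```

Because the timestamp lives on the session rather than the user, a second-factor check in one browser does not unlock 2FA settings in another session for the same account.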
