The level of assurance required for confirmation of identity should be assessed. In some cases different levels of authentication may be needed (e.g. two-factor authentication for some users, but not others), and re-authentication should be considered for some important functionality (e.g. changing password, making a payment, deleting an account), especially where weaknesses have been accepted to reduce application friction for users (e.g. having longer session timeouts, allowing guest check-out, having remember-me functionality).