TYPO3 Core

As a backend administrator with maintainer rights one currently logs in to the backend like any editor and on accessing maintainer modules one is asked to re-auth with the password (in PRODUCTION context, IIRC in DEV context this is skipped).

I think under the condition that the user has MFA enabled, instead of asking for the password, an MFA-auth should be done.
The basic principles used here are:

• re-auth makes sense to escalate privileges, e.g. avoid scenarios with unlocked and unattended devices, session hijacking and device not locked but accessible by others, session hijacked or simply unintended mishaps
• passwords are not safe as static secrets. Thus, additional MFA (e.g. TOTP, WebAuthn based hardware tokens) are added because they have better protection (e.g. access to a physical device or being only valid for a small time).
• stealing a session is as easy, stealing a password is easy. stealing an addtional MFA-factor is hard.

In conclusion the re-auth to escalate to the maintainer modules should probably also use MFA (if available), instead of the password, as re-authing a session with a password seems weaker than re-authing it with an MFA.

This here does not consider 3rd party extensions supplying authentication providers in general, just the MFA providers to make it simpler.