We're aware of the re-authentication feature, but it's not something we have any plans of implementing. The problem is that once a user has authenticated on your site using Facebook, they have a real Joomla account. If there is something malicious going on, the user can simply change the Joomla user email and password and login to that account directly. Re-authenticating on Facebook wouldn't really have any effect since the user would still be logged into the underlying Joomla account.
In other words, what should happen if the re-authentication fails? If the user is on a checkout page in a shopping cart and logged into Joomla via Facebook, but can't re-authenticate, do we:
* Log the user out of Joomla (if so, they can just log back in using Joomla and not their FB account)
* Block the account (this could be problematic if it's a genuine mistake)
* ???
Feel free to throw suggestions out, but it's something we've never had requested and, as above, can't really see a good use for or way to implement.
Thanks,
Alex