We have a mechanism where we allow logins only with the second factor if
the last login was very recent (maybe this is not a good idea anyway).
But for most people the totp is more annoying to get than the password.
So let's use the reissue mechanism only with webauthn.