Problem is that the expiration and "reauth" is handled by the third-party provider (there's no longer an actual cryptographic reauth step), and it's not like anyone is auditing this or is even incentivized to. It's pure security theater.