I could pick up and prepare PR for that issue.

I was thinking about make two new settings in .ini config: boolean revalidate_superusers_password to toggle the feature (default to 1) and integer revalidate_superusers_password_after with default set to 365.

I see that there is already last_seen option that can be used for that but what about users that don't have last_seen? I see that could happen in two situations:

• if somebody never logged in: then we should look at registration time and re-validate e-mail address if it was >= revalidate_superusers_password_after.
• if someone updated Matomo from version that did not have last_seen saved: do you maybe know how long ago it was added? is is something I should worry about? if so, what to do?

What do you think about that approach?

Wonder if we even need a setting or could just revalidate after 1 year or 6 months or so?

Something to keep in mind though that makes this flow a bit buggy is that we don't validate an email address when adding an account. So the super user email may not actually exist and can therefore not be validated afterwards. It should be edge case though and we could just have an FAQ explaining how t o change the email address or so in the DB.