Comment 2 for bug 1564864

Thanks to Facundo for clarifying, the bit I missed was that a discharge macaroon can be refreshed without requiring a new 2FA otp (as long the the user is still valid, didn't change his password, etc).