Update last login time for non-login requests?
If a user keeps a logged-in session (by visiting the site at least every two weeks), the "Last Login At" time will not reflect the last time the user visited the site, but the last time they had to actually enter their password and 2FA code. I don't think it's necessarily a good idea to update the DB every request but maybe I have a warped perception of potential perf issues. I think the last login time is also stored in the session info though, which is loaded anyway, so we could compare that to the current time and update it daily (or at another time interval).
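A sketch of the throttled update proposed above, as an added example that is not part of the original post or the project's code: the timestamp already held in the session is compared to the current time, and the database is written only when the interval has elapsed. The session keys, the `UserStore` stand-in, and the one-day interval are assumptions made for illustration.

```python
from datetime import datetime, timedelta, timezone

# Assumed interval; the post suggests daily "or at another time interval".
UPDATE_INTERVAL = timedelta(days=1)


class UserStore:
    """Constructed stand-in for the users table; counts writes so the cost is visible."""

    def __init__(self):
        self.last_login_at = {}
        self.writes = 0

    def set_last_login(self, user_id, when):
        self.last_login_at[user_id] = when
        self.writes += 1


def touch_last_login(session, store, now, interval=UPDATE_INTERVAL):
    """Refresh the stored time at most once per interval. Returns True if the DB was written."""
    user_id = session.get("user_id")  # hypothetical session key
    if user_id is None:
        return False  # anonymous request: nothing to record
    cached = session.get("last_login_at")  # hypothetical session key
    # Skip the write only when the cached value is present, not in the future
    # (clock skew or a corrupted session), and younger than the interval.
    if cached is not None and timedelta(0) <= now - cached < interval:
        return False
    store.set_last_login(user_id, now)
    session["last_login_at"] = now  # keep the session copy in step with the DB
    return True


def simulate(hours, interval=UPDATE_INTERVAL):
    """One request per hour on a single long-lived session; returns the number of DB writes."""
    store = UserStore()
    start = datetime(2024, 1, 1, tzinfo=timezone.utc)  # constructed login time
    session = {"user_id": 7, "last_login_at": start}
    for h in range(1, hours + 1):
        touch_last_login(session, store, start + timedelta(hours=h), interval)
    return store.writes
```

With one request per hour, three days of activity produce three writes instead of seventy-two.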