- Type: Improvement
- Status: Closed
- Priority: Major
- Resolution: Duplicate
- Affects Version/s: 5
- Fix Version/s: None
- Component/s: core
- Labels: None

In MQTT-255 we added enhanced authentication, which allows for challenge/response authentication and other authentication in SASL style. We specifically removed the re-validation (multiple authentication) from that issue, so we are creating this new issue to track re-validation.
The mechanism used for enhanced authentication (AUTH packet) can be extended without much problem to allow re-validation. However we need to design the semantics. This is not well defined in SASL (basically it just says it is possible without talking much about these semantics).
A few of the issues:
1. Who initiates re-validation? Is it always the client or can the server start it?
2. Is it required to re-validate using the same authentication method used to validate?
3. What can be done during the re-validation?
4. What do we tell the server to do if re-validation fails?
5. Does this work for all authentication methods or just some?
6. Does anybody want this badly enough to spend some time working on it?