right. So this can be done by calling the emailpassword.signIn function from the backend SDK. This would take an email and a password as input, and return whether it's OK or not.
You can get the email from the session's user ID, and the password can be entered by the user when making the API call.
Finally, you want to have some sort of payload in the access token indicating when the last time they did this step-up auth was, and only ask the user to do this if the session indicates that they last entered their password some time ago.
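The flow described in this reply, as an added example that is not part of the original thread or the SuperTokens SDK. It keeps a "last step-up" timestamp in the access token payload, skips the password prompt while that timestamp is fresh, and otherwise verifies the password through the backend sign-in function and refreshes the timestamp. The SDK calls (EmailPassword.signIn, the email lookup from the session's user ID, and session.mergeIntoAccessTokenPayload) are injected as `deps` so the code runs offline against constructed stubs; the claim name `lastStepUpAt`, the 15-minute window and the shape of the sign-in result are assumptions to adapt to your SDK version.

```javascript
// Added example (not from the thread or the SuperTokens SDK): step-up auth gated on a
// "last step-up" timestamp carried in the access token payload.

const STEP_UP_MAX_AGE_MS = 15 * 60 * 1000; // assumed policy: re-prompt after 15 minutes
const STEP_UP_CLAIM = "lastStepUpAt";      // assumed claim name in the access token payload

// True if the session payload records a step-up recent enough to skip re-prompting.
// The payload comes from the backend-signed access token, so the client cannot forge it.
function stepUpIsFresh(accessTokenPayload, nowMs, maxAgeMs = STEP_UP_MAX_AGE_MS) {
  const last = accessTokenPayload && accessTokenPayload[STEP_UP_CLAIM];
  if (typeof last !== "number" || !Number.isFinite(last)) return false; // never stepped up
  if (last > nowMs) return false;                                       // future timestamp: skew or tampering
  return nowMs - last <= maxAgeMs;
}

// Gate a sensitive operation. `session` is the already verified session (userId +
// accessTokenPayload); `password` is what the user typed for this request.
// deps.getEmailForUserId(userId)          -> email string (assumed lookup)
// deps.signIn(email, password)            -> { status: "OK", user: { id } } | { status: "WRONG_CREDENTIALS_ERROR" }
// deps.mergeIntoAccessTokenPayload(s, p)  -> merges p into the session's token payload
// The real SDK functions return promises; add `await` when wiring them in.
function requireStepUp(session, password, nowMs, deps) {
  if (stepUpIsFresh(session.accessTokenPayload, nowMs)) {
    return { ok: true, reason: "recent-step-up" };
  }
  if (typeof password !== "string" || password.length === 0) {
    return { ok: false, reason: "PASSWORD_REQUIRED" }; // tell the client to prompt
  }
  const email = deps.getEmailForUserId(session.userId); // email comes from the session, not the request
  const result = deps.signIn(email, password);
  if (result.status !== "OK") {
    return { ok: false, reason: result.status };
  }
  // Defensive: the credential that satisfied the check must belong to the session's own user.
  if (result.user.id !== session.userId) {
    return { ok: false, reason: "USER_MISMATCH" };
  }
  deps.mergeIntoAccessTokenPayload(session, { [STEP_UP_CLAIM]: nowMs });
  return { ok: true, reason: "password-verified" };
}

// Constructed stubs standing in for the backend SDK so the flow can be exercised offline.
const USERS = { "user-123": { email: "alice@example.com", password: "correct horse" } };

const stubDeps = {
  getEmailForUserId: (userId) => USERS[userId].email,
  signIn: (email, password) => {
    const entry = Object.entries(USERS).find(([, u]) => u.email === email);
    return entry && entry[1].password === password
      ? { status: "OK", user: { id: entry[0] } }
      : { status: "WRONG_CREDENTIALS_ERROR" };
  },
  mergeIntoAccessTokenPayload: (session, partial) => {
    session.accessTokenPayload = { ...session.accessTokenPayload, ...partial };
  },
};

// Walk through the cases: no prior step-up, successful step-up, fresh step-up, stale step-up.
function demo() {
  const now = 1700000000000;
  const session = { userId: "user-123", accessTokenPayload: {} };

  const first = requireStepUp(session, "wrong", now, stubDeps);                        // bad password
  const second = requireStepUp(session, "correct horse", now, stubDeps);               // verifies, stamps payload
  const third = requireStepUp(session, "", now + 60 * 1000, stubDeps);                 // 1 min later: no prompt
  const fourth = requireStepUp(session, "", now + 2 * STEP_UP_MAX_AGE_MS, stubDeps);   // stale: prompt again
  return { first, second, third, fourth, claim: session.accessTokenPayload[STEP_UP_CLAIM] };
}
```

In a real handler, `session` is what verifySession() attaches to the request and `nowMs` is `Date.now()`; the only state the check relies on is the claim inside the signed token, so a client cannot extend its own step-up window.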