Any recommendations about the usage of max_age will be specified in the Mobile Connect Profile 1.2.
What is left to do here?
This is a difficult topic in the context of multi-factor and risk-based authentication. A 2nd factor (reauthentication) use case is better addressed using prompt=login together with acr_values.
The discussion of max_age will be brought to the OpenID Connect community.
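The reauthentication approach mentioned in this thread (prompt=login together with acr_values), as an added Python example that is not part of the original discussion or of any Mobile Connect code. The endpoint, client values and acr values "3"/"2" are constructed, and the ID Token's signature, iss, aud and exp are assumed to be verified before the claims reach `check_reauth_claims`.

```python
from urllib.parse import urlencode


def build_reauth_request(authz_endpoint, client_id, redirect_uri, acr_values, state, nonce):
    """Authentication request asking for a fresh login at one of the given ACRs."""
    params = {
        "response_type": "code",
        "scope": "openid",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "state": state,
        "nonce": nonce,
        "prompt": "login",                   # ask the OP to reauthenticate the user
        "acr_values": " ".join(acr_values),  # space-separated, in order of preference
    }
    return authz_endpoint + "?" + urlencode(params)


def check_reauth_claims(claims, acr_values, nonce, request_time, skew=60):
    """Return a list of problems; an empty list means the request was honoured.

    `claims` are ID Token claims that were already signature-checked (assumption).
    """
    problems = []
    if claims.get("nonce") != nonce:
        problems.append("nonce mismatch")
    # acr_values is a voluntary request: the OP may return another acr, or none.
    if claims.get("acr") not in acr_values:
        problems.append("acr not among requested values")
    # auth_time is only required when max_age or an essential claim asks for it.
    auth_time = claims.get("auth_time")
    if auth_time is None:
        problems.append("auth_time absent: freshness cannot be verified")
    elif auth_time < request_time - skew:
        problems.append("auth_time predates the request: no fresh authentication")
    return problems


# Constructed sample values (hypothetical RP and OP, not taken from the thread).
REQUEST_TIME = 1_700_000_000
URL = build_reauth_request("https://op.example/authorize", "client-123",
                           "https://rp.example/cb", ["3", "2"], "st-1", "n-1")
FRESH = {"nonce": "n-1", "acr": "3", "auth_time": REQUEST_TIME + 20}
STALE = {"nonce": "n-1", "acr": "2", "auth_time": REQUEST_TIME - 3600}
DOWNGRADED = {"nonce": "n-1", "acr": "1"}
```

The `DOWNGRADED` case shows why the relying party has to check the response itself: neither prompt=login nor acr_values guarantees that `acr` or `auth_time` comes back as requested.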