Invalidate Session on 2FA Activation/Change

Steffen

Well-known member
It seems like it's best practice to invalidate other sessions on 2FA activation/change ([1], [2]). At the moment, XenForo seems to invalidate other sessions on password change but not on 2FA activation/change.

The scenario goes like this:
  1. Log in to the same account with two different browsers
  2. Enable 2FA in one of the logged-in sessions
  3. Observe that the other browser's session remains active

This has been reported to us via email (with the unfortunately common exaggerations by "bug bounty hunters" that this "poses a significant security risk" etc). I don't consider this to be a security issue (which is why I'm posting it publicly as a suggestion) but wanted to mention it nevertheless because it could be a nice improvement.
 
Upvote 2
Hmm, I am not sure if I would want to have all other sessions invalidated if I just add another 2FA option.
Does not seem to make sense to me to invalidate all other sessions just to reauthenticate them afterwards with the same 2FA option.

So ideally I think that other sessions should only be invalidated if they are not tied to a 2FA option that is still valid after the change.

E.g. when 2FA is initially activated all other sessions should be invalidated.
When adding a 2FA option no other sessions should be affected.
When removing a 2FA option only those sessions that used it should be invalidated.

With the addition of Passkeys as password replacement I think that the current situation is inconsistent and should be fixed anyway; it would be great if this suggestion could be implemented while this is done.
 
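The three rules from the reply above, modelled as an added example that is not XenForo code: each session records which 2FA method authenticated it, initial activation revokes every other (password-only) session, adding a method revokes nothing, and removing a method revokes only the sessions that used it. The in-memory store, the function names and the choice to keep the session performing the change are assumptions.

```python
from __future__ import annotations
from dataclasses import dataclass
from typing import Optional


@dataclass
class Session:
    session_id: str
    user_id: int
    # 2FA method that authenticated this session; None means password-only login
    tfa_method: Optional[str] = None


class SessionStore:
    """In-memory stand-in for a server-side session table (constructed for this example)."""

    def __init__(self) -> None:
        self.sessions: dict[str, Session] = {}

    def add(self, session: Session) -> None:
        self.sessions[session.session_id] = session

    def for_user(self, user_id: int) -> list[Session]:
        return [s for s in self.sessions.values() if s.user_id == user_id]

    def revoke(self, session_ids: set[str]) -> set[str]:
        for sid in session_ids:
            self.sessions.pop(sid, None)
        return session_ids


def tfa_activated(store: SessionStore, user_id: int, current_id: str, method: str) -> set[str]:
    """First 2FA method enabled: all other sessions were password-only, so revoke them."""
    store.sessions[current_id].tfa_method = method  # acting session just verified this method
    others = {s.session_id for s in store.for_user(user_id) if s.session_id != current_id}
    return store.revoke(others)


def tfa_method_added(store: SessionStore, user_id: int) -> set[str]:
    """Extra method added: every existing session still rests on a valid method; revoke nothing."""
    return set()


def tfa_method_removed(store: SessionStore, user_id: int, current_id: str, method: str) -> set[str]:
    """Method removed: revoke only the sessions authenticated with it (acting session stays)."""
    stale = {s.session_id for s in store.for_user(user_id)
             if s.tfa_method == method and s.session_id != current_id}
    return store.revoke(stale)


def run_scenario() -> dict[str, set[str]]:
    """Walks the thread's scenario with constructed sessions and returns what each step revoked."""
    store = SessionStore()
    store.add(Session("browser-a", 7))          # two password-only logins to the same account
    store.add(Session("browser-b", 7))
    store.add(Session("other-user", 8))         # another account, must never be touched
    out = {"activate": tfa_activated(store, 7, "browser-a", "totp")}   # only browser-b goes
    store.add(Session("browser-c", 7, "totp"))  # re-login on the other browser using TOTP
    out["add"] = tfa_method_added(store, 7)     # passkey added: nothing revoked
    store.add(Session("phone", 7, "passkey"))
    out["remove"] = tfa_method_removed(store, 7, "browser-a", "totp")  # only browser-c goes
    out["remaining"] = set(store.sessions)
    return out
```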