Lack of interest Invalidate Session on 2FA Activation/Change

This suggestion has been closed automatically because it did not receive enough votes over an extended period of time. If you wish to see this, please search for an open suggestion and, if you don't find any, post a new one.

Steffen

Well-known member
It seems like it's best practice to invalidate other sessions on 2FA activation/change ([1], [2]). At the moment, XenForo seems to invalidate other sessions on password change but not on 2FA activation/change.

The scenario goes like this:
  1. Log in to the same account with two different browsers
  2. Enable 2FA in one of the logged-in sessions
  3. Observe that the other browser's session remains active
This has been reported to us via email (with the unfortunately common exaggerations by "bug bounty hunters" that this "poses a significant security risk" etc). I don't consider this to be a security issue (which is why I'm posting it publicly as a suggestion) but wanted to mention it nevertheless because it could be a nice improvement.
 
Upvote 3
Hmm, I am not sure if I would want to have all other sessions invalidated if I just add another 2FA option.
Does not seem to make sense to me to invalidate all other sessions just to reauthenticate them afterwards with the same 2FA option.

So ideally I think that other sessions should only be invalidated if they are not tied to a 2FA option that is still valid after the change.

Eg. when 2FA is initially activated all other sessions should be invalidated.
When adding a 2FA option no other sessions should be affected.
When removing a 2FA option only those sessions that used it should be invalidated.

With the addition of Passkeys as password replacement I think that the current situation is inconsistent and should be fixed anyway, would be great if this suggestion could be implemented while this is done.
 
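The following is an added illustration of the invalidation policy proposed in the reply above, run against the two-browser scenario from the opening post. It is example code written for this thread, not XenForo's session handling, and it makes two assumptions that are labelled in the code: each session records which 2FA provider (if any) it authenticated with, and the session performing the change is trusted and stays logged in. Password change invalidating every other session is kept as the post describes current behaviour.

```python
"""Session bookkeeping for 2FA changes (added example, not XenForo code)."""
from dataclasses import dataclass
from typing import Callable, Optional
import secrets


@dataclass
class Session:
    sid: str
    user_id: int
    # Assumption: each session records the 2FA provider used at login
    # ("totp", "passkey", ...); None means password-only.
    tfa_method: Optional[str]
    valid: bool = True


class SessionStore:
    def __init__(self) -> None:
        self.sessions: dict[str, Session] = {}
        self.user_tfa: dict[int, set[str]] = {}  # enabled 2FA providers per user

    def enabled_methods(self, user_id: int) -> set[str]:
        return self.user_tfa.setdefault(user_id, set())

    def login(self, user_id: int, tfa_method: Optional[str] = None) -> str:
        """Create a session; a user with 2FA enabled must pass one enabled provider."""
        enabled = self.enabled_methods(user_id)
        if enabled and tfa_method not in enabled:
            raise PermissionError("2FA required with an enabled provider")
        if not enabled and tfa_method is not None:
            raise ValueError("user has no 2FA provider enabled")
        sid = secrets.token_urlsafe(16)
        self.sessions[sid] = Session(sid, user_id, tfa_method)
        return sid

    def is_valid(self, sid: str) -> bool:
        s = self.sessions.get(sid)
        return s is not None and s.valid

    def _invalidate(self, user_id: int, keep_sid: str,
                    predicate: Callable[[Session], bool]) -> list[str]:
        """Invalidate the user's other sessions matching predicate; return their ids."""
        killed = []
        for s in self.sessions.values():
            if s.user_id == user_id and s.sid != keep_sid and s.valid and predicate(s):
                s.valid = False
                killed.append(s.sid)
        return killed

    def change_password(self, user_id: int, current_sid: str) -> list[str]:
        """Current behaviour described in the post: every other session goes."""
        return self._invalidate(user_id, current_sid, lambda s: True)

    def enable_tfa_method(self, user_id: int, method: str, current_sid: str) -> list[str]:
        enabled = self.enabled_methods(user_id)
        first_activation = not enabled
        enabled.add(method)
        if not first_activation:
            return []  # adding another option: other sessions are untouched
        # Initial activation: every other session was password-only, so it goes.
        # Assumption: the acting session proved the new provider during setup,
        # so it is now bound to that provider instead of being logged out.
        self.sessions[current_sid].tfa_method = method
        return self._invalidate(user_id, current_sid, lambda s: True)

    def disable_tfa_method(self, user_id: int, method: str, current_sid: str) -> list[str]:
        self.enabled_methods(user_id).discard(method)
        # Only sessions that authenticated with the removed provider are invalidated.
        # Assumption: the acting session stays, even if it used that provider.
        return self._invalidate(user_id, current_sid, lambda s: s.tfa_method == method)


def scenario() -> dict[str, bool]:
    """The opening post's scenario with the proposed policy applied (constructed data)."""
    st = SessionStore()
    browser_a = st.login(1)          # step 1: same account, two browsers
    browser_b = st.login(1)
    st.enable_tfa_method(1, "totp", browser_a)  # step 2: enable 2FA in one of them
    return {"a_valid": st.is_valid(browser_a), "b_valid": st.is_valid(browser_b)}


if __name__ == "__main__":
    print(scenario())
```

With the proposed policy, step 3 of the scenario changes: browser B is logged out while browser A keeps its session, now bound to the TOTP provider. Later removing TOTP from a passkey session invalidates browser A and any other TOTP-authenticated session, but leaves passkey sessions alone.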

