Currently, when a user enables 2FA, all existing sessions are still valid. It seems to be considered best practice to invalidate existing sessions when enabling 2FA.
This could be considered a hardening.
Keep in mind that when invalidating sessions, all clients need to reauthenticate, including the mobile and desktop apps.
So it's a tradeoff between security and convenience.
Also, in case of an account compromise, the user SHOULD always change the password and can also manually invalidate specific sessions in the settings.
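The behaviour requested above, as an added sketch that is not part of the original issue or the project's own code: enabling 2FA revokes the user's pre-existing sessions and reports which clients must reauthenticate. `SessionStore`, its methods and the `keep_current` switch (which spares the session that performed the enrollment) are hypothetical names and assumptions made for illustration.

```python
import secrets
from dataclasses import dataclass, field


@dataclass
class Session:
    user: str
    client: str  # e.g. "browser", "mobile", "desktop"
    token: str = field(default_factory=lambda: secrets.token_urlsafe(32))


class SessionStore:
    """Hypothetical in-memory session store, constructed for this example."""

    def __init__(self):
        self._by_token = {}
        self.twofa_enabled = set()

    def login(self, user, client):
        session = Session(user, client)
        self._by_token[session.token] = session
        return session.token

    def is_valid(self, token):
        return token in self._by_token

    def revoke(self, token):
        """Manually invalidate one specific session (the settings-page case)."""
        return self._by_token.pop(token, None) is not None

    def enable_2fa(self, user, current_token, keep_current=False):
        """Enable 2FA and invalidate the user's sessions that predate it.

        Returns the sorted list of clients that must reauthenticate.
        """
        current = self._by_token.get(current_token)
        if current is None or current.user != user:
            raise PermissionError("2FA must be enabled from a valid session of that user")
        self.twofa_enabled.add(user)
        revoked = []
        for token, session in list(self._by_token.items()):
            if session.user != user:
                continue  # other users' sessions are never touched
            if keep_current and token == current_token:
                continue  # assumption: optionally spare the enrolling session
            del self._by_token[token]
            revoked.append(session.client)
        return sorted(revoked)
```

With `keep_current=False` every client of that user, including the one that just enrolled, has to log in again with the second factor.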