Describe the bug
Enabling MFA invalidates the current session to force the user to log in again, this time with his MFA of choice. If the user has other active sessions, those sessions will still remain active. This is problematic, as it's possible to disable previously enabled MFA from those sessions (or do anything that a logged-in user can do, at least until the session expires) without the need to provide the otherwise required one-time password/keys/wallets etc.
To Reproduce
Steps to reproduce the behavior:
1. Have at least 2 sessions active
2. Enable MFA on one of the sessions; this session will be invalidated afterwards
3. Observe that the second session is still active
Expected behavior
Enabling MFA should invalidate all sessions of a user.
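
The reported and the expected behaviour side by side, as an added example that is not part of the original report or the project's code. `SessionStore` and all of its method names are hypothetical, and the step-up check in `disable_mfa` is an extra defensive assumption rather than something the report asks for.

```python
import secrets
from collections import defaultdict

class SessionStore:
    """Hypothetical in-memory store, indexed by user so all sessions can be revoked."""

    def __init__(self):
        self._sessions = {}               # token -> {"user": str, "mfa_verified": bool}
        self._by_user = defaultdict(set)  # user -> tokens of that user's live sessions
        self.mfa_enabled = set()          # users who have MFA turned on

    def login(self, user, mfa_verified=False):
        if user in self.mfa_enabled and not mfa_verified:
            raise PermissionError("MFA required")
        token = secrets.token_urlsafe(32)
        self._sessions[token] = {"user": user, "mfa_verified": mfa_verified}
        self._by_user[user].add(token)
        return token

    def is_active(self, token):
        return token in self._sessions

    def revoke(self, token):
        record = self._sessions.pop(token, None)
        if record:
            self._by_user[record["user"]].discard(token)

    def revoke_all(self, user):
        for token in self._by_user.pop(user, set()):
            self._sessions.pop(token, None)

    def enable_mfa_current_only(self, token):
        """Behaviour from the report: only the calling session is invalidated."""
        user = self._sessions[token]["user"]
        self.mfa_enabled.add(user)
        self.revoke(token)

    def enable_mfa(self, token):
        """Expected behaviour: every session of the user is invalidated."""
        user = self._sessions[token]["user"]
        self.mfa_enabled.add(user)
        self.revoke_all(user)

    def disable_mfa(self, token):
        """Sensitive action: refuse sessions that never passed an MFA check."""
        record = self._sessions.get(token)
        if record is None or not record["mfa_verified"]:
            raise PermissionError("re-authentication with MFA required")
        self.mfa_enabled.discard(record["user"])
```
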