Currently when a user enables 2FA, all existing sessions are still valid. It seems to be considered best practice to invalidate existing sessions when enabling 2FA.
This could be considered a hardening.
Keep in mind that when invalidating sessions, all clients need to reauthenticate, including the mobile and desktop apps.
So it's a tradeoff between security and convenience.
Also, in case of an account compromise, the user SHOULD always change the password and can also manually invalidate specific sessions in the settings.
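One way to implement what the thread asks for, as an added example that is not code from the project under discussion: each user carries an `auth_version` counter (an assumed name), enabling 2FA bumps it so every session stamped with the old value is rejected, and the session that performed the change is re-stamped so the user is not logged out of the client they are using. The manual per-session logout mentioned in the last comment is the `revoke_session` method.

```python
import secrets
from dataclasses import dataclass


@dataclass
class User:
    user_id: str
    twofa_enabled: bool = False
    # Incremented on every security-relevant account change (2FA enable,
    # password change). Sessions stamped with an older value are rejected.
    auth_version: int = 0


@dataclass
class Session:
    user_id: str
    auth_version: int


class SessionStore:
    """In-memory session store; a real deployment would persist this (assumed design)."""

    def __init__(self) -> None:
        self.users: dict[str, User] = {}
        self.sessions: dict[str, Session] = {}

    def add_user(self, user_id: str) -> User:
        self.users[user_id] = User(user_id)
        return self.users[user_id]

    def login(self, user_id: str) -> str:
        """Issue a session token stamped with the user's current auth_version."""
        token = secrets.token_urlsafe(32)
        self.sessions[token] = Session(user_id, self.users[user_id].auth_version)
        return token

    def is_valid(self, token: str) -> bool:
        s = self.sessions.get(token)
        return s is not None and s.auth_version == self.users[s.user_id].auth_version

    def enable_2fa(self, user_id: str, current_token: str) -> None:
        """Turn on 2FA and invalidate every other session of this user.
        The session making the change is re-stamped so this client stays logged in."""
        user = self.users[user_id]
        if self.sessions[current_token].user_id != user_id:
            raise ValueError("token does not belong to this user")
        user.twofa_enabled = True
        user.auth_version += 1
        self.sessions[current_token].auth_version = user.auth_version

    def revoke_session(self, token: str) -> None:
        """Manual per-session logout, as from the account's settings page."""
        self.sessions.pop(token, None)
```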