Summary by Subhamoy
Hi team,
I found this issue related to your 2FA system on https://control.stackpath.com/profile/authentication
POC
Access the same account on https://control.stackpath.com on two devices.
On device 'A', go to https://control.stackpath.com/profile/authentication > complete all steps to activate the 2FA system.
Now the 2FA is activated for this account.
Back on device 'B', reload the page.
The session is still active.
Impact
In this scenario, when 2FA is activated, the other sessions of the account are not invalidated.
2FA is required to log in. I believe the expected and recommended behavior here is to terminate the other sessions > request a new login > request the 2FA code > and then give the account access again.
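
One way to implement the behavior the report recommends, as an added example (not StackPath's code and not part of the original report): every session records the account's security epoch at issuance, and enabling 2FA bumps the epoch and drops all existing sessions. The names `SessionStore`, `auth_epoch` and the `mfa_code_ok` flag are assumptions for illustration; password and TOTP verification are omitted.

```python
import secrets
from dataclasses import dataclass, field

@dataclass
class User:
    name: str
    mfa_enabled: bool = False
    auth_epoch: int = 0  # bumped on every security-sensitive change

@dataclass
class SessionStore:
    users: dict = field(default_factory=dict)
    sessions: dict = field(default_factory=dict)  # token -> (username, epoch)

    def login(self, name, mfa_code_ok=False):
        # mfa_code_ok stands in for a real second-factor check (assumption).
        user = self.users.setdefault(name, User(name))
        if user.mfa_enabled and not mfa_code_ok:
            raise PermissionError("2FA code required")
        token = secrets.token_urlsafe(32)
        self.sessions[token] = (name, user.auth_epoch)
        return token

    def is_valid(self, token):
        entry = self.sessions.get(token)
        if entry is None:
            return False
        name, epoch = entry
        # A session issued before the last security change is stale.
        return epoch == self.users[name].auth_epoch

    def enable_2fa(self, current_token):
        if not self.is_valid(current_token):
            raise PermissionError("invalid session")
        name, _ = self.sessions[current_token]
        user = self.users[name]
        user.mfa_enabled = True
        user.auth_epoch += 1
        # Drop every existing session of this user, then re-issue only the
        # one that just completed 2FA enrollment.
        for tok in [t for t, (n, _) in self.sessions.items() if n == name]:
            del self.sessions[tok]
        new_token = secrets.token_urlsafe(32)
        self.sessions[new_token] = (name, user.auth_epoch)
        return new_token

def demo():
    # Constructed scenario from the report: two devices, 2FA enabled on A.
    store = SessionStore()
    device_a, device_b = store.login("alice"), store.login("alice")
    device_a = store.enable_2fa(device_a)
    return store.is_valid(device_a), store.is_valid(device_b)  # (True, False)
```

The epoch comparison in `is_valid` also covers deployments where tokens cannot be deleted centrally, since any token minted before enrollment fails the check.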