
Enabling MFA only invalidates one session

Open t-aleksander opened this issue 1 year ago • 0 comments

Describe the bug
Enabling MFA invalidates the current session to force the user to log in again, this time with his MFA of choice. If the user has other active sessions, those sessions will still remain active. This is problematic, as it's possible to disable the previously enabled MFA from those sessions (or do anything that a logged-in user can do, at least until the session expires) without the need to provide the otherwise required one-time password/keys/wallets etc.

To Reproduce
Steps to reproduce the behavior:

  1. Have at least 2 sessions active
  2. Enable MFA in one of the sessions; this session will be invalidated afterwards
  3. Observe that the second session is still active

Expected behavior
Enabling MFA should invalidate all sessions of a user.

t-aleksander · Jun 14 '24 13:06
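As an added illustration (not defguard's own code), a minimal Rust session store that contrasts the reported behaviour with the expected one: sessions record whether they were established with a second factor, and enabling MFA revokes every session of that user that was not. The `Session`, `SessionStore` and `mfa_verified` names are assumptions of this model.

```rust
use std::collections::HashMap;

/// One login session. `mfa_verified` records whether this session was
/// established with a second factor (constructed model, not defguard's types).
#[derive(Debug, Clone, PartialEq)]
pub struct Session {
    pub id: u64,
    pub user: String,
    pub mfa_verified: bool,
}

#[derive(Default)]
pub struct SessionStore {
    sessions: HashMap<u64, Session>,
    next_id: u64,
}

impl SessionStore {
    /// Create a session for `user`; returns the new session id.
    pub fn login(&mut self, user: &str, mfa_verified: bool) -> u64 {
        self.next_id += 1;
        let id = self.next_id;
        self.sessions.insert(id, Session { id, user: user.to_string(), mfa_verified });
        id
    }

    pub fn is_active(&self, id: u64) -> bool {
        self.sessions.contains_key(&id)
    }

    /// Behaviour described in the report: only the session that enabled MFA
    /// is dropped; the user's other sessions keep working without a second factor.
    pub fn enable_mfa_buggy(&mut self, current: u64) {
        self.sessions.remove(&current);
    }

    /// Expected behaviour: every session of `user` that was not established with
    /// a second factor is dropped, so a fresh login with MFA is required everywhere.
    pub fn enable_mfa_fixed(&mut self, user: &str) {
        self.sessions.retain(|_, s| s.user != user || s.mfa_verified);
    }

    /// Number of sessions still active for `user`.
    pub fn active_for(&self, user: &str) -> usize {
        self.sessions.values().filter(|s| s.user == user).count()
    }
}
```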