# talk-kratos
Hi, everyone! We are using Kratos for user authentication in our app (website). We have the following sign-up flow:

- the user signs up by providing his email and password
- we send a link to verify the email
- the user clicks on that link
- the registration process is complete

Later the user has the option to enable email 2FA using one-time codes. As soon as he enables this option, our app starts requiring the aal2 authentication level, and the user is presented with a screen to provide that code. If the user has just verified his email (or phone number for SMS OTP) within the current session, is there a way to "automatically" upgrade his session to aal2? Otherwise it disrupts the flow within the site quite a bit, so we would like to avoid that.

As another option I was thinking of the following workaround:

- the user saves his setting/desire to use email 2FA (or SMS, it doesn't really matter)
- we save the date when 2FA was enabled
- we log out all existing sessions except the current one
- for any session started after that date we require 2FA on the backend side
- we still allow aal1 for the current session, thus not requiring the 2FA code immediately

Does this sound feasible? Any drawbacks, suggestions?
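The backend-side check described in the workaround, as an added example that is not part of the original post and not Ory's code. It parses the subset of the Kratos session object the policy needs (`active`, `authenticator_assurance_level`, `authenticated_at` are real Kratos session fields; everything else is omitted) and combines it with a hypothetical app-side `MFAPolicy` record holding the instant 2FA was enabled. A session authenticated before that instant is grandfathered at aal1; any later session must be aal2 or is sent to step-up. The sample session JSON is constructed for the example.

```go
package main

import (
	"encoding/json"
	"fmt"
	"time"
)

// Session is the subset of an Ory Kratos session object used by the policy.
// JSON names match the Kratos session API; other fields are omitted.
type Session struct {
	ID                          string    `json:"id"`
	Active                      bool      `json:"active"`
	AuthenticatorAssuranceLevel string    `json:"authenticator_assurance_level"`
	AuthenticatedAt             time.Time `json:"authenticated_at"`
}

// MFAPolicy is the app-side record from the workaround (hypothetical type):
// whether the user turned on email/SMS 2FA and when.
type MFAPolicy struct {
	Enabled   bool
	EnabledAt time.Time
}

// Decision is what the backend does with the request.
type Decision int

const (
	Allow       Decision = iota // serve the request
	RequireAAL2                 // redirect to the aal2 login flow (step-up)
	Reject                      // session is not usable at all
)

func (d Decision) String() string {
	return [...]string{"allow", "require-aal2", "reject"}[d]
}

// Evaluate applies the workaround's rule to one session.
//
// The exemption for pre-enablement sessions is a standing weakness: that
// session keeps aal1 for its whole lifetime, so keep session lifetimes short
// or require step-up on sensitive actions regardless of this rule.
func Evaluate(s Session, p MFAPolicy) Decision {
	if !s.Active {
		return Reject
	}
	if !p.Enabled {
		return Allow // user never opted into 2FA
	}
	if s.AuthenticatorAssuranceLevel == "aal2" {
		return Allow // already stepped up
	}
	// Grandfather clause: the session that was active when 2FA was enabled
	// may continue at aal1. Sessions authenticated at or after EnabledAt
	// (including re-logins, which move authenticated_at forward) must be aal2.
	if s.AuthenticatedAt.Before(p.EnabledAt) {
		return Allow
	}
	return RequireAAL2
}

// EvaluateJSON decodes a raw Kratos session (e.g. the /sessions/whoami body)
// and evaluates it against the policy.
func EvaluateJSON(raw []byte, p MFAPolicy) (Decision, error) {
	var s Session
	if err := json.Unmarshal(raw, &s); err != nil {
		return Reject, fmt.Errorf("decode session: %w", err)
	}
	return Evaluate(s, p), nil
}

// SampleSessionJSON is a constructed session: aal1, authenticated after 2FA
// was enabled in the demo policy below, so it should be sent to step-up.
const SampleSessionJSON = `{
  "id": "00000000-0000-0000-0000-000000000001",
  "active": true,
  "authenticator_assurance_level": "aal1",
  "authenticated_at": "2024-01-10T13:00:00Z"
}`

func main() {
	policy := MFAPolicy{Enabled: true, EnabledAt: time.Date(2024, 1, 10, 12, 0, 0, 0, time.UTC)}
	d, err := EvaluateJSON([]byte(SampleSessionJSON), policy)
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	fmt.Println("decision:", d)
}
```

Note that the rule only covers sessions created through Kratos; the "log out all other sessions" step of the workaround is still needed so that pre-enablement sessions other than the current one do not also inherit the aal1 exemption.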