Ory is the largest open source community in the world for cloud software application security. We maintain advanced open source security software solving authentication, authorization, access control, application network security, and delegation. Ory implements a variety of industry and best-practice standards including OAuth 2.0 / OAuth 2.1, OpenID Connect, Zero Trust Networking, Google Zanzibar Policy Framework, FIDO2 U2F, WebAuthn, TOTP, and more.

Ory Community

<@U04UQ68083H> Can kratos be configured to invalidate other sessions when 2FA is activated?

I'm sorry, but the knowledge sources do not contain information about configuring Ory Kratos to automatically invalidate (revoke) other sessions specifically when 2FA is activated. The documentation describes how to revoke other sessions after certain actions, such as password changes or account recovery, by using hooks like `revoke_active_sessions` in the relevant self-service flows configuration. However, there is no explicit mention of a similar mechanism tied directly to the activation of 2FA (such as TOTP or other multi-factor methods) by a user.  If you need to revoke sessions after enabling 2FA, you may need to implement this as a custom flow or feature, but this is not covered in the provided documentation or examples [Revoke other active user sessions after changing the password](<https://www.ory.sh/docs/kratos/session-management/revoke-sessions-hook>) [Invalidate other sessions after account recovery](<https://www.ory.sh/docs/kratos/self-service/flows/account-recovery-password-reset#invalidate-other-sessions>).