Merge pull request #432 from bugcrowd/on-2FA-activation-change
updated rec for Failure to Invalidate session upon 2FA activation or …
RRudder committed May 15, 2024
2 parents c6e5496 + df48a5d commit c086ced
Showing 1 changed file with 2 additions and 2 deletions.
@@ -1,8 +1,8 @@
# Recommendation(s)

At a minimum, all non-current user sessions should be invalidated when the user sets up or changes their 2FA. However, it is best practice to invalidate all sessions upon 2FA activation or change and have the user login to their account again and prompt for the newly created 2FA mechanism.
All user sessions should be invalidated when the user sets up or changes their 2FA. The application should then have the user login to their account again and prompt for the newly created 2FA mechanism.

Short session expiration should be considered for all user sessions as they allow an attacker less time to use a valid session ID. Session timeout values should be set based upon business needs which take into consideration the criticality of the application and the data contained within.
It is also best practice to shorten session timeout values based upon business needs. The length of the session should take into consideration the criticality of the application and the data contained within.

For further information, please see Open Web Application Security Project (OWASP):
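Review bot: the rewritten second paragraph drops the security rationale the old text carried (a short session lifetime gives an attacker less time to use a valid session ID) and leaves only the "business needs" framing; keep one sentence stating why shorter timeouts matter, e.g. "Shorter session timeouts limit how long a valid session ID remains usable." In the rewritten first paragraph, "have the user login" should read "have the user log in" (verb), and "newly created 2FA mechanism" does not fit the change case the sentence also covers; "newly configured 2FA mechanism" reads correctly for both setup and change.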
