
is_current_user_session_two_factor() returns false after changing password #573

@dd32

Description


Describe the bug

During the password change process, the current session is terminated, and a new session begins. While I don't agree with that, it's how WordPress 4.0~6.2 appear to work.

The result of this is that the current session's metadata is discarded, and the current session becomes a non-2fa session. This also means that the user must revalidate to change settings (even if they just logged in).

This is partially caused by Two-Factor only using the attach_session_information hook during the 2fa checks:

    // Registered by Two-Factor only while the 2FA login is being validated,
    // so sessions created at any other time never receive these keys.
    $session_information_callback = static function( $session, $user_id ) use( $provider, $user ) {
        if ( $user->ID === $user_id ) {
            $session['two-factor-login']    = time();               // when 2FA last passed
            $session['two-factor-provider'] = $provider->get_key(); // which provider was used
        }
        return $session;
    };
    add_filter( 'attach_session_information', $session_information_callback, 10, 2 );

Possibly, the hook should be used outside of the login process with a check to sync over metadata from the current session to the newly generated session if the user is the same.

See https://core.trac.wordpress.org/ticket/58427
See WordPress/wporg-two-factor#191

Per the upstream core ticket, IMHO this is a core bug, but one that Two-Factor probably has to work around.

Steps to Reproduce

  1. Login with 2FA
  2. Change password
  3. Observe 2FA revalidation

Screenshots, screen recording, code snippet


Screen.Recording.2023-05-30.at.2.29.01.pm.mov

Environment information

  • WordPress 6.2.2

Please confirm that you have searched existing issues in this repository.

Yes

Please confirm that you have tested with all plugins deactivated except Two-Factor.

Yes
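The sync the report suggests, written out as an added illustration (not Two-Factor's own code and not the fix adopted upstream): an `init` hook snapshots the 2FA keys from the request's own session, and an `attach_session_information` filter copies them onto the replacement session only when it belongs to the same user. Assumed: the `two-factor-login` / `two-factor-provider` keys from the snippet above, core's `WP_Session_Tokens` and `wp_get_session_token()`, and that `init` fires before the old session is destroyed during the password change.

```php
<?php
// Added illustration, not plugin code. Assumes the Two-Factor session keys shown
// in the report, core's WP_Session_Tokens / wp_get_session_token(), and that
// 'init' runs before wp_update_user() destroys the old session (hook-order assumption).
class Two_Factor_Session_Carry_Over {
	/** Keys Two-Factor stores in the session after a successful 2FA login. */
	const KEYS = array( 'two-factor-login', 'two-factor-provider' );
	/** @var array Snapshot of the 2FA markers from this request's own session. */
	private static $snapshot = array();
	public static function register() {
		add_action( 'init', array( __CLASS__, 'snapshot_current_session' ) );
		// Priority 20: run after Two-Factor's login-time filter (priority 10) so a
		// fresh 2FA login is never overwritten by a stale snapshot.
		add_filter( 'attach_session_information', array( __CLASS__, 'carry_over' ), 20, 2 );
	}
	/** Read the markers while the current session record still exists. */
	public static function snapshot_current_session() {
		$user_id = get_current_user_id();
		$token   = wp_get_session_token();
		if ( ! $user_id || ! $token ) {
			return; // Not logged in (also the case on the login and 2FA-validation requests).
		}
		$session        = WP_Session_Tokens::get_instance( $user_id )->get( $token );
		self::$snapshot = is_array( $session ) ? self::extract( $session ) : array();
	}
	/** Copy the markers onto a new session for the same user only. */
	public static function carry_over( $session, $user_id ) {
		if ( empty( self::$snapshot ) || (int) $user_id !== get_current_user_id() ) {
			return $session; // Different user, or nothing to carry over.
		}
		foreach ( self::$snapshot as $key => $value ) {
			if ( ! isset( $session[ $key ] ) ) {
				$session[ $key ] = $value; // Never overwrite a value set by a real 2FA login.
			}
		}
		return $session;
	}
	/** Keep only the Two-Factor keys; expiration, IP and UA of the new session stay fresh. */
	public static function extract( array $session ) {
		return array_intersect_key( $session, array_flip( self::KEYS ) );
	}
}
Two_Factor_Session_Carry_Over::register();
```

Only the two Two-Factor keys are copied, and only onto a session for the currently authenticated user, so a session created for anyone else is untouched.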
