Details

    • Type: New Feature
    • Status: Open
    • Priority: Major
    • Resolution: Unresolved
    • Affects Version/s: 5.9.0
    • Fix Version/s: 5.12.0-b1
    • Component/s: Staff Interface
    • Labels:
      None

Description

Step Up Authentication is used to firewall sensitive information or settings to an authenticated user by requesting that they provide their password or 2FA token again to access these settings.

System Settings and Company Settings should, by default, require some kind of step up authentication.

When accessing the Settings (Company or System), require that the user:

    • Enter their password again if they do not have 2FA enabled, or
    • Enter their 2FA token instead of their password if they do have 2FA enabled

Add the step up authentication to the session. We can probably piggyback on the Blesta.session_ttl setting in /config/blesta.php to determine how long this Step Up session remains valid. Visiting the Settings while this is active will not prompt for the password or token again until it has expired.

We may also want to add a banner at the top of the page, like others, to indicate that you have an active Step Up Session, with a button/link to "Drop Access".

Message:
You currently have a step up session open with access to admin settings. If this is no longer needed, drop access.

"Drop access" would drop access immediately, requiring the password or token again should they revisit.

It might make sense to add a variable to /config/blesta.php to determine whether this feature is in place or not, as some may be annoyed by it. It should be enabled by default.
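The mechanism sketched above, as an added PHP illustration that is not Blesta's own code: the step-up expiry is kept server-side in the session rather than in anything the client controls, the TTL is a value standing in for Blesta.session_ttl, the factor to re-prompt for depends on whether 2FA is enabled, and "Drop Access" clears the step-up session at once. The class name, the session key and the enable flag are assumptions for the example.

```php
<?php
// Added example, not Blesta's code: the step-up session sketched in the issue. The expiry is
// kept server-side in the session; $ttl stands in for Blesta.session_ttl and $enabled for the
// proposed on/off switch in /config/blesta.php. Class and key names are assumptions.
final class StepUpGate
{
    private const KEY = 'step_up_expires';  // assumed session key
    private array $session;                 // reference to the live session array
    private int $ttl;                       // step-up lifetime in seconds
    private bool $enabled;                  // when false, settings are never gated
    public function __construct(array &$session, int $ttl, bool $enabled = true)
    {
        $this->session = &$session;
        $this->ttl = $ttl;
        $this->enabled = $enabled;
    }
    /** Which factor to re-prompt for: the 2FA token when 2FA is on, else the password. */
    public function requiredFactor(bool $twoFactorEnabled): string
    {
        return $twoFactorEnabled ? '2fa_token' : 'password';
    }
    /** True while an unexpired step-up session exists (or the feature is switched off). */
    public function hasAccess(int $now): bool
    {
        return !$this->enabled
            || (isset($this->session[self::KEY]) && $this->session[self::KEY] > $now);
    }
    /** Call only after the supplied password or 2FA token has been verified. */
    public function grant(int $now): void
    {
        $this->session[self::KEY] = $now + $this->ttl;
    }
    /** "Drop Access": end the step-up session now; the next Settings visit re-prompts. */
    public function drop(): void
    {
        unset($this->session[self::KEY]);
    }
}

// Walk-through with a constructed session array and a 30-minute TTL.
$session = [];
$gate = new StepUpGate($session, 1800);
$now = time();
$show = fn(string $label, int $at) => printf("%-13s %s\n", $label, $gate->hasAccess($at) ? 'allowed' : 'prompt for ' . $gate->requiredFactor(true));
$show('before grant:', $now);
$gate->grant($now);          // user re-entered the required factor successfully
$show('inside TTL:', $now + 60);
$show('after TTL:', $now + 1801);
$gate->drop();               // the banner's "Drop Access" link
$show('after drop:', $now + 60);
```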

Activity

There are no comments yet on this issue.

People

    • Assignee: Unassigned
    • Reporter: Paul Phillips (admin)
    • Votes: 0
    • Watchers: 1
