2FA is useless on plans (except on Enterprise) if you don't log out manually
Monika
At present, session management has been separated from 2FA and is only available on the Enterprise plan. As a result, 2FA on plans below Enterprise is effectively optional at the user level. If a user never logs out of their session, they may not be prompted to authenticate again using 2FA.
This significantly weakens the intended security benefits of 2FA and undermines standard data security practices. For 2FA to function as a meaningful security control, it needs to be supported by proper session management, including the ability to terminate active sessions.
2FA is widely considered a baseline security feature and should not be restricted to Enterprise-level plans but available on all plans. Or is this just a money grab?
Without session management and the ability to terminate sessions, 2FA cannot operate effectively and its implementation remains incomplete.