Ask for (old) password to change password or 2fa settings.
Currently the password and 2FA settings can be changed without having to provide the (old) password. If a user forgets to log out (e.g. on a shared machine), anyone with access to that still-valid session could change those settings and take over the account. Many services additionally send a notification email whenever the password or 2FA settings are changed.
@nd came up with another (additional) idea: separating the sessions for SSO and self-service, and shortening the session lifetime for the latter.
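As an added example (not code from this project), the following Python sketch combines both proposals: credential changes require the current password, are only accepted from a separate, short-lived self-service session rather than the long-lived SSO session, and trigger a notification. The names (`login`, `change_password`, `set_totp_secret`), the PBKDF2 password storage, and the session lifetimes (10 minutes for self-service, 8 hours for SSO) are assumptions chosen for the illustration, not the project's actual implementation.

```python
"""Re-authentication and session separation for credential changes.

Added example; hashing scheme, function names and lifetimes are assumptions."""
import hashlib
import hmac
import os
from dataclasses import dataclass, field
from typing import List, Optional

PBKDF2_ITERATIONS = 600_000          # assumption: OWASP-level PBKDF2-HMAC-SHA256 work factor
SALT_LEN = 16
SELFSERVICE_SESSION_TTL = 10 * 60    # assumption: 10 minutes, as proposed by @nd
SSO_SESSION_TTL = 8 * 60 * 60        # assumption: 8 hours for the ordinary SSO session


def hash_password(password: str, salt: Optional[bytes] = None) -> bytes:
    """Return salt || PBKDF2(password) so verify_password can recover the salt."""
    salt = salt if salt is not None else os.urandom(SALT_LEN)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return salt + digest


def verify_password(password: str, stored: bytes) -> bool:
    """Constant-time comparison of the candidate password against the stored hash."""
    salt, digest = stored[:SALT_LEN], stored[SALT_LEN:]
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return hmac.compare_digest(candidate, digest)


@dataclass
class Session:
    user: str
    kind: str        # "sso" (long-lived) or "selfservice" (short-lived, for credential changes)
    issued_at: float


@dataclass
class User:
    name: str
    password_hash: bytes
    totp_secret: Optional[str] = None
    sent_mails: List[str] = field(default_factory=list)   # stands in for the notification email


class ReauthRequired(Exception):
    """The caller must prove knowledge of the current password again."""


class WrongSession(Exception):
    """The session is not a self-service session for this user."""


def login(user: User, password: str, kind: str, now: float) -> Session:
    """Issue a session of the requested kind after checking the password."""
    if kind not in ("sso", "selfservice"):
        raise ValueError("unknown session kind")
    if not verify_password(password, user.password_hash):
        raise ReauthRequired("wrong password")
    return Session(user=user.name, kind=kind, issued_at=now)


def session_lifetime(session: Session) -> int:
    return SELFSERVICE_SESSION_TTL if session.kind == "selfservice" else SSO_SESSION_TTL


def _require_fresh_selfservice(user: User, session: Session, now: float) -> None:
    """An SSO session left logged in must never be enough to change credentials."""
    if session.user != user.name or session.kind != "selfservice":
        raise WrongSession("credential changes need a self-service login")
    if now - session.issued_at > session_lifetime(session):
        raise ReauthRequired("self-service session expired, log in again")


def _require_current_password(user: User, current_password: str) -> None:
    # Checked even with a valid self-service session: a stolen session alone is not enough.
    if not verify_password(current_password, user.password_hash):
        raise ReauthRequired("current password is wrong")


def change_password(user: User, session: Session, current_password: str,
                    new_password: str, now: float) -> bool:
    _require_fresh_selfservice(user, session, now)
    _require_current_password(user, current_password)
    user.password_hash = hash_password(new_password)
    user.sent_mails.append("password changed")
    return True


def set_totp_secret(user: User, session: Session, current_password: str,
                    secret: Optional[str], now: float) -> bool:
    """Enable (secret given) or disable (None) TOTP; same gating as a password change."""
    _require_fresh_selfservice(user, session, now)
    _require_current_password(user, current_password)
    user.totp_secret = secret
    user.sent_mails.append("2FA enabled" if secret else "2FA disabled")
    return True


if __name__ == "__main__":
    # Constructed demo user; a real deployment would load this from the user store.
    alice = User("alice", hash_password("correct horse"))
    sso = login(alice, "correct horse", "sso", now=0.0)
    try:
        change_password(alice, sso, "correct horse", "new", now=1.0)
    except WrongSession as e:
        print("SSO session rejected:", e)
    fresh = login(alice, "correct horse", "selfservice", now=1.0)
    change_password(alice, fresh, "correct horse", "new", now=2.0)
    print(alice.sent_mails)
```

The two checks are deliberately independent: the session check stops a forgotten SSO login from being abused at all, and the password check stops a freshly stolen self-service session from being enough on its own. Disabling 2FA goes through the same path as enabling it, since turning 2FA off is the change an attacker is most interested in.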