Feature flag to required old password as confirmation when setting a new password

[tricky42]

Preflight checklist

• I could not find a solution in the existing issues, docs, nor discussions.
• I agree to follow this project's Code of Conduct.
• I have read and am following this repository's Contribution Guidelines.
• I have joined the Ory Community Slack.
• I am signed up to the Ory Security Patch Newsletter.

Ory Network Project

No response

Describe your problem

A common best practice is to required the user to provide the old password as part of defining a new password. Currently, Kratos does not provide a setting to enforce this as Kratos uses the concept of privileged sessions (https://www.ory.sh/docs/kratos/session-management/session-lifespan#privileged-sessions).

By setting a short privileged_session_max_age value, you can essentially enforce the requirement of reentering the old password to change it.

To make this behavior more explicit, it would be nice to introduce a feature flag that, if set to true, requires providing the old password when setting a new password.

Describe your ideal solution

Add a feature flag that, if set to true, requires the old password to be specified when setting a new password. If the old password is not provided or is incorrect, setting the new password fails. The behavior is not dependent on the value of privileged_session_max_age and the authenticated_at value of the current session.

Workarounds or alternatives

A current workaround achieving a similar behavior is defining a low value for privileged_session_max_age.

Version

Ory Network

Additional Context

No response