Two-factor authentication (2FA) is one of the highest-leverage controls you can add to an account, but it is not magic. Attackers rarely "crack" 2FA directly. They work around it by stealing sessions, tricking you into approving a login, or taking over the recovery channels that sit behind 2FA.
| If you see this | Do this first | Why it works |
|---|---|---|
| You get an unexpected 2FA prompt or login alert | Do not approve it. Change your password from a trusted device and sign out everywhere. | Real-time phishing depends on you approving a prompt or typing a code while the attacker is waiting; a stolen session stays valid until it is revoked. Changing the password and cutting all sessions removes the attacker's foothold either way. |
| Your phone suddenly stops getting calls/texts, or your carrier says your SIM changed | Treat it as possible SIM swapping. Call your carrier and lock down the line (port-out PIN, account PIN). | SMS codes and password resets can be intercepted if your number is moved to an attacker-controlled SIM. |
| You find unfamiliar devices/sessions on a major account | Revoke sessions, remove unknown devices, and review recovery email/phone methods. | Many takeovers persist through sessions and recovery channels, not just a password. |
| You used backup codes and now they are missing or were stored in your email | Regenerate backup codes and store them offline (not in the same inbox that resets the account). | Backup codes are "single-factor" if an attacker can read where you stored them. |
Do not: approve a push notification or provide a one-time code to anyone, even if the request looks like it came from support. The only safe time to approve is when you initiated the login yourself.
How 2FA gets bypassed in practice
Session hijacking (stolen cookies and tokens)
2FA happens at sign-in. If an attacker steals an active session token, they can sometimes skip the sign-in flow entirely. This shows up as "new device" activity without a clean 2FA challenge, or as actions taken from a session you do not recognize. See: session hijacking.
Real-time phishing and reverse-proxy logins
Modern phishing is often interactive. You land on a fake login page, you enter your password, you enter the 2FA code, and the attacker relays those values to the real service immediately. The result is a legitimate login, plus an attacker session they can keep using.
If the account supports it, phishing-resistant methods like passkeys and security keys remove this risk because there is nothing for you to type: the browser signs a challenge that is bound to the real site's domain, so a response produced on a look-alike site is rejected by the genuine service even if the attacker relays it instantly.
SIM swapping and number porting
SMS-based 2FA depends on your phone number staying under your control. In a SIM swap, the attacker convinces a carrier to move your number to their SIM (often using stolen personal data). Once they control the number, they can intercept sign-in codes and password reset flows.
Malware on the device
If a device is infected, attackers can capture what you type and what you see. That can include passwords, one-time codes, and even session tokens. Malware is less common than phishing for most people, but when it is present it can make otherwise-good 2FA choices ineffective until the device is cleaned.
Recovery-channel takeover (the control plane behind 2FA)
Most accounts can be recovered without your normal 2FA method if the attacker can access your recovery email, recovery phone number, backup codes, or a linked "sign in with" identity. That is why securing the primary inbox that resets everything matters as much as enabling 2FA on the individual account.
Which 2FA method matches which threat
| Method | Strong against | Still vulnerable to |
|---|---|---|
| SMS codes | Password guessing and basic credential stuffing | SIM swapping, number porting, real-time phishing, session theft |
| Authenticator app codes (TOTP) | SIM swapping and most automated attacks | Real-time phishing, device malware, session theft |
| Push approvals | Many automated attacks, some phishing attempts | MFA fatigue (repeated prompts until you approve one), real-time phishing if you approve, session theft |
| Passkeys / security keys | Real-time phishing, most credential theft | Session theft on an already-compromised device, and any weaker fallback or recovery method left enabled alongside them |
| Backup codes | Lockouts (when used correctly) | Any compromise of where they are stored |
Hardening moves that reduce re-compromise
- Upgrade the factor: if the account supports passkeys or security keys, prefer them over SMS.
- Lock your phone number down: add a carrier account PIN and a port-out PIN, and remove weak carrier account recovery options where possible.
- Protect the control plane: secure your primary email with strong sign-in (ideally passkeys/security key), alerts, and a unique password stored in a password manager.
- Store backup codes offline: treat them like keys, not like notes to keep in your email.
- Reduce session persistence: after a scare, sign out everywhere on the impacted service and review connected apps and OAuth grants.
If you are dealing with active suspicious logins across multiple accounts, start with the highest-leverage containment flow in the "been hacked" guide.
2FA is not a single switch you flip. It is a trade between usability, recovery reliability, and resistance to the most likely bypass methods in your situation.
When attackers get in despite 2FA, it usually means one of two things: they stole a session, or they owned the recovery path. Fixing the password alone does not address either problem.
If you want 2FA to actually change outcomes, treat your email inbox, phone number, and recovery settings as one system. Strengthen the weakest link and the rest of your defenses start to hold.
