Yes, a hacker can bypass two-factor authentication, but rarely by cracking the second factor itself. Most 2FA bypass is theft of the session that authentication creates: an attacker steals or replays a valid session cookie, a refresh token, or the login itself in real time, and walks in without a fresh prompt. That does not mean MFA is useless. It means the account stays exposed after login, and phishing-resistant MFA closes most of the gap.
- The common bypass is not cracking a code, it's stealing the authenticated session. SpyCloud recaptured 17.3 billion stolen session cookies from infected devices in 2024.
- About 31% of malware-stolen credentials in 2025 shipped with a session cookie attached, ready for replay (Recorded Future).
- Real-time phishing (adversary-in-the-middle) relays your code the moment you enter it, so the attacker's session is authenticated too.
- Stolen credentials were the top initial-access action in 22% of breaches (Verizon 2025 DBIR), and MFA fatigue and SIM swap target the human, not the math.
- MFA still works. CISA continues to recommend it, and phishing-resistant methods like FIDO2 and passkeys defeat AiTM and code-relay attacks.
Can hackers actually get past 2FA?
Yes, but the attack almost never targets the six-digit code. It targets the session that a successful login creates. Once you authenticate, the service issues a session cookie or token that says 'this browser is already signed in.' Steal that artifact and you skip the password and the second factor entirely. SpyCloud recaptured 17.3 billion stolen session cookies from malware-infected devices in 2024 (SpyCloud 2025).
That is why '2FA bypass' is mostly a post-authentication problem. Recorded Future found that roughly 31% of malware-sourced credentials in 2025 came bundled with a session cookie the buyer can replay (Recorded Future). The attacker doesn't need your phone. They need the cookie your phone already helped create.
What are the main ways attackers bypass MFA?
Attackers use a handful of repeatable techniques, and most steal or reuse a session rather than defeat the factor. The pattern that ties them together is simple: get the account to a signed-in state, then ride it. Stolen credentials remained the top initial-access action in 22% of breaches (Verizon 2025 DBIR).
- Real-time phishing (adversary-in-the-middle): a proxy page relays your password and code to the real site instantly, then captures the session cookie it returns.
- Session cookie theft: infostealer malware copies the cookie store from the browser, so the attacker replays an already-authenticated session.
- Refresh token theft: a stolen long-lived token silently mints new access tokens, so revoking the password alone does not stop it.
- MFA fatigue (push bombing): repeated approval prompts until a tired user taps 'approve' once.
- SIM swap: porting your number to the attacker's SIM to intercept SMS codes.
- Account recovery abuse: resetting access through a weaker recovery path instead of the MFA prompt.
How does adversary-in-the-middle phishing beat a valid code?
Stolen credentials led 22% of breaches, and AiTM is how many are captured live (Verizon 2025 DBIR). An adversary-in-the-middle (AiTM) kit sits between you and the real login, so your correct password and correct code both pass through to the genuine site in real time. The site authenticates and returns a session cookie, which the proxy steals. The victim sees a normal login; the attacker walks away with a live session. This is the mechanism behind most modern MFA-bypass phishing (Recorded Future).
The reason a code doesn't help here is timing. A one-time code proves you authenticated at that moment, but it does nothing to bind the session to your device. Phishing-resistant methods fix exactly that: a passkey or FIDO2 key checks the real site's origin, so a proxy page fails the cryptographic handshake before any code is ever entered.
Why doesn't changing my password stop the attacker?
Because the stolen session and the password are separate credentials. A password reset invalidates the password, but an already-issued session cookie or refresh token stays valid until it expires or is explicitly revoked. On Microsoft Entra, for example, access tokens stay valid for up to 1 hour and app-issued sessions must be revoked deliberately, not as a side effect of a reset (Microsoft).
So containment after a suspected bypass has two steps, not one: reset the password and revoke every active session and refresh token. If malware stole the cookie in the first place, clean the device too, or the next login gets captured again. This is where Ashetrace helps: it surfaces which corporate identities show up in infostealer logs with live session artifacts, so you revoke the right sessions instead of guessing.
Should I still use two-factor authentication?
MFA still blocks the vast majority of password-only attacks; the remaining gap is stolen sessions, and SpyCloud recaptured 17.3 billion cookies in 2024 (SpyCloud). Absolutely, and the data is not close. MFA blocks the overwhelming majority of password-only attacks, which is why CISA keeps it near the top of its guidance and pushes organizations toward phishing-resistant methods (CISA). Turning MFA off to avoid bypass is like removing seatbelts because crashes still happen.
- Move high-value accounts to passkeys or FIDO2 security keys, which resist AiTM and replay.
- Prefer app-based codes or number-matching over SMS, which is exposed to SIM swap.
- Shorten session lifetimes and enable continuous access evaluation so stolen tokens die faster.
- Alert on impossible-travel and new-device sign-ins to catch a replayed session early.
- Treat any infostealer hit as a session-revocation event, not just a password reset.
Can hackers really bypass two-factor authentication?
Yes, but usually by stealing the session created after login, not by cracking the code. SpyCloud recaptured 17.3 billion stolen session cookies from infected devices in 2024, and Recorded Future found about 31% of malware-stolen credentials shipped with a replayable cookie. Phishing-resistant MFA defeats most of these attacks.
What is an adversary-in-the-middle (AiTM) attack?
AiTM phishing places a proxy between you and the real login, relaying your password and one-time code in real time. The genuine site authenticates and returns a session cookie, which the proxy steals. Recorded Future documents this as the main mechanism behind modern MFA-bypass phishing, since a valid code cannot bind the session to your device.
Does a password reset stop an MFA bypass?
Not by itself. The stolen session cookie and refresh token are separate credentials that stay valid until revoked or expired. Microsoft notes app-issued sessions must be revoked deliberately. Effective containment resets the password and revokes every active session, and cleans the device if malware stole the cookie.
Which type of MFA is hardest to bypass?
Phishing-resistant MFA, meaning FIDO2 security keys and passkeys. These bind authentication to the real site's origin, so an AiTM proxy fails the cryptographic check before any code is entered. CISA recommends phishing-resistant MFA for high-value accounts, above SMS or push, which remain exposed to relay, SIM swap and fatigue.
Is SMS-based 2FA safe to use?
SMS is far better than no MFA, but it is the weakest common method. It can be intercepted through SIM swap, where an attacker ports your number, and it offers no protection against real-time AiTM phishing. Where a service supports it, an authenticator app or a passkey is a stronger choice for the same account.
- SpyCloud, 2025 Annual Identity Exposure Report (2025)
- Recorded Future, 2025 Identity Threat Landscape Report (2025)
- Recorded Future, Session Hijacking and MFA Bypass
- Verizon, 2025 Data Breach Investigations Report (DBIR) (2025)
- Microsoft, Revoke user access in an emergency in Microsoft Entra ID (2025)
- CISA, Multi-Factor Authentication (MFA) (2025)
Start here
See what is still exposed in your environment
Verify a corporate domain and get a scoped exposure assessment. No passwords, cookies or tokens handed over.
Request an exposure assessment