Whenever there is talk of hackers compromising services, be that in the form of Gmail lockout attacks, attacks that use infostealer malware, or ransomware threat actors brute-forcing passwords to firewalls and VPNs, you can bet your bottom dollar that the mitigation advice will include enabling two-factor authentication for all your accounts. But what if the hackers had a way around that? What if the hackers could bypass the 2FA code requirement and compromise your account anyway? Well, about that…
The Threat To 2FA Code Security Explained
Two-factor authentication is, without a shadow of a doubt, a necessity given the current threat landscape where infostealers rule supreme. If you are not using passkeys already, then your passwords are the weak spot that hackers will attack. Heck, most of the time, the hard work has already been done for them with infostealer logs compiled and sold on criminal marketplaces and dark web forums. All they then have to do is feed those passwords into a brute-force attack against accounts, and if, like 50% of users, you use the same credentials for multiple sites and services, well, you’re screwed. Unless that is, you have 2FA enabled, which acts as a nightclub doorman protecting the entrance to your account: if your 2FA code isn’t on the list, then you are not coming in. So far, so good. Now comes the bad news.
2FA bypass is a reality. Attackers don’t need your 2FA code to gain access to your account; what they use instead is a cookie. Yes, those things that we always think of in a privacy-related context as containing information about us that is fed back to the evil giants of technology. But not all cookies are the same, and session cookies in particular carry important data. The data contained within a session cookie for an authenticated session already includes a flag that says 2FA has been completed and all is fine and dandy. Threat actors will employ attacker-in-the-middle techniques to capture a session cookie after a victim has completed the initial password login and 2FA verification. That cookie is proof to your account that the session was authorized correctly. Critically, once a hacker has hold of such a session cookie, that authorized session can be replayed at their leisure without the need for your 2FA code at all.
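As an added illustration, not code from the article or from SpyCloud, the Python below models the server side of the problem the paragraph describes: a session record that carries the 2FA-completed flag, with the session bound to the client context seen at login so that a cookie replayed from a different device triggers step-up re-authentication instead of being accepted. The IP-plus-User-Agent binding, the lifetime and the sample values are all assumptions constructed for the example.

```python
import hashlib
import hmac
import secrets

SESSION_TTL = 8 * 3600  # absolute session lifetime in seconds (assumed value)


def client_binding(ip: str, user_agent: str) -> str:
    """Fingerprint of the client context the session is tied to (assumption: IP + UA)."""
    return hashlib.sha256(f"{ip}|{user_agent}".encode()).hexdigest()


class SessionStore:
    """Server-side store; the cookie value is only an opaque key into it."""

    def __init__(self):
        self.sessions = {}

    def create(self, user, mfa_verified, ip, ua, now):
        token = secrets.token_urlsafe(32)  # unguessable cookie value
        self.sessions[token] = {
            "user": user,
            "mfa_verified": mfa_verified,   # the "2FA done" flag the article mentions
            "binding": client_binding(ip, ua),
            "created": now,
        }
        return token

    def validate(self, token, ip, ua, now):
        """Return ('ok', user), ('reauth', user) or ('invalid', None)."""
        s = self.sessions.get(token)
        if s is None:
            return ("invalid", None)
        if now - s["created"] > SESSION_TTL:
            del self.sessions[token]          # stolen cookies stop working at the TTL
            return ("invalid", None)
        # Replay from a different client context: the cookie alone no longer vouches for 2FA.
        if not hmac.compare_digest(s["binding"], client_binding(ip, ua)):
            s["mfa_verified"] = False         # force step-up before anything sensitive
            return ("reauth", s["user"])
        if not s["mfa_verified"]:
            return ("reauth", s["user"])
        return ("ok", s["user"])


def demo():
    """Constructed scenario: legitimate use, then the same cookie replayed elsewhere."""
    store = SessionStore()
    t0 = 1_700_000_000
    token = store.create("alice", True, "203.0.113.5", "Firefox/125", t0)
    same_client = store.validate(token, "203.0.113.5", "Firefox/125", t0 + 60)
    replayed = store.validate(token, "198.51.100.7", "curl/8.0", t0 + 120)
    expired = store.validate(token, "203.0.113.5", "Firefox/125", t0 + SESSION_TTL + 1)
    return same_client, replayed, expired
```

Binding to the client IP produces false positives for users on mobile networks, so real deployments usually bind to a device-bound key or a stable client fingerprint and treat a mismatch as a signal for step-up rather than an outright block.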
Now that you understand how it works, you might not want to read SpyCloud’s newly published 2025 identity exposure report. According to the SpyCloud analysts, 17.3 billion session cookies were stolen in 2024 from malware-infected devices. As well as being valid authentication cookies, these included target URLs to enable session hijacking, the report warned. “In the intricate web of cybercrime, stolen session cookies have become a powerful tool for attackers,” SpyCloud said, “allowing them to bypass authentication measures and hijack accounts.”
Mitigating 2FA Code Bypass Attacks
There are myriad ways that you can mitigate 2FA code bypass attacks, including the use of passkeys, which Google told me that internal research had shown to “substantially reduce the impact of phishing and other social engineering attacks.” Of course, you should also be aware of all the advice that has been given many times over about mitigating phishing attacks, as these are also used alongside malware infections to steal session cookies. Indeed, phishing is often how the infostealer malware gets installed in the first place, so be sure to stay alert.