It’s actually quite simple to bypass 2FA when the second factor is an SMS code. Most people receive that code on their phone. It cost a hacker 16 USD (!) to get the victim’s 2FA messages redirected to his own phone. Bingo.
*Vice magazine, popular for its alternative journalism and extreme reporting, published an article last March about an experiment that caused a stir in the cybersecurity community: journalist Joseph Cox paid a hacker to try to break into his accounts without having any of his physical devices, such as his mobile phone, in their possession. The hacker succeeded very easily, and it only cost him $16 to do so, which was the price of a legitimate, off-the-shelf tool.*
*The hacker, named Lucky225, managed to do this without hacking the SIM card, which is the most common method in these cases. Instead, he took advantage of multi-factor authentication (MFA), which clearly wasn’t secure enough. How did he do it? He simply used a marketing campaign tool called Sakari, which allows companies to send bulk SMS messages to lists of mobile numbers for commercial purposes. Lucky225 sent Sakari a Letter of Authorization filled out with false data, claiming that he was the owner of the journalist’s phone number. As a result, SMS messages to the victim of the experiment started to be diverted to the application, and the journalist no longer received them on his mobile phone. The hacker was able to access many of the victim’s online accounts: all he had to do was to ask for new passwords, and the SMS messages sent by the portals with the new passwords went directly to the hacker.*
It’s harder to bypass if you’re using a dedicated 2FA app such as Google Authenticator or Okta, because the code is generated on the device itself from a shared secret and the current time, so nothing is sent over SMS for a redirected number to receive.