password + 2FA authentication
Two-factor authentication with multiple verification methods
Actors in the diagram: user, browser, server, attacker.
Steps 1-4: same as the password-only flow (navigate → enter credentials → submit → validate password).

Step 5 (password validation): Request 2FA verification.
  ⚠️ Timing attack possible
  🪤 Response timing reveals valid username

Step 6 (generate code): Send 6-digit code via SMS.
  ⚠️ Device theft
  📱 SIM swap attack

Step 7 (wait for code): Check phone for SMS message.
  ⚠️ 30-60 second delay
  ⏱️ Timing-based attack

Step 8 (enter code): Type 6-digit verification code.
  ⚠️ Manual typing, time pressured
  🎭 Real-time phishing proxy

Step 9 (send code): POST 2FA to server.
  ⚠️ Code transmission window vulnerability
  🕵️ Man-in-the-browser attack

Step 10 (validate code): Request 2FA verification.
  ⚠️ Codes expire in 5-10 minutes
  🪜 Backup code theft from storage

Step 11 (access granted): Logged into account.
  Total time: ~60-180 seconds
  🍪 Session hijacking via XSS
Summary:
  12+ pain points: more friction than password-only
  6+ attack vectors: reduced but still vulnerable
  1+ protection layers: better but not immune