Two-Step Verification Bypass
Techniques that circumvent two-factor or multi-factor authentication to gain unauthorised account access, most commonly real-time phishing and SIM-swap attacks.
Also known as: MFA bypass, 2FA bypass, OTP interception, authentication bypass
Last reviewed: 1 June 2026
Two-step verification (2SV) and multi-factor authentication (MFA) add a second checkpoint beyond a password, dramatically raising the bar for account hijacking. However, several bypass techniques are widely used by fraudsters: real-time phishing (a phishing site proxies credentials and OTPs live to the attacker's session), SIM-swap attacks (the attacker takes over the victim's phone number to receive SMS codes), SS7 exploitation (telecoms-protocol attacks that intercept SMS), and social engineering of call-centre staff to reset MFA.
Authentication apps and hardware security keys are far more resistant to bypass than SMS-based codes because they are bound to the device and cannot be easily intercepted or redirected. Despite their limitations, SMS OTPs are still far better than no second factor.
Awareness of real-time phishing is particularly important: if a website you reached by clicking through from an unexpected message prompts you to enter an OTP you did not initiate, stop immediately. You are likely inside a live attack.
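Added example (not from the original page): the server's view of why an OTP typed into a lookalike site still verifies while a security-key login does not. It goes beyond the text by using the WebAuthn clientDataJSON origin check, which the page does not name. The origins, secret and challenge are constructed, and the authenticator signature check a real relying party also performs is not shown.

```python
import base64
import hashlib
import hmac
import json
import struct

RP_ORIGIN = "https://bank.example"           # constructed: the genuine site
PHISH_ORIGIN = "https://bank-login.example"  # constructed: lookalike proxy

def totp(secret: bytes, at: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP with HMAC-SHA1, as used by authenticator apps."""
    mac = hmac.new(secret, struct.pack(">Q", at // step), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

def verify_totp(secret: bytes, submitted: str, at: int) -> bool:
    # The server sees only the digits; nothing records where they were typed.
    return hmac.compare_digest(totp(secret, at), submitted)

def b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def client_data(origin: str, challenge: bytes) -> bytes:
    """What the browser builds: it fills in the origin of the requesting page."""
    return json.dumps({"type": "webauthn.get", "challenge": b64url(challenge),
                       "origin": origin}).encode()

def verify_client_data(raw: bytes, challenge: bytes) -> bool:
    """Relying-party checks on clientDataJSON (signature check not shown)."""
    data = json.loads(raw)
    return (data.get("type") == "webauthn.get"
            and data.get("challenge") == b64url(challenge)
            and data.get("origin") == RP_ORIGIN)

def demo() -> dict:
    secret, now, challenge = b"12345678901234567890", 59, b"constructed-challenge"
    code = totp(secret, now)  # user reads this from the app and types it in
    return {
        "otp_entered_on_lookalike": verify_totp(secret, code, now),
        "assertion_from_genuine": verify_client_data(
            client_data(RP_ORIGIN, challenge), challenge),
        "assertion_from_lookalike": verify_client_data(
            client_data(PHISH_ORIGIN, challenge), challenge),
    }

if __name__ == "__main__":
    print(demo())
```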
Examples
- A real-time phishing proxy prompts the victim to enter their bank OTP, instantly forwarding it to the attacker who completes a fraudulent transaction.
- After SIM-swapping the victim's mobile number, the attacker receives the bank's SMS authentication code and resets the account password.