2FA and session theft concern different stages
2FA is not useless. The attacker may avoid the sign-in flow entirely by stealing the authenticated state created after it.
What 2FA protects
An additional check during a new sign-in. It reduces the damage of password theft by requiring another factor.
What a stolen session changes
Instead of signing in again, an attacker reuses an existing authenticated identifier. It may remain usable until the service invalidates it.
Required response
- Disconnect the potentially infected device
- Change the password from another trusted device
- Log out all sessions to invalidate existing authenticated states
- Review 2FA, backup codes, passkeys, and recovery methods
Important distinction
A token does not universally grant every action. Capabilities vary by implementation, permission, re-authentication requirements, and revocation behavior. Document only what has been verified.