security.riyo.me
TOKEN / SESSION

2FA and session theft concern different stages

2FA is not useless. The attacker may avoid the sign-in flow entirely by stealing the authenticated state created after it.

What 2FA protects

An additional check during a new sign-in. It reduces the damage of password theft by requiring another factor.

What a stolen session changes

Instead of signing in again, an attacker reuses an existing authenticated identifier. It may remain usable until the service invalidates it.

Required response

  • Disconnect the potentially infected device
  • Change the password from another trusted device
  • Log out all sessions to invalidate existing authenticated states
  • Review 2FA, backup codes, passkeys, and recovery methods
Important distinction

A token does not universally grant every action. Capabilities vary by implementation, permission, re-authentication requirements, and revocation behavior. Document only what has been verified.