July 10, 2026
How I Bypassed a Mandatory 2FA Enforcement Just by Dropping One Request
So I was testing a platform that forces every new user to set up 2FA before they can even see the dashboard. No skip button, no later…

By NorthSideHacker
1 min read
So I was testing a platform that forces every new user to set up 2FA before they can even see the dashboard. No skip button, no later option. you sign up, and you're stuck on a 2FA setup screen until you complete it. Looks solid on paper.
But that kind of hard gate always makes me curious about how it's actually being enforced. Is the backend really blocking dashboard access at the session level, or is the frontend just… asking a question and reacting to the answer? Those are very different things, and only one of them is actually secure.
So I made a fresh account, logged in, and got hit with the expected 2FA setup prompt. Fired up Burp, turned on intercept, and started letting requests through one by one. just watching what was firing in the background.
One request stood out: something checking the user's 2FA status. Made sense, that's probably what decides whether you get shown the setup screen or the real dashboard.
So I tried the obvious thing — just drop that one request. Let everything else through normally.
And… it worked. No 2FA status check firing meant the frontend never got told "hey, this user isn't set up yet." It just moved on. Full dashboard access, account fully usable, 2FA never touched.
That's the whole bug, honestly. It's not some crazy chain, it's just — the enforcement lived entirely on a single client-side check that assumed it would always get an answer. It never accounted for what happens if it doesn't.
The impact is bigger than it first seems though. It's not just "you can skip a setup screen." The real problem is every downstream system on this platform is probably built assuming all active accounts have 2FA enabled — that's the whole point of making it mandatory. If that assumption is false and nobody knows it, you've basically got accounts sitting around with zero second factor while everyone's risk models think otherwise. A false sense of security is honestly worse than no security theater at all, because nobody's compensating for it.