the given credentials match. The user is asked to enter the 2FA code. The server verifies whether the provided 2FA code is correct. The user is authenticated.
force token. Token does not expire after use. Request 2 tokens from accounts A and B. Use A's token in B's account. Try to go directly to the dashboard URL without solving the 2FA. If that does not succeed, try adding the Referer header with the 2FA page URL while going to the dashboard.
disabling 2FA. The password can be reset via forgot password without 2FA. Enter 0s in the code. Log in using OAuth to bypass 2FA. Backup code abuse using the above methods.
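
A server-side counterpart to the checks listed above, as an added example that is not part of the original page: a 2FA gate that keeps codes single-use, bound to the session's account, expiring and attempt-limited, and that decides dashboard access from server-side session state rather than the Referer header. The class, function names, session fields and thresholds are assumptions for illustration.

```python
import hmac
import secrets
import time

MAX_ATTEMPTS = 5   # assumed limit on wrong guesses per issued code
CODE_TTL = 300     # assumed code lifetime in seconds

class TwoFactorGate:
    """Hypothetical in-memory 2FA state; a real service would persist this."""

    def __init__(self):
        self.pending = {}  # user -> [code, expiry, failed_attempts]

    def issue(self, user, now=None):
        now = time.time() if now is None else now
        code = f"{secrets.randbelow(10**6):06d}"
        self.pending[user] = [code, now + CODE_TTL, 0]  # replaces any older code
        return code

    def verify(self, session, submitted, now=None):
        """Mark the session 2FA-complete only for a valid, unused code."""
        now = time.time() if now is None else now
        user = session["user"]          # looked up by the session's own account,
        entry = self.pending.get(user)  # so account A's code never validates for B
        if entry is None or now > entry[1]:
            self.pending.pop(user, None)  # missing or expired
            return False
        if not hmac.compare_digest(entry[0].encode(), str(submitted).encode()):
            entry[2] += 1
            if entry[2] >= MAX_ATTEMPTS:  # guessing limit reached: burn the code
                del self.pending[user]
            return False
        del self.pending[user]          # single use: a replay finds no entry
        session["mfa_ok"] = True
        return True

def dashboard_allowed(session, headers):
    # Only server-side session state counts; the Referer header is
    # client-controlled and is deliberately ignored.
    return session.get("password_ok") is True and session.get("mfa_ok") is True
```

The same `mfa_ok` check belongs in front of the password reset, 2FA disable, OAuth login and backup code flows, which the list above names as alternative paths.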