If a user is tricked into revealing login credentials to a false landing page, 2-factor authentication will only limit the time the hacker has access to the account. Attackers would need to collect the 2nd factor of authentication, but the underlying tactics would remain the same. Even if a session cookie expires every few hours (which for Twitter would be days – not hours or minutes), then the attackers would still be able to cause the kind of mayhem we saw today. As we saw, it only took minutes for a tweet to make stock trading algorithms go bonkers. The following graphic provides a visual of the process a hacker would follow to get past 2-factor authentication (note that this isn’t how the AP was hacked, it’s how a hacker would attack Twitter if it had 2-factor authentication):