Security News > 2022 > January > Cryptocoin broker Crypto.com says 2FA bypass led to $35m theft
Details of how the crooks pulled off the attack aren't given in the report, which says simply that "Transactions were being approved without the 2FA authentication control being inputted by the user."
What the report doesn't explain, or even mention, is whether 2FA codes were entered by someone - albeit not by customers themselves - in order to authorise the fraudulent withdrawals, or whether the 2FA part of the authentication process was somehow bypassed entirely.
Access control system sometimes need to fail closed, for example so that no one can sneak in if the system breaks, and sometimes need to fail open, for example so that no one gets locked in during an evacuation emergency.
If the root cause of your 2FA failure was reason above - an intrinsic shortcoming in the 2FA system itself - then making a root-and-branch change by swapping it for a whole new 2FA technology seems appropriate.
If the root cause was reason above - support staff too easily able to authorise account resets - then changing the underlying 2FA technology might make little or no difference.
If you're looking at adding 2FA to your own online services, don't just test the obvious parts of the system.