I was more thinking of malware / some otherwise rogue process. This seems like something that's worth having in the world of fake support remote desktop scams.
1. Wait for user to sign in.
2. Intercept their sign in.
3. User: "Oh, it didn't work. I'll just try again."
4. User tries again and it works. Attacker is also logged in now.
Alternatively, at that point you could just inject JS into whatever website needed 2FA and do everything without the user noticing anything.
1. Wait for user to sign in. 2. Intercept their sign in. 3. User: "Oh, it didn't work. I'll just try again." 4. User tries again and it works. Attacker is also logged in now.
Alternatively, at that point you could just inject JS into whatever website needed 2FA and do everything without the user noticing anything.