Two-factor authentication doesn't help if someone has already stolen your phone number.

Those tweets have since been deleted and Twitter has restored account access to Mckesson.

Even though Mckesson said in a tweet that he has two-factor authentication 2FA enabled on all his accounts, Twitter included, once someone has your password and can receive texts sent to your phone number, they ve obtained two factors: someone you know your password and something you have your phone .

By calling @verizon and successfully changing my phone's SIM, the hacker bypassed two-factor verification which I have on all accounts.

T-Mobile requires that you call customer service or visit one of its retail stores.

That works as long as it s assumed that the phone itself, a physical item, has to be stolen, not the phone number, which is effectively an end point handled by the public switched telephone network s call routing system.

The text above is a summary, you can read full article here.