How HackerOne Disproved an MFA Bypass With a Spot Check

HackerOne investigated an unverified claim of an MFA bypass by launching a Spot Check (a focused bug-hunting engagement). Selected researchers tested MFA and authentication flows, producing detailed writeups that increased confidence in the implementation and leading to the discovery and remediation of a medium-severity race condition in the 2FA reset process; no active exploitation or confirmed bypass was identified.