TL;DR: Waiting on the 2FA page could allow you to log in without knowing the current password on many major websites.

This is a logic flaw vulnerability I initially found in Google, and then tested in other top companies (such as Microsoft, Instagram, Cloudflare, etc.) to find out they were vulnerable as well.

1) The initial bug

It all started with the idea that, since 2FA is newer than most login flows, it would have had to be implemented by different teams at different times (in some cases, probably years apart).

As with any project involving multiple teams, communication is hindered and coordination can be impacted.

So… what happens if you try to change something in the process, like changing your password, while you are in the middle of logging in, say on the 2FA login page? …
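From the defender's side, the question above comes down to whether a login that has passed the password step and is waiting on the 2FA page is re-checked against the account's current credentials when it completes. The sketch below is an added example, not code from the original post or from any of the companies named; `LoginService`, `password_epoch` and `PENDING_TTL` are hypothetical names, and it assumes the half-authenticated state is a server-side token issued after the password step.

```python
import secrets
import time
from dataclasses import dataclass

PENDING_TTL = 300  # seconds a login may wait on the 2FA page (assumed value)

@dataclass
class User:
    name: str
    password_epoch: int = 0   # bumped on every password change or reset

@dataclass
class Pending2FA:
    user: str
    password_epoch: int       # epoch seen when the password step succeeded
    created: float

class LoginService:
    def __init__(self):
        self.users = {}
        self.pending = {}

    def add_user(self, name):
        self.users[name] = User(name)

    def password_step_ok(self, name, now=None):
        """Called after the password was verified; returns the token the 2FA page holds."""
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(16)
        self.pending[token] = Pending2FA(name, self.users[name].password_epoch, now)
        return token

    def change_password(self, name):
        """Password change or reset: bump the epoch so older pending logins go stale."""
        self.users[name].password_epoch += 1

    def complete_2fa(self, token, code_ok, now=None, check_epoch=True):
        """check_epoch=False models a flow that only validates the second factor."""
        now = time.time() if now is None else now
        p = self.pending.pop(token, None)   # single use: a failed attempt restarts login
        if p is None or not code_ok or now - p.created > PENDING_TTL:
            return False
        if check_epoch and p.password_epoch != self.users[p.user].password_epoch:
            return False   # password changed while this login sat on the 2FA page
        return True
```

The same epoch check applies to any other half-finished flow that was started under the old password, and the short TTL bounds how long a pending login can wait at all.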

Luke Berner

Security Engineer

