Yeah, but now that I think about it, what service would let one user at two different IP addresses log in with the same 2FA code seconds apart? OTP codes are single use.
They would have to ALSO both be in the same session, so if the attacker already has a session stealer going, why bother with a highly sophisticated 2FA snooping attack? Session stealers defeat 2FA and Passkeys anyway, so the attacker doesn’t need to bother with any of this.