This is a very popular question among newbies, and in the field of cybersecurity it's always important to have a complete grasp of the basics.
In two-step authentication you need not only your username and password but also the code that the site sends to the registered mobile number.
The code is sent by the site only to the registered mobile number, and there's no way to hack a SIM card because it contains cryptokeys called Ki. In this case the hacker will have to use social engineering.
Social engineering is basically the use of manipulation, deception and influence to trick a target into doing something by asking him or her to do it. The hacker will have to trick the phone company into a SIM swap to a SIM that the hacker has in his possession. When the hacker successfully tricks the phone company and activates the cloned SIM card, the text sent by the site is no longer received by the original account owner; instead it is received by the hacker, as he has the cloned SIM card.
There is also another method to bypass this two-factor authentication, which is called phishing. In this process the hacker tricks you by sending you a text message or an email claiming to be Instagram, Google or whichever site you are dealing with, asking you to reply with the code that was sent by the original site. The hacker then uses it to gain access to your account.
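The server side of the SMS step described above, as an added example that is not code from the original post. It shows what the site actually checks: only the code value, which is why a code delivered to a swapped SIM or relayed by a phished user is still accepted. The class name, the `send_sms` callable and the expiry and attempt limits are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
import time

CODE_TTL = 300      # seconds a code stays valid (assumed policy)
MAX_ATTEMPTS = 5    # wrong guesses allowed per code (assumed policy)


class SmsSecondFactor:
    """Issue a one-time code by SMS, then check what the login form sends back."""

    def __init__(self, send_sms, clock=time.time):
        self._send_sms = send_sms   # hypothetical callable(number, text)
        self._clock = clock
        self._pending = {}          # username -> [code_hash, expires_at, attempts_left]

    @staticmethod
    def _digest(code):
        return hashlib.sha256(code.encode()).digest()

    def start(self, username, registered_number):
        code = f"{secrets.randbelow(10**6):06d}"
        self._pending[username] = [self._digest(code),
                                   self._clock() + CODE_TTL, MAX_ATTEMPTS]
        # Delivery trusts the phone network: whoever currently holds the SIM
        # for this number receives the text.
        self._send_sms(registered_number, f"Your login code is {code}")

    def verify(self, username, submitted_code):
        # The check sees only the code value, not who typed it or where it
        # came from. Expiry, single use and the attempt limit stop guessing
        # and replay, but not a code that was redirected or handed over.
        entry = self._pending.get(username)
        if entry is None:
            return False
        code_hash, expires_at, attempts_left = entry
        if self._clock() > expires_at or attempts_left <= 0:
            del self._pending[username]
            return False
        if hmac.compare_digest(code_hash, self._digest(submitted_code)):
            del self._pending[username]     # single use
            return True
        entry[2] -= 1
        return False
```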
Please watch the video embedded below to understand how hackers bypass this kind of authentication.
Thanks for reading! Have a nice day.