MFA can be circumvented, it's done about every 30 seconds, somewhere.

Previously, social engineering was the go-to work-around (ie convincing the victim to give you the code from the text) but there are now other technical means around MFA which are becoming more common, which don't require active engagement with the victim.