When an account owner sets 2FA on their panel login, you can no longer Impersonate that account or Hijack the session.
It prompts a 2FA login box as soon as you try to login as that user.
That’s expected behavior at this time. If you want to hijack a user guarded by 2FA, then 2FA must be disabled on the account or overrode administratively from command-line using cpcmd auth:set-extended-auth-flag SESSION-ID where SESSION-ID is the new ID guarded by 2FA.
2FA is intended as a security feature that may not be circumvented during typical authentication flow.
It is also worth noting that first logging in with an account guarded by 2FA allows SSO into other 2FA accounts. You cannot login into a 2FA account without first logging into one that has 2FA established… otherwise the 2FA feature is useless.