@joernchen reported an issue where we weren’t adequately rate limiting attempts at two-factor authentication. If an attacker already had obtained a user’s password, this could allow them to make unlimited guesses at two-factor codes. We addressed this by expanding our existing rate limiting to include two-factor authentication attempts.