This work rolls the 2fa code attempts into the total count of failed attempts for brute force protection. Previously the ajax call to test the code could be made any number of times, potentially allowing a brute force attack on the 2fa code if an attacker had gained the correct username/password for an account.
This work rolls the 2fa code attempts into the total count of failed attempts for brute force protection. Previously the ajax call to test the code could be made any number of times, potentially allowing a brute force attack on the 2fa code if an attacker had gained the correct username/password for an account.