I implemented 2FA at a previous job and I was responsible for the production implementation working as expected. My thoughts were that uncompleted 2FA attempts are common for a number of reasons: typos, someone gets distracted, didn't have access to phone at the time, SMS sucks (either our sending side or the receiving side), etc. I didn't put much thought into it beyond that. (Should I?)
I implemented rate limiting/lockouts for too many 2FA failures. I added the ability to clear the failed attempt count in our customer support portal. If we had any problems after those were implemented, I never heard about them.
I implemented rate limiting/lockouts for too many 2FA failures. I added the ability to clear the failed attempt count in our customer support portal. If we had any problems after those were implemented, I never heard about them.