In the case of 2FA, if the code-entry field is not rate limited, an attacker can brute-force the 2FA code sent to the device (Bullock, 2016). The 2FA code is usually 4 to 6 characters long and often consists only of digits...
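The control whose absence the passage describes, as an added example that is not part of the original text: a cap on failed attempts per issued code, single use, and the arithmetic for a numeric code. `OtpChallenge`, the policy value `MAX_ATTEMPTS = 5` and the helper names are assumptions chosen for illustration.

```python
import hmac
import secrets

MAX_ATTEMPTS = 5  # assumed policy value, not taken from the page


class OtpChallenge:
    """One issued 2FA code with a hard cap on failed verification attempts."""

    def __init__(self, digits=6, max_attempts=MAX_ATTEMPTS, code=None):
        # CSPRNG-backed numeric code; `code` exists only for deterministic tests.
        self.code = code if code is not None else f"{secrets.randbelow(10 ** digits):0{digits}d}"
        self.max_attempts = max_attempts
        self.failed = 0
        self.used = False

    @property
    def locked(self):
        return self.used or self.failed >= self.max_attempts

    def verify(self, submitted):
        """Return True only for a correct code on a challenge that is still live."""
        if self.locked:
            return False  # caller must issue a fresh code and should log the lockout
        if hmac.compare_digest(self.code.encode(), submitted.encode()):
            self.used = True  # single use: a replayed code is rejected
            return True
        self.failed += 1
        return False


def guess_success_probability(digits, attempts):
    """Chance that `attempts` distinct guesses hit one fixed numeric code."""
    return min(attempts, 10 ** digits) / 10 ** digits


def exhaustive_sweep_accepted(challenge, digits):
    """Control check: submit every possible code and report whether any was accepted."""
    return any(challenge.verify(f"{n:0{digits}d}") for n in range(10 ** digits))
```

With the cap in place, a full sweep of a 4-digit space is rejected after five failures, while the same sweep against an effectively uncapped challenge is always accepted.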