by fortran77 820 days ago
Wow! You'd think they'd rate limit these! Once you've done it twice, go to once every 15 minutes, then hour, then 4 hours, then day, etc. Like bad logins.
2 comments

Krebs notes that the recovery form does have some form of CAPTCHA on it, which mostly just goes to show that CAPTCHA systems are a poor and increasingly deficient rate limiter.

ETA: Also from a user experience even once a week between attempts is still enough to deeply annoy a user getting popups on their devices. This is one of those cases where rate limits probably still can't solve the user irritation.

That would allow me to log you out of your accounts.
No, it would affect login status. Just a delay between reset attempts.

No reset actually occurs until one prompt is accepted.