by SV_BubbleTime 720 days ago
Throttling and/or an exponential backoff would fix this though.

If I hit no, it better be 5 minutes before the next one is allowed through. And then 15min, then 2hr, etc.

Fatigue should have been considered in both the server and the client.

1 comments

Makes sense. Pretty much the only reason a user would hit "no" is that they aren't trying to log in, and because the prompt is only sent after the correct password has been provided, if there are more than a couple in a row the account should be disabled entirely or at least set to demand a password change after the next successful login.
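
The server-side throttle the two comments above describe, as an added example that is not part of the thread or any vendor's code. The class and method names, the limit of three consecutive denials, and reusing the last cooldown for later denials are assumptions.

```python
from dataclasses import dataclass

# Cooldowns after the 1st, 2nd and 3rd consecutive denial, in seconds
# (5 min, 15 min, 2 hr as in the thread). Assumption: later denials reuse the last value.
COOLDOWNS = [5 * 60, 15 * 60, 2 * 60 * 60]
REPEAT_LIMIT = 3  # assumption standing in for "more than a couple in a row"

@dataclass
class PushState:
    denials: int = 0                    # consecutive denied prompts
    next_allowed: float = 0.0           # earliest time another prompt may be sent
    locked: bool = False                # account disabled
    must_change_password: bool = False  # enforced at the next successful login

class PushThrottle:
    """Hypothetical per-user gate placed in front of the MFA push sender."""

    def __init__(self, lock_on_repeat=True):
        self.lock_on_repeat = lock_on_repeat
        self._users = {}

    def state(self, user):
        return self._users.setdefault(user, PushState())

    def request_push(self, user, now):
        """Call only after the password check has passed; returns the server's decision."""
        st = self.state(user)
        if st.locked:
            return "locked"
        if now < st.next_allowed:
            return "throttled"  # do not ring the user's phone again yet
        return "send"

    def record_response(self, user, approved, now):
        st = self.state(user)
        if approved:
            st.denials, st.next_allowed = 0, 0.0  # flags set earlier stay set
            return
        st.denials += 1
        st.next_allowed = now + COOLDOWNS[min(st.denials, len(COOLDOWNS)) - 1]
        if st.denials >= REPEAT_LIMIT:
            if self.lock_on_repeat:
                st.locked = True
            else:
                st.must_change_password = True
```

Because the gate runs on the server, a modified or replayed client cannot skip the cooldown, and each denial is also a signal that the password is known to someone else.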