bytebase · tianzhou · Nov 5, 2025 · Nov 5, 2025
@@ -4,6 +4,10 @@ title: Two-factor Authentication
 
 Two-factor authentication (2FA) provides an extra layer of security for member accounts. When signing in, you will be required to enter the security code generated by your Authenticator App.
 
+<Note>
+Bytebase implements rate limiting during MFA verification to protect against brute force attacks. Users are allowed a maximum of **5 failed MFA attempts within a 5-minute window**. The MFA temporary token expires after 5 minutes. See [Sign-in Restriction](/administration/sign-in-restriction#rate-limiting-for-login-attempts) for more details.
+</Note>
+
 ## Configuring 2FA using a TOTP mobile app
 
 ### Step 1: Download a TOTP app

@@ -2,6 +2,23 @@
 title: Sign-in Restriction
 ---
 
+## Rate Limiting for Login Attempts
+
+Bytebase implements rate limiting to protect against brute force attacks on user authentication. The system automatically tracks and limits failed login attempts:
+
+### Password Authentication Phase
+- **Maximum attempts**: 10 failed attempts
+- **Time window**: 10 minutes
+- After exceeding the limit, the account will be temporarily locked
+
+### Multi-Factor Authentication (MFA) Phase
+- **Maximum attempts**: 5 failed attempts
+- **Time window**: 5 minutes
+- After exceeding the limit, the MFA verification will be temporarily locked
+- MFA temporary token expires after 5 minutes
+
+These security measures help protect user accounts from unauthorized access attempts while ensuring legitimate users can still access their accounts.
+
 ## Sign-in Frequency
 
 **Sign-in Frequency** specifies the period that users are required to sign in again.