Hiya,
I ran across this article about time based one time passwords (TOTP) brute forcing.
If you aren't familiar with TOTP, it is a common additional factor for IAM and CIAM systems. The way it works is that a system creates a secret and shares it with a user. (If you are being pedantic, you can also have a shared way to create a secret, instead of sharing it explicitly.)
The secret is then combined with the current Unix time (the number of seconds elapsed since midnight UTC on Jan 1, 1970) to generate a number. Well, again, if you are being pedantic, it is a truncation of a large number to six or seven digits, most commonly the former. The algorithm and other inputs are explained in much greater detail in RFC 6238, published in 2011, and RFC 4226, published in 2005
Both the user (or, honestly, their device or phone) and the system can generate the same number given the same algorithm and the same shared seed. So when a user is challenged, they provide the number and the system can validate that they are indeed in possession of the secret.
If you've ever used Authy, Google Authenticator, or taken a picture of a QR code to add a second factor of authentication to protect an account, you were using TOTP.
The article about brute forcing TOTP has some pretty sobering numbers. If an attacker has the primary credentials of a user (username and password), then an attacker can just plain guess the number. The most common length of the TOTP code is six digits. If an attacker can submit ten TOTP requests a second, after five hours they have an 80% chance of providing the right number.
The answer is to rate limit the TOTP submission, which is pretty straightforward and drastically increases the time to success for any attacker.
Multi-factor authentication is a key part of most CIAM systems, and TOTP is a free and easy way to offer MFA. This article does a good job of illustrating an attack vector on this factor.
Dan