this post was submitted on 10 Oct 2024
219 points (99.1% liked)

My phone died a few days ago, and the Cisco Duo app overwrote 2FA key backup after connecting my old phone to the internet.
Lemmy has no backup codes, nor can you disable 2FA even while logged in without a valid token.

Anyway, I noticed there's no rate limiting on 2FA attempts.
So, following the Lemmy API docs, I wrote this exceptionally stupid script (look at my foolish way of parallelization and no auto-stop).

I got the JWT token from a logged-in Firefox session, using the cookies.txt extension to export it.

Anyway, just make sure your password is secure enough. It's obviously (potentially) better than 6 digits, probably with 3 valid combinations at any given time (current 30s, past 30s, future 30s windows), if I am guessing how it works right.

My attempt also clearly involved a lot of luck with just 21,830 attempts (less than 5 minutes). But, if you're lucky enough, you may guess it on the first attempt, or never if you aren't.
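An added example, not the poster's script and not Lemmy's code: a standard RFC 6238 TOTP verifier that accepts the previous, current and next 30-second step (the three-code window is an assumption matching the poster's guess), the per-account failed-attempt lockout that the post describes as missing, and the chance that a given number of random guesses hits one of the three accepted codes. The secret is the RFC 4226/6238 test secret; the lockout thresholds are illustrative.

```python
import hashlib
import hmac
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp_verify(secret: bytes, code: str, now: int, step: int = 30, window: int = 1) -> bool:
    """RFC 6238 TOTP check accepting the current step plus `window` steps either side.

    window=1 is the assumed behaviour: 2*window+1 = 3 codes are valid at any moment.
    """
    counter = now // step
    return any(hmac.compare_digest(hotp(secret, counter + d), code)
               for d in range(-window, window + 1))


class AccountLimiter:
    """Per-account (not per-IP) failure counter: after `max_failures` wrong codes
    within `lock_seconds`, every attempt is refused until the failures age out."""

    def __init__(self, max_failures: int = 5, lock_seconds: int = 900):
        self.max_failures, self.lock_seconds = max_failures, lock_seconds
        self.failures: dict[str, list[int]] = {}

    def check(self, user: str, secret: bytes, code: str, now: int) -> bool:
        recent = [t for t in self.failures.get(user, []) if now - t < self.lock_seconds]
        self.failures[user] = recent
        if len(recent) >= self.max_failures:
            return False  # locked: even a correct code is refused while locked
        if totp_verify(secret, code, now):
            self.failures[user] = []  # success clears the failure history
            return True
        recent.append(now)
        return False


def guess_success_probability(attempts: int, digits: int = 6, window: int = 1) -> float:
    """Probability that `attempts` independent random codes hit one of the
    2*window+1 codes valid at that moment: 1 - (1 - 3/10^6)^attempts for the defaults."""
    p = (2 * window + 1) / 10 ** digits
    return 1 - (1 - p) ** attempts
```

With the defaults, 21,830 guesses succeed only about 6% of the time, which is the "lot of luck" the post mentions; a per-account lockout like the one above would have stopped after five.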

[–] atocci 51 points 3 months ago (1 children)

There's no rate limit? Astounding security.

[–] idunnololz 3 points 3 months ago

There is one. It's by IP address.

Here's the rate limit config page. It's 999 calls every hour by default if the instance owners don't touch it (as of the current source code).

You can see the source code in the places below. It uses IP addresses to track rate limits.

There's the code that sets up the rate limiter based on the site config: https://github.com/LemmyNet/lemmy/blob/main/src/lib.rs#L139

Here is where the login endpoint is being rate limited: https://github.com/LemmyNet/lemmy/blob/c7210e39e725cb2d5353225310f7a2ed5ab40492/src/api_routes_http.rs#L297

The rate limit logic is here: https://github.com/LemmyNet/lemmy/blob/c7210e39e725cb2d5353225310f7a2ed5ab40492/crates/utils/src/rate_limit/mod.rs