There is no limit on the number of unsuccessful guesses made when submitting a 2FA code, this increases the chance for a user to correctly guess a voucher code using scripting or automation.
It is possible that users of the site may successfully discover valid code through brute force guessing. The application offers no mechanism to restrict the number of code attempts to mitigate this attack.
We should add a limit for the unsuccessful guesses in the 2FA module.