• Test whether sending 2FA codes is rate limited (refer to the Rate Limiting methodology)
  • Test whether the code can be brute forced
  • Check whether 2FA is required when disabling 2FA or changing the password
  • Check whether a session is already created before 2FA (after the password is entered)
  • Check whether a 2FA code can be reused
  • Submit no 2FA code
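
The server-side controls these checks look for, as an added example that is not part of the original checklist: a Python verifier for codes sent to the user. The class name, the limits and the session dictionary are assumptions chosen for illustration.

```python
import hmac, secrets, time

MAX_SENDS, SEND_WINDOW = 3, 600      # assumed limits: 3 codes per 10 minutes
MAX_TRIES, CODE_TTL = 5, 300         # assumed limits: 5 guesses, 5 minute lifetime

class TwoFactorGate:
    """State is kept in memory here; a real service would use a shared server-side store."""

    def __init__(self, clock=time.time):
        self.clock = clock
        self.sends = {}      # user -> timestamps of recent code sends
        self.pending = {}    # user -> [code, expiry, failed_tries]

    def send_code(self, user):
        now = self.clock()
        recent = [t for t in self.sends.get(user, []) if now - t < SEND_WINDOW]
        if len(recent) >= MAX_SENDS:
            return None                          # rate limit on sending
        self.sends[user] = recent + [now]
        code = f"{secrets.randbelow(10**6):06d}"
        self.pending[user] = [code, now + CODE_TTL, 0]
        return code                              # would go out by SMS/e-mail, not to the caller

    def verify(self, user, submitted):
        entry = self.pending.get(user)
        if entry is None or not isinstance(submitted, str) or not submitted:
            return False                         # missing, null or empty code never passes
        code, expiry, tries = entry
        if self.clock() > expiry or tries >= MAX_TRIES:
            del self.pending[user]               # expired or guessed out: force a new code
            return False
        if not hmac.compare_digest(code.encode(), submitted.encode()):
            entry[2] += 1                        # count the failed guess
            return False
        del self.pending[user]                   # single use: a replay finds nothing pending
        return True

    def login(self, user, password_ok):
        # After the password step the session exists but carries no privileges yet.
        return {"user": user, "mfa": False} if password_ok else None

    def complete_mfa(self, session, submitted):
        session["mfa"] = self.verify(session["user"], submitted)
        return session["mfa"]

    def sensitive_action(self, session, submitted):
        # Disabling 2FA or changing the password needs a full session AND a fresh code.
        return bool(session and session["mfa"]) and self.verify(session["user"], submitted)
```

Each checklist item maps to one branch: the send limit, the failed-guess counter, the fresh code on sensitive actions, the `mfa` flag on the session, deletion of the code on success, and the empty-input rejection.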