Hi @joshua,
Yeah, it's pretty much the same issue Netflix faces. However, in this case 2FA would be too annoying for our users, and doesn't make enough sense I think.
Indeed, a WAF is a good idea. I've been looking at some solutions like AWS WAF, but it seems pretty complex at first.
The ideal solution would be FA being able to handle this. I imagine it would store the device fingerprint (using fingerprint.js for example) in the user data / registration data, and then check the count against a limit set in the tenant/application settings on every login. Is this something FA can develop as a paid request?
Another solution would be allowing Lambdas to import external JS libraries; even making API calls would do the trick. Then anyone could implement the limitation on their own.
Let me know your thoughts about any of these options and/or new ideas!
And thank you for the amazing support job!
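
The per-user device limit proposed in the post above, sketched as an added example that is not part of the original post and is not FusionAuth code. The names `user.data.devices`, `maxDevices` and `staleAfterMs` are assumptions, and the expiry of devices not seen for a while goes slightly beyond what the post describes.

```javascript
// Added example: per-user device limit evaluated at login.
// Assumed (hypothetical) names: user.data.devices, maxDevices, staleAfterMs.
// The fingerprint is supplied by the client, so it can be forged or reset;
// this deters casual account sharing and is not an authentication factor.
function checkDeviceLimit(user, fingerprint, settings, now = Date.now()) {
  const { maxDevices, staleAfterMs = Infinity } = settings;
  const stored = (user.data && user.data.devices) || [];

  // Drop devices not seen within the window so retired hardware frees a slot.
  // Records are copied so the caller's user object is never mutated.
  const active = stored
    .filter((d) => now - d.lastSeen <= staleAfterMs)
    .map((d) => ({ ...d }));

  // Fail closed: a login without a fingerprint would otherwise skip the limit.
  if (typeof fingerprint !== 'string' || fingerprint.length === 0) {
    return { allowed: false, reason: 'missing_fingerprint', devices: active };
  }

  // A device already on record only has its last-seen time refreshed.
  const known = active.find((d) => d.id === fingerprint);
  if (known) {
    known.lastSeen = now;
    return { allowed: true, reason: 'known_device', devices: active };
  }

  // New device: admit it only while the user is under the configured limit.
  if (active.length >= maxDevices) {
    return { allowed: false, reason: 'device_limit_reached', devices: active };
  }
  active.push({ id: fingerprint, lastSeen: now });
  return { allowed: true, reason: 'new_device', devices: active };
}

// Constructed sample data: two registered devices, limit of two.
const sampleUser = {
  data: { devices: [{ id: 'a', lastSeen: 1000 }, { id: 'b', lastSeen: 2000 }] },
};
const sampleSettings = { maxDevices: 2, staleAfterMs: 10000 };
```

The caller is expected to persist the returned `devices` list back to the user record whenever `allowed` is true.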