diff --git a/src/__phutil_library_map__.php b/src/__phutil_library_map__.php
--- a/src/__phutil_library_map__.php
+++ b/src/__phutil_library_map__.php
@@ -2296,6 +2296,7 @@
     'PhabricatorAuthNeedsApprovalController' => 'applications/auth/controller/PhabricatorAuthNeedsApprovalController.php',
     'PhabricatorAuthNeedsMultiFactorController' => 'applications/auth/controller/PhabricatorAuthNeedsMultiFactorController.php',
     'PhabricatorAuthNewController' => 'applications/auth/controller/config/PhabricatorAuthNewController.php',
+    'PhabricatorAuthNewFactorAction' => 'applications/auth/action/PhabricatorAuthNewFactorAction.php',
     'PhabricatorAuthOldOAuthRedirectController' => 'applications/auth/controller/PhabricatorAuthOldOAuthRedirectController.php',
     'PhabricatorAuthOneTimeLoginController' => 'applications/auth/controller/PhabricatorAuthOneTimeLoginController.php',
     'PhabricatorAuthOneTimeLoginTemporaryTokenType' => 'applications/auth/tokentype/PhabricatorAuthOneTimeLoginTemporaryTokenType.php',
@@ -8021,6 +8022,7 @@
     'PhabricatorAuthNeedsApprovalController' => 'PhabricatorAuthController',
     'PhabricatorAuthNeedsMultiFactorController' => 'PhabricatorAuthController',
     'PhabricatorAuthNewController' => 'PhabricatorAuthProviderConfigController',
+    'PhabricatorAuthNewFactorAction' => 'PhabricatorSystemAction',
     'PhabricatorAuthOldOAuthRedirectController' => 'PhabricatorAuthController',
     'PhabricatorAuthOneTimeLoginController' => 'PhabricatorAuthController',
     'PhabricatorAuthOneTimeLoginTemporaryTokenType' => 'PhabricatorAuthTemporaryTokenType',
diff --git a/src/applications/auth/action/PhabricatorAuthNewFactorAction.php b/src/applications/auth/action/PhabricatorAuthNewFactorAction.php
new file mode 100644
--- /dev/null
+++ b/src/applications/auth/action/PhabricatorAuthNewFactorAction.php
@@ -0,0 +1,21 @@
+<?php
+
+final class PhabricatorAuthNewFactorAction extends PhabricatorSystemAction {
+
+  const TYPECONST = 'auth.factor.new';
+
+  public function getActionConstant() {
+    return self::TYPECONST;
+  }
+
+  public function getScoreThreshold() {
+    return 60 / phutil_units('1 hour in seconds');
+  }
+
+  public function getLimitExplanation() {
+    return pht(
+      'You have failed too many attempts to synchronize new multi-factor '.
+      'authentication methods in a short period of time.');
+  }
+
+}
diff --git a/src/applications/settings/panel/PhabricatorMultiFactorSettingsPanel.php b/src/applications/settings/panel/PhabricatorMultiFactorSettingsPanel.php
--- a/src/applications/settings/panel/PhabricatorMultiFactorSettingsPanel.php
+++ b/src/applications/settings/panel/PhabricatorMultiFactorSettingsPanel.php
@@ -234,12 +234,36 @@
     $form = id(new AphrontFormView())
       ->setViewer($viewer);
 
+    if ($request->isFormPost()) {
+      // Subject users to rate limiting so that it's difficult to add factors
+      // by pure brute force. This is normally not much of an attack, but push
+      // factor types may have side effects.
+      PhabricatorSystemActionEngine::willTakeAction(
+        array($viewer->getPHID()),
+        new PhabricatorAuthNewFactorAction(),
+        1);
+    } else {
+      // Test the limit before showing the user a form, so we don't give them
+      // a form which can never possibly work because it will always hit rate
+      // limiting.
+      PhabricatorSystemActionEngine::willTakeAction(
+        array($viewer->getPHID()),
+        new PhabricatorAuthNewFactorAction(),
+        0);
+    }
+
     $config = $selected_provider->processAddFactorForm(
       $form,
       $request,
       $user);
 
     if ($config) {
+      // If the user added a factor, give them a rate limiting point back.
+      PhabricatorSystemActionEngine::willTakeAction(
+        array($viewer->getPHID()),
+        new PhabricatorAuthNewFactorAction(),
+        -1);
+
       $config->save();
 
       $log = PhabricatorUserLog::initializeNewLog(