Currently, we don't send you a login alert email when a new session is established. At some point, we probably should ("You just logged in from computer X at address u.v.w.x. If you don't recognize this activity, panic.").
We could also send you alerts when you pass MFA, or the first time you fail MFA (say, the first failure since 00:00 of the current hour, so you get one email an hour if someone is brute forcing your account very slowly). Another variant of this might be "when challenges expire, send an email if the challenge received one or more failed response attempts".
See also D19890. TOTP only has a million possible codes, so even with very conservative windows there's a ~50% chance it can be brute forced in ~6 years, if I did the math right (with the medium-paranoia values after D19898). One possible mitigation is to recommend adding multiple TOTP factors on the same phone. If you add a second factor and type in 12 digits, the resistance to brute force is improved by a factor of ~300,000, i.e. to ~2 million years, with a slight discount because we validate the factors independently, so when you get lucky with one you can keep guessing it correctly for the remainder of that period.
(We can only strengthen TOTP by preventing attempts; changing the token doesn't matter since the attacker isn't trying to discover the token.)
A better solution against this class of attack is probably Yubikey/U2F (see also T8787).
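The brute-force arithmetic above can be checked with a small calculator. This is an added example, not Phabricator code: the attempt rate is a constructed value (the limits from D19898 are not given here), and factors are modeled as validated jointly, so it does not include the discount for independently validated factors.

```python
import math

CODE_SPACE = 10**6            # 6-digit TOTP: a million possible codes
HOURS_PER_YEAR = 24 * 365.25


def per_attempt_success(accepted_codes=1, factors=1):
    """Chance that one submission passes when every factor must match in
    the same submission (joint validation, an assumption of this sketch)."""
    return (accepted_codes / CODE_SPACE) ** factors


def attempts_for_probability(target, p):
    """Smallest n such that 1 - (1 - p)**n >= target."""
    return math.ceil(math.log1p(-target) / math.log1p(-p))


def years_to_probability(target, attempts_per_hour, accepted_codes=1, factors=1):
    """Time a guesser held to attempts_per_hour needs to reach target."""
    p = per_attempt_success(accepted_codes, factors)
    return attempts_for_probability(target, p) / attempts_per_hour / HOURS_PER_YEAR


def max_attempts_per_hour(target, years, accepted_codes=1, factors=1):
    """Loosest rate limit that keeps the guesser below target for `years`."""
    p = per_attempt_success(accepted_codes, factors)
    return attempts_for_probability(target, p) / (years * HOURS_PER_YEAR)


if __name__ == "__main__":
    RATE = 10  # constructed rate limit: allowed MFA attempts per hour
    print("guesses for 50%, one factor:", attempts_for_probability(0.5, 1e-6))
    print("years at %d/hour, one factor: %.1f"
          % (RATE, years_to_probability(0.5, RATE)))
    print("years at %d/hour, two factors: %.0f"
          % (RATE, years_to_probability(0.5, RATE, factors=2)))
    # A validation window that accepts adjacent codes shortens the time.
    print("years at %d/hour, 3 accepted codes: %.1f"
          % (RATE, years_to_probability(0.5, RATE, accepted_codes=3)))
    print("rate limit for 50%% in 6 years: %.1f/hour"
          % max_attempts_per_hour(0.5, 6))
```

Only the attempt rate and the number of accepted codes change the result, which is why limiting attempts is the lever on the server side.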
A minor adjustment here is to give partial sessions which have not passed the MFA gate a short validity window (say, 30 minutes) and no key rotation. Currently, if you get a password once, your session is a normal session from the duration and key-rotation perspectives, but if you spend more than 30 minutes at the MFA gate we should probably terminate you.