diff --git a/packages/backend/src/routers/auth/configure-2fa.js b/packages/backend/src/routers/auth/configure-2fa.js
index 62b26829..89237198 100644
--- a/packages/backend/src/routers/auth/configure-2fa.js
+++ b/packages/backend/src/routers/auth/configure-2fa.js
@@ -72,6 +72,11 @@ module.exports = eggspress('/auth/configure-2fa/:action', {
     };
     actions.enable = async () => {
+        const svc_edgeRateLimit = req.services.get('edge-rate-limit');
+        if ( ! svc_edgeRateLimit.check('enable-2fa') ) {
+            return res.status(429).send('Too many requests.');
+        }
+
         await db.write(
             `UPDATE user SET otp_enabled = 1 WHERE uuid = ?`,
             [user.uuid]
diff --git a/packages/backend/src/routers/login.js b/packages/backend/src/routers/login.js
index bcff2425..ba62725d 100644
--- a/packages/backend/src/routers/login.js
+++ b/packages/backend/src/routers/login.js
@@ -149,6 +149,11 @@ router.post('/login/otp', express.json(), body_parser_error_handler, async (req,
     if(require('../helpers').subdomain(req) !== 'api' && require('../helpers').subdomain(req) !== '') next();
+    const svc_edgeRateLimit = req.services.get('edge-rate-limit');
+    if ( ! svc_edgeRateLimit.check('login-otp') ) {
+        return res.status(429).send('Too many requests.');
+    }
+
     if ( ! req.body.token ) {
         return res.status(400).send('token is required.');
     }
@@ -200,6 +205,11 @@ router.post('/login/recovery-code', express.json(), body_parser_error_handler, a
     if(require('../helpers').subdomain(req) !== 'api' && require('../helpers').subdomain(req) !== '') next();
+    const svc_edgeRateLimit = req.services.get('edge-rate-limit');
+    if ( ! svc_edgeRateLimit.check('login-recovery') ) {
+        return res.status(429).send('Too many requests.');
+    }
+
     if ( ! req.body.token ) {
         return res.status(400).send('token is required.');
     }
diff --git a/packages/backend/src/services/abuse-prevention/EdgeRateLimitService.js b/packages/backend/src/services/abuse-prevention/EdgeRateLimitService.js
index 347892aa..e3214a63 100644
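Review bot: The rate-limit key `'enable-2fa'` is a bare string literal that has to match the entry added to EdgeRateLimitService's table elsewhere in this commit, and nothing at the call site records that coupling; if `check()` treats an unknown key as unlimited (its behaviour is not visible here), a typo would silently remove the guard. A comment such as `// key must match an entry in EdgeRateLimitService's limit table` above the `req.services.get('edge-rate-limit')` line, or a constant shared by both files, would make the dependency explicit. The 429 response also sets no `Retry-After` header, so clients cannot tell how long to back off; if `check()` can expose the remaining window, `res.set('Retry-After', seconds)` before `.send()` is a small improvement, and the same pattern is repeated in both login.js hunks. `actions.enable` continues past the end of this hunk.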
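Review bot: The new 429 early-return can run after control has already been handed on, because the subdomain guard on the line directly above it calls `next()` without returning, so for a non-api subdomain the handler invokes the next middleware and then still continues into the rate-limit check and may send a response of its own; changing that existing line to `return next();` (or guarding the new block so it only runs when the subdomain check did not fire) avoids a double response. The same applies to the `/login/recovery-code` hunk below, which repeats the pattern. Separately, if `check('login-otp')` is keyed on the client address only (how it keys is not visible here), 15 attempts per 30 minutes bounds attempts per source but not per account, so a per-user attempt counter or temporary lock is still worth adding for OTP and recovery-code verification. The router callback begins before this hunk and continues past it.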
--- a/packages/backend/src/services/abuse-prevention/EdgeRateLimitService.js
+++ b/packages/backend/src/services/abuse-prevention/EdgeRateLimitService.js
@@ -55,6 +55,19 @@ class EdgeRateLimitService extends BaseService {
                 limit: 10,
                 window: HOUR,
             },
+            ['login-otp']: {
+                limit: 15,
+                window: 30 * MINUTE,
+            },
+            ['login-recovery']: {
+                limit: 10,
+                window: HOUR,
+            },
+            ['enable-2fa']: {
+                limit: 10,
+                window: HOUR,
+            }
+
         };
         this.requests = new Map();
     }
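Review bot: The last added entry `['enable-2fa']: { ... }` omits the trailing comma that every preceding entry has, and the added blank `+` line before `};` leaves an empty line inside the object literal; closing it as `},` keeps the table uniform and makes the next addition a one-line diff. The three new limits are also undocumented: a short comment per entry naming the route it protects and why `'login-otp'` gets 15 per 30 minutes while the other two get 10 per hour would help whoever tunes these later. The computed-key form `['login-otp']` is equivalent to the plain `'login-otp':` for a string literal; keep whichever form the existing entries above this hunk already use, since that is not visible here.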