Sure, but say the implementation lets you try 5 codes in that 10 minutes with a 30 minute lockout. An attacker could trigger Account Recovery, blindly try 5 six-digit codes immediately, and have a 0.0005% chance getting into your account.
They could script this to run over a long period of time targeting 1 account, or they could target many accounts at once, and would probably have success.
This is my biggest gripe with email auth or any kind of security code via sms/mms. I pray for the day I can fully move to a passwordless setup and break free the mess of email addresses spaghetti and phone numbers.
Thanks - I hadn't realised there isn't even some minimal form you can submit and get generic responses on. I just tested the recovery process (https://accounts.google.com/signin/recovery).
If you don't have enough information for them to reset, Google just provide links to instructions to not be locked out in future, and to create a new account.
The problem is I have the phone number, recovery keys and recovery email, I can provide more info if needed, this is not enough for Google to return my Gmail.
Right now I am using mail that is on my domian name, so I can back up my stuff and go at any time.
Reddit's subreddits can sometimes create echo chambers(all the big sub reddit are like that), and depending on the moderators' viewpoints, you might find opposite opinions in different communities.
you should add zen browser[1] too, i tried some from your list, librewolf breaks some websites (online banking doesn't work) floorp is a good one, but in my experience zen is better.
