And that "finite number" is tens of millions, or even hundreds of millions, spread across providers, spread across almost any location. From 4G proxy farms, to botnets of residential IPs, to grey area apps that reward users for sharing their connection.
And ok, let's assume it came from the same block of IPs (which rarely happens). What do you do when those IP blocks are from, IDK, Verizon or AT&T in the middle of New York? You block half the city?
+ If the attacker is trying it on all accounts, what are you gonna do? Rate limit all accounts? And now any time a user forgets his password he has to contact support because he can't even do it himself, so your support is overwhelmed by 1000s of requests every day?