How can one mitigate both DOS attacks and online brute force attacks at the same time?

I was recently reading this question, where the accepted answer claims that it is easy for attackers to bypass rate limiting that is based on IP, which makes any sort of IP rate limiting to prevent a brute force attack much less useful. But, if it is based on the account that is a victim, then it becomes very easy for an attacker to block access to a victim’s account. What is the best way to defend against both DOS attacks and online brute force attacks (and anything else that is in this same category)?

Simply sleeping for, for example, 1 second isn’t sufficient because the attacker can simply put in more requests before the first one finishes (1 second latency, but unbounded throughput, and throughput is what matters for brute force). If subsequent requests are blocked until the first one finishes, then they must be blocked per-IP or per-user, which produces the same problem.

2FA isn’t always a good solution either, because, for worse, many people fail to use it.

Can you trigger a Finishing Blow off both Compromise AND Unmasking?

The dueling rules on p. 159 of the core book state:

The first time their opponent becomes Compromised or unmasks during a duel, a character may immediately execute a finishing blow.

Does this mean you get to perform a finishing blow the first time each happens or one happens?

E.g. Tonbo Testdummy gains enough strife to become compromised, so Kitsu Killhappy immediately performs a Finishing strike. Unfortunately, they are forced to keep enough Strife Symbols to become compromised themselves. Tonbo-san Unmasks to avoid the dice penalty for remaining compromised and potentially get a better roll. Does Kitsu-san get to attempt a second finishing blow?

Does proficiency in both simple and martial weapons mean my character is proficient in all weapons?

So I am building my first D&D character. It’s a Barbarian Mountain Dwarf, and I’m trying to figure out what weapons he is proficient with, but in the Barbarian section it says that he is proficient with Simple and Martial weapons. Does that mean he is proficient with all weapons? And if not, then what weapons does it mean?

Do creatures on both sides of Blade Barrier benefit from 3/4 cover?

I was looking at the Blade Barrier spell, and I was wondering does the spell have a ‘front’ and a ‘back’? The spell description states:

The wall provides three-quarters cover to creatures behind it

Does this refer to creatures who are behind the ‘back’ of the blade barrier, or does this apply to any creature shooting another creature on the other side of the wall?

If I have both advantage and disadvantage, and my target has the Elusive rogue class feature, do I have disadvantage on the attack?

At level 18, Rogues get the Elusive class feature, which says:

No attack roll has advantage against you while you aren’t incapacitated.

However, if you have both advantage and disadvantage, they cancel out, and you are considered to have neither.

That being the case, if you have both advantage and disadvantage, and you attack a level 18 Rogue, does Elusive steal the advantage entirely and leave you with disadvantage? Or do they cancel out before Elusive is applied, causing you to roll a single d20?

Why does Apple’s 2FA require both a prompt and a code?

When logging into iCloud via the web, a prompt is sent to your phone (with a map showing the origin of the web request). The user can then choose to allow or deny this request. After choosing to allow the request, a prompt is displayed on the phone which needs to be entered on the web client.

Does this exist just to prevent people from just reflexively pressing ‘allow’ on prompts, or does it actually improve security from a cryptographic point of view?