diff --git a/src/handlers/accounts.ts b/src/handlers/accounts.ts
index 5635c5e..44e027f 100644
--- a/src/handlers/accounts.ts
+++ b/src/handlers/accounts.ts
@@ -731,7 +731,7 @@ export async function handleRecoverTwoFactor(request: Request, env: Env): Promis
 if (!clientIdentifier) {
 return errorResponse('Client IP is required', 403);
 }
- const recoverLimitKey = `${clientIdentifier}:recover-2fa:${email || 'unknown'}`;
+ const recoverLimitKey = `${clientIdentifier}:recover-2fa`;
 const recoverAttemptCheck = await rateLimit.checkLoginAttempt(recoverLimitKey);
 if (!recoverAttemptCheck.allowed) {
diff --git a/src/handlers/identity.ts b/src/handlers/identity.ts
index bea684f..bee9e34 100644
--- a/src/handlers/identity.ts
+++ b/src/handlers/identity.ts
@@ -430,7 +430,7 @@ export async function handleToken(request: Request, env: Env): Promise
 const scope = body.scope;
 const deviceInfo = readAuthRequestDeviceInfo(body, request);
- const loginIdentifier = `${clientIdentifier}:${clientId}`;
+ const loginIdentifier = clientIdentifier;
 const parmValid = checkClientCredentialsParam(clientId, clientSecret, scope);
 if (!parmValid) {
 return identityErrorResponse('Parameter error', 'invalid_request', 400);
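Review bot: With the email removed from `recoverLimitKey`, nothing visible in this hunk limits attempts against one account any more: the bucket is per client address only, so recovery attempts on a single account arriving from different addresses each get a full allowance. The same holds for `loginIdentifier` in the handleToken hunk of src/handlers/identity.ts, which drops `clientId`. Removing the caller-supplied value from the per-client key is sound, because varying it gave a fresh bucket each time, but a second, separate check keyed on the target alone would restore the per-account bound, for example `await rateLimit.checkLoginAttempt('recover-2fa-account:' + email.trim().toLowerCase())` when `email` is a non-empty string, with a looser threshold so it is not a cheap way to lock a user out. The calls that record a failed attempt and reset the counter lie outside the hunk; they need to use the identical key string, otherwise this check never trips.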
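Review bot: `loginIdentifier` is now the bare `clientIdentifier`, with no flow suffix and, within this hunk, no check that the value is set. The recover-2fa handler in the other hunk namespaces its key with `:recover-2fa` and returns 403 when `clientIdentifier` is missing; here an empty or undefined value would place every such request in one shared bucket, and any other caller that passes the bare identifier to the limiter would share counts with this flow. If that sharing is not intended, a namespaced key such as `const loginIdentifier = clientIdentifier + ':token';` keeps the flows apart. handleToken begins outside the hunk, so confirm that a missing-identifier guard runs before this line, and add a one-line comment stating that `clientId` is left out because it is caller-controlled.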