New text message requests

I've been asked to review a system where a user can request a new login by having an access code sent to a mobile.

The business is wondering how many requests a user can have so that:

costs paying for excessive amounts of text messages are kept to a minimum
hacking/brute force attacks are minimised
user experience is kept as pleasant as possible.

They have two options:

as many requests as one likes as long as one doesn't exceed 2 per minute
10 requests in one day, but as frequently as one likes until the 10 requests are reached

Which is the better option? Is there another option the industry uses?

Tags: UX Stack Exchange