Post from 2024-03-23 08:39:12

@kurtseifried There are surely different solutions for different use cases. E.g. in the general case I'd personally prefer my bank to lock the hell out of my account in case of multiple login failures. I usually say that even if throttling is out of the question, putting some alerting in place (preferably towards the user and the SOC) can have a significant impact on attacks. My general point is that since you control the key verification process, you can get very creative with mitigations.
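Added example (not the poster's code): a small login guard showing the two mitigations the post mentions, a lockout after repeated failures and alerting towards the user and the SOC, plus an alert-only mode for the case where throttling is out of the question. The credential check (`demo_verify`), the thresholds and the in-memory state are constructed assumptions; a real deployment would persist the counters and feed the alerts into its actual notification and SIEM pipeline.

```python
"""Failed-login tracker with optional lockout and user/SOC alerting.

Illustration only. `demo_verify`, the thresholds and the in-memory
state are constructed for this example, not taken from any real system.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Tuple


@dataclass
class AccountState:
    failures: int = 0          # consecutive failures inside the window
    last_failure: float = 0.0  # timestamp of the most recent failure
    locked_until: float = 0.0  # timestamp until which logins are refused


@dataclass
class LoginGuard:
    verify: Callable[[str, str], bool]   # the site's own credential check
    max_failures: int = 5                # lock after this many failures
    lockout_seconds: float = 900.0       # 15 minute lockout
    window_seconds: float = 600.0        # failures older than this are forgotten
    alert_after: int = 3                 # alert every N consecutive failures
    lockout_enabled: bool = True         # False = alert-only mode
    state: Dict[str, AccountState] = field(default_factory=dict)
    alerts: List[Tuple[str, str, str]] = field(default_factory=list)

    def _alert(self, channel: str, user: str, msg: str) -> None:
        # Stand-in for mailing the user / raising a SOC ticket.
        self.alerts.append((channel, user, msg))

    def attempt(self, user: str, password: str, now: float) -> str:
        """Return 'ok', 'denied' or 'locked' for one login attempt at time `now`."""
        st = self.state.setdefault(user, AccountState())

        # Forget a failure streak that ended outside the window.
        if st.failures and now - st.last_failure > self.window_seconds:
            st.failures = 0

        # While locked, refuse even a correct password so the lock is
        # not an oracle for password correctness.
        if now < st.locked_until:
            return "locked"

        if self.verify(user, password):
            st.failures = 0
            return "ok"

        st.failures += 1
        st.last_failure = now

        # Alerting works whether or not throttling is enabled.
        if st.failures >= self.alert_after and st.failures % self.alert_after == 0:
            self._alert("user", user, f"{st.failures} failed logins")
            self._alert("soc", user, f"{st.failures} failed logins")

        if self.lockout_enabled and st.failures >= self.max_failures:
            st.locked_until = now + self.lockout_seconds
            self._alert("soc", user, "account locked")
            return "locked"
        return "denied"


def demo_verify(user: str, password: str) -> bool:
    """Constructed credential check for the example; not a real verifier."""
    return password == "correct-horse-battery"


if __name__ == "__main__":
    guard = LoginGuard(verify=demo_verify)
    for t in range(5):
        print(t, guard.attempt("alice", "wrong", float(t)))
    print("correct password while locked:", guard.attempt("alice", "correct-horse-battery", 5.0))
    for a in guard.alerts:
        print("alert", a)
```

The alert-only mode (`lockout_enabled=False`) still raises the user and SOC notifications every `alert_after` failures, which is the point of the post: even without throttling, the verifier sees every failure and can act on it.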