Hi,

I would like to continue the discussion started at today's Keystone meeting (http://eavesdrop.openstack.org/meetings/openstack-meeting/2012/openstack-meeting.2012-05-15-18.02.html) about bug 963098 (Keystone isn't acting on consecutive failed logins) and the related blueprint (Improve keystone security).

At the meeting there were serious concerns about using a middleware, and about the current approach being an audit & report mechanism that could be done elsewhere. So after thinking again about this I've got a new approach: acting on consecutive failed logins might be managed by the identity backends' authenticate method. This approach would make all the needed work specific to the backend, and thus a read/write backend will be able to do some actions that a read-only one won't, e.g. storing login attempts in the user's extra data, temporarily disabling the user, ...

If we look at the current SQL identity backend, after an authentication failure Keystone just raises an exception; this approach will replace/extend that, doing the consecutive failed logins handling there.

I still think adding an optional rate limiting middleware would help a lot.

https://github.com/openstack/keystone/blob/master/keystone/identity/backends/sql.py#L146
https://bugs.launchpad.net/keystone/+bug/963098
https://blueprints.launchpad.net/keystone/+spec/improve-keystone-security

Thanks,
Rafael
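As an added illustration of the backend-side approach sketched in the message above (example code written for this page, not Keystone's code and not from the thread), the following hypothetical in-memory read/write identity backend keeps a consecutive-failure counter in the user's extra data and temporarily disables the account once a threshold is reached. The class and function names (`InMemoryIdentity`, `attempt`, `AccountLockedError`), the `MAX_FAILED_ATTEMPTS` and `LOCKOUT_SECONDS` tunables, the injectable clock and the PBKDF2 password hashing are all assumptions made for the example; a read-only backend would have no place to persist the counter and would have to leave this to another layer.

```python
import hashlib
import hmac
import os
import time
from dataclasses import dataclass, field

# Constructed tunables for the example (not Keystone configuration options).
MAX_FAILED_ATTEMPTS = 3      # consecutive failures before the account is disabled
LOCKOUT_SECONDS = 300        # how long the account stays disabled
PBKDF2_ITERATIONS = 10_000   # kept low so the example runs quickly


class AuthenticationError(Exception):
    """Wrong user name or password (the error a backend raises today)."""


class AccountLockedError(AuthenticationError):
    """Account temporarily disabled after too many consecutive failures."""


@dataclass
class User:
    name: str
    salt: bytes
    password_hash: bytes
    extra: dict = field(default_factory=dict)  # per-user free-form data


def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)


class InMemoryIdentity:
    """Hypothetical read/write identity backend holding users in a dict."""

    def __init__(self, clock=time.time):
        self._users = {}
        self._clock = clock  # injectable so tests can advance time

    def create_user(self, name: str, password: str) -> None:
        salt = os.urandom(16)
        self._users[name] = User(name, salt, _hash_password(password, salt))

    def authenticate(self, name: str, password: str) -> User:
        user = self._users.get(name)
        if user is None:
            raise AuthenticationError("invalid user or password")

        extra = user.extra
        now = self._clock()

        # Refuse even a correct password while the lockout is in force.
        if now < extra.get("locked_until", 0):
            raise AccountLockedError("account temporarily disabled")

        if hmac.compare_digest(_hash_password(password, user.salt), user.password_hash):
            # Success resets the consecutive-failure state.
            extra["failed_attempts"] = 0
            extra.pop("locked_until", None)
            return user

        # Failure: bump the counter stored in the user's extra data and,
        # at the threshold, disable the account for LOCKOUT_SECONDS.
        extra["failed_attempts"] = extra.get("failed_attempts", 0) + 1
        if extra["failed_attempts"] >= MAX_FAILED_ATTEMPTS:
            extra["locked_until"] = now + LOCKOUT_SECONDS
            extra["failed_attempts"] = 0
            raise AccountLockedError("account temporarily disabled")
        raise AuthenticationError("invalid user or password")


def attempt(backend: InMemoryIdentity, name: str, password: str) -> str:
    """Map an authenticate() call to 'ok', 'denied' or 'locked' for easy inspection."""
    try:
        backend.authenticate(name, password)
        return "ok"
    except AccountLockedError:
        return "locked"
    except AuthenticationError:
        return "denied"


if __name__ == "__main__":
    clock = [1000.0]
    backend = InMemoryIdentity(clock=lambda: clock[0])
    backend.create_user("alice", "correct horse")
    for pw in ["wrong", "wrong", "wrong", "correct horse"]:
        print(pw, "->", attempt(backend, "alice", pw))
    clock[0] += LOCKOUT_SECONDS + 1
    print("after lockout ->", attempt(backend, "alice", "correct horse"))
```

The counter lives in the same per-user record the backend already owns, so the SQL backend could persist it alongside the user row, while the decision to lock is taken inside `authenticate` rather than in a middleware in front of the API.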