Currently it is possible to lock out users with a script that automatically does 3 incorrect login tries every five minutes. To avoid this security problem, I would like to add that after 3 incorrect login tries a reCAPTCHA is also needed before a full login attempt can be done.
I have a workaround to count the number of previous login attempts. link. With this I plan to make a non-persistent login object which contains the Mendix reCAPTCHA widget and in the background logs a user in using a Java action. My alternative plan of adding the reCAPTCHA JavaScript into the login widget of Mendix will take me too much time.
Since this all feels like a bit of a hacky workaround to fix a security problem, I was wondering if anyone has any other suggestions for solving this.
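The gate described in the question, sketched as an added example that is not part of the original post and is not Mendix code: after 3 failed tries the password is only checked once a CAPTCHA token verifies, and the account is never locked. The class and method names, the two check callbacks (stand-ins for the platform login call and the server-side CAPTCHA verification) and the 5-minute counting window are assumptions.

```java
import java.time.*;
import java.util.*;
import java.util.concurrent.ConcurrentHashMap;
import java.util.function.*;

// Added example (Java 16+): CAPTCHA step-up instead of account lockout. All names are hypothetical.
public class CaptchaGatedLogin {
    public enum Result { SUCCESS, BAD_CREDENTIALS, CAPTCHA_REQUIRED }
    private static final int FREE_ATTEMPTS = 3;                   // threshold from the post
    private static final Duration WINDOW = Duration.ofMinutes(5); // assumed counting window
    private record Failures(int count, Instant windowStart) {}
    private final Map<String, Failures> failures = new ConcurrentHashMap<>();
    private final BiPredicate<String, String> passwordCheck; // stand-in for the platform's login call
    private final Predicate<String> captchaCheck;            // stand-in for server-side token verification

    public CaptchaGatedLogin(BiPredicate<String, String> passwordCheck, Predicate<String> captchaCheck) {
        this.passwordCheck = passwordCheck;
        this.captchaCheck = captchaCheck;
    }
    private static boolean inWindow(Failures f, Instant now) {
        return Duration.between(f.windowStart(), now).compareTo(WINDOW) <= 0;
    }

    public Result login(String user, String password, String captchaToken, Instant now) {
        String key = user.toLowerCase(Locale.ROOT); // count per account, case-insensitively
        Failures f = failures.get(key);
        boolean stepUp = f != null && inWindow(f, now) && f.count() >= FREE_ATTEMPTS;
        // The password is not evaluated until the CAPTCHA passes; the account itself is never locked.
        if (stepUp && (captchaToken == null || !captchaCheck.test(captchaToken))) return Result.CAPTCHA_REQUIRED;
        if (passwordCheck.test(user, password)) {
            failures.remove(key); // a successful login clears the counter
            return Result.SUCCESS;
        }
        // Atomic update: extend the current window's count, or start a new window if the old one expired.
        failures.merge(key, new Failures(1, now), (old, fresh) ->
                inWindow(old, now) ? new Failures(old.count() + 1, old.windowStart()) : fresh);
        return Result.BAD_CREDENTIALS;
    }

    public static void main(String[] args) {
        // Constructed credentials and token, for demonstration only.
        CaptchaGatedLogin gate = new CaptchaGatedLogin(
                (u, p) -> u.equals("alice") && p.equals("correct-horse"), "valid-token"::equals);
        Instant t = Instant.parse("2024-01-01T00:00:00Z");
        for (int i = 0; i < 3; i++) System.out.println(gate.login("alice", "wrong", null, t.plusSeconds(i)));
        System.out.println(gate.login("alice", "correct-horse", null, t.plusSeconds(10)));
        System.out.println(gate.login("alice", "correct-horse", "valid-token", t.plusSeconds(20)));
    }
}
```

The counter here lives in memory and is keyed by whatever username is submitted, so a real deployment would persist it and bound its size.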