I should change the semantics of the authsrv to just disable accounts for 5 seconds or so after 3 failed attempts instead of disabling them altogether.
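The temporary-lockout behaviour described in the note above, as an added example that is not authsrv's own code. The class name `TemporaryLockout`, the `check` callable and the in-memory dictionaries are assumptions made for illustration; the thresholds (3 failures, 5 seconds) come from the note.

```python
import time

MAX_FAILURES = 3        # from the note: lock after 3 failed attempts
LOCKOUT_SECONDS = 5.0   # from the note: "5 seconds or so"


class TemporaryLockout:
    """Hypothetical tracker: consecutive failures per account, timed lock."""

    def __init__(self, max_failures=MAX_FAILURES,
                 lockout_seconds=LOCKOUT_SECONDS, clock=time.monotonic):
        self.max_failures = max_failures
        self.lockout_seconds = lockout_seconds
        self.clock = clock          # injectable so callers can test without sleeping
        self._failures = {}         # account -> consecutive failure count
        self._locked_until = {}     # account -> clock value at which the lock ends

    def is_locked(self, account):
        until = self._locked_until.get(account)
        if until is None:
            return False
        if self.clock() >= until:
            # Lock expired: the account is usable again with a clean counter.
            del self._locked_until[account]
            self._failures.pop(account, None)
            return False
        return True

    def attempt(self, account, check):
        """Run one login attempt; `check` is a zero-argument callable
        returning True when the supplied credentials are valid.
        Returns 'locked', 'ok' or 'denied'."""
        if self.is_locked(account):
            # Credentials are not evaluated while the lock is active.
            return "locked"
        if check():
            self._failures.pop(account, None)   # success resets the counter
            return "ok"
        count = self._failures.get(account, 0) + 1
        self._failures[account] = count
        if count >= self.max_failures:
            # Start the timed lock instead of disabling the account for good.
            self._locked_until[account] = self.clock() + self.lockout_seconds
        return "denied"
```
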