Ask HN: Why isn't time more a part of account recovery?

by jmward01 on 3/12/2026, 10:03 PM with 2 comments

I don't have a blog so I don't have some polished think piece on this, just an honest question to the HN crowd. Why isn't it standard practice to have a 'reset cool-down' or something similar on accounts? I want to be able to say, have X + Y = primary auth, but backup Z (which is presumably less secure) is allowed only if a successful login means a 48-hour cool-down before you can fully log in (and presumably fix your primary auth mechanism). I am thinking of doing this for a site but don't see it as a best practice and was wondering why.
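One way to model the cool-down the post describes, as an added example that is not from the post or from any real service: a backup-method login only opens a restricted session and starts a 48-hour clock, and full access arrives once the clock runs out. The session levels, the rule that a primary login cancels a pending recovery, and the constructed secrets and timestamps are assumptions.

```python
import hmac
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

COOLDOWN = timedelta(hours=48)  # the 48-hour cool-down from the post

@dataclass
class Account:
    primary_secret: str   # "X + Y" from the post, collapsed into one constructed secret
    backup_secret: str    # the weaker backup method "Z"; real code would store hashes
    recovery_started: Optional[datetime] = None  # when a backup login began the cool-down

@dataclass
class Session:
    level: str                              # "full" or "restricted"
    unlocks_at: Optional[datetime] = None   # when a restricted session may become full

def login(acct: Account, method: str, secret: str, now: datetime) -> Optional[Session]:
    """Return a Session on success, None on failure; backup logins only start a cool-down."""
    if method == "primary" and hmac.compare_digest(acct.primary_secret, secret):
        acct.recovery_started = None    # assumption: the strong factor cancels pending recovery
        return Session("full")
    if method == "backup" and hmac.compare_digest(acct.backup_secret, secret):
        if acct.recovery_started is None:
            acct.recovery_started = now   # first backup login: start the 48-hour clock
        unlocks_at = acct.recovery_started + COOLDOWN
        if now < unlocks_at:
            # Restricted: enough to show "recovery pending" and let the owner cancel it.
            return Session("restricted", unlocks_at)
        acct.recovery_started = None      # clock ran out uncontested: full access to fix primary
        return Session("full")
    return None

def scenario(primary_at: Optional[int] = None) -> list:
    """Timeline from the post: backup logins at 0 h, 47 h and 48 h; optionally the real
    owner logs in with the primary method at `primary_at` hours, which cancels the recovery."""
    t0 = datetime(2026, 3, 12, 22, 0, tzinfo=timezone.utc)  # constructed timestamp
    acct = Account("strong-secret", "weak-secret")            # constructed credentials
    steps = [("backup", "wrong", 0), ("backup", "weak-secret", 0),
             ("backup", "weak-secret", 47), ("backup", "weak-secret", 48)]
    if primary_at is not None:
        steps.append(("primary", "strong-secret", primary_at))
        steps.sort(key=lambda s: s[2])    # stable sort keeps same-hour order
    out = []
    for method, secret, hours in steps:
        s = login(acct, method, secret, t0 + timedelta(hours=hours))
        out.append(s.level if s else "denied")
    return out
```

Calling `scenario()` walks the uncontested timeline; `scenario(1)` shows the owner's primary login at hour 1 cancelling the pending recovery so the later backup logins start over.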

by gus_massa on 3/13/2026, 7:40 PM

I think Google has a similar setup. You have to try to log in correctly, wait like 1 or 2 weeks and log in correctly again from the same computer.

by 1970-01-01 on 3/12/2026, 10:10 PM

Same reason we don't have IPv6 everywhere. It's too hard for most devs to implement it into whatever they're already living with.