Discord is an example of using CAPTCHAs during sign in process. So is Riot.
Password hashing functions are expensive operations. Which you must take the password input, hash it, then compare it with the stored hash.
That falls under session token creation though.
I mean bar of entry as requirement after first failure, usually by IP and ID. It might be expensive, but with a use-after-fail it might make more sense.
I say this knowing that I'm simultaneously recommending two practises that are non-similar... it made a lot more sense in my head, anyway.
The tl;dr is that only put it in if you have some need not to, keep tokens that allow bypassing any other requirements or so on.
Ah, okay. That makes more sense.
We're a place where coders share, stay up-to-date and grow their careers.
We strive for transparency and don't collect excess data.