That falls under session token creation though.
I mean bar of entry as requirement after first failure, usually by IP and ID. It might be expensive, but with a use-after-fail it might make more sense.
I say this knowing that I'm simultaneously recommending two practices that are non-similar... it made a lot more sense in my head, anyway.
The tl;dr is that only put it in if you have some need not to, keep tokens that allow bypassing any other requirements or so on.
Ah, okay. That makes more sense.