I implemented something similar in a plugin
( http://svn.tranchitella.it/listing.php?repname=public&path=/repoze.who.plugins.sqlalchemy/ ),
by passing an optional 'user_audit' argument to the plugin maker in who.ini; the
authenticator will then call a method upon each failed login. It's up to the
application to store it, i.e. in a database, and after a certain number of failed
logins, either refuse to authenticate, or show a CAPTCHA.
This might, or might not be what you're looking for, though.
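
The application-side bookkeeping described in the message above, as an added example that is not part of the original message and is not the plugin's code. The class name, method names, thresholds and time window are all hypothetical; the actual interface the plugin expects from 'user_audit' is not shown here.

```python
import sqlite3
import time


class FailedLoginAudit:
    """Hypothetical audit object; NOT the plugin's real interface."""

    def __init__(self, captcha_after=3, refuse_after=6, window=900, db=":memory:"):
        self.captcha_after = captcha_after  # assumed threshold for a CAPTCHA
        self.refuse_after = refuse_after    # assumed threshold for refusal
        self.window = window                # seconds a failure keeps counting
        self.conn = sqlite3.connect(db)
        self.conn.execute(
            "CREATE TABLE IF NOT EXISTS failed_login (login TEXT NOT NULL, ts REAL NOT NULL)")

    def failed(self, login, now=None):
        """Store one failed attempt; meant to be called on each failed login."""
        now = time.time() if now is None else now
        with self.conn:
            self.conn.execute("INSERT INTO failed_login VALUES (?, ?)", (login, now))

    def succeeded(self, login):
        """Clear the stored failures once the user authenticates."""
        with self.conn:
            self.conn.execute("DELETE FROM failed_login WHERE login = ?", (login,))

    def decision(self, login, now=None):
        """Return 'allow', 'captcha' or 'refuse' for the next attempt."""
        now = time.time() if now is None else now
        (count,) = self.conn.execute(
            "SELECT COUNT(*) FROM failed_login WHERE login = ? AND ts > ?",
            (login, now - self.window)).fetchone()
        if count >= self.refuse_after:
            return "refuse"
        if count >= self.captcha_after:
            return "captcha"
        return "allow"


def demo():
    """Constructed sequence: seven failed attempts for the login 'alice'."""
    audit = FailedLoginAudit()
    seen = []
    for i in range(7):
        seen.append(audit.decision("alice", now=1000.0 + i))
        audit.failed("alice", now=1000.0 + i)
    return seen
```

Counting by login alone means repeated failures can lock a legitimate user out until the window expires, which is why the failures here age out rather than accumulating forever.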