Roundup Tracker - Issues

Message7464

Author rouilj
Recipients rouilj
Date 2022-03-31.04:19:08
Message-id <1648700349.06.0.535137166968.issue2551197@roundup.psfhosted.org>
In-reply-to
With web login, we save logged in state as a session token. As a
result only one login is needed for access to multiple pages as long
as it is in the same session.

Since APIs are stateless, every access is a login. We have existing
mechanisms to rate limit calls to the API with valid credentials. So
this method should be invoked only with invalid credentials.

I should be able to pass an argument to verifyLogin that indicates
that I am looking for a stateful login (from the LoginAction). In this
case, calculate the rate limit and reject if exceeded.

If it is a non-stateful login, check the rate limiter and reject if
exceeded. If not exceeded, verify the password. If it verifies, do not
update the state of the limiter; otherwise increment the rate limiter
and save the state to the otks db. This should limit incorrect guesses
to a predefined rate and allow correct guesses through.

Given good and bad passwords for the user U.

  t=0  bad
  t=5  bad
  t=10 bad
  t=15 bad
  
all further attempts up to t=60 are rejected.

  t=0  bad
  t=5  bad
  t=10 good
  t=15 good
  t=20 good

only 2 of the 4 have been used and all good attempts pass through.

I think this works. However, the otks database will get even more
activity, and it can't sustain a high rate of activity. Since most hits
for APIs should not result in writes, maybe this will work. Will have
to test.
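The scheme above, as an added example (not Roundup's own code): a sliding-window counter in which only failed password checks consume quota, the limiter is consulted before the password is verified, and a successful check never writes to the store. `FailureStore` is an in-memory stand-in for the otks db, `WINDOW_SECONDS`/`MAX_FAILURES` are assumed values chosen to match the t=0..t=60 timelines, and the stateful LoginAction path is not modelled; the two timelines at the bottom are constructed to mirror the cases in the message.

```python
"""Failure-only login rate limiter for stateless (API) requests.

Added example, not Roundup's own code: a sliding-window counter in which only
failed password checks consume quota, so correct credentials always pass and a
successful API call never writes to the limiter store.
"""
import hashlib
import hmac

WINDOW_SECONDS = 60   # assumed window, matching the t=0..t=60 timelines above
MAX_FAILURES = 4      # assumed limit: 4 bad guesses per window per user


def hash_password(password):
    """Demo-only digest; a real deployment uses a salted slow KDF (bcrypt/argon2)."""
    return hashlib.sha256(password.encode()).hexdigest()


class FailureStore:
    """In-memory stand-in for the otks db: user name -> list of failure timestamps."""

    def __init__(self):
        self._failures = {}

    def get(self, user):
        return list(self._failures.get(user, []))

    def set(self, user, stamps):
        self._failures[user] = stamps


def _live_failures(stamps, now):
    """Drop failures older than the window (sliding window over the last 60 s)."""
    return [t for t in stamps if now - t < WINDOW_SECONDS]


def verify_login(store, users, user, password, now):
    """Return (ok, reason) for one stateless login attempt at time `now`.

    Order matters: the limiter is consulted before the password is checked,
    so a locked-out user cannot even test a guess.  On success the limiter
    state is left untouched; on failure the attempt is recorded.
    """
    stamps = _live_failures(store.get(user), now)
    if len(stamps) >= MAX_FAILURES:
        return False, "rate limited"

    # Compute the digest even for unknown users so the cost of the check
    # does not reveal whether the account exists; unknown names still
    # consume quota under the presented name.
    candidate = hash_password(password)
    stored = users.get(user)
    ok = stored is not None and hmac.compare_digest(stored, candidate)
    if ok:
        return True, "ok"          # no write to the store on success

    stamps.append(now)
    store.set(user, stamps)        # only failures cause a write
    return False, "bad password"


def run_timeline(store, users, user, attempts):
    """Drive a list of (t, password) attempts and return the reason per attempt."""
    return [verify_login(store, users, user, pw, t)[1] for t, pw in attempts]


if __name__ == "__main__":
    users = {"U": hash_password("correct")}
    # Constructed timelines mirroring the two cases in the message.
    lockout = [(0, "x"), (5, "x"), (10, "x"), (15, "x"), (20, "correct"), (60, "correct")]
    print(run_timeline(FailureStore(), users, "U", lockout))
    mixed = [(0, "x"), (5, "x"), (10, "correct"), (15, "correct"), (20, "correct")]
    print(run_timeline(FailureStore(), users, "U", mixed))
```

With four failures at t=0, 5, 10, 15 every attempt is rejected until t=60, when the t=0 failure ages out of the window and a correct password passes again; with two failures followed by correct passwords, only two of the four slots are used and every good attempt passes. Because a successful check never calls `store.set`, the write load on the backing store is proportional to the number of wrong guesses rather than to API traffic, which is the property the message hopes will keep the otks db workable.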
History

Date                 User    Action  Args
2022-03-31 04:19:09  rouilj  set     messageid: <1648700349.06.0.535137166968.issue2551197@roundup.psfhosted.org>
2022-03-31 04:19:09  rouilj  set     recipients: + rouilj
2022-03-31 04:19:09  rouilj  link    issue2551197 messages
2022-03-31 04:19:08  rouilj  create