The concerns about the denial of service attack, if an exponentially rising delay or similar lockout after a certain amount of login attempts are made, can be simply addressed by emailing an "unlock" email to the registered email address if a lockout takes place. That is, lock the account for 1/2 hours if there are a number of failed logins, but at the same time send an email that will allow logging in, by passing the lockout. Would this be a big security gap?