OWASP / www-community

OWASP Community Pages are a place where OWASP can accept community contributions for security-related content.

Home Page: https://owasp.org/www-community/

device cookie lockout list storage advice?

unusualevent opened this issue

On the device cookies idea: https://owasp.org/www-community/Slow_Down_Online_Guessing_Attacks_with_Device_Cookies

How would you store the lockout list entries?

The individual entries expire, no?

Plus you might want a quick reference to "device cookie" -> banned(bool), or "IP" -> limited(bool), or "username" -> limited(bool).

Is it meant to be stored as an in-memory KV, or stored in Redis for clustering?

What would an ideal table layout be?
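
One possible shape for the in-memory option raised above, as an added example that is not part of the original issue and not OWASP's own code: expiring entries keyed by (kind, value), covering the three lookups the question lists. The class name `LockoutList`, the `KINDS` labels and the TTL values are assumptions made for illustration.

```python
import heapq
import time

KINDS = ("device_cookie", "ip", "username")  # the three lookups named in the question


class LockoutList:
    """Expiring lockout entries keyed by (kind, value). Hypothetical layout."""

    def __init__(self, clock=time.monotonic):
        self._clock = clock
        self._expires = {}  # (kind, value) -> expiry time; the O(1) "is it locked?" lookup
        self._queue = []    # min-heap of (expiry, key) so purge() never scans every entry

    def lock(self, kind, value, ttl_seconds):
        if kind not in KINDS:
            raise ValueError(f"unknown lockout kind: {kind!r}")
        key = (kind, value)
        expiry = self._clock() + ttl_seconds
        # A repeated lockout may extend an existing entry but never shortens it.
        if expiry > self._expires.get(key, float("-inf")):
            self._expires[key] = expiry
            heapq.heappush(self._queue, (expiry, key))

    def is_locked(self, kind, value):
        key = (kind, value)
        expiry = self._expires.get(key)
        if expiry is None:
            return False
        if expiry <= self._clock():
            del self._expires[key]  # lazy expiry on read
            return False
        return True

    def purge(self):
        """Drop expired entries; returns how many were removed."""
        now, removed = self._clock(), 0
        while self._queue and self._queue[0][0] <= now:
            expiry, key = heapq.heappop(self._queue)
            # Skip stale heap records left by an extended lockout or a lazy expiry.
            if self._expires.get(key) == expiry:
                del self._expires[key]
                removed += 1
        return removed

    def __len__(self):
        return len(self._expires)
```

For the clustered option, the same (kind, value) key scheme maps onto one Redis key per entry with a TTL set on it, in which case Redis handles expiry and `purge()` is not needed.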