Hi! I was giving this whole authentication and undetermined number of calls to authenticator.authenticate() some thoughts and my workaround is that I'm using my own LoginHandler. This one is called from the LoginPage and acts as a regular JSF Bean, hence can determine the next rendered page by returning given outcomes. It uses the Identity component, so the rest of the nice features (like using identity.loggedIn,...) can still be used. Also here the authentication is performed only once, because the method is called only once per request. The actual authenticator.authenticate method just uses the results from the LoginHandler to return true or false. With this, the database is able count the actual login attempts and the authenticator.authenticate method can be called as often as it might get ... I'm still unclear, why and in which circumstances the authenticator.authenticate() method is called from Seam, but I guess it's a useable workaround for me. For example, the authenticator.authenticate() method is called even if the login page is calling some other method than identity.login - haven't had time to dig into this ... Best regards, Kurt View the original post : http://www.jboss.com/index.html?module=bb&op=viewtopic&p=4102170#... Reply to the post : http://www.jboss.com/index.html?module=bb&op=posting&mode=reply&a...