Can we also have an OnUserBeforeBeforeBeforeAuthenticate for even more security

I wonder if that couldn't be done with a regular authentication plugin. By replacing the regular Joomla core plugin you could do whatever you want security wise. It wouldn't need an additional plugin event.

You are right @Bakula. I agree with you. It is possible to be done replacing Joomla core authentication plugins.
However, my point is...

• If I do that, I will not be able to share that additional functionality with other people. No one will want to disable their core plugins and to use third-party authentication plugin.
• If I use several authentication plugins (gmail, ldap,...), I will have to replace all of them.
• I prefer to leave the core authentication plugins on you. So, if there is a patch for one of them, it will not be necessary to patch my ones. I just need to add some additional protection.
• I prefer to keep the authentication separate from additional functionality like those that I need.

I guess, this event can be useful for many developers. They will be able to find different ways to protect the login process.
In my case, I prefer to restrict front-end authentication only for my IP address. Additional, If someone is trying to attack the login process (trying SQL Injections, Brute Force Attacks,...), the plugin will send me an email. So, I will be able to add some rules to the firewall to protect my website in time.

That should become before the authentication (onUserAuthenticate). So, the event onUserBeforeAuthenticate will give us that power and we will be able to do extensions that will make Joomla more secure. :)

Rather than adding a new event, I think a better approach might be to allow an authentication plugin to abort the login process. I think that was the intention behind the STATUS_DENIED constant, but it was never implemented.

I guess, this event can be useful for many developers. They will be able to find different ways to protect the login process.
In my case, I prefer to restrict front-end authentication only for my IP address. Additional, If someone is trying to attack the login process (trying SQL Injections, Brute Force Attacks,...), the plugin will send me an email. So, I will be able to add some rules to the firewall to protect my website in time.

That should become before the authentication (onUserAuthenticate). So, the event onUserBeforeAuthenticate will give us that power and we will be able to do extensions that will make Joomla more secure. :)

Check this extension: http://extensions.joomla.org/extension/brute-force-stop, https://github.com/codeling/bfstop it already implements anti-brute-force protection very well, using a system plugin.

I am closing this. It is two years old with little interest