diff --git a/Authentification.md b/Authentification.md
index db86ebf..051bf9e 100644
--- a/Authentification.md
+++ b/Authentification.md
@@ -32,7 +32,7 @@ The xhash is valid for 24hours after the frontend must refresh the xhash, to opt
 
 For convenient purpose, a user can ask to a tribe (like smatchit) to store his credential that can be sent to a specific email only.
 
-Of course any request to backend is done with https (let's encrypt certificat)  to obfuscate the contain of http exchange
+Of course any request to backend is done with https (let's encrypt certificat)  to obfuscate the contain of http exchange. After 3 fails a time penalty is apply to avoid bruteforce.
 
 ## Profil and Accessright on data