- I reject obscurity
- Using two authentication systems instead of one is overkill
- The artificial pause between attempts should be done for users too
- Blocking IPs of failed attempts should be done for users too
- Strong passwords should be used by users too
- If you consider captchas ok, guess what, you could use them for users too
Yes, after writing it, I realize that this answer could be summarized as a "nothing special for the admin login, they are all security features that should be used for any login".
