What is the maximum acceptable time a login should take?
Logging into our app takes 15 - 20 seconds, depending on how much the user has access to. Some of this time is purposeful - the login endpoint itself has a minimum response time of 2 seconds to prevent automated password hacking/guessing, our password encryption uses a very robust algorithm with a very high cost, and the rest of the time is just gathering information from the API to build the app. Once the user is logged in, the app is very responsive.
So, what's the maximum acceptable time a login should take from the time the user hits the "Login" button to the app being ready to use?
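
As an added illustration (not code from the post or the app it describes): a login check where the 2-second minimum is a floor that absorbs the password-hashing time instead of stacking on top of it, so the deliberate part of the login budget is max(floor, hashing time). The PBKDF2 parameters, the `users` store, the dummy record for unknown users and all function names are assumptions made for the example.

```python
import hashlib
import hmac
import os
import time

MIN_RESPONSE_SECONDS = 2.0   # minimum response time stated in the post
PBKDF2_ITERATIONS = 200_000  # assumed cost; the post does not name its algorithm


def hash_password(password, salt):
    """Deliberately slow password hash (PBKDF2-HMAC-SHA256 as a stand-in)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)


def make_record(password):
    """Return (salt, hash) as it would be stored for one user."""
    salt = os.urandom(16)
    return salt, hash_password(password, salt)


# Hashed for unknown usernames so they cost the same work as known ones.
DUMMY_RECORD = make_record("placeholder")


def login(users, username, password, floor=MIN_RESPONSE_SECONDS,
          clock=time.monotonic, sleep=time.sleep):
    """Verify credentials and pad the response up to `floor` seconds.

    Returns (ok, elapsed_seconds). The hash time counts toward the floor,
    so a 0.4 s hash plus a 2 s floor yields 2 s in total, not 2.4 s.
    """
    start = clock()
    salt, stored = users.get(username, DUMMY_RECORD)
    candidate = hash_password(password, salt)
    ok = hmac.compare_digest(candidate, stored) and username in users
    remaining = floor - (clock() - start)
    if remaining > 0:
        sleep(remaining)  # pad only the time not already spent hashing
    return ok, clock() - start


if __name__ == "__main__":
    users = {"alice": make_record("correct horse")}  # constructed sample user
    for name, pw in [("alice", "correct horse"), ("alice", "wrong"), ("bob", "x")]:
        ok, elapsed = login(users, name, pw)
        print(f"{name!r}: ok={ok} elapsed={elapsed:.2f}s")
```

Timing each stage of the real login the same way (floor, hashing, post-login API calls) shows how much of the 15 - 20 seconds is deliberate and how much is data loading.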