- Feature Request
- Resolution: Won't Do
- Major
For the OTP SASL mechanism, we need to protect against race attacks, as described in RFC 2289. The approach OTPSaslServer currently takes to defend against such attacks is the one suggested in RFC 2289, i.e., we prevent multiple simultaneous authentication sessions for a user. This means that once a legitimate user has started the authentication process, an attacker would be blocked until that first authentication process finishes. With this approach, a timeout is needed in order to prevent a denial of service attack: without one, an authentication session that is started and never completed would block that user indefinitely. We could store the timeout info for a user via a RealmIdentity attribute as in PR #277. We could then add support for a new event that indicates a timeout attribute change for a realm identity and then handle a TimeoutUpdateCallback by handling this new event.
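The guard described above, as an added example in Python that is not Elytron's OTPSaslServer code: a per-user "authentication in progress" slot that refuses a second simultaneous OTP exchange for the same user (the RFC 2289 defence) and lets the slot expire after a timeout so an abandoned exchange cannot lock that user out indefinitely. The class and method names (OtpSessionGuard, begin, finish), the fake clock and the sample user names are assumptions made for the illustration.

```python
"""Per-user OTP exchange guard with timeout (illustration, not Elytron code).

Only one OTP authentication exchange per user may be open at a time; a slot
that is neither finished nor expired blocks any further begin() for that
user. The clock is injected so the timeout behaviour can be tested without
sleeping.
"""
import threading
import time
from typing import Callable, Dict, List, Tuple


class OtpSessionGuard:
    def __init__(self, timeout_seconds: float,
                 clock: Callable[[], float] = time.monotonic):
        self._timeout = timeout_seconds
        self._clock = clock
        self._lock = threading.Lock()
        # user name -> deadline (clock value) after which the slot is stale
        self._in_progress: Dict[str, float] = {}

    def begin(self, user: str) -> bool:
        """Try to open an exchange for `user`.

        Returns False when another exchange for the same user is still open
        (not finished and not yet past its deadline); True when the slot was
        free or stale and has now been (re)claimed with a fresh deadline.
        """
        now = self._clock()
        with self._lock:
            deadline = self._in_progress.get(user)
            if deadline is not None and deadline > now:
                return False  # refuse a second simultaneous session
            self._in_progress[user] = now + self._timeout
            return True

    def finish(self, user: str) -> None:
        """Release the slot when the exchange ends, whether it succeeded or not."""
        with self._lock:
            self._in_progress.pop(user, None)

    def open_count(self) -> int:
        """Number of slots that are still live (unfinished and unexpired)."""
        now = self._clock()
        with self._lock:
            return sum(1 for d in self._in_progress.values() if d > now)


class FakeClock:
    """Constructed clock so the demo is deterministic."""
    def __init__(self) -> None:
        self.t = 0.0

    def __call__(self) -> float:
        return self.t

    def advance(self, seconds: float) -> None:
        self.t += seconds


def demo() -> List[Tuple[str, bool]]:
    """Walk through the scenarios from the issue with a 30 second timeout."""
    clock = FakeClock()
    guard = OtpSessionGuard(timeout_seconds=30, clock=clock)
    events = []
    events.append(("alice starts", guard.begin("alice")))               # True
    events.append(("second session for alice", guard.begin("alice")))   # False
    events.append(("bob is unaffected", guard.begin("bob")))            # True
    guard.finish("alice")
    events.append(("alice after finish", guard.begin("alice")))         # True
    clock.advance(31)  # alice's new exchange is abandoned and goes stale
    events.append(("alice after timeout", guard.begin("alice")))        # True
    return events


if __name__ == "__main__":
    for label, allowed in demo():
        print(f"{label}: {'allowed' if allowed else 'blocked'}")
```

The trade-off the issue describes is visible in `begin`: while a slot is live, anyone else attempting that user is refused, so the timeout bounds how long an unfinished exchange can deny the legitimate user, and a shorter timeout narrows that window at the cost of failing slow but genuine logins.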