You know, captchas are usually only used as a gateway to prevent bots from automated sign up, not to prevent *signing in*. The passwords are too ridiculously long to ever be cracked while relevant, so brute forcing isn't an issue. Why not just do away with it on the provider login?
I agree. If bruteforcing is a concern add some throttling - a small delay, limit of 5 login attempts per minute, something like that.