re: "mitigating the chances of a full brute force attack by a limit of 30 lookups a minute."
Not really - the attacker could do 100 requests. Each request might take 2 seconds but it doesn't stop the number of requests done. You need to stop processing more than one request every 2 seconds rather than delay it by 2 seconds on each execution.
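
The difference described in the reply above, as an added simulation that is not code from the thread: a per-request 2-second sleep is compared with a limiter that processes at most one request every 2 seconds. The function names, the limiter key (`client-A`) and the traffic patterns are assumptions made for the illustration; times are in milliseconds on a simulated clock.

```python
from dataclasses import dataclass, field

DELAY_MS = 2000    # the 2-second figure from the thread
WINDOW_MS = 60000  # one minute

def processed_with_delay(arrivals_ms, delay_ms=DELAY_MS, window_ms=WINDOW_MS):
    """Every request is accepted, sleeps delay_ms, then is processed.
    Requests run in parallel, so the sleep only postpones each answer."""
    return sum(1 for t in arrivals_ms if t + delay_ms <= window_ms)

@dataclass
class IntervalLimiter:
    """Allow at most one processed request per interval_ms for each key."""
    interval_ms: int = DELAY_MS
    last_allowed: dict = field(default_factory=dict)

    def allow(self, key, now_ms):
        last = self.last_allowed.get(key)
        if last is not None and now_ms - last < self.interval_ms:
            return False  # reject immediately (e.g. HTTP 429), do no lookup
        self.last_allowed[key] = now_ms
        return True

def processed_with_limiter(arrivals_ms, key="client-A", window_ms=WINDOW_MS):
    # What to key on (client address, account, ...) is an assumption here.
    limiter = IntervalLimiter()
    return sum(1 for t in sorted(arrivals_ms)
               if t < window_ms and limiter.allow(key, t))

# Constructed traffic: one client sending a request every 100 ms for a minute.
STEADY = list(range(0, WINDOW_MS, 100))
# Constructed traffic: the 100 requests from the reply, all sent at once.
BURST = [0] * 100

if __name__ == "__main__":
    for name, traffic in (("steady", STEADY), ("burst", BURST)):
        print(name, "delay:", processed_with_delay(traffic),
              "limiter:", processed_with_limiter(traffic))
```

Only the limiter holds the steady stream to the 30 lookups a minute quoted in the thread; the sleep lets almost every request through.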