diff --git a/Cargo.toml b/Cargo.toml
index 5df51f8..9469db4 100644
--- a/Cargo.toml
+++ b/Cargo.toml
@@ -1,3 +1,9 @@
 [workspace]
 resolver = "3"
 members = ["idp"]
+
+[profile.dev.package.blake2]
+opt-level = 2
+
+[profile.dev.package.argon2]
+opt-level = 2
diff --git a/idp/src/main.rs b/idp/src/main.rs
index adaeb9d..1b02a85 100644
--- a/idp/src/main.rs
+++ b/idp/src/main.rs
@@ -435,6 +435,8 @@ async fn login_2fa_post(
 ) -> Result<impl IntoResponse, Response> {
     let now = jiff::Timestamp::now();
 
+    // TODO: limit age of locked session
+
     let Some(session_id) = jar.get(crate::SESSION_ID_COOKIE_NAME) else {
         return Err(Redirect::to("/").into_response());
     };