Hi @john.gateley , thanks for your help
You’re right, what I said doesn’t sound like a very solid solution.
Preventing account enumeration is being mandated on us by external processes. As you say, preventing bots from using sign-up too much would hinder automated account enumeration, which is a really good idea. I’m just not sure that this would tick all the boxes.
And there’s also the fact that using the bot detection feature would require us to upgrade to the next plan, multiplying our costs by about 10x 
at which point it may become cheaper to just build our own authentication server.