User App 3.5, eDirectory, IDM 3.5

Client wants to limit the number of consecutive unsuccessful attempts to
answer the challenge questions in the forgot my password portlet. If the
user exceeds N attempts (N is TBD), an action would be taken, such as
intruder detection would be tripped, or possibly the user would get a link
on the "sorry" page which would allow them to request a random password be
sent to their eMail address.

Is this something I could customize in UA? If so, which developer kit
would point me in the general direction on how to do this? Or do I need to
file an enhancement request and tell them to bide their time?