Thread:Project:Support desk/LoginAuthenticateAudit hook return from invalid user/reply

It looks like a better choice would be the AbortLogin hook. This hook is called just before the password is checked.

But now that I've looked at the code, it looks like both hooks are called after the user's existance has been check and (if allowed) it has been auto-created.

I think you would need a new hook called after attemptAutoCreate returned. Let me know if you'd like to do this and we can try to get it added to core.