To accomplish the goals of scalability and security, I propose that logins be handled by a single server and that session keys be used for client identification. The login query would be made over an HTTPS connection for security and would ideally use a salted hash.
string login(string username, string password)
- string ServiceType
- string mirrorURL
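A sketch of the proposed flow, added here as an example and not part of the original proposal: the login server keeps a per-user salted hash, and `login` returns a random session key that later requests present for identification. PBKDF2 as the salted hash, the in-memory stores, the `register` and `identify` helpers and the one-hour lifetime are assumptions; HTTPS transport is left to the deployment.

```python
import hashlib
import hmac
import secrets
import time
from typing import Optional

SESSION_TTL = 3600  # seconds; assumed lifetime, not specified in the proposal
USERS = {}          # username -> (salt, password_hash); stands in for a database
SESSIONS = {}       # session key -> (username, expiry time)


def hash_password(password: str, salt: bytes) -> bytes:
    # PBKDF2-HMAC-SHA256 is an assumed choice for the proposal's "salted hash".
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 200_000)


def register(username: str, password: str) -> None:
    salt = secrets.token_bytes(16)  # fresh random salt for every user
    USERS[username] = (salt, hash_password(password, salt))


# Dummy record so an unknown username costs the same hashing work as a known one.
DUMMY_SALT = secrets.token_bytes(16)
DUMMY_HASH = hash_password(secrets.token_hex(16), DUMMY_SALT)


def login(username: str, password: str) -> str:
    """Return a new session key, or "" when the credentials are wrong."""
    salt, stored = USERS.get(username, (DUMMY_SALT, DUMMY_HASH))
    candidate = hash_password(password, salt)
    if not (hmac.compare_digest(candidate, stored) and username in USERS):
        return ""
    key = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
    SESSIONS[key] = (username, time.time() + SESSION_TTL)
    return key


def identify(session_key: str, now: Optional[float] = None) -> Optional[str]:
    """Map a session key back to its username; expired keys are deleted."""
    entry = SESSIONS.get(session_key)
    if entry is None:
        return None
    username, expiry = entry
    if (time.time() if now is None else now) >= expiry:
        del SESSIONS[session_key]
        return None
    return username
```

Because the session key is random rather than derived from the password, a leaked key can be revoked by deleting its entry without changing the user's credentials.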