I'm part of the core team of DotNetNuke, a popular open-source Windows .NET portal/CMS solution. In the next release (3.0), we're integrating an ASP.NET 1.1 backport of the new Whidbey membership providers. Hopefully, this will strengthen our user/role management, as well as allowing us to more easily integrate with others that implement this, e.g. Community Server, and minimise the conversion effort once we move to ASP.NET 2.0.
However, one issue we've found that isn't documented very well (at least not in the information we have to hand) is that two of the membership provider settings are mandatory. Most of them, such as enablePasswordRetrieval, can be set to true or false, but both passwordAttemptThreshold and passwordAttemptWindow require positive, non-zero values. If you don't include these, they default to 5 and 10 respectively. Whilst I applaud Microsoft's efforts at encouraging users to code more secure applications, I would have preferred the option of disabling these, i.e. setting them to 0. As it is, it looks likely we'll simply have to set reasonable values for the items and educate our users. Obviously, there's nothing to stop you writing your own alternative version of a membership provider, but it seems a lot of effort for a small return.
The two to watch out for are:
passwordAttemptThreshold="int": The number of failed password attempts, or failed password answer attempts, that are allowed before locking out a user's account.
passwordAttemptWindow="int": The time window, in minutes, during which failed password attempts and failed password answer attempts are tracked.
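
How the two settings interact, as an added example that is not DotNetNuke or Microsoft provider code: a simplified lockout model that rejects zero values the way the post describes. It assumes the window starts at the first failure and resets once it expires; `LockoutTracker`, `Demo`, the user name and the sample times are hypothetical.

```csharp
using System;
using System.Collections.Generic;

// Simplified model of failed-password lockout (added example, not provider code).
public sealed class LockoutTracker
{
    private sealed class State { public int Failures; public DateTime WindowStart; public bool Locked; }
    private readonly int threshold;    // passwordAttemptThreshold
    private readonly TimeSpan window;  // passwordAttemptWindow, in minutes
    private readonly Dictionary<string, State> users = new Dictionary<string, State>();

    public LockoutTracker(int passwordAttemptThreshold, int passwordAttemptWindow)
    {
        // Same constraint the post describes: zero ("disabled") is rejected.
        if (passwordAttemptThreshold <= 0) throw new ArgumentOutOfRangeException("passwordAttemptThreshold");
        if (passwordAttemptWindow <= 0) throw new ArgumentOutOfRangeException("passwordAttemptWindow");
        threshold = passwordAttemptThreshold;
        window = TimeSpan.FromMinutes(passwordAttemptWindow);
    }

    // Records one failed attempt; returns true once the account is locked out.
    public bool RecordFailure(string user, DateTime nowUtc)
    {
        State s;
        if (!users.TryGetValue(user, out s))
            users[user] = s = new State { WindowStart = nowUtc };
        if (s.Locked) return true;
        if (nowUtc - s.WindowStart > window)
        {
            // Window expired (assumed behaviour): earlier failures no longer count.
            s.Failures = 0;
            s.WindowStart = nowUtc;
        }
        s.Failures++;
        s.Locked = s.Failures >= threshold;
        return s.Locked;
    }
}

public static class Demo
{
    public static void Main()
    {
        var tracker = new LockoutTracker(3, 10);            // constructed settings
        var t0 = new DateTime(2005, 1, 1, 9, 0, 0, DateTimeKind.Utc);
        foreach (int minute in new[] { 0, 4, 15, 16, 17 })  // constructed failure times
            Console.WriteLine("{0,2} min: locked={1}", minute, tracker.RecordFailure("alice", t0.AddMinutes(minute)));
    }
}
```

In this model the third failure at minute 15 does not lock the account, because the first two have aged out of the 10-minute window; the lockout only triggers once three failures fall inside one window.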