Should auth be subject to quota?
That's actually a strange question. The routers and network cables can only handle so much. There is therefore an absolute limit at layer one regarding traffic, and if there is no traffic on your network but auth when that limit is hit, auth WILL be limited. (In practice, other service limits are almost certain to kick in first...)
Quota is a way of limiting traffic just a tad higher in the stack--and earlier in the call. Everything, and I mean absolutely EVERYTHING needs to be quota'ed if you want to avoid catastrophic degradation.
While at Google, I worked on modifying the quota system used for Hangouts. Got a real close view of what was going on, and formed some opinions about what needed fixing. On day, I had a flash of insight. If my quota system is returning 100% 500s to protect my back end, that's a good thing. We can bring traffic back in a controlled fashion. Then, I found myself hearing, "My job is to keep the network up. It is only my good nature that allows users to be on it at all." Just so.
Having said that, the quota system that I had available at Google struck me as very naive. It appears that they are still working that one out. You will recall that it was also implicated in their previous major outage.