Simple, there isn't any inbuilt security. If you think of Ajax as just a different way of doing HTTP Request and getting a HTTP Response. In, say , a php application, there's no inherent, in-built security. You would have to implement it with the PHP Auth package, or simple HTTP authentication, and this holds true for Ajax. I'm dealing with precisely the problem you describe at the moment, and the way I intend to deal with it is through timeouts - e.g. first request for login is instant, then there's a 1 second delay, then 2 seconds, then 4, then 8, then 16, then 32, and we cap the delay at this level. A brute force attack is much less likely to succeed given that a authentication request can only be made every 32 seconds.
Another way would be through lockouts - e.g. three tries and then the username is locked. But this all goes back to what I said initially, securing an Ajax app is similar to securing a php or asp.net app - they provide tools to help you do it, but it is still up to you to implement a security architecture