Run_modes are like the public interface to your App - they dont need to account for everything your app does. Id be more likely to have just 1 runmode - login - that calls private methods depending on whether the appropriate username/password combo was coming in on the CGI params.

sub login
{
    my $self = shift;
    my $q    = $self->query(); # ?
    if($q->param("username") && $q->param("password"))
    {
        $self->_verify_login() ;
    }
    else
    {
        $self->_generate_form();
    }

    # ... do template stuff here
}

For login_retry - id probably just put a <TMPL_IF> in my original form template, and reuse it for the retry.

<tmpl_if name="BAD_LOGIN"> 
     Sorry please try again...  
</tmpl_if>
    <form>...</form>

Hope that helps