No argument given for why having a slower algorithm to generate random ids is more secure.
If the algorithm is too fast it means you can detect when some other part of the system is having a significant impact on how the key is returned. Eg checking a database to see if a user exists and returning their key versus getting null back and generating a new key. That difference can be used to determine if a user exists. You want your key gen process to be slow enough that it's a significant part of the process, which makes timing attacks hard.
This doesn’t make sense.
If you’re going to generate a new key if the user doesn’t exist then you’re creating a new user anyway, so there’s no hidden information.
Unless you mean that the system should return a bogus id instead of a status 40X when the user doesn’t exist, which makes even less sense.
ID generation should usually only happen when creating new assets, so it should be as fast as possible.
If the algorithm is too fast it means you can detect when some other part of the system is having a significant impact on how the key is returned. Eg checking a database to see if a user exists and returning their key versus getting null back and generating a new key. That difference can be used to determine if a user exists. You want your key gen process to be slow enough that it's a significant part of the process, which makes timing attacks hard.