By default we lock out users after 10 failed attempts for 10 minutes. It can be configured on on-premise server.