As a security measure, users' passwords need to be protected against brute-force attacks from malicious actors who are trying to guess the passwords. The traditional password lockout implementation uses a counter to track the consecutive incorrect passwords that are entered for a given account. Once the counter exceeds a certain threshold, the algorithm assumes that a bad actor is attempting to guess the password via brute force, and the account is locked to protect it against unauthorized access. However, this counter-based method (i.e., locking the account after some number of consecutive incorrect password attempts) has several major shortcomings that lead to a high false-positive rate in brute-force detection and, consequently, to user friction.
Because the account is online, a malicious actor can conduct a brute-force attack on a user's account from any Internet-connected device from anywhere in the world. After the specified number of incorrect password attempts, the account would be locked out either temporarily or permanently and secured until a support team intervenes to provide access. Once the specified number of incorrect password attempts occurs, the account would be just as inaccessible to the account owner as to the malicious actor. The malicious actor may do this expressly for the purpose of keeping users out of their accounts, or it may happen in the process of attempting to gain access to the account.
Due to the way modern cloud-connected devices work, users can accidentally lock themselves out of their own account. Many users have devices that periodically log into their account on their behalf with a stored password to fetch their mail or get updates. If a user changes their password but forgets to update the password stored on the device (or simply configures the device with an incorrect password in the first place), the device will then repeatedly try to log in on the user's behalf unsuccessfully, resulting in the user's account being locked. In some systems, the counter for tracking failed login attempts is not incremented when a previous password or last-tried password is used.
Typically, successful logins reset incorrect password counters to zero, so a client device that periodically synchronizes with an account having a stored password creates an opportunity for malicious actors to have increased numbers of attempts to guess a password.
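The following Python model, added here as an illustration and not taken from the original text, implements the counter-based lockout described above and reproduces three of the shortcomings just listed: a stale stored password on a device locking the legitimate owner out, the mitigation of not counting attempts that reuse a previous or last-tried password, and a successful device sync resetting the counter so that an attacker gets more guesses than the threshold allows. The threshold of 5, the `LockoutPolicy` class, the scenario functions, and the demo hash function are assumptions for the example; a real system would store passwords with a slow key-derivation function rather than a bare SHA-256.

```python
import hashlib
import hmac
from dataclasses import dataclass, field
from typing import List, Optional

LOCKOUT_THRESHOLD = 5  # assumed threshold for this example


def _hash(password: str) -> str:
    # Demo-only hash; production systems use bcrypt/scrypt/Argon2.
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


@dataclass
class Account:
    password_hash: str
    previous_hashes: List[str] = field(default_factory=list)
    failed_count: int = 0
    last_failed_hash: Optional[str] = None
    locked: bool = False


class LockoutPolicy:
    """Counter-based lockout with two switchable behaviours from the text:
    skip_stale_and_repeat: do not count a failure that reuses a previous
    password or repeats the last-tried (wrong) password;
    reset_on_success: reset the failure counter after a successful login."""

    def __init__(self, skip_stale_and_repeat: bool, reset_on_success: bool):
        self.skip_stale_and_repeat = skip_stale_and_repeat
        self.reset_on_success = reset_on_success

    def set_password(self, acct: Account, new_password: str) -> None:
        # Remember the old hash so stale clients can be recognised later.
        acct.previous_hashes.append(acct.password_hash)
        acct.password_hash = _hash(new_password)

    def login(self, acct: Account, password: str) -> str:
        if acct.locked:
            return "locked"
        h = _hash(password)
        if hmac.compare_digest(h, acct.password_hash):
            if self.reset_on_success:
                acct.failed_count = 0
            return "ok"
        stale_or_repeat = h in acct.previous_hashes or h == acct.last_failed_hash
        if self.skip_stale_and_repeat and stale_or_repeat:
            return "fail-uncounted"  # wrong, but not evidence of guessing
        acct.last_failed_hash = h
        acct.failed_count += 1
        if acct.failed_count >= LOCKOUT_THRESHOLD:
            acct.locked = True
        return "fail"


def owner_locked_out_scenario() -> str:
    """An attacker burns the threshold; the real owner is then refused too."""
    policy = LockoutPolicy(skip_stale_and_repeat=True, reset_on_success=True)
    acct = Account(password_hash=_hash("owner-secret"))
    for i in range(LOCKOUT_THRESHOLD):
        policy.login(acct, f"wrong-{i}")
    return policy.login(acct, "owner-secret")  # constructed: the owner's correct password


def stale_device_scenario(skip_stale_and_repeat: bool) -> bool:
    """User changes the password; a mail client keeps retrying the old one.
    Returns True if the account ended up locked."""
    policy = LockoutPolicy(skip_stale_and_repeat, reset_on_success=True)
    acct = Account(password_hash=_hash("old-secret"))
    policy.set_password(acct, "new-secret")
    for _ in range(10):
        policy.login(acct, "old-secret")  # device still has the old password
    return acct.locked


def interleaved_sync_scenario(reset_on_success: bool, guesses: int = 30, sync_every: int = 4) -> int:
    """Wrong guesses arrive while a correctly configured device syncs every
    `sync_every` guesses. Returns how many guesses were evaluated before lockout."""
    policy = LockoutPolicy(skip_stale_and_repeat=True, reset_on_success=reset_on_success)
    acct = Account(password_hash=_hash("correct-secret"))
    evaluated = 0
    for i in range(guesses):
        if i > 0 and i % sync_every == 0:
            policy.login(acct, "correct-secret")  # legitimate device sync
        if policy.login(acct, f"guess-{i}") == "locked":
            break
        evaluated += 1
    return evaluated


if __name__ == "__main__":
    print("owner after attacker lockout:", owner_locked_out_scenario())
    print("stale device, naive counter locked account:", stale_device_scenario(False))
    print("stale device, uncounted stale/repeat:", stale_device_scenario(True))
    print("guesses evaluated, counter reset on sync:", interleaved_sync_scenario(True))
    print("guesses evaluated, no reset on success:", interleaved_sync_scenario(False))
```

Running the script shows the trade-off the text describes: ignoring stale and repeated passwords keeps the misconfigured device from locking the owner out, while resetting the counter on every successful sync lets the whole run of 30 wrong guesses through, compared with only 5 when success does not reset the counter.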
Some sites allow a locked-out user to send a code to a device known by the system via email, text, or otherwise, then enter that code at login to reset the password. This allows a user to recover from the locked-out state but adds additional friction to the login process.