Currently, after several incorrect password attempts, users are locked out for a fixed duration of 30 minutes. This creates friction for legitimate users who may have simply forgotten their password. During this lockout period, users are unable to log in or effectively recover access.