Modern web apps and services work this way nowadays. GitLab for example blocks your account for 10min, and sends this email:

Unlock instructions | [SITENAME] Hello USERNAME,

Your GitLab account has been locked due to an excessive number of unsuccessful sign in attempts. You can wait for your account to automatically unlock in 10 minutes or you can click the link below to unlock now.

Unlock account

If you did not initiate these sign-in attempts, please reach out to your administrator or enable two-factor authentication (2FA) on your account.

I find this workflow much better for both site admins and registered users: - less emails/phone calls for site admins to unlock user accounts -> less overhead - people don't have to raise tickets or email/call their site admin to unblock their user account, nor do they have to wait in line until this is actioned - they can self-serve

I propose that we: - Add a setting under admin/config/people/login to allow selecting between 2 possible actions if any of the flood thresholds is reached: - (current behaviour) permanently block account immediately - (new default behaviour) temporarily block account and send email with unblock link (link uses token for security) - Tweak the "Account blocked" email under admin/config/people/emails to account for this new feature, or create a new "Account temporarily blocked" email template.

To avoid flooding the legitimate user's mailbox with "Unblock account" emails, we could consider implementing some kind of logic like the following: The amount of time the account is blocked for starts at 10min and is increased each time. Second time is for 30min; third time is 1hr, at which point the account block becomes permanent and requires either an admin to unblock it, or the link sent in the last email to be clicked.

GitHub Link: 
https://github.com/backdrop/backdrop-issues/issues/5522
GitHub Issue #: 
5522