Spin-off from https://github.com/OWASP/ASVS/issues/1763#issuecomment-2401626104
As the current 2.2.1 requires work, and should have a clear anti-automation goal, it makes sense to separate the lockout part from this.
First question is: do we need this requirement? What does NIST say about it? How can it fire back?
In practice, I have seen "enough times" solutions where, via some web application authentication form, you can lock out an entire organization's or company's user base with incorrect credentials.
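The failure mode described above, as an added example that is not part of the issue or the ASVS project's own code: a toy authentication back end with two interchangeable failed-login policies. The first is the classic per-account lockout, in which anyone who knows a username can lock that account by submitting wrong passwords. The second counts failures per (source, username) pair inside a time window and throttles the source instead of locking the account, which is the anti-automation goal the comment argues for. The usernames, the source identifier and the thresholds are constructed for the simulation.

```python
"""Constructed comparison of two failed-login policies (added example, not ASVS code)."""
from collections import defaultdict
from dataclasses import dataclass, field


@dataclass
class AccountLockoutPolicy:
    """Naive policy: N wrong passwords against a username lock that account,
    regardless of where the attempts came from."""
    max_failures: int = 5
    failures: dict = field(default_factory=lambda: defaultdict(int))
    locked: set = field(default_factory=set)

    def attempt(self, username, password_ok, source, now):
        # `source` and `now` are ignored: the counter is keyed on the account only.
        if username in self.locked:
            return "locked"
        if password_ok:
            self.failures[username] = 0
            return "ok"
        self.failures[username] += 1
        if self.failures[username] >= self.max_failures:
            self.locked.add(username)
            return "locked"
        return "denied"


@dataclass
class SourceThrottlePolicy:
    """Anti-automation policy: failures are counted per (source, username)
    inside a sliding window; the offending source is throttled, the account
    itself is never locked, so a legitimate user on their own device gets in."""
    max_failures: int = 5
    window_seconds: float = 900.0
    # (source, username) -> timestamps of recent failures
    failures: dict = field(default_factory=lambda: defaultdict(list))

    def attempt(self, username, password_ok, source, now):
        key = (source, username)
        recent = [t for t in self.failures[key] if now - t < self.window_seconds]
        self.failures[key] = recent
        if len(recent) >= self.max_failures:
            return "throttled"
        if password_ok:
            self.failures[key] = []
            return "ok"
        recent.append(now)
        return "denied"


def simulate(policy):
    """Constructed scenario: one automated source submits wrong passwords for
    every known username, then each real user logs in from their own device.
    Returns the outcome each legitimate user sees."""
    users = ["alice", "bob", "carol"]
    automated_source = "203.0.113.9"  # constructed, documentation-range address
    now = 1_000.0
    for user in users:
        for _ in range(6):
            policy.attempt(user, False, automated_source, now)
            now += 0.1
    return {user: policy.attempt(user, True, f"device-of-{user}", now) for user in users}


if __name__ == "__main__":
    print("per-account lockout:", simulate(AccountLockoutPolicy()))
    print("per-source throttle:", simulate(SourceThrottlePolicy()))
```

Under the lockout policy every legitimate user is reported as "locked" after the automated run, which is exactly the organization-wide lockout the comment describes; under the throttle policy every user still logs in and only the automated source is throttled. The throttle policy is a floor, not a complete design: an attacker spreading attempts over many sources is not caught by a per-source key alone, so a production implementation adds per-account signals (notifying the user, requiring step-up verification) rather than a hard lock.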
Idea proposal from @tghosth
This serves the goal of explaining the idea, but should be written as a positive requirement.