Currently our apps are vulnerable to brute-force attacks on passwords since an unlimited number of login attempts are allowed. This goes against best practices established in ISO 27001, FFIEC (banking) and NIST guidelines. This would be particularly important if eCommerce features are added.
It would be great if we could limit the number of attempts and then allow users to reset their passwords. Bonus points if the password reset can be via email or SMS. Double bonus if the number of attempts can be set based on a value in a table.
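The following is an added example of what the request above asks for, not code from this project: a login check that counts failed attempts per account, locks the account once the count reaches a threshold read from a settings table, and a single-use, expiring reset token that clears the lock. The schema, the setting names (`max_login_attempts`, `lockout_seconds`, `reset_token_ttl_seconds`), the status strings returned by `login` and the use of PBKDF2 are all assumptions made for the example; delivering the token by email or SMS is left to the caller.

```python
import hashlib
import hmac
import secrets
import sqlite3
import time

# Constructed schema for the example: the limits live in a settings table, so
# the attempt threshold is data rather than a hard-coded constant.
SCHEMA = """
CREATE TABLE settings (key TEXT PRIMARY KEY, value TEXT NOT NULL);
CREATE TABLE users (
    username TEXT PRIMARY KEY, salt BLOB NOT NULL, pw_hash BLOB NOT NULL,
    failed_attempts INTEGER NOT NULL DEFAULT 0, locked_until REAL NOT NULL DEFAULT 0);
CREATE TABLE reset_tokens (
    token_hash BLOB PRIMARY KEY, username TEXT NOT NULL, expires REAL NOT NULL);
INSERT INTO settings VALUES ('max_login_attempts', '5'),
                            ('lockout_seconds', '900'),
                            ('reset_token_ttl_seconds', '600');
"""


def open_db():
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    return db


def setting(db, key):
    row = db.execute("SELECT value FROM settings WHERE key = ?", (key,)).fetchone()
    if row is None:
        raise KeyError(key)
    return int(row[0])


def _hash(password, salt):
    # PBKDF2 keeps the example dependency-free; argon2id or bcrypt are the
    # better choice in production.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def create_user(db, username, password):
    salt = secrets.token_bytes(16)
    db.execute("INSERT INTO users (username, salt, pw_hash) VALUES (?, ?, ?)",
               (username, salt, _hash(password, salt)))


def login(db, username, password, now=None):
    """Return 'ok', 'invalid' or 'locked'. Unknown users get 'invalid' too,
    so the response does not reveal which usernames exist."""
    now = time.time() if now is None else now
    row = db.execute("SELECT salt, pw_hash, failed_attempts, locked_until "
                     "FROM users WHERE username = ?", (username,)).fetchone()
    if row is None:
        _hash(password, b"\x00" * 16)  # spend the same time as a real check
        return "invalid"
    salt, pw_hash, failed, locked_until = row
    if locked_until > now:
        return "locked"  # do not count or evaluate attempts while locked
    if hmac.compare_digest(_hash(password, salt), pw_hash):
        db.execute("UPDATE users SET failed_attempts = 0 WHERE username = ?", (username,))
        return "ok"
    failed += 1
    if failed >= setting(db, "max_login_attempts"):
        db.execute("UPDATE users SET failed_attempts = 0, locked_until = ? WHERE username = ?",
                   (now + setting(db, "lockout_seconds"), username))
        return "locked"
    db.execute("UPDATE users SET failed_attempts = ? WHERE username = ?", (failed, username))
    return "invalid"


def request_reset(db, username, now=None):
    """Issue a reset token. Only its hash is stored; the plaintext is handed to
    the caller for out-of-band delivery (email/SMS). Returns None for unknown
    users; the caller should show the same 'if the account exists...' message."""
    now = time.time() if now is None else now
    if db.execute("SELECT 1 FROM users WHERE username = ?", (username,)).fetchone() is None:
        return None
    token = secrets.token_urlsafe(32)
    db.execute("INSERT INTO reset_tokens VALUES (?, ?, ?)",
               (hashlib.sha256(token.encode()).digest(), username,
                now + setting(db, "reset_token_ttl_seconds")))
    return token


def reset_password(db, token, new_password, now=None):
    """Consume the token (single use, whether or not it is valid), set the new
    password and clear the failed-attempt counter and lock."""
    now = time.time() if now is None else now
    token_hash = hashlib.sha256(token.encode()).digest()
    row = db.execute("SELECT username, expires FROM reset_tokens WHERE token_hash = ?",
                     (token_hash,)).fetchone()
    db.execute("DELETE FROM reset_tokens WHERE token_hash = ?", (token_hash,))
    if row is None or row[1] < now:
        return False
    salt = secrets.token_bytes(16)
    db.execute("UPDATE users SET salt = ?, pw_hash = ?, failed_attempts = 0, locked_until = 0 "
               "WHERE username = ?", (salt, _hash(new_password, salt), row[0]))
    return True
```

Two points to keep when adapting this: the lock is checked before the password is evaluated, so a locked account cannot be probed further, and a successful reset both replaces the credential and clears the lock, which is what lets the legitimate user recover without waiting out the lockout window.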