WIP: Lock after failed logins
Locking the user out after consecutive failed logins. This adds a
AuthenticationProvider subclass which counts the number of failed logins for a user and sets their user to "locked" if the limit is exceeded. User can unlock their own account when they reset their password.
Related to #550