A lot of these decisions come down to how much friction can you afford introduce in order to enforce good security, relative to what you product is and how much value it delivers.
The rest of the UX outside of the locking itself comes into play, such as how do you unlock the account once locked, do you offer 2fa, what other details about a person to do you have to authenticate if they loose access to their registered email account, how much personalised support can the business afford to deliver, etc...
Its never a 1-size-fits-all answer and depends on the service, what it offers and what it's user expect.
The rest of the UX outside of the locking itself comes into play, such as how do you unlock the account once locked
This is exactly my thought. I've also been confronted with systems that lock but don't tell you when. There should always be a warning that the account is about to lock which could probably be coupled with a prompt to reset your password.
I had this happen again today actually. I wanted to change my password on ring.com, as somehow the one in my password manager was out of sync. I tried 2 or 3 times first using the incorrect password manager stored credentials, then did a password reset via email, after which I was still locked out. Surely once a password reset has been confirmed the lock should be lifted automatically? Instead I need to wait an undefined period of time before trying again.
I'm not sure "good or bad ux" is the right way to frame it. This is a security issue first and foremost.
I think it's more about locking the account after 4 failed tries, and is this a good and effective security practice?
And if so, what industries and applications should embrace this approach, are there any possible affordances, and in what industries and applications is this overkill?
And, if not, what is a better or smarter approach for user authentication that is secure, more tolerant of user mistakes, and user friendly?
Further, it might depend on the platform. So, for example, there may be authentication methods that are better suited for mobile, which aren't possible on web and vice versa.
Passwords are bad UX. We need to move beyond an internet that requires them, or at the very least an internet that requires an account for every little thing. Password managers are only a band-aid, as are single sign-in services. I refuse to let Google and Facebook manage my online presence any more than they already do. Sites need to test, test, test, and test again any sign-on/-up process against ALL browsers and their built-in password managers as well. I can't tell you how many times I've had to rely on one of my standard "memorabloe" passwords because a site couldn't be botherd to ensure the password is saved in my password manager since Safari doesn't share the strong password option so I can't copy/paste it later. Mobile apps are equally as spotty, even more so when you rely on a third-party password manager as I used to with 1Password.
Mobile apps are the worst offenders in this area. So little native compatibility with password managers and when you do it through the keyboard it doesn't always work.
What's the alternative? If we don't use passwords what replaces them to ensure security? I keep seeing this argument in various places, but no one suggests what else we might use.
I'd imagine some standard similar to the encrypted hardware chip Apple uses might be a good building block to create an SSO system not tied to any particular service. It would generate a unique hash for each person that could be tied to accounts across the internet. The data would need to be sharable across devices and sync to let sites know you signed onto their system using your phone but now want access using a tablet.
All I know is I have 600+ accounts saved in 1Password and many share the same password because they are old and did I mention there were 600+? Since password managers don't function well enough to rely on them fully, it's a pain to have to generate unique passwords for each service and look them up when the site or app won't properly access your password manager.