You can set the number of wrong trials per timeout period (see below) before login gets blocked for the current IP and user (since v3.2.3). The default setting is 10.
return [ 'auth' => [ 'trials' => 10 ];
You can also set the timeout in seconds for the period of time against which the number of trials is counted. The default is 3600.
return [ 'auth' => [ 'timeout' => 3600 ] ];