Users can lock an arbitrary account with knowledge of email
If I know a person's edX email address, I can make multiple wrong login attempts and that will lock this person out of their account. There is no recourse for them to quickly gain back access (see #PLAT-2455).
Instead of locking accounts on failed login attempts, issue a challenge (e.g. reCAPTCHA v2) after X failed login attempts. This is more effective and doesn't allow people to abuse the feature.
Steps to Reproduce
Reason for Variance
User Impact Summary
Case in point: you can find a person's email fairly easily, then lock them out.
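The challenge-instead-of-lockout policy proposed in this ticket, sketched as an added example (not edX platform code). `LoginGate`, `CHALLENGE_AFTER` and `FAILURE_WINDOW` are hypothetical names and values; the password check and the server-side CAPTCHA verification are assumed to happen elsewhere and arrive as booleans.

```python
import time
from dataclasses import dataclass, field

CHALLENGE_AFTER = 5        # assumed value for the ticket's "X"
FAILURE_WINDOW = 15 * 60   # assumed: seconds a failed attempt keeps counting


@dataclass
class LoginGate:
    """Tracks failed logins per email and demands a challenge, never a lock."""
    failures: dict = field(default_factory=dict)  # email -> [failure timestamps]

    def _recent(self, email, now):
        # Drop failures that have aged out of the window.
        kept = [t for t in self.failures.get(email, []) if now - t < FAILURE_WINDOW]
        self.failures[email] = kept
        return kept

    def challenge_required(self, email, now=None):
        now = time.time() if now is None else now
        return len(self._recent(email, now)) >= CHALLENGE_AFTER

    def attempt(self, email, password_ok, challenge_ok=False, now=None):
        """Return 'ok', 'denied' or 'challenge_required'; there is no locked state."""
        now = time.time() if now is None else now
        if self.challenge_required(email, now) and not challenge_ok:
            # The password is not evaluated until the challenge is solved, so
            # automated guessing stops while the real owner can still proceed.
            return "challenge_required"
        if password_ok:
            self.failures.pop(email, None)  # success clears the counter
            return "ok"
        self.failures.setdefault(email, []).append(now)
        return "denied"


def demo():
    """Constructed scenario: eight bad guesses, then the owner logs in."""
    gate = LoginGate()
    email = "victim@example.com"  # constructed sample address
    guesses = [gate.attempt(email, False, now=1000 + i) for i in range(8)]
    owner = gate.attempt(email, True, challenge_ok=True, now=1010)
    return guesses, owner


if __name__ == "__main__":
    print(demo())
```

Because repeated wrong guesses only raise the bar to a challenge, someone who knows the email address cannot deny the owner access; the owner solves the challenge and signs in with the correct password.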