In order to mitigate attacks on public self-service flows, all failures of steps including an authentication factor (email, password, etc). are counted for the user. The user account is locked if the configured threshold is reached.
The threshold is defined in
Loginapp >> Public Self-Service Flows >> Max Failed Factor Attempts.
Note that the threshold and the counter are not defined per flow. Failed attempts on a factor in one flow, therefore, influence the usage of all flows.
The failed factor counters can be viewed and reset in the Adminapp's user management section by locking and then unlocking the user.