Re: User to get locked after three wrong login attempts.

To elaborate, you should explain to the auditor that this introduces a huge denial-of-service vulnerability into your system. Anyone can start hammering on everyone else's accounts, and with a fairly trivial script, lock the entire company out of all accounts. This is a terrible idea.