Portal site setting: Max failed Access attempts

Authentication/UserManager/MaxFailedAccessAttemptsBeforeLockout is the site parameter you need to configure the maximum failed access attempts before locking out a portal users' account. By default this parameter value is 5, that means that after 5 failed attempts the user access is locked for 24 hours (this can be unlocked directly in the contact authentification).