Reduce `config.max_attempts` for devise logins to 6

Problem to solve

To meet our compliance control for account lockout, the maximum attempts before lockout should be 6 or less: https://about.gitlab.com/handbook/engineering/security/guidance/IAM.2.08_account_lockout.html#context

If this change can't be made for all users, it should be configurable by group so that it can be applied to gitlab-com and gitlab-org on GitLab.com.

Intended users

  • Sidney (Systems Administrator)
  • Sam (Security Analyst)

Proposal

The current maximum of 10 is configured in the Devise initializer here: https://gitlab.com/gitlab-org/gitlab/blob/9c52b1df26275a481bb9b21737cbd717d303e54f/config/initializers/8_devise.rb#L146.

Permissions and Security

If controlled by a group level configuration, it should be viewable and editable by Maintainers and Owners, similar to how enforcement of 2FA for group members is configured.

Documentation

If there is documentation that lists the defaults, it will need to be updated.

Testing

The existing tests for account lockout will probably need to be adjusted for the new maximum.
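As an added illustration for the Proposal and Testing sections above (not code from the GitLab repository or from Devise), the following Ruby sketch lists the Devise `:lockable` settings involved and models the failed-attempt counter so the lockout threshold can be checked in a test. The `LoginSimulator` class, the `attempts_before_lock` helper, the sample password and the `unlock_in` value are all constructed for this example.

```ruby
# Added example: a simplified model of Devise's :lockable behaviour, written
# for this issue to show what changing the maximum changes. It is not
# Devise's or GitLab's code; LoginSimulator is constructed here.

# Settings mirroring the Devise initializer options involved
# (config.maximum_attempts, config.lock_strategy, config.unlock_strategy,
# config.unlock_in). The value 6 is the maximum proposed in this issue;
# the unlock_in value is an assumption for the simulation.
LOCKOUT_SETTINGS = {
  maximum_attempts: 6,
  lock_strategy: :failed_attempts,
  unlock_strategy: :time,
  unlock_in: 10 * 60 # seconds
}.freeze

class LoginSimulator
  attr_reader :failed_attempts, :locked_at

  # clock is injectable so a test can advance time without sleeping.
  def initialize(password, settings = LOCKOUT_SETTINGS, clock: -> { Time.now })
    @password = password
    @settings = settings
    @clock = clock
    @failed_attempts = 0
    @locked_at = nil
  end

  # A time-based lock expires once unlock_in seconds have passed.
  def locked?
    return false if @locked_at.nil?
    if @settings[:unlock_strategy] == :time &&
       @clock.call - @locked_at >= @settings[:unlock_in]
      @locked_at = nil
      @failed_attempts = 0
      return false
    end
    true
  end

  # Returns :success, :locked or :invalid. A locked account rejects even
  # the correct password until it is unlocked.
  def attempt(password)
    return :locked if locked?
    if password == @password
      @failed_attempts = 0
      return :success
    end
    @failed_attempts += 1
    if @settings[:lock_strategy] == :failed_attempts &&
       @failed_attempts >= @settings[:maximum_attempts]
      @locked_at = @clock.call
      return :locked
    end
    :invalid
  end
end

# Counts wrong-password attempts until the account locks; this is the
# number the existing lockout tests would assert on.
def attempts_before_lock(settings = LOCKOUT_SETTINGS)
  sim = LoginSimulator.new('correct-horse', settings) # constructed sample
  count = 0
  loop do
    count += 1
    return count if sim.attempt('wrong') == :locked
  end
end
```

With `maximum_attempts: 6` the sixth consecutive failure locks the account; a test written against the old value of 10 would fail for that reason, which is the adjustment the Testing section anticipates.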

What does success look like, and how can we measure that?

Meeting requirements from potential large users of GitLab.com.

What is the type of buyer?

If implemented as a configurable value, this is probably most useful to larger organizations like GitLab itself with similar compliance requirements.

Links / references
