Reduce `config.maximum_attempts` for Devise logins to 6
Problem to solve
To meet our compliance control for account lockout, the maximum attempts before lockout should be 6 or less: https://about.gitlab.com/handbook/engineering/security/guidance/IAM.2.08_account_lockout.html#context
If this change can't be made for all users, it should be configurable by group so that it can be applied to gitlab-com and gitlab-org on GitLab.com.
Intended users
Proposal
The current maximum of 10 is set in the Devise initializer here: https://gitlab.com/gitlab-org/gitlab/blob/9c52b1df26275a481bb9b21737cbd717d303e54f/config/initializers/8_devise.rb#L146.
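To make the effect of the value concrete, and to sketch how a group-level override (as asked for in "Problem to solve") would combine with the instance-wide default, here is an added example. It is not GitLab's or Devise's code: it is a minimal model of Devise's Lockable behaviour (a per-user failed-attempt counter that locks the account once the counter reaches the configured maximum, and resets on a successful login). The `GroupLockoutPolicy` class, the `max_attempts:` keyword and the "strictest limit wins" rule are assumptions made for illustration, not an existing GitLab API.

```ruby
# Added example: a toy model of Devise's Lockable counting logic with a
# hypothetical group-level override. Not code from GitLab or Devise.

# Proposed instance-wide default (the current value in 8_devise.rb is 10).
INSTANCE_MAXIMUM_ATTEMPTS = 6

# Hypothetical per-group setting. max_attempts of nil means "inherit the
# instance-wide value"; this class and its name are assumptions.
class GroupLockoutPolicy
  attr_reader :name, :max_attempts

  def initialize(name, max_attempts: nil)
    @name = name
    @max_attempts = max_attempts
  end
end

class User
  attr_reader :failed_attempts, :locked_at

  def initialize(groups: [], instance_maximum: INSTANCE_MAXIMUM_ATTEMPTS)
    @groups = groups
    @instance_maximum = instance_maximum
    @failed_attempts = 0
    @locked_at = nil
  end

  # Effective limit: the strictest of the instance default and any group
  # value (assumed rule: a group can only tighten the limit, never loosen it).
  def maximum_attempts
    group_limits = @groups.map(&:max_attempts).compact
    ([@instance_maximum] + group_limits).min
  end

  def access_locked?
    !@locked_at.nil?
  end

  # Models Devise's increment_failed_attempts + attempts_exceeded?:
  # the account locks on the failure that makes failed_attempts >= maximum.
  # Returns true if this failure locked the account or it was already locked.
  def register_failed_login!(now: Time.now)
    return true if access_locked?

    @failed_attempts += 1
    @locked_at = now if @failed_attempts >= maximum_attempts
    access_locked?
  end

  # A successful login resets the counter, but a locked account cannot log in.
  def register_successful_login!
    return false if access_locked?

    @failed_attempts = 0
    true
  end
end

# Count how many consecutive failures it takes to lock a fresh user.
def attempts_until_locked(user)
  count = 0
  until user.access_locked?
    user.register_failed_login!
    count += 1
  end
  count
end

if __FILE__ == $PROGRAM_NAME
  puts "instance default: locked after #{attempts_until_locked(User.new)} failures"
  org = GroupLockoutPolicy.new('gitlab-org', max_attempts: 6)
  member = User.new(groups: [org], instance_maximum: 10)
  puts "group override: locked after #{attempts_until_locked(member)} failures"
end
```

With the instance value at 10 and a group policy of 6, a member of that group is locked on the sixth consecutive failure, while a user outside the group keeps the instance-wide limit. The `min` rule means a group setting can only tighten the instance default, which is the direction the compliance control cares about.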
Permissions and Security
If controlled by a group level configuration, it should be viewable and editable by Maintainers and Owners, similar to how enforcement of 2FA for group members is configured.
Documentation
If there is documentation that lists the defaults, it will need to be updated.
Testing
The existing tests for account lockout will need to be adjusted for the new maximum.
What does success look like, and how can we measure that?
Meeting requirements from potential large users of GitLab.com.
What is the type of buyer?
If implemented as a configurable value, this is probably most useful to larger organizations like GitLab itself with similar compliance requirements.