The Following document say "All accounts include a lockout mechanism. If the system detects a quick succession of multiple failed login attempts, the user account is temporarily unavailable to prevent brute force attacks."
If your organization is using Federated IDs, the number of times would be dictated by the identity provider. I'm still checking with our engineers on the number of times for Adobe IDs and Enterprise IDs. Stay tuned...