If you are planning to rely on OOTB Apache Sling (brilliant framework!), then you need to listen for the org.apache.sling.auth.core.AuthConstants.TOPIC_LOGIN_FAILED event and implement a failed-login throttling solution as per your needs, e.g. count the number of failures in an hour and, if more than x, lock the account.
The APIs exist in Sling; they just need your tailoring to fit your requirements.
"The login failure events would be useful for the implementation of a failed login throttling solution to prevent brute force dictionary attacks against sling to guess user passwords. An unlimited number of failed logins should not be allowed, but we need some way to gather the information to thwart it."
I would recommend you use a proper Identity Management tool, which should be able to handle such requirements with ease. AEM has authentication features, but blocking accounts after a number of unsuccessful tries... it's doable, but you get it for free with other tools. And there is good documentation on how SSO can be enabled on AEM.
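One way to implement the TOPIC_LOGIN_FAILED listener described above, as an added example (not code from the posters, Sling or AEM). It assumes OSGi Declarative Services annotations and that the event carries the attempted user id under SlingConstants.PROPERTY_USERID; the threshold of 5, the tracking cap and the lockAccount hook are hypothetical.

```java
import java.time.Duration;
import java.time.Instant;
import java.util.ArrayDeque;
import java.util.Deque;
import java.util.HashMap;
import java.util.Map;
import org.apache.sling.api.SlingConstants;
import org.apache.sling.auth.core.AuthConstants;
import org.osgi.service.component.annotations.Component;
import org.osgi.service.event.Event;
import org.osgi.service.event.EventConstants;
import org.osgi.service.event.EventHandler;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

@Component(service = EventHandler.class,
        property = EventConstants.EVENT_TOPIC + "=" + AuthConstants.TOPIC_LOGIN_FAILED)
public class FailedLoginThrottle implements EventHandler {
    private static final Logger LOG = LoggerFactory.getLogger(FailedLoginThrottle.class);
    private static final int MAX_FAILURES = 5;               // the "x" from the post; value assumed
    private static final Duration WINDOW = Duration.ofHours(1);
    private static final int MAX_TRACKED_USERS = 10_000;     // user ids are attacker-supplied: bound memory
    private final Map<String, Deque<Instant>> failures = new HashMap<>();

    @Override
    public void handleEvent(Event event) {
        // Assumption: the attempted user id is published under SlingConstants.PROPERTY_USERID.
        Object userId = event.getProperty(SlingConstants.PROPERTY_USERID);
        if (userId instanceof String && recordFailure((String) userId, Instant.now())) {
            lockAccount((String) userId);
        }
    }

    // Sliding window: true when this failure is more than MAX_FAILURES within WINDOW.
    synchronized boolean recordFailure(String userId, Instant now) {
        Instant cutoff = now.minus(WINDOW);
        if (failures.size() >= MAX_TRACKED_USERS && !failures.containsKey(userId)) {
            failures.values().removeIf(d -> d.peekLast().isBefore(cutoff)); // evict idle users
            if (failures.size() >= MAX_TRACKED_USERS) return false;         // still full: not tracked
        }
        Deque<Instant> q = failures.computeIfAbsent(userId, k -> new ArrayDeque<>());
        while (!q.isEmpty() && q.peekFirst().isBefore(cutoff)) q.pollFirst();
        q.addLast(now);
        if (q.size() <= MAX_FAILURES) return false;
        failures.remove(userId);  // lock is being applied; stop tracking this user
        return true;
    }

    // Hypothetical hook: replace with the real lock action (e.g. disabling the user via a service session).
    void lockAccount(String userId) {
        LOG.warn("Failed-login threshold exceeded for user: {}", userId.replaceAll("[\\r\\n]", "_"));
    }
}
```

The counters live in memory on one instance, so a restart or a second publish node resets or splits the count; a clustered deployment needs shared state or the identity provider's own lockout.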