We have implemented authentication requirement (from page properties -> advanced -> Authentication Requirement) for some of our sites and added Custom User Group so that only users part of that group can access the site after successful authentication.
The solution does not prevent users from trying as many attempts as they want. This may lead to brute force attack where attacker can try as many combinations for a user and get access to the secured site.
Is there any OOTB feature for locking out users based upon some number of unsuccessful authentication attempts? We can reproduce the same in author environment (though author is accessible by company network only) as well which requires login before updating any content.
If you want to have more sophisticated ways for authentication (that means including things like 2FA, password expiration, rate limits on log on etc) I would recommend you to connect AEM with a dedicated IDP service. AEM supports SAML which should be supported today by every IDP solution. AEM does not want to copy the features of these systems, because it's not an IDP by itself (and never wanted to be).