How many incorrect attempts should be allowed before invalidating a password?
I am trying to prevent brute-force attacks on a user's account by invalidating a password when too many attempts are made in the same minute, hour, day or something similar. The credentials in this scenario are for company employees on the road, and are used on an Android app.
At the same time, I do not want the user to have their password needlessly invalidated because they made a few mistakes.
How many attempts are enough? Or, alternatively, how do I determine how many are enough?
Asking in another way, what is the maximum number of mistakes a human should be allowed to make before contacting the helpdesk?
Edit: Authentication is done over the network. The app gets updated information from a company server after the user logs in successfully.
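One way to build the server-side mechanism the question describes, as an added example that is not part of the original question or of any particular product: failed attempts are counted per account in stacked time windows (per minute, per hour, per day); exceeding a short window only refuses the login for a while, and exceeding the daily window locks the account until the helpdesk resets it, which is the "invalidate the password" step the asker has in mind. The window sizes and limits (5 per minute, 20 per hour, 50 per day), the account names and the `LoginThrottle` API are assumptions chosen for illustration, not figures from the question. The last two helper functions show how to reason about "how many is enough": the daily limit is the attacker's whole guess budget per lock cycle, so dividing it by the size of the password space gives the chance that one cycle succeeds.

```python
"""Server-side failed-login throttle with per-minute/hour/day limits.

Added example, not taken from the question. The policy numbers below are
assumptions; derive your own from the password policy and from how many
helpdesk calls you are willing to absorb.
"""
from collections import deque
from dataclasses import dataclass, field

# Assumed policy: (window_seconds, max_failures_in_window), stacked.
# Exceeding a short window only delays the caller; exceeding the longest
# window locks the account until the helpdesk resets it.
DEFAULT_WINDOWS = ((60, 5), (3600, 20), (86400, 50))


@dataclass
class AccountState:
    failures: deque = field(default_factory=deque)  # timestamps of failed logins
    locked: bool = False                            # True once a helpdesk reset is required


class LoginThrottle:
    """Failed-login throttle keyed by account name (in-memory, single node)."""

    def __init__(self, windows=DEFAULT_WINDOWS):
        # Sorted ascending by window length; the last one triggers the hard lock.
        self.windows = tuple(sorted(windows))
        self.accounts = {}

    def _state(self, username):
        return self.accounts.setdefault(username, AccountState())

    def _failures_within(self, state, window, now):
        return sum(1 for t in state.failures if now - t <= window)

    def status(self, username, now):
        """Return 'locked', 'throttled' or 'open' without recording anything."""
        state = self._state(username)
        if state.locked:
            return "locked"
        # Forget failures older than the longest window; nothing consults them.
        longest = self.windows[-1][0]
        while state.failures and now - state.failures[0] > longest:
            state.failures.popleft()
        for window, limit in self.windows:
            if self._failures_within(state, window, now) >= limit:
                return "throttled"
        return "open"

    def attempt(self, username, password_ok, now):
        """Process one login; returns 'ok', 'rejected', 'throttled' or 'locked'.

        The throttle decision is made before the password is consulted, so a
        throttled or locked account answers the same for right and wrong
        passwords and does not leak which one was supplied.
        """
        state = self._state(username)
        current = self.status(username, now)
        if current != "open":
            return current
        if password_ok:
            state.failures.clear()  # a successful login resets the counters
            return "ok"
        state.failures.append(now)
        longest_window, hard_limit = self.windows[-1]
        if self._failures_within(state, longest_window, now) >= hard_limit:
            state.locked = True  # credential is now useless until the helpdesk resets it
            return "locked"
        return "rejected"

    def helpdesk_reset(self, username):
        """Clear the lock after the helpdesk has verified the employee."""
        state = self._state(username)
        state.failures.clear()
        state.locked = False


def max_guesses_before_lock(windows=DEFAULT_WINDOWS):
    """Upper bound on wrong guesses an attacker gets at one account per lock cycle."""
    return sorted(windows)[-1][1]


def guess_success_probability(password_space, windows=DEFAULT_WINDOWS):
    """Chance that one lock cycle of online guessing finds a uniformly random password."""
    return max_guesses_before_lock(windows) / password_space
```

Two practical points follow from the code. First, because the counters are keyed by account name, anyone who knows an employee's username can deliberately trip the daily limit and force a helpdesk call; a per-source-IP or per-device limit alongside the per-account one softens that, and the short windows should only delay rather than lock. Second, the daily limit, not the per-minute one, is what bounds the attacker: with 50 guesses per cycle against a six-digit PIN the success chance per cycle is 5e-5, while against a passphrase with a space of 2^40 it is negligible, so the right threshold depends on how strong the passwords are that the policy actually allows.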