Sessions are terminated after three failed logins. Users must start a new session to make additional attempts to authenticate. Sessions will also timeout after 60 seconds if not attempt is made to authenticate. Lastly, when prompted to change a password, a user has 3 attempts to successfully change it before the session is terminated.
References: AC-12