# support-questions
r
@User as per your question about adding a lockout functionality, here is how you can implement it: https://gist.github.com/rishabhpoddar/6fe2b98ac1e09aafcba4a7307027097e
- You will need to implement `isLockedOut`, `clearLoginAttemptCount`, `getLoginAttemptCount`, `lockOutEmail` and `setLoginAttemptCount` to talk to your own db.
- The `isLockedOut` function will return `true` if the email is locked and it's been <= 10 mins since the email was locked (as per your requirement).
- Sending `WRONG_CREDENTIALS_ERROR` if `isLockedOut`, will display that the entered credentials are incorrect on the frontend. This might be the best thing to do from a security point of view, but you can also throw an error and catch it in your own app error handler and then send a custom response to the frontend.
- You can even override other functions like `createResetPasswordToken` to check if the email is locked out and if it is, then prevent the user from doing a password reset flow.
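
The lockout flow described in the message above, as an added example that is not part of the original message or the linked gist. The in-memory, synchronous store, the `MAX_ATTEMPTS` threshold, and the names `signInWithLockout`, `verify` and `canStartPasswordReset` are assumptions made for illustration; real helpers would query your own db.

```javascript
// Added example (not the gist's code): in-memory stand-ins for the five
// helpers named in the message; real ones would talk to your own db.
const LOCKOUT_MS = 10 * 60 * 1000; // 10-minute window from the message
const MAX_ATTEMPTS = 5;            // assumed threshold, not stated in the message

const attempts = new Map(); // email -> consecutive failed sign-ins
const lockedAt = new Map(); // email -> time the lock was set (ms)
const key = (email) => email.trim().toLowerCase();

function getLoginAttemptCount(email) { return attempts.get(key(email)) || 0; }
function setLoginAttemptCount(email, n) { attempts.set(key(email), n); }
function clearLoginAttemptCount(email) { attempts.delete(key(email)); }
function lockOutEmail(email, now) { lockedAt.set(key(email), now); }

function isLockedOut(email, now) {
  const t = lockedAt.get(key(email));
  if (t === undefined) return false;
  if (now - t <= LOCKOUT_MS) return true; // still inside the window
  lockedAt.delete(key(email));            // lock expired: start fresh
  clearLoginAttemptCount(email);
  return false;
}

// Hypothetical wrapper: `verify(email, password)` stands in for the original
// sign-in call and returns { status: "OK" } or { status: "WRONG_CREDENTIALS_ERROR" }.
function signInWithLockout(verify, email, password, now = Date.now()) {
  if (isLockedOut(email, now)) {
    // Same response as a bad password; verify() is never called while locked.
    return { status: "WRONG_CREDENTIALS_ERROR" };
  }
  const result = verify(email, password);
  if (result.status === "OK") {
    clearLoginAttemptCount(email);
    return result;
  }
  const count = getLoginAttemptCount(email) + 1;
  setLoginAttemptCount(email, count);
  if (count >= MAX_ATTEMPTS) lockOutEmail(email, now);
  return result;
}

// Hypothetical guard for an overridden createResetPasswordToken: refuse while locked.
function canStartPasswordReset(email, now = Date.now()) {
  return !isLockedOut(email, now);
}
```

Because the locked branch returns before `verify` runs, a correct password submitted during the window gets the same response as a wrong one.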