What is the maximum number of VIP failures before a user is locked?

A user will be locked in VIP Manager if the User and Credential Lockout policy is enabled, set to USER, and the user reaches the threshold. If this policy is not enabled and first-factor (LDAP) is enabled, that user account will be locked in AD when the maximum bad password limit is reached in the policy in force for that user. 

The VIP credential assigned to the user will lock after 10 (default) invalid security codes are used. That value can be adjusted under the Credential Security Settings in VIP Manager. 

The fail counter for that token will reset after a successful authentication. The counter will not reset automatically. 

If the credential locks, the user must contact your help desk and request that an administrator unlock the credential.