Add separate config item for failed login count

It’s confusing that changing `MAX_VERIFY_CODE_COUNT` also limits the
number of failed login attempts that a user of text messages 2FA can
make.

This makes the parameters independent, and adds a test to make sure any
future changes which affect the limit of failed login attempts are
covered.

tests/app/user/test_rest_verify.py

@@ -71,6 +71,31 @@ def test_user_verify_code_bad_code_and_increments_failed_login_count(client,
     assert User.query.get(sample_sms_code.user.id).failed_login_count == 1
 
 
+@pytest.mark.parametrize('failed_login_count, expected_status', (
+    (9, 204),
+    (10, 404),
+))
+def test_user_verify_code_rejects_good_code_if_too_many_failed_logins(
+    client,
+    sample_sms_code,
+    failed_login_count,
+    expected_status,
+):
+    sample_sms_code.user.failed_login_count = failed_login_count
+    resp = client.post(
+        url_for('user.verify_user_code', user_id=sample_sms_code.user.id),
+        data=json.dumps({
+            'code_type': sample_sms_code.code_type,
+            'code': sample_sms_code.txt_code,
+        }),
+        headers=[
+            ('Content-Type', 'application/json'),
+            create_admin_authorization_header(),
+        ],
+    )
+    assert resp.status_code == expected_status
+
+
 @freeze_time('2020-04-01 12:00')
 @pytest.mark.parametrize('code_type', [EMAIL_TYPE, SMS_TYPE])
 def test_user_verify_code_expired_code_and_increments_failed_login_count(code_type, admin_request, sample_user):