Account locking should happen after 3 to 5 INCORRECT password attempts, and be unlockable by sending an email. This is how most account locking works.

Currently it locks after correct attempts, and there is no way to email to unlock.

The purpose of an account system is to stop unauthorised use... not prevent authorised use. InvalidCredentialsException should not be triggered for correct password. And unlock account should not rely on it maybe working after lots of waiting.