This scenario is maybe the most common one where we're talking about Basic Authentication. In this case the flaw arises from an effort to stop the attacker's activities via application controls. Usually is based on the idea of the maximum number of attempts allowed. After which, the user will be blocked for some time.
This scenario consists of a kind of wrong awareness perception, where even though the right thing has been done, it had been designed ignoring the context. This way, the system/application doesn't evaluate the flow of changes and ends up consolidating an attack unexpectedly.