Maybe the user was blocked for at least five minutes after three incorrect tries? If you then use the correct credentials again, you still get the same error message (which is not user friendly, but security seems to dictate we can't give potential hackers more information).
The System.User entity has the Blocked and BlockedSince attributes. Every five minutes Mendix will check if users can be unblocked again. Which means users will be blocked between five and ten minutes, depending on the moment they were blocked compared to the unblocking interval.