If an attacker launches many login attempts in parallel then the attacker can have more guesses at a password than the brute force protection configuration permits. This is due to the brute force check occurring before the brute force protector has locked the user.
Acknowledgements: Special thanks to Maurizio Agazzini for reporting this issue and helping us improve our project.