Handling too many failed login attempts

Currently it looks like a user can provide a wrong password really often (unlimited). I also saw that there is a short (random) delay after a user provided a wrong password. We would rather like to have an increasing time before a new attempt or alternatively the user should be locked. Is there a way to add such a feature? Kind Regards, Thomas.