Passwordless Verification Code Rate Limit

Overview

The brute-force protection Login Threshold is set to 10 attempts. However, users are not allowed to enter the verification code more than 5 times.

Applies To

  • Passwordless
  • Rate Limit
  • Brute Force Protection

Cause

As per the rate limit documentation, the Universal Login Passwordless verify code endpoint has a rate limit of 5 attempts per minute.

Solution

The limit reached is a specific rate limit that applies to Passwordless (Email or SMS) connections. It does not allow the user to enter an incorrect code more than five times. When the limit is reached, a new code must be requested.

Brute-force protection will also remain active if configured beyond this limit. 
