Details
- Improvement
- Status: Open
- Minor
- Resolution: Unresolved
- 3.11.3
- None
- MOODLE_311_STABLE
Description
Came across a small edge-case bug, where a manual self-registered user A attempted to log in and failed a few times and inadvertently locked out another account, which was an SSO user B. The settings on this site meant that usernames were protected so that user A didn't get any feedback, but user B got the lockout email out of the blue and had a small panic.
Currently an SSO plugin could work around this by setting the login_lockout_ignored preference on every user they manage, but I think it would be better if auth plugins simply had a new method like ignore_user_lockout().
It would probably be even better if each auth plugin declares whether it is an SSO plugin or not, and ignore_user_lockout has a default implementation which leverages that.
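
A standalone PHP sketch of the proposal above, added here as an example; it is not Moodle code or the reporter's. The sketch_* classes and the accounts are constructed, is_sso() and ignore_user_lockout() are the hypothetical methods being proposed, and it assumes SSO-managed accounts cannot sign in with a local password, so skipping the counter for them removes no brute-force protection.

```php
<?php
// Standalone model, not Moodle code. is_sso() and ignore_user_lockout() are the
// hypothetical methods from the proposal; every sketch_* name is made up here.
abstract class sketch_auth_plugin {
    // Each plugin declares whether an external SSO provider authenticates its users.
    public function is_sso() { return false; }
    // Default implementation: SSO-managed accounts opt out of local lockout.
    public function ignore_user_lockout() { return $this->is_sso(); }
}
class sketch_auth_manual extends sketch_auth_plugin {}
class sketch_auth_sso extends sketch_auth_plugin {
    public function is_sso() { return true; }
}

class sketch_lockout {
    private $plugins;        // username => auth plugin managing that account
    private $threshold;      // failed attempts before lockout
    private $failed = [];    // username => failed attempt count
    public $notified = [];   // usernames that were sent a lockout email

    public function __construct(array $plugins, $threshold) {
        $this->plugins = $plugins;
        $this->threshold = $threshold;
    }

    public function login_attempt_failed($username) {
        $plugin = $this->plugins[$username] ?? null;
        if ($plugin === null || $plugin->ignore_user_lockout()) {
            return; // Unknown username or plugin opts out: no counter, no email.
        }
        $this->failed[$username] = ($this->failed[$username] ?? 0) + 1;
        if ($this->failed[$username] === $this->threshold) {
            $this->notified[] = $username; // Stand-in for sending the lockout email.
        }
    }

    public function is_locked_out($username) {
        return ($this->failed[$username] ?? 0) >= $this->threshold;
    }
}

// Constructed accounts: user_a self-registered (manual), user_b managed by SSO.
$plugins = ['user_a' => new sketch_auth_manual(), 'user_b' => new sketch_auth_sso()];
$lockout = new sketch_lockout($plugins, 3);
foreach (['user_b', 'user_b', 'user_b', 'user_a', 'user_a', 'user_a'] as $typed) {
    $lockout->login_attempt_failed($typed); // Wrong password typed for $typed.
}
var_dump($lockout->is_locked_out('user_b'), $lockout->is_locked_out('user_a'), $lockout->notified);
```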