As long as "a lot of attempts" take longer than the time it'll take the sun to expand and envelop the earth, that's not really a problem.

Every form of authentication is either subject to "a lot of attempts" or trivial DoS (for when you rate limit the login API so now admins can't log in either). The principles behind modern authentication are mostly "how do we make verification require even more attempts if the attacker doesn't know the password".