devise is vulnerable to time-of-check to time-of-use (TOCTOU) attacks. The vulnerability exists through a concurrency issue where using :lockable
could allow a user to perform an action multiple times while the backend counts these as 1 attempt only.