Please explain to me, TheRedDevil, why you do NOT think it is a "conflict of interest" to allow someone to circumvent my "Lock Out" feature by simply clicking on the "Reset Password" link??
Sure, though first, to avoid any confusion, since you mentioned that you have a "change password" and a "reset password" feature: if both of those are available before the user logs in, then that does not really make sense. Before a user successfully logs in, it is normal to have a feature that allows them to reset their password; whether it is called Lost Password, Reset Password, etc. does not matter.
Now, the key here is not that your system should allow me to successfully reset my password (+ locked-out status) and by that get access again if I am locked out. This is, as you say, not desired functionality.
At the same time, I do not see why this is a problem, as from a programming side this is a very simple problem to solve.
There are two ways to sort this:
1. On the reset/lost password page, you first check if the account is locked down; if it is, then you do not allow them to initiate a password reset, but instead show an error letting them know the account has been locked down.
2. When an account is locked down, you change the account status, so even if the user resets his/her password, he/she will still not be able to log in before you lift their lockdown; i.e., you check against this status on the login page.
If I break that cycle and require an Admin's (i.e. "my") intervention, then I can do some research and look for any suspicious patterns before I send out a Password Reset. For example, maybe I notice this is a regular issue. Or that something else looks suspicious, like the failures keep coming from an IP in China, and yet this User is in Des Moines, IA?
This is something that you can just as easily do automatically by using a geolocation database/service to validate the person logging in or asking for a password reset, or, for example, if they try to do a specific thing within the member area from a new country. A good example of the last one is PayPal: if you try to initiate a transfer from your PayPal account from a new country (if you're on vacation, for example), they will lock down your account. In this case, it is a security feature I believe is well placed, since the risk of damage is pretty high if the account was hijacked.
Let's say you have an ex-lover who is still pissed at you for breaking their heart, and since they know your Username/Email, this crazed ex-lover just keeps trying and trying and trying until he/she finally gets in?!
If this is a problem, then it means the site in question is in a specific niche, and if this is the case, then added security features like this might be a valid option (other than that, this problem is actually also a brute-force issue, only that it is done manually instead of automatically).
The problem is that unless you change the username at the same time you unlock the account, the person can just come back and try again, which just delays the problem.
An idea to try here would be to implement an SMS service, and if an account is locked down, you send an SMS to the user letting them know (you should also send them an email), as that will let them know right away if someone else tries to log in to their account. In addition, you can allow them to re-enable their account themselves, by entering a code delivered by SMS, for example. This is actually a "commonly" used solution by larger companies, since it does add a more secure lockdown but at the same time keeps the "manual support work" to a minimum. Today implementing an SMS service is much simpler than it was a decade ago, and unless you need a lot of messages, there are a lot of providers that have a free "entry package".
Some of the methods mentioned above do require higher programming knowledge, so I am not sure if they are all viable options for you. Please note that there are free GeoIP databases and services as well, so you can implement all of these with the only cost being the time it takes to program it.
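The following is an added example, not code from either participant in the thread, showing the two lockdown methods from the numbered list above (refusing to start a reset for a locked account, and checking the lock status on the login page so a completed reset still does not grant access) together with the SMS self-service unlock code suggested later in the reply. It goes slightly beyond the post by also capping how many wrong unlock codes are accepted before the code is voided, since a six-digit code is otherwise a small search space. The failure threshold of 5, the PBKDF2 password hashing, the `send_sms` callback and the account data are all assumptions or constructed values.

```python
import hashlib
import hmac
import os
import secrets
from dataclasses import dataclass
from typing import Callable, Optional

MAX_LOGIN_FAILURES = 5   # assumed threshold; the post names no number
MAX_CODE_ATTEMPTS = 3    # wrong SMS codes tolerated before the code is voided


class LockedOut(Exception):
    """Raised when a login is attempted against a locked-down account."""


@dataclass
class Account:
    username: str
    salt: bytes
    pw_hash: bytes
    failures: int = 0
    locked: bool = False
    unlock_code: Optional[str] = None
    code_attempts: int = 0


def hash_password(password: str, salt: bytes) -> bytes:
    # PBKDF2-HMAC-SHA256 from the standard library: an implementation choice, not the post's.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


def create_account(username: str, password: str) -> Account:
    salt = os.urandom(16)
    return Account(username, salt, hash_password(password, salt))


def login(acct: Account, password: str) -> bool:
    """Method 2 from the post: the lock status is checked on the login page itself,
    so a password reset alone never restores access. Failed attempts are counted
    and the account locks once the threshold is reached."""
    if acct.locked:
        raise LockedOut(f"account {acct.username!r} is locked down")
    if hmac.compare_digest(hash_password(password, acct.salt), acct.pw_hash):
        acct.failures = 0
        return True
    acct.failures += 1
    if acct.failures >= MAX_LOGIN_FAILURES:
        acct.locked = True
    return False


def request_password_reset(acct: Account) -> bool:
    """Method 1 from the post: a locked-down account may not even start a reset."""
    if acct.locked:
        return False   # caller shows "account has been locked down" instead of mailing a link
    return True        # caller would now send the reset link


def reset_password(acct: Account, new_password: str) -> None:
    """Completing a reset changes the credential only; `locked` is deliberately untouched."""
    acct.salt = os.urandom(16)
    acct.pw_hash = hash_password(new_password, acct.salt)


def issue_unlock_code(acct: Account, send_sms: Callable[[str, str], None]) -> str:
    """Lock-down notice plus self-service unlock code over SMS, as the post suggests.
    `send_sms(recipient, message)` is a hypothetical delivery callback standing in
    for whatever provider client is used."""
    code = f"{secrets.randbelow(10**6):06d}"
    acct.unlock_code = code
    acct.code_attempts = 0
    send_sms(acct.username, f"Your account was locked after failed logins. Unlock code: {code}")
    return code


def unlock_with_code(acct: Account, code: str) -> bool:
    """Lift the lock-down only on a matching code; void the code after too many misses
    so it cannot be guessed by repeated submission."""
    if acct.unlock_code is None:
        return False
    if not hmac.compare_digest(acct.unlock_code.encode(), code.encode()):
        acct.code_attempts += 1
        if acct.code_attempts >= MAX_CODE_ATTEMPTS:
            acct.unlock_code = None
        return False
    acct.locked = False
    acct.failures = 0
    acct.unlock_code = None
    return True


if __name__ == "__main__":
    # Constructed walk-through: five bad guesses lock the account, the reset page
    # refuses, a forced reset still cannot log in, and the SMS code lifts the lock.
    acct = create_account("alice", "correct horse battery")
    for _ in range(MAX_LOGIN_FAILURES):
        login(acct, "wrong guess")
    print("locked:", acct.locked, "| reset allowed:", request_password_reset(acct))
    reset_password(acct, "brand new password")
    try:
        login(acct, "brand new password")
    except LockedOut as exc:
        print("login after reset:", exc)
    code = issue_unlock_code(acct, lambda to, msg: print("SMS to", to, "->", msg))
    print("unlocked:", unlock_with_code(acct, code), "| login:", login(acct, "brand new password"))
```

Which of the two checks you pick matters less than having at least one of them; the login-page check is the safer default because it holds even if a reset link was issued before the lock was applied. The SMS notice doubles as the early warning the reply describes: the legitimate user learns someone is hammering their account as soon as the lock triggers.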