It seems like a good idea to me, maybe just set a default time between log-in attempts of 10-30 seconds. That will at least slow directed BF attacks down considerably. However, there is nothing to stop the attacker attacking multiple accounts simultaneously, switching between targets as it gets locked out.
This won't help. They do not brute-force it like this.
What matters is the amount of entropy in the passphrase.
is.
It's even in principle possible to make a system where single word passwords like 'apple12' are safe, but key generation would be way too long.