We recommend that you upgrade to Pega 7.2.1 or Pega 7.2.2 (after GA) to get this feature. I remember working on a similar hotfix requirement, and I can say there are significant rule changes and class changes involved to have this feature working as expected without any repercussions.
Hence, I believe getting this feature as a hotfix in older versions isn't recommended.
You can enforce account lockout after repeated failed login attempts by an operator to thwart brute-force attacks. When an account is locked, the Pega 7 Platform does not allow any further login attempts, regardless of the password supplied, until the account is unlocked. The account can be unlocked manually or automatically, depending on how you configure the lockout duration.
Activating account lockout policy
To configure your account lockout policy, complete the following steps:
Set the Enable authentication lockout penalty policy to Disabled. This step is required because the account lockout policy and the lockout penalty policy cannot be enforced at the same time.
Set the Failed login attempts before password lockout policy to the maximum number of failed login attempts you want to allow. When the number of failed attempts exceeds this value, the account is locked; that is, with a value of 3 the account is locked when a fourth failed attempt is recorded.
Set the Password lockout duration policy to the period (in minutes) for which you want the account to remain locked:
Set the policy to a non-zero value if you want the account to be unlocked automatically once that period has elapsed.
Set the policy to zero if you want the account to stay locked until it is unlocked manually.
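The three policy values above interact in ways that are easy to get wrong when testing, so here is a small Python model of the resulting behaviour. This is an added example, not Pega code: the `LockoutPolicy`, `Authenticator` and `SAMPLE_USERS` names, the plaintext credential store and the injectable fake clock are assumptions made so the model runs offline. It shows the account locking on the attempt that exceeds the limit, a locked account rejecting even the correct password, automatic unlock after a non-zero duration, and manual unlock being the only way out when the duration is zero.

```python
"""Model of the account lockout policy described above.

Added example (not Pega code). Names, the plaintext user store and the
fake clock are assumptions made to keep the model self-contained.
"""
import hmac
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional

# Constructed sample credential store (plaintext only to keep the model short;
# a real system stores password hashes).
SAMPLE_USERS = {"alice": "correct-horse", "bob": "battery-staple"}


@dataclass
class LockoutPolicy:
    penalty_enabled: bool = False      # "Enable authentication lockout penalty"
    max_failed_attempts: int = 3       # "Failed login attempts before password lockout"
    lockout_minutes: int = 15          # "Password lockout duration"; 0 = manual unlock only

    def __post_init__(self) -> None:
        # Lockout and lockout penalty cannot be enforced at the same time.
        if self.penalty_enabled:
            raise ValueError("disable the lockout penalty before enabling account lockout")
        if self.max_failed_attempts < 1 or self.lockout_minutes < 0:
            raise ValueError("invalid lockout policy values")


@dataclass
class AccountState:
    failed_attempts: int = 0
    locked_at: Optional[float] = None  # epoch seconds; None when not locked


class Authenticator:
    def __init__(self, policy: LockoutPolicy, users: Dict[str, str],
                 clock: Callable[[], float] = time.time) -> None:
        self.policy = policy
        self.users = users
        self.clock = clock            # injectable so tests can advance time
        self.state: Dict[str, AccountState] = {}

    def _state(self, user: str) -> AccountState:
        return self.state.setdefault(user, AccountState())

    def is_locked(self, user: str) -> bool:
        st = self._state(user)
        if st.locked_at is None:
            return False
        if self.policy.lockout_minutes == 0:
            return True                # zero duration: only unlock() clears it
        if self.clock() - st.locked_at >= self.policy.lockout_minutes * 60:
            st.locked_at = None        # duration elapsed: auto-unlock, reset counter
            st.failed_attempts = 0
            return False
        return True

    def login(self, user: str, password: str) -> str:
        """Return 'ok', 'failed' or 'locked'."""
        if self.is_locked(user):
            return "locked"            # rejected even if the password is correct
        st = self._state(user)
        expected = self.users.get(user)
        # Unknown users take the same failure path (and lock the same way) so the
        # lockout response cannot be used to enumerate valid operator IDs.
        if expected is not None and hmac.compare_digest(expected.encode(), password.encode()):
            st.failed_attempts = 0
            return "ok"
        st.failed_attempts += 1
        if st.failed_attempts > self.policy.max_failed_attempts:   # "exceeds"
            st.locked_at = self.clock()
            return "locked"
        return "failed"

    def unlock(self, user: str) -> None:
        """Manual unlock by an administrator."""
        st = self._state(user)
        st.locked_at = None
        st.failed_attempts = 0


def brute_force_demo(lockout_minutes: int, guesses: int = 6):
    """Script an attack against 'alice' with a fake clock.

    Returns the per-attempt outcomes (wrong guesses, then the correct password
    while locked) and whether the account is still locked after
    lockout_minutes + 1 minutes have passed.
    """
    now = [1_700_000_000.0]
    auth = Authenticator(LockoutPolicy(max_failed_attempts=3, lockout_minutes=lockout_minutes),
                         SAMPLE_USERS, clock=lambda: now[0])
    results = [auth.login("alice", f"guess{i}") for i in range(guesses)]
    results.append(auth.login("alice", "correct-horse"))
    now[0] += (lockout_minutes + 1) * 60
    return results, auth.is_locked("alice")


if __name__ == "__main__":
    print("duration 15:", brute_force_demo(15))
    print("duration 0: ", brute_force_demo(0))
```

With a limit of 3, the first three wrong passwords report `failed`, the fourth locks the account, and the correct password is then rejected as `locked`; with a 15-minute duration the account is free again once the fake clock passes that mark, whereas with a duration of 0 it stays locked until `unlock()` is called.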