I was making the call to authenticate users this way
SignInManager.PasswordSignInAsync(model.Email, model.Password, false, true);
The last boolean parameter was set to true, causing the exception when the credentials were wrong. Changing to false stopped the exceptions, but it is frustrating that account lockout isn't implemented by default. I didn't see a way to override IncrementAccessFailedCountAsync in a derived UserManager or SignInManager class. What is the recommended way to implement account lockout?