No account lock out on repeated attempts with the wrong password wasn't an option
Tracking it by IP/DeviceID easily defeatable.
No other option really, encrypted bio maybe fingerprint or iris, has a cost that especially to get round this issue.
All you need is an other email, not that big a deal.