diff --git a/app/controllers/users/sessions_controller.rb b/app/controllers/users/sessions_controller.rb index 14d112334ca..4a428feb7d2 100644 --- a/app/controllers/users/sessions_controller.rb +++ b/app/controllers/users/sessions_controller.rb @@ -30,8 +30,6 @@ def new end def create - track_authentication_attempt(auth_params[:email]) - return process_locked_out_session if session_bad_password_count_max_exceeded? return process_locked_out_user if current_user && user_locked_out?(current_user) @@ -40,6 +38,7 @@ def create handle_valid_authentication ensure increment_session_bad_password_count if throttle_password_failure && !current_user + track_authentication_attempt(auth_params[:email]) end def destroy @@ -175,6 +174,7 @@ def track_authentication_attempt(email) success: success, user_id: user.uuid, user_locked_out: user_locked_out?(user), + bad_password_count: session[:bad_password_count].to_i, stored_location: session['user_return_to'], sp_request_url_present: sp_session[:request_url].present?, remember_device: remember_device_cookie.present?, diff --git a/app/services/analytics_events.rb b/app/services/analytics_events.rb index 571df55a675..9681d93bdce 100644 --- a/app/services/analytics_events.rb +++ b/app/services/analytics_events.rb @@ -240,6 +240,7 @@ def doc_auth_warning(message: nil, **extra) # @param [Boolean] success # @param [String] user_id # @param [Boolean] user_locked_out if the user is currently locked out of their second factor + # @param [String] bad_password_count represents number of prior login failures # @param [String] stored_location the URL to return to after signing in # @param [Boolean] sp_request_url_present if was an SP request URL in the session # @param [Boolean] remember_device if the remember device cookie was present @@ -248,6 +249,7 @@ def email_and_password_auth( success:, user_id:, user_locked_out:, + bad_password_count:, stored_location:, sp_request_url_present:, remember_device:, 
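Review bot: Moving `track_authentication_attempt(auth_params[:email])` into the method-level `ensure` of `create` means the analytics call now executes on every exit path, including after an exception from the body, and in Ruby an exception raised inside `ensure` replaces the one already propagating, so a failure in the analytics backend or in `auth_params` on a malformed request would hide the original error from the 500 trace. The call also now silently depends on running after `increment_session_bad_password_count`, because the event reads the session counter, and nothing in the code records that ordering. I would add above the call `# Must run after the counter is incremented so the event reports the post-attempt bad_password_count; runs on every exit path, including exceptions.` and decide explicitly whether an analytics failure here should be rescued and logged rather than allowed to mask the real exception. The `create` method begins outside this hunk.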
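Review bot: `bad_password_count: session[:bad_password_count].to_i` reports the per-session throttle counter, not a per-account failure count, so a client that discards its session cookie between attempts will emit an event with a count of 0 or 1 every time; anyone building detection or lockout metrics on this field needs to know it only measures failures within one cookie session. `.to_i` also maps a missing key to 0, which matches the success case the spec expects but makes "no failures" and "fresh session" indistinguishable in the event. A one-line comment would prevent misreading downstream: `# Per-session counter (reset with the cookie); not a per-user lockout count.` The enclosing `track_authentication_attempt` method starts and ends outside this hunk.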
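Review bot: The new YARD tag `# @param [String] bad_password_count represents number of prior login failures` declares the wrong type: the controller passes `session[:bad_password_count].to_i`, an Integer, and the specs assert integers (`0`, `1`, `2`). The wording "prior" also appears to be off, since the spec expects `1` after the first bad password and `2` after the second, i.e. the value includes the current failed attempt. Suggest `# @param [Integer] bad_password_count number of failed password attempts in this session, including the current one`. The documented `email_and_password_auth` definition is outside this hunk.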
@@ -258,6 +260,7 @@ def email_and_password_auth( success: success, user_id: user_id, user_locked_out: user_locked_out, + bad_password_count: bad_password_count, stored_location: stored_location, sp_request_url_present: sp_request_url_present, remember_device: remember_device, diff --git a/spec/controllers/users/sessions_controller_spec.rb b/spec/controllers/users/sessions_controller_spec.rb index 90c9523a959..bc04f027ab1 100644 --- a/spec/controllers/users/sessions_controller_spec.rb +++ b/spec/controllers/users/sessions_controller_spec.rb @@ -199,6 +199,7 @@ describe 'POST /' do include AccountResetHelper + it 'tracks the successful authentication for existing user' do user = create(:user, :signed_up) subject.session['user_return_to'] = mock_valid_site @@ -209,6 +210,7 @@ success: true, user_id: user.uuid, user_locked_out: false, + bad_password_count: 0, stored_location: mock_valid_site, sp_request_url_present: false, remember_device: false, @@ -231,6 +233,7 @@ success: false, user_id: user.uuid, user_locked_out: false, + bad_password_count: 1, stored_location: nil, sp_request_url_present: false, remember_device: false, @@ -249,6 +252,7 @@ success: false, user_id: 'anonymous-uuid', user_locked_out: false, + bad_password_count: 1, stored_location: nil, sp_request_url_present: false, remember_device: false, @@ -287,6 +291,7 @@ success: false, user_id: user.uuid, user_locked_out: true, + bad_password_count: 0, stored_location: nil, sp_request_url_present: false, remember_device: false, 
@@ -298,6 +303,30 @@ post :create, params: { user: { email: user.email.upcase, password: user.password } } end + it 'tracks count of multiple unsuccessful authentication attempts' do + user = create( + :user, + :signed_up, + ) + + stub_analytics + + analytics_hash = { + success: false, + user_id: user.uuid, + user_locked_out: false, + bad_password_count: 2, + stored_location: nil, + sp_request_url_present: false, + remember_device: false, + } + + post :create, params: { user: { email: user.email.upcase, password: 'invalid' } } + expect(@analytics).to receive(:track_event). + with('Email and Password Authentication', analytics_hash) + post :create, params: { user: { email: user.email.upcase, password: 'invalid' } } + end + it 'tracks the presence of SP request_url in session' do subject.session[:sp] = { request_url: mock_valid_site } stub_analytics @@ -305,6 +334,7 @@ success: false, user_id: 'anonymous-uuid', user_locked_out: false, + bad_password_count: 1, stored_location: nil, sp_request_url_present: true, remember_device: false, @@ -374,6 +404,7 @@ success: true, user_id: user.uuid, user_locked_out: false, + bad_password_count: 0, stored_location: nil, sp_request_url_present: false, remember_device: false, @@ -446,6 +477,7 @@ success: true, user_id: user.uuid, user_locked_out: false, + bad_password_count: 0, stored_location: nil, sp_request_url_present: false, remember_device: true, @@ -471,6 +503,7 @@ success: true, user_id: user.uuid, user_locked_out: false, + bad_password_count: 0, stored_location: nil, sp_request_url_present: false, remember_device: true,
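Review bot: The new example only constrains the second `track_event` call, because `expect(@analytics).to receive(:track_event).with(...)` is installed after the first `post`, so the first event's `bad_password_count` (presumably 1, with the first call absorbed by whatever `stub_analytics` sets up) is never asserted and a regression that reports 2 on both attempts would still pass. Pinning both events would verify the increment: `expect(@analytics).to receive(:track_event).with('Email and Password Authentication', analytics_hash.merge(bad_password_count: 1)).ordered` before the first post, and the existing expectation with `.ordered` appended before the second. As a style point, `create(` spread over four lines for two symbols reads oddly next to the one-line `create(:user, :signed_up)` the sibling examples use. The enclosing `describe 'POST /'` block continues outside this hunk.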