What I would suggest to keep both the security and user friendliness in entering passwords would be to add a certain number of no-delay attempts (e.g. 3).
This way humans would get a certain number of quick retype attempts in case of typos or different keyboard layouts (often the case with me, as I switch between US and Croatian, depending on what I'm doing).
After this initial number, let the exponential delay kick in (2 s, 4 s, ... or whatever it currently is) to prevent any bot attacks.
For a brute force attack, a couple of extra attempts isn't a significant advantage, and for humans that makes all the difference in making the system more responsive.
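An added example (not from the original post) of the scheme described above: a per-account throttle that gives a few instant retries before doubling delays, plus a small calculation of how many sequential guesses the delays permit per hour. The 300 s cap and the in-memory per-account counter are assumptions.

```python
BASE_DELAY = 2.0   # seconds before the first delayed retry (the post's "2 s, 4 s, ...")
MAX_DELAY = 300.0  # assumed cap so a legitimate user is never locked out for hours


def required_delay(failures: int, free_attempts: int = 3) -> float:
    """Seconds to wait before the next attempt after `failures` consecutive failures.

    The first `free_attempts` retries are instant; after that the delay doubles
    with every further failure and is capped at MAX_DELAY.
    """
    if failures < free_attempts:
        return 0.0
    return min(BASE_DELAY * 2 ** (failures - free_attempts), MAX_DELAY)


class LoginThrottle:
    """Per-account failure counter (in-memory; a real deployment would persist it)."""

    def __init__(self, free_attempts: int = 3):
        self.free_attempts = free_attempts
        self._state = {}  # account -> (consecutive failures, time of last failure)

    def seconds_until_allowed(self, account: str, now: float) -> float:
        """0.0 if an attempt may proceed now, otherwise the remaining wait."""
        failures, last_failure = self._state.get(account, (0, 0.0))
        wait = required_delay(failures, self.free_attempts)
        return max(0.0, last_failure + wait - now)

    def record(self, account: str, success: bool, now: float) -> None:
        if success:
            self._state.pop(account, None)  # a correct password resets the counter
        else:
            failures, _ = self._state.get(account, (0, 0.0))
            self._state[account] = (failures + 1, now)


def guesses_within(window: float, free_attempts: int) -> int:
    """How many sequential guesses fit in `window` seconds against one account,
    assuming the guesser waits exactly the required delay each time."""
    elapsed, guesses = 0.0, 0
    while elapsed + required_delay(guesses, free_attempts) <= window:
        elapsed += required_delay(guesses, free_attempts)
        guesses += 1
    return guesses


if __name__ == "__main__":
    # Compare one free attempt against three: the hourly guess budget barely moves.
    for free in (1, 3):
        print(f"{free} free attempt(s): {guesses_within(3600, free)} guesses/hour")
```

With these constants, three free attempts allow 21 guesses per hour against a single account versus 19 with one, which is the "couple of extra attempts" the post refers to.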