One could attempt to log in from multiple IPs over a long span of time, let's say weeks. This scenario is difficult to trace using timers. Alternatively, sending email alerts on each failed log in attempt may not very optimal and generate a lot of false positives - person A (not an intruder) randomly tries logging in by impersonating multiple github users.

IMO something similar to SSH security policies like allowing logging in from a set of IPs and/or without password i.e. using public key, may be a good idea.