
You would only be able to DoS individual accounts, rather than the whole website. Do it by IP address; sure, at some point someone with a huge enough botnet will be able to crack an account. But is it likely that someone will use their entire botnet to crack a single user's password on some consumer service?


Depends on what you can do on that site. Around my part of the world:

* Phone/number that is redirecting a call pays for the redirected leg of the call

This leads to a lot of creative hacking on trying to program a phone to redirect calls to expensive service numbers or foreign numbers. And many operators let you administer call redirection on their website.


An alternative might be for the user to be able to request that the block is cleared, and for that process to send out an automated email; if the user clicks the link in the email, the block is cleared.

It's no less secure than a password reset and would mean that legitimate account owners can't be locked out of their accounts by attackers.
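
The email-link unblock proposed in the comment above, sketched as an added example that is not part of the thread or any commenter's code. The threshold, link lifetime, class and method names are assumptions; the token is handled the way a password-reset token usually is (random, stored only as a hash, expiring, single use).

```python
import hashlib
import hmac
import secrets
import time

MAX_FAILURES = 5      # assumed lockout threshold, not a value from the thread
TOKEN_TTL = 15 * 60   # assumed lifetime of the emailed link, in seconds


class AccountLockout:
    """Per-account block that the owner can clear through an emailed link."""

    def __init__(self, now=time.time):
        self.now = now
        self.failures = {}  # username -> consecutive failed logins
        self.pending = {}   # username -> (sha256 of unblock token, expiry time)

    def is_blocked(self, user):
        return self.failures.get(user, 0) >= MAX_FAILURES

    def record_login(self, user, ok):
        if self.is_blocked(user):
            return False  # a correct password is refused too while blocked
        if ok:
            self.failures.pop(user, None)
            return True
        self.failures[user] = self.failures.get(user, 0) + 1
        return False

    def request_unblock(self, user):
        """Return the token to put in the emailed link, or None if not blocked."""
        if not self.is_blocked(user):
            return None
        token = secrets.token_urlsafe(32)
        digest = hashlib.sha256(token.encode()).digest()
        self.pending[user] = (digest, self.now() + TOKEN_TTL)
        return token

    def redeem(self, user, token):
        """Clear the block only for a matching, unexpired, unused token."""
        digest, expiry = self.pending.get(user, (b"", 0.0))
        presented = hashlib.sha256(token.encode()).digest()
        if self.now() > expiry or not hmac.compare_digest(digest, presented):
            return False  # a wrong guess leaves the owner's real link valid
        del self.pending[user]  # single use
        self.failures.pop(user, None)
        return True
```

A wrong token does not consume the pending one, so someone guessing at the unblock endpoint cannot invalidate the link sitting in the owner's inbox.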



