You are looking at the wrong setting. Admin Tools does not disable the user account exactly because users can't self-activate their account if it gets blocked. What it does is temporarily block their IP address. You can change that under the Auto-ban tab. Remember that this setting affects all blocked requests for any reason and IP address.
You could alternatively set “Treat failed logins as a reason for blocking the request” to No so they don't get blocked for too many failed login attempts.
However, the really best solution is that your client's 3PD developers actually pay attention to what they do to log into the site. It's surely not that hard copying a URL, a username and a password? If your client provides these correctly and they can't do a simple copy & paste I would very strongly doubt these 3PD's ability to develop their way out of a wet paper bag. Speaking as someone who regularly gets frustrated at how difficult it is to copy information when the client just shoves it all together, occasionally adding periods after the password because they are ending a sentence in the form of "site login example.com word foobar login brad theman su brad dr@dst3r." (login info fictitious but not far off from some real world examples). So, yeah, I think clear communication is the best solution that doesn't have a security impact.
Nicholas K. Dionysopoulos
Lead Developer and Director
🇬🇷Greek: native 🇬🇧English: excellent 🇫🇷French: basic • 🕐 My time zone is Europe / Athens
Please keep in mind my timezone and cultural differences when reading my replies. Thank you!