On the login page, add the account_email as a session that is created when they login.
double click the Authenticate user server behavior. On the third page, you can select columns to store in session variables.
No recreate the recordset using the account_email session variable instead of the post value on the login success page.
add a set session value server behavior to capture the count that is returned.
For the trigger use Session Variable is not set.
For the value, click the lightning bolt and select the count column from the recordset.
You will need to manually rearrange the code so the set session value behavior is after the recordset.
In the security assist access rules manager, create a new rule to check that the count session is less than or equal to 10. then apply that rule to the login success page and send them to the update your account page if it fails.
Again, you may have to rearrange the code so the the rule is after the session value code.