this is not done with validation show if.
Set the failed redirect in the security assist authenticate user server behavior to go back to the login page with a query string variable:
login.php?failed=true.
then on the login page add an if statement to show the error:
[php]
<?php if(isset($_GET['falied']) && $_GET['falied'] == "true") { ?>
Incorrrect user name or password
<?php } ?>