try this, the order of the pam_tally2.so have to be first above all else, If you google around you should have found this
but if you haven't, there you go
auth required pam_tally2.so deny=3
auth required pam_env.so
auth sufficient pam_fprintd.so
auth sufficient pam_unix.so nullok try_first_pass
#auth requisite pam_succeed_if.so uid >= 500 quiet
auth required pam_deny.so