The mechanism is the following: lidsadm reads the current capabilities/flags, updates them according to your command line, asks you for a password, and feeds all of that to LIDS. If the password is OK, the capabilities/flags are updated and a security alert is raised to log the changes.
To make LIDS recognize your password, you must give it the password's RIPEMD-160 fingerprint, which lidsadm can compute (see chapter 4). This fingerprint is considered very difficult to break, so even if someone gets access to your kernel binary, they are unlikely to recover your password.
You can configure the number of attempts allowed before the switching capability is disabled, and how long it stays disabled. Each failed password attempt is logged, whatever value you specified for the number of attempts.
The lower the number of attempts is and the higher the timeout is, the more secure the system will be.
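The attempt limit and timeout described above can be modelled as a small state machine. This is an added example, not LIDS source code: the names (`sw_guard`, `sw_try`) are hypothetical, the candidate fingerprint is assumed to be already computed, and it assumes that the failure counter resets on success or when the lock expires, and that attempts made during the lockout are refused without checking the password and are still logged.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define FP_LEN 20 /* RIPEMD-160 digest size in bytes */

enum sw_result { SW_OK, SW_BAD_PASSWORD, SW_LOCKED };

/* Hypothetical model of the switching guard, not LIDS's own structure. */
struct sw_guard {
    uint8_t  fingerprint[FP_LEN]; /* stored fingerprint of the password */
    unsigned max_attempts;        /* failures allowed before lockout */
    unsigned lock_seconds;        /* how long switching stays disabled */
    unsigned failures;            /* consecutive failures so far */
    long     locked_until;        /* 0 means not locked */
    unsigned logged;              /* number of log lines emitted */
};

/* Compare all bytes with no early exit, so timing does not leak the match length. */
static int fp_equal(const uint8_t *a, const uint8_t *b)
{
    uint8_t diff = 0;
    for (size_t i = 0; i < FP_LEN; i++)
        diff |= a[i] ^ b[i];
    return diff == 0;
}

/* One switching attempt at time `now` (seconds). Every outcome is logged. */
enum sw_result sw_try(struct sw_guard *g, const uint8_t *candidate, long now)
{
    if (g->locked_until && now < g->locked_until) {
        g->logged++;
        fprintf(stderr, "switch refused, locked for %ld s\n", g->locked_until - now);
        return SW_LOCKED;
    }
    if (g->locked_until) { g->locked_until = 0; g->failures = 0; } /* lock expired */
    if (fp_equal(g->fingerprint, candidate)) {
        g->failures = 0;
        g->logged++;
        fprintf(stderr, "security alert: capabilities/flags changed\n");
        return SW_OK;
    }
    g->failures++;
    g->logged++; /* logged whatever max_attempts is set to */
    fprintf(stderr, "failed attempt %u of %u\n", g->failures, g->max_attempts);
    if (g->failures >= g->max_attempts)
        g->locked_until = now + (long)g->lock_seconds;
    return SW_BAD_PASSWORD;
}
```

With a limit of 2 and a 60-second timeout, two wrong fingerprints disable switching, and even the correct fingerprint is refused until the timeout has passed.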