We have a web application where when the user gets locked (from consecutive invalid passwords), the unlock account flow would be like this...
1. Click unlock account link
2. Next page will ask for username and email
3. If the combination in #2 is valid, it will proceed to a page where the app asks the user to trigger sending a token through SMS
4. On the next page, the user enters the token and successfully unlocks the account
Is this setup susceptible to DoS attacks, like bots? Do we still have to use CAPTCHAs here?
No, you don't need a captcha because the user has authenticated. You can still have a DoS in that a bad guy locks out all of your user accounts though. And for that matter hammers you with traffic as the bad guy submits millions of requests to your site to try to do the lockouts. Which means you should load test. And if you are a website on which a DoS is likely, you should add another mechanism to avoid the lockouts. For example on this site, we use increasing delays between attempts after the first few to prevent the denial of service from happening in the first place.
I would use an email rather than an SMS message though. If someone gets ahold of your username/email combinations, they can SMS spam your users, which is more intrusive than email spam.
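
The increasing-delay approach mentioned in the answer, sketched as an added example (not code from the answer or from the site it refers to). The class name, the per-username keying, and the constants for the number of free attempts, the base delay and the cap are all assumptions chosen for illustration.

```python
import time

FREE_ATTEMPTS = 3   # assumed: consecutive failures allowed before any delay
BASE_DELAY = 2.0    # assumed: seconds to wait after the first throttled failure
MAX_DELAY = 900.0   # assumed: cap, so an account is slowed down but never hard-locked


class LoginThrottle:
    """Per-account increasing delay used in place of a hard lockout."""

    def __init__(self, clock=time.monotonic):
        self._clock = clock   # injectable so the behaviour can be tested offline
        self._state = {}      # username -> (consecutive failures, time of last failure)

    def delay_for(self, failures):
        """Seconds that must pass after the Nth consecutive failure."""
        if failures <= FREE_ATTEMPTS:
            return 0.0
        # Doubles with each failure past the free ones: 2s, 4s, 8s, ... up to the cap.
        return min(BASE_DELAY * 2 ** (failures - FREE_ATTEMPTS - 1), MAX_DELAY)

    def retry_after(self, username):
        """Seconds the caller must still wait; 0.0 means an attempt may be checked."""
        failures, last = self._state.get(username, (0, 0.0))
        return max(0.0, last + self.delay_for(failures) - self._clock())

    def record(self, username, success):
        """Record the outcome of an attempt that was allowed and actually checked."""
        if success:
            self._state.pop(username, None)   # a good login resets the counter
        else:
            failures, _ = self._state.get(username, (0, 0.0))
            self._state[username] = (failures + 1, self._clock())


if __name__ == "__main__":
    # Constructed walk-through with a fake clock: five wrong passwords in a row.
    now = [0.0]
    throttle = LoginThrottle(clock=lambda: now[0])
    for attempt in range(1, 6):
        now[0] += throttle.retry_after("alice")   # wait out any pending delay
        throttle.record("alice", success=False)
        print(attempt, "failed, next attempt allowed in", throttle.retry_after("alice"), "s")
```

Requests that arrive while `retry_after` is non-zero should be rejected without checking the password and without calling `record`, so a flood of guesses cannot push the delay any higher than one checked failure per window.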