Android 17 slashes PIN guessing attempts to 20, enforces 14-year lockout

The twentieth attempt requires fourteen years of waiting
Google's new Android 17 lockscreen defense makes brute-force PIN attacks mathematically impractical.

In the quiet arithmetic of security, Google has drawn a new line between a stolen phone and the life it contains. Android 17 reduces the window for brute-force PIN attacks from 1,800 attempts to just 20, with escalating timeouts so severe that the final guess requires fourteen years of waiting — a mathematical wall designed not merely to slow thieves, but to render the attempt meaningless. It is a reminder that the most effective defenses are not those that fight back, but those that make the fight not worth having.

  • A stolen Android phone was never truly safe — 1,800 PIN attempts gave a patient thief a realistic path to everything inside.
  • Android 17 collapses that window to 20 attempts, with timeouts that grow so steep the twentieth guess cannot be entered for fourteen years after the nineteenth failure.
  • A duplicate guess detection system ensures that tired or distracted owners aren't punished for re-entering the same wrong PIN, keeping the experience humane for legitimate users.
  • The change is part of Google's wider campaign to drain the value from stolen devices by making their contents permanently inaccessible without the correct credentials.
  • The protection is real but not yet universal — manufacturers will spend months rolling out Android 17, meaning the defense will spread gradually across the installed base.

Google has fundamentally changed how Android phones resist the most direct attack on a stolen device: someone methodically guessing a PIN. With Android 17, brute-force attempts have moved from impractical to effectively impossible.

The contrast is stark. Android 16 allowed 1,800 failed attempts before permanently locking an attacker out — theoretically feasible with enough patience. Android 17 cuts that ceiling to 20. More importantly, the timeouts between failures grow exponentially. After just five wrong guesses, waiting periods begin escalating. By the twentieth attempt, a thief would need to wait fourteen years since their nineteenth failure before trying again. After that final guess, the device stops accepting PIN entries entirely.

Google's Mishaal Rahman noted that the system also includes duplicate guess detection — if a user enters the same wrong PIN more than once, it isn't counted against the limit, and a message appears confirming the repeated entry. Real owners benefit from this grace; attackers do not.

The feature is part of a broader effort to make stolen phones economically worthless. Physical theft cannot be prevented, but when a device's contents remain permanently locked, the underground market for stolen hardware loses its appeal.

Though the system was quietly introduced in December with Android 16 QPR2, it is now shipping broadly with Android 17. The rollout will take months as manufacturers integrate and test the update across both new and existing devices — meaning the protection will expand gradually, rather than arriving all at once.

Google has fundamentally reshaped how Android devices defend themselves against the most basic attack on a stolen phone: someone trying to guess your PIN. With Android 17, released last month, the company has tightened the screws so dramatically that brute-force attacks have moved from impractical to nearly impossible.

The numbers tell the story. Under Android 16, a thief had 1,800 attempts to crack a four-digit PIN before the device locked them out permanently. That sounds like a lot until you do the math—with enough time and patience, it was theoretically feasible. Android 17 cuts that ceiling to just 20 attempts. But the real shift is in the timeouts. Where the old system allowed ten wrong guesses in the first minute before penalties kicked in, the new version permits only five. After that, the waiting periods grow exponentially with each failed attempt. By the time someone reaches their twentieth and final guess, they will have waited fourteen years.

This is not a typo. The twentieth PIN attempt, according to Google's implementation, can only be entered after fourteen years have passed since the nineteenth failed attempt. After that twentieth failure, the device stops accepting PIN guesses entirely. The math is brutal by design: a thief with a stolen phone cannot realistically wait fourteen years for a single additional attempt.

Mishaal Rahman, Google's Community Engagement Manager for Android, explained that the system includes a feature called duplicate guess detection. If a user enters the same incorrect PIN multiple times—which happens in real life when someone is tired or distracted—they won't be penalized. The system recognizes the duplicate and doesn't count it against the limit. A unique message appears on screen to tell the user they've entered that same wrong code before. This preserves usability for legitimate owners while maintaining the fortress-like defense against attackers.

The feature is part of a broader Google initiative to make stolen phones worthless to thieves and the underground economy that buys and resells them. None of these protections will stop someone from physically stealing a device, but they make the stolen device itself nearly impossible to access. Without access, the data inside—photos, messages, financial information, authentication tokens—remains locked away. The economics of phone theft shift when the merchandise can't be unlocked or resold.

Google actually introduced this system in December as part of Android 16 QPR2, a quarterly platform release. But it's shipping broadly now with Android 17, which arrived last month. The rollout, however, will take time. Phone manufacturers typically spend months integrating new Android versions into their devices, testing them, and pushing updates to both new phones and older models already in users' hands. Anyone with a current device will eventually receive Android 17, but the protection won't be universal overnight. The gradual deployment means that over the coming months, the installed base of Android phones will slowly gain this new defense against one of the oldest and most direct attacks on mobile security.

When enabled, users aren't penalized for entering the same incorrect guess multiple times, and these rejections don't increase the incorrect guess count.
— Mishaal Rahman, Community Engagement Manager for Android at Google
The Hearth Conversation Another angle on the story
Inventor

Why reduce the attempts from 1,800 to just 20? That seems like an enormous swing.

Model

Because 1,800 attempts over five years is actually exploitable if you have the time and the right tools. Twenty attempts with exponential timeouts is not. The real genius is the timeout curve—it makes the math work against you so completely that waiting becomes the attack's enemy.

Inventor

But what about the user experience? If I forget my PIN, am I locked out for fourteen years?

Model

That's where duplicate guess detection comes in. If you enter the same wrong PIN twice, it doesn't count against you. The system knows you're just being forgetful, not an attacker. But if you're genuinely guessing wrong PINs—different ones each time—then yes, the timeouts escalate. It's a trade-off that assumes most users know their own PIN.

Inventor

This only works if the thief doesn't have other ways in. What if they have your fingerprint or face data?

Model

True. This is specifically about PIN and password guessing. Biometrics are a different layer. But for someone who steals a phone and has no biometric data, no password, nothing but time and determination, this makes that path nearly impossible.

Inventor

When does everyone get this?

Model

Gradually. Phone makers need months to integrate it, test it, and push it out. So the protection spreads across the installed base slowly. By the end of the year, most newer phones will have it. Older devices might take longer or never get it at all.

Contact Us FAQ