Android 17's new lock screen trick could frustrate anyone trying to break into your phone


www.androidauthority.com

Android biometric prompt dialog with PIN fallback

Mishaal Rahman / Android Authority


TL;DR

Google first announced stronger lock screen protections for Android 17 during The Android Show: I/O Edition in May. These new protections make it significantly harder for anyone to force their way into your phone by guessing your lock screen PIN or password. Now, Google’s Mishaal Rahman has shared exactly how the new security feature works in Android 17, and the changes are more aggressive than you might expect.

According to Rahman, Android 17 introduces much stricter default rate limiting for PIN and password attempts on supported devices. Instead of allowing hundreds of guesses over time, the system now sharply reduces the number of incorrect attempts before longer lockouts kick in.

Previous versions of Android were considerably more lenient when it came to PIN and password guesses. Android 16 allowed up to 10 guesses in the first minute, 20 within six minutes, 50 within 25 minutes, 110 over 24 hours, and as many as 1,800 guesses across five years.

Android's hard limit for failed PIN attempts has dropped from 1,800 over five years to just 20.

Starting with Android 16 QPR2, Google made a change that carries forward into Android 17. The policy is now much stricter, with devices allowing only six guesses in the first minute, seven within six minutes, eight within 25 minutes, 12 over 24 hours, and just 19 guesses across five years. After 20 incorrect attempts, no further guesses are permitted.

Google explains that the old limits left room for attackers to exploit the fact that many people choose common PINs or passwords rather than random ones. Someone who knows your personal information, like your birthday or anniversary, could improve their odds of guessing your PIN or password even further by trying commonly used combinations first.

That said, there are times you, as a legitimate user, might genuinely forget your PIN or password. For those times, Android 17 includes a duplication exemption. So if you accidentally repeat the same wrong PIN multiple times, duplicate incorrect entries will no longer count toward the failed-attempt limit. Instead, the system recognizes the repeated mistake, ignores it, and displays a dedicated message explaining why the attempt wasn’t counted.
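To make the two schedules and the duplication exemption concrete, here is an added example (a simplified model written for this article, not Android source code). It assumes each tier is measured from the first counted failure and takes the hard limits of 1,800 and 20 from the figures above; the class, function and sample names are hypothetical.

```python
# Added illustration: a simplified model of the limits quoted in the article,
# not Android source code. Tier semantics and names are assumptions.
MIN, DAY = 60, 86_400
FIVE_YEARS = 5 * 365 * DAY
# (seconds since first counted failure, max counted failures while inside that window)
ANDROID_16 = [(MIN, 10), (6 * MIN, 20), (25 * MIN, 50), (DAY, 110), (FIVE_YEARS, 1800)]
ANDROID_17 = [(MIN, 6), (6 * MIN, 7), (25 * MIN, 8), (DAY, 12), (FIVE_YEARS, 19)]


class GuessLimiter:
    def __init__(self, tiers, hard_limit, exempt_duplicates=False):
        self.tiers, self.hard_limit = tiers, hard_limit
        self.exempt_duplicates = exempt_duplicates
        self.failed = 0            # wrong guesses that counted against the limit
        self.first_failure = None  # time of the first counted failure
        self.seen = set()          # wrong guesses already counted (model only)

    def allowance(self, now):
        """Number of counted failures permitted at time `now` (seconds)."""
        elapsed = 0 if self.first_failure is None else now - self.first_failure
        for window, cap in self.tiers:
            if elapsed < window:
                return cap
        return self.hard_limit     # past the last window: only the hard cap remains

    def attempt(self, now, guess, correct):
        if self.failed >= self.allowance(now):
            return "locked_out"            # throttled: guess is not even evaluated
        if guess == correct:
            return "unlocked"
        if self.exempt_duplicates and guess in self.seen:
            return "duplicate_ignored"     # repeated mistake does not count
        self.seen.add(guess)
        if self.first_failure is None:
            self.first_failure = now
        self.failed += 1
        return "counted"


def run(limiter, events, correct):
    """Feed (time, guess) pairs to the limiter and return each outcome."""
    return [limiter.attempt(t, g, correct) for t, g in events]


# Constructed input: a user retypes the same wrong PIN once per second, then the right one.
FORGETFUL = [(t, "1234") for t in range(8)] + [(30, "4321")]
# Constructed input: one distinct wrong guess per second for six minutes.
DISTINCT = [(t, f"{t:04d}") for t in range(6 * MIN)]

if __name__ == "__main__":
    print(run(GuessLimiter(ANDROID_17, 20, exempt_duplicates=True), FORGETFUL, "4321"))
    print(run(GuessLimiter(ANDROID_17, 20), DISTINCT, "9999").count("counted"))
```

With the exemption on, the forgetful user burns one attempt and still unlocks; with it off, the same keystrokes exhaust the first-minute allowance and the correct PIN is refused until the next tier opens.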

Google is also improving the lock screen experience during lengthy lockouts. Rather than showing large countdowns in seconds, Android 17 displays more readable time units. For example, “Try again in 30 minutes” instead of “Try again in 1800 seconds.”

Finally, Android 17 also displays a recovery shortcut on the lock screen to help you quickly find account recovery options from another device.
