Android 17's new lock screen trick could frustrate anyone trying to break into your phone

PIN guess attempts have been slashed from 1,800 over five years to just 20, alongside several other new protections.
2 hours ago

Android biometric prompt dialog with PIN fallback
Mishaal Rahman / Android Authority
TL;DR
  • Android 17 includes stricter lock screen rate limits to make PIN and password guessing much more difficult than before.
  • Devices running Android 17 will allow far fewer incorrect attempts before imposing lengthy lockouts.
  • Google has also implemented a hard cap of 20 failed attempts and introduced duplicate-guess detection and clearer lockout messages for legitimate users.

Google first announced stronger lock screen protections for Android 17 during The Android Show: I/O Edition in May. These new protections make it significantly harder for anyone to force their way into your phone by guessing your lock screen PIN or password. Now, Google’s Mishaal Rahman has shared exactly how the new security feature works in Android 17, and the changes are more aggressive than you might expect.

Stronger unlock protections in Android 17

According to Rahman, Android 17 introduces much stricter default rate limiting for PIN and password attempts on supported devices. Instead of allowing hundreds of guesses over time, the system now sharply reduces the number of incorrect attempts before longer lockouts kick in.

Previous versions of Android were considerably more lenient when it came to PIN and password guesses. Android 16 allowed up to 10 guesses in the first minute, 20 within six minutes, 50 within 25 minutes, 110 over 24 hours, and as many as 1,800 guesses across five years.

Android's hard limit for failed PIN attempts has dropped from 1,800 over five years to just 20.

Starting with Android 16 QPR2, Google made a change that carries forward into Android 17. The policy is now much stricter: devices allow only six guesses in the first minute, seven within six minutes, eight within 25 minutes, 12 over 24 hours, and just 19 guesses across five years. After 20 incorrect attempts, no further guesses are permitted.

Google explains that the old limits left room for attackers to exploit the fact that many people choose common PINs or passwords rather than random ones. Someone who knows your personal information, like your birthday or anniversary, could improve their odds of guessing your PIN or password even further by trying commonly used combinations first.

That said, there are times you, as a legitimate user, might genuinely forget your PIN or password. For those times, Android 17 includes a duplication exemption. So if you accidentally repeat the same wrong PIN multiple times, duplicate incorrect entries will no longer count toward the failed-attempt limit. Instead, the system recognizes the repeated mistake, ignores it, and displays a dedicated message explaining why the attempt wasn’t counted.
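To see what the quoted limits mean in practice, the following added example (not Google's code and not from the original article) models both policies as a tiered throttle and counts how many distinct wrong guesses each one accepts at the fastest permitted pace. It assumes each figure is a sliding-window limit; the `Throttle` class, `guesses_within` function and the way duplicates are tracked are hypothetical names and choices made for illustration.

```python
MIN, DAY, YEAR = 60, 86_400, 365 * 86_400

# (max counted failures, sliding window in seconds), figures as quoted in the article
ANDROID_16 = [(10, MIN), (20, 6 * MIN), (50, 25 * MIN), (110, DAY), (1800, 5 * YEAR)]
ANDROID_17 = [(6, MIN), (7, 6 * MIN), (8, 25 * MIN), (12, DAY), (19, 5 * YEAR)]
HARD_CAP_17 = 20  # after 20 incorrect attempts no further guesses are permitted


class Throttle:
    """Illustrative model only; the sliding-window reading is an assumption."""

    def __init__(self, tiers, hard_cap=None, skip_duplicates=False):
        self.tiers, self.hard_cap = tiers, hard_cap
        self.skip_duplicates = skip_duplicates
        self.failures = []  # timestamps of counted failures, ascending
        self.seen = set()   # wrong guesses tried so far (the article does not say how devices track these)

    def next_allowed(self, now):
        """Earliest time >= now a guess is accepted, or None once the hard cap is hit."""
        if self.hard_cap is not None and len(self.failures) >= self.hard_cap:
            return None
        t = now
        for limit, window in self.tiers:
            if len(self.failures) >= limit:
                # the limit-th most recent failure must age out of this window
                t = max(t, self.failures[-limit] + window)
        return t

    def fail(self, now, guess):
        """Record a wrong guess; return True if it counted toward the limits."""
        if self.skip_duplicates and guess in self.seen:
            return False
        self.seen.add(guess)
        self.failures.append(now)
        return True


def guesses_within(tiers, horizon, hard_cap=None):
    """Distinct wrong guesses accepted before `horizon` seconds at the maximum permitted rate."""
    throttle, now, count = Throttle(tiers, hard_cap), 0, 0
    while True:
        t = throttle.next_allowed(now)
        if t is None or t >= horizon:
            return count
        throttle.fail(t, count)
        now, count = t, count + 1


if __name__ == "__main__":
    for name, tiers, cap in (("Android 16", ANDROID_16, None), ("Android 17", ANDROID_17, HARD_CAP_17)):
        print(name, [guesses_within(tiers, h, cap) for h in (MIN, DAY, 5 * YEAR)])
```

Under this model the 24-hour budget falls from 110 guesses to 12, which is the gap that matters against someone working through a short list of common PINs.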

Google is also improving the lock screen experience during lengthy lockouts. Rather than showing large countdowns in seconds, Android 17 displays more readable time units. For example, “Try again in 30 minutes” instead of “Try again in 1800 seconds.”

Finally, Android 17 also displays a recovery shortcut on the lock screen to help you quickly find account recovery options from another device.
