Android 17 locks down retries with a 20-fail cap

Android 17 introduces stricter lock screen rate limits, dropping the allowed failed PIN/password guesses dramatically and imposing longer lockouts after fewer attempts. Google has also added a hard cap of 20 failed tries, duplicate-guess detection for legitima
The moment you start tapping in your PIN wrong, Android 17 is now keeping a much tighter tally than before. The lock screen doesn’t just take longer to unlock after repeated mistakes—it stops accepting guesses far earlier, with a hard cap of 20 failed attempts built into the default protections.
Google previewed the direction for Android 17’s stronger lock screen protections during The Android Show: I/O Edition in May. The goal is straightforward: make PIN and password guessing “much more difficult” by sharply reducing how many incorrect attempts are allowed before longer lockouts begin.
In earlier Android versions, the system gave attackers far more room to brute-force. Android 16, for example, allowed up to 10 guesses in the first minute, 20 within six minutes, 50 within 25 minutes, 110 over 24 hours, and as many as 1,800 guesses across five years. In Android 17, that overall tolerance collapses: from 1,800 over five years down to just 20.
The stricter approach is already laid out in the newer policy that started with Android 16 QPR2 and now carries forward into Android 17. Devices running Android 17 allow only six guesses in the first minute, seven within six minutes, eight within 25 minutes, 12 over 24 hours, and just 19 guesses across five years. After 20 incorrect attempts, no further guesses are permitted.
Google’s reasoning is that the old limits were too forgiving, especially because many people lean on personal patterns. Someone trying to break in could benefit from the way humans choose lock codes: not random ones, but ones tied to real life. Google points to cases like birthdays or anniversaries, where an attacker who knows personal information can improve their odds by trying commonly used combinations first.
Android 17 doesn’t ignore the other side of the problem: what happens when you’re the legitimate user who genuinely forgets your PIN or password. For those moments, Google includes a “duplication exemption.” If you accidentally repeat the same wrong PIN multiple times, duplicate incorrect entries won’t count toward the failed-attempt limit. Android 17 recognizes the repeated mistake, ignores it, and shows a dedicated message explaining why the attempt wasn’t counted.
Even when the lockout lasts a while, Android 17 aims to make the wait feel clearer. Instead of showing large countdowns measured in seconds, it switches to more readable time units—for example, “Try again in 30 minutes” instead of “Try again in 1800 seconds.”
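To make the policy concrete, here is a small model of the attempt windows quoted above, the duplication exemption, and the readable countdown. This is an added illustration written for this page, not Android’s own lock-screen code: the article gives only the per-window limits, so the sliding-window semantics, the reset of the tally after a correct entry, the 365-day year and the `LockoutPolicy` class and its method names are all assumptions made here.

```python
"""Illustrative model of Android 16 vs. Android 17 failed-attempt windows.

Written for this page as an example; not the platform's implementation.
Assumptions: each window is a sliding window ending at 'now', a correct
entry clears the tally, and a year is 365 days.
"""
import math
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

MINUTE = 60
HOUR = 60 * MINUTE
DAY = 24 * HOUR
YEAR = 365 * DAY  # assumption: the article does not define a year length

# (window length in seconds, maximum counted failures inside that window),
# using the figures the article quotes for each release.
ANDROID_16_WINDOWS: List[Tuple[int, int]] = [
    (1 * MINUTE, 10), (6 * MINUTE, 20), (25 * MINUTE, 50), (1 * DAY, 110), (5 * YEAR, 1800),
]
ANDROID_17_WINDOWS: List[Tuple[int, int]] = [
    (1 * MINUTE, 6), (6 * MINUTE, 7), (25 * MINUTE, 8), (1 * DAY, 12), (5 * YEAR, 19),
]
ANDROID_17_HARD_CAP = 20  # after 20 counted failures no further guesses are accepted


@dataclass
class LockoutPolicy:
    windows: List[Tuple[int, int]]
    hard_cap: Optional[int] = None       # None: no absolute ceiling (Android 16 style)
    duplicate_exempt: bool = False       # Android 17's "duplication exemption"
    _failures: List[Tuple[float, str]] = field(default_factory=list)  # (time, guess)
    _last_wrong: Optional[str] = None

    def counted_failures(self) -> int:
        return len(self._failures)

    def _in_window(self, now: float, length: int) -> List[float]:
        return sorted(ts for ts, _ in self._failures if now - ts < length)

    def is_locked(self, now: float) -> bool:
        """Locked if the hard cap is reached or any window is exhausted."""
        if self.hard_cap is not None and len(self._failures) >= self.hard_cap:
            return True
        return any(len(self._in_window(now, length)) >= limit for length, limit in self.windows)

    def seconds_until_unlock(self, now: float) -> Optional[float]:
        """Seconds until the next guess is accepted; None if permanently locked."""
        if self.hard_cap is not None and len(self._failures) >= self.hard_cap:
            return None
        wait = 0.0
        for length, limit in self.windows:
            recent = self._in_window(now, length)
            if len(recent) >= limit:
                # A slot frees when enough of the oldest failures age out of the window.
                oldest_needed = recent[len(recent) - limit]
                wait = max(wait, oldest_needed + length - now)
        return wait

    def attempt(self, guess: str, correct: str, now: float) -> str:
        """Returns 'ok', 'locked', 'wrong' or 'duplicate' (wrong but not counted)."""
        if self.is_locked(now):
            return "locked"
        if guess == correct:
            self._failures.clear()   # assumption: success clears the tally
            self._last_wrong = None
            return "ok"
        if self.duplicate_exempt and guess == self._last_wrong:
            return "duplicate"       # same mistake again: shown to the user, not counted
        self._failures.append((now, guess))
        self._last_wrong = guess
        return "wrong"


def humanize(seconds: float) -> str:
    """Render a wait in its largest readable unit, e.g. 1800 -> '30 minutes'."""
    for name, length in (("day", DAY), ("hour", HOUR), ("minute", MINUTE), ("second", 1)):
        if seconds >= length or length == 1:
            n = math.ceil(seconds / length)
            return f"{n} {name}{'s' if n != 1 else ''}"
    return "0 seconds"


if __name__ == "__main__":
    policy = LockoutPolicy(ANDROID_17_WINDOWS, hard_cap=ANDROID_17_HARD_CAP, duplicate_exempt=True)
    for t, guess in enumerate(["0000", "0000", "0001", "0002", "0003", "0004", "0005", "0006"]):
        print(t, guess, policy.attempt(guess, "4242", float(t)))
    print("Try again in", humanize(policy.seconds_until_unlock(7.0)))
```

Running the script walks through six distinct wrong guesses (the repeated "0000" is reported as a duplicate and not counted) and then shows the seventh being refused inside the first minute, with the wait rendered in minutes or seconds rather than a raw second count. Swapping in `ANDROID_16_WINDOWS` with no `hard_cap` shows how much more room the older schedule left before the same lockout triggered.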
And when you do hit a longer lockout, Android 17 adds a recovery shortcut right on the lock screen. The idea is to help you quickly find account recovery options from another device, without hunting through settings or menus while you’re locked out.
The sequence is hard to miss: Android 17 reduces the number of guesses drastically, sets a firm ceiling at 20 failed attempts, and then pairs that tighter enforcement with small usability changes meant to keep genuine users from getting stuck in confusing countdowns or repeated-entry penalties.
So now if you forget your PIN you’re just screwed, right?
Not sure why they call it security when people will just reset and go through account recovery. Also 20 tries seems low, my phone would be done in like one weekend of stress.
Wait it says duplicate-guess detection for legitima… whatever that means. Does that mean it flags you for typing the same wrong number twice? Like I guess that’s good but seems like it could mess up if someone’s just dumb and keeps hitting the same wrong PIN.
Android 17 dropping from like 1,800 guesses to 20 is wild. But honestly, I’ve seen people get hacked way easier than guessing PINs… so are they just scared of brute force or what. If my kid watches me type it once, they’ll still be able to do the rest lol.