If I’ve forgotten my PIN and make an attempt, it fails and then starts timing before my next attempt.
If I unplug the TREZOR during this time-out, the next attempt shows the same time-out period.
SO - i should be able to have unlimited attempts for different PINS.
UNLESS - it doesn’t authenticate and fail until AFTER the timeout period. is that the case?
hi @bermuda
To prevent brute-force attacks, after every failed attempt, Trezor enforces a delay before it lets you try a different PIN again. This delay increases by the factor of two each time.
After 16 incorrect attempts, your device wipes itself, making it possible to access your funds only with the use of your recovery seed.
Thank you for your response MichalZ.
I completely understand your response, the delay, the reasons for it.
However my question was more based on others in this group (and other sites) that indicated that if your PIN didn’t work - you simply unplug it before it starts timing out for the next entry.
When you plug the TREZOR back in - you can try another password immediately (it doesn’t continue to time-out after a reboot).
SO - the question is - does it only try the next password after the time-out, or does it try the password and then time-out?
Do you see the subtle difference? Basically the question is, can you foil the time-out nuisance by unplugging the Trezor after each attempt (before it times-out).
hope that’s more clear.
Thanks!!
hi,
The device unlock after the verifying process (the timeout as you said) if the correct PIN is entered.
So even if you would enter the correct PIN and you’d unplug the device during the verification process you won’t unlock the device (so you wouldn’t actually know if the PIN was correct or not) that’s why the number of attempts remain the same.
If you would enter incorrect PIN and go through the verification process you would have 15 attempts left even after re-plugging the device.
Thank you MichalZ!
I appreciate your knowledge, time and effort to answer. Especially for a question that may seem a bit pedantic.
It makes sense there’s no gap in security on the Trezor.
Much appreciated.
you are very welcome, I’m happy to help 