Google has announced a broad set of updates to Android’s theft protection capabilities, targeting device security before, during, and after a theft attempt. The changes span authentication hardening, recovery tooling, and proactive default configurations for new markets.
Stronger Authentication Controls
The most significant authentication changes apply to devices running Android 16 and later.
- Failed Authentication Lock toggle: First introduced in Android 15, the Failed Authentication Lock feature, which locks the screen after excessive failed login attempts, now has a dedicated enable/disable toggle in settings for finer user control.
- Expanded Identity Check coverage: Identity Check, which enforces biometric authentication for sensitive actions performed outside trusted locations, has been extended to cover all features and apps using the Android Biometric Prompt. This means third-party banking apps and Google Password Manager now automatically inherit the additional biometric requirement.
- Longer lockout intervals for PIN/pattern guessing: Android will now impose increased lockout durations after failed screen lock attempts. As a usability concession, repeated identical incorrect guesses no longer count toward the retry limit, reducing accidental lockouts.
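
A minimal Python model of the retry rule in the lockout item above, added here as an illustration and not Android's or Google's code. The class name, the thresholds and the lockout durations are assumptions; the announcement gives no figures.

```python
import hashlib
import hmac
import os

# Assumed schedule (distinct wrong guesses reached -> lockout seconds).
# Illustrative values only; the announcement gives no figures.
LOCKOUT_SCHEDULE = ((5, 30), (10, 300), (15, 3600))


class ScreenLockThrottle:
    """Hypothetical model: only *distinct* wrong guesses consume the retry budget."""

    def __init__(self, correct_pin, schedule=LOCKOUT_SCHEDULE):
        self._key = os.urandom(16)           # per-instance key for guess digests
        self._correct = self._digest(correct_pin)
        self._seen_wrong = set()             # digests of wrong guesses, not plaintext
        self._schedule = dict(schedule)
        self.locked_until = 0.0

    def _digest(self, guess):
        return hmac.new(self._key, guess.encode(), hashlib.sha256).digest()

    @property
    def distinct_failures(self):
        return len(self._seen_wrong)

    def attempt(self, guess, now):
        """Return 'locked_out', 'unlocked', 'wrong_repeat' or 'wrong_counted'."""
        if now < self.locked_until:
            return "locked_out"              # nothing is evaluated during a lockout
        digest = self._digest(guess)
        if hmac.compare_digest(digest, self._correct):
            self._seen_wrong.clear()         # success resets the budget
            return "unlocked"
        if digest in self._seen_wrong:
            return "wrong_repeat"            # same wrong guess again: not counted
        self._seen_wrong.add(digest)
        # A new distinct guess may cross a threshold and start a longer lockout.
        seconds = self._schedule.get(self.distinct_failures)
        if seconds:
            self.locked_until = now + seconds
        return "wrong_counted"
```

Repeating a guess reveals nothing new about the PIN, so exempting repeats in this model leaves the number of distinct guesses allowed before each lockout unchanged.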
Improved Remote Lock and Recovery
Recovery tool updates are available on Android 10 and later. The Remote Lock feature, accessible at android.com/lock from any web browser, now supports an optional security question or challenge during the lock initiation process. The addition is intended to prevent unauthorized parties from remotely locking a device they do not own.
Default-On Protections in Brazil
Google is enabling two theft protection features by default on new Android devices activated in Brazil.
- Theft Detection Lock: Uses on-device AI to analyze motion and contextual signals consistent with a snatch-and-run theft, locking the screen automatically if a theft attempt is detected.
- Remote Lock: Activated out of the box so that users do not need to configure the feature before they can invoke it from android.com/lock.
The move is notable because it removes the requirement for users to opt in before a theft occurs, a gap that previously left newly activated devices without a critical recovery layer.
Implications for Security Professionals
The extension of Identity Check to all Biometric Prompt-integrated apps is the change most relevant to enterprise and financial application developers. Apps that already rely on the Android Biometric Prompt API will inherit the stricter location-aware biometric enforcement without requiring code changes. Organizations deploying Android devices should verify that managed device policies remain compatible with the new lockout behavior introduced in Android 16.
