How many times can you fat finger the BitLocker recovery key?

JasonO 21 Reputation points
2022-09-19T14:36:52.663+00:00

We are rolling out BitLocker to our enterprise and I was asked this question: "How many times can a person mistype the recovery key?" I was not able to find a definite answer and was hoping someone from Microsoft could clear this up. Not to be confused with the PIN, I am asking about the BitLocker Recovery Key and how many times a person can mistype the key before something happens, if anything.

Thanks

Windows 10 Security

Accepted answer
  1. Limitless Technology 44,221 Reputation points
    2022-09-21T15:17:40.457+00:00

    Hello

    Thank you for your question and for reaching out. I understand you have a query about how many times a wrong BitLocker key can be entered.

    Nothing. BitLocker cannot shut anything out because it is launched before Windows starts and before networking is operational.


    --If the reply is helpful, please Upvote and Accept as answer--


1 additional answer

  1. Dillon Silzer 57,316 Reputation points
    2022-09-19T15:11:21.88+00:00

    Hi @JasonO

    Please see:

    TPM 2.0 anti-hammering

    https://learn.microsoft.com/en-us/windows/security/information-protection/tpm/tpm-fundamentals#tpm20-anti-hammering

    For systems with TPM 2.0, the TPM is configured by Windows to lock after 32 authorization failures and to forget one authorization failure every 10 minutes. This means that a user could quickly attempt to use a key with the wrong authorization value 32 times. For each of the 32 attempts, the TPM records if the authorization value was correct or not. This inadvertently causes the TPM to enter a locked state after 32 failed attempts.

    Attempts to use a key with an authorization value for the next 10 minutes would not return success or failure; instead the response indicates that the TPM is locked. After 10 minutes, one authorization failure is forgotten and the number of authorization failures remembered by the TPM drops to 31, so the TPM leaves the locked state and returns to normal operation. With the correct authorization value, keys could be used normally if no authorization failures occur during the next 10 minutes. If a period of 320 minutes elapses with no authorization failures, the TPM does not remember any authorization failures, and 32 failed attempts could occur again.

    In short, you can fat finger the BitLocker recovery key as many times as you want as long as you are willing to wait.


    If this is helpful please accept answer.
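
The lockout counter described in the TPM 2.0 anti-hammering text quoted above, modelled as an added example that is not part of the answer or of Microsoft's documentation. The class and function names are hypothetical, and the model assumes the TPM stays powered and that the 10-minute heal interval is measured from the first remembered failure.

```python
from dataclasses import dataclass

MAX_FAILURES = 32   # lock threshold quoted above
HEAL_MINUTES = 10   # one remembered failure is forgotten per interval


@dataclass
class TpmLockoutModel:
    """Simplified model of the TPM 2.0 authorization-failure counter."""
    failures: int = 0
    heal_clock: int = 0  # minute from which the next heal interval is measured

    def _heal(self, now: int) -> None:
        if self.failures == 0:
            self.heal_clock = now          # nothing to forget; restart the clock
            return
        healed = (now - self.heal_clock) // HEAL_MINUTES
        if healed:
            self.failures = max(0, self.failures - healed)
            # Keep any partial interval unless the counter has fully drained.
            self.heal_clock = now if self.failures == 0 else self.heal_clock + healed * HEAL_MINUTES

    def authorize(self, now: int, correct: bool) -> str:
        """Return 'success', 'failure' or 'locked' for an attempt at minute `now`."""
        self._heal(now)
        if self.failures >= MAX_FAILURES:
            return "locked"                # value is not evaluated while locked
        if correct:
            return "success"
        self.failures += 1
        return "failure"


def evaluated_wrong_guesses(window_minutes: int) -> int:
    """Wrong values the TPM actually evaluates if retried every minute for the window."""
    tpm = TpmLockoutModel()
    evaluated = 0
    for now in range(window_minutes + 1):
        while tpm.authorize(now, correct=False) == "failure":
            evaluated += 1
    return evaluated


if __name__ == "__main__":
    for minutes in (0, 320, 1440):
        print(f"{minutes:>5} min -> {evaluated_wrong_guesses(minutes)} evaluated wrong guesses")
```

After the initial burst of 32, the model evaluates one further wrong value per 10 minutes, which is the "as long as you are willing to wait" behaviour in numbers.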

