Comment by dlcarrier
3 hours ago
In that case, the median would still be just over a month, if the PINs were entered in order of how commonly they are used. Even the worst case of two years is still soon enough for a lot of data to still be useful.
Also, how is the time limit enforced? With hardware access, it would be easy to change time or increase the clock rate, as well as many other side-channel attacks that could eliminate the wait altogether.
Most enterprises require a 12-digit code, to meet a specific security standard. Brute-forcing that, with hardware access restricted by TPM, would take a very, very long time.
You're also not restricted to 4 digits. A full passphrase is an option.
Which I wish was more heavily advertised because a passphrase is a lot easier to remember.
The time limit is enforced by the TPM itself which defends against tampering.