by ballenf 3147 days ago
I agree and it wasn't the intent of the question. More of a purely academic way of putting "one in a million" into more human terms. And it didn't work, since I can't picture a room of 1250 people doing this, like you rightly point out.

But I also don't think the "brother who already knows the phone PIN code" is a real-world attack vector of concern to most people. I get that it could be an issue in narrow situations: you share your PIN code, lookalike sibling uses it to "train" your phone; you change passcode not realizing that phone will still unlock for now-untrusted sibling.

Even in that scenario, I would bet that after a few days of normal usage by the phone's rightful owner alone the attack wouldn't work anymore. But, it's too soon to know.