Microsoft has confirmed that FIDO2 security keys on Windows 11 may now prompt users to set up a PIN during authentication following specific recent updates, aligning with WebAuthn standards for enhanced user verification.
The change began with the September 29, 2025, preview update KB5065789 for OS Builds 26200.6725 and 26100.6725, rolling out gradually to Windows 11 devices.
Deployment completed after the November 11, 2025, security update KB5068861 for OS Builds 26200.7171 and 26100.7171, or subsequent patches.
| Update ID | Release Date | OS Builds Affected |
|---|---|---|
| KB5065789 | Sept 29, 2025 | 26200.6725, 26100.6725 |
| KB5068861 | Nov 11, 2025 | 26200.7171, 26100.7171 |
This affects sign-ins where a Relying Party (RP) or Identity Provider (IDP) requests User Verification set to “Preferred” for keys lacking a PIN.
The requirement enforces the WebAuthn specification, where User Verification (UV) confirms that the authorized user is present by means of a PIN or biometric, as distinct from the simple touch that proves user presence. UV levels are Discouraged (no PIN needed), Preferred (the platform prompts for PIN setup if the key is capable), and Required. Previously, Windows only prompted for PIN setup during registration; the updates extend this behavior to authentication flows for consistency.
FIDO2 keys enable passwordless authentication over USB, NFC, or Bluetooth and are gaining traction as a defense against phishing and credential theft. The shift surprises users whose keys have no PIN set, because the platform must now comply with the specification by configuring one when “preferred” is requested.
Mitigations
RPs or IDPs can avoid PIN prompts by setting “userVerification” to “discouraged” in PublicKeyCredentialRequestOptions. Microsoft emphasizes this as deliberate compliance, not a bug. Users should check Settings > Accounts > Sign-in options > Security Key to manage PINs after the update.
Enterprises relying on FIDO2 for MFA face workflow disruptions if unprepared, especially in passwordless setups. Security vendors like Yubico note similar unexpected prompts in prior patches.
While improving adherence to standards, the change requires config reviews for seamless adoption. No rollback exists, but “discouraged” UV restores prior behavior.
