Security keys may prompt for PIN after recent updates

Microsoft warned users on Tuesday that FIDO2 security keys may prompt them to enter a PIN when signing in after installing Windows updates released since the September 2025 preview update.

This behavior can be observed on devices running Windows 11 version 24H2 or 25H2 when an identity provider requests user verification during authentication.

Microsoft says this is an intentional change to comply with WebAuthn specifications, which dictate how authentication methods such as PINs, biometrics, and hardware security keys should handle user verification requests.

User verification confirms that the user is present and authorized to use a security key, typically through a PIN or biometric scan. Under WebAuthn standards, verification can be discouraged, preferred, or required. When set to “preferred,” the standard requires platforms to set up a PIN if the authenticator supports user verification.

Support for this feature began gradually rolling out to all Windows 11 devices after the KB5065789 preview update, and the deployment completed with the November KB5068861 security update.

“After installing the Windows update, September 29, 2025—KB5065789 (OS Builds 26200.6725 and 26100.6725) Preview, or later updates, you might be required to create a PIN to sign in with a security key, even if a PIN was not required or set during your initial registration,” Microsoft said in a Tuesday support document.

“This behavior will occur when a Relying Party (RP) or Identity Provider (IDP) requests User Verification = Preferred during authentication with a Fast IDentity Online 2 (FIDO2) security key that does not have a PIN set.”

Organizations and services that don’t want users creating or entering PINs for security keys can set user verification to “discouraged” in their WebAuthn configuration settings.
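The relying-party side of that setting, as an added example that is not code from the article or from Microsoft: it builds the `publicKey` options a web app passes to `navigator.credentials.get()` with an explicit `userVerification` value, and encodes the prompt behaviour the article describes. The rpId, credential ids, challenge bytes and the helper names are constructed for this example.

```javascript
// Added example, not code from the article or from Microsoft. Shows how a
// relying party sets the WebAuthn userVerification hint on an assertion
// request and what prompt the updated Windows client is expected to show.
// rpId, credential ids and challenge bytes are constructed placeholders.

const USER_VERIFICATION_VALUES = new Set(["required", "preferred", "discouraged"]);

// Build the `publicKey` member passed to navigator.credentials.get().
// The challenge must be a fresh, server-generated random value per request.
// userVerification defaults to "preferred" in WebAuthn, which is exactly the
// value that now triggers PIN setup on a FIDO2 key without a PIN.
function buildAssertionOptions({ rpId, challenge, credentialIds = [], userVerification = "preferred" }) {
  if (!USER_VERIFICATION_VALUES.has(userVerification)) {
    throw new RangeError(`invalid userVerification value: ${userVerification}`);
  }
  if (!(challenge instanceof Uint8Array) || challenge.length < 16) {
    throw new RangeError("challenge must be at least 16 random bytes");
  }
  return {
    challenge,
    rpId,
    timeout: 60000,
    allowCredentials: credentialIds.map((id) => ({
      type: "public-key",
      id,
      transports: ["usb", "nfc", "ble"],
    })),
    userVerification,
  };
}

// Predict the prompt for a given request on the updated Windows client.
// "discouraged": the authenticator is asked not to perform user verification,
// so no PIN prompt is expected (the spec lets an authenticator verify anyway,
// so this is the expected, not guaranteed, outcome).
// "preferred"/"required" on a key that already has a PIN: the user enters it.
// "preferred" on a key with no PIN: the client now asks the user to create one,
// which is the behaviour the article reports. Treating "required" without a
// PIN the same way is an assumption of this example; the article only
// describes the "preferred" case.
function expectedPinPrompt(options, keyHasPin) {
  switch (options.userVerification) {
    case "discouraged":
      return "none";
    case "preferred":
    case "required":
      return keyHasPin ? "enter-pin" : "create-pin";
    default:
      throw new RangeError(`invalid userVerification value: ${options.userVerification}`);
  }
}

// Run the ceremony in a browser. Outside a secure browser context WebAuthn is
// unavailable, so fail loudly instead of silently falling back.
async function requestAssertion(options) {
  if (typeof navigator === "undefined" || !navigator.credentials) {
    throw new Error("WebAuthn requires a secure browser context");
  }
  return navigator.credentials.get({ publicKey: options });
}

// Constructed sample usage: the default hint beside "discouraged", which is
// the setting the article suggests for services that do not want PINs.
const sampleChallenge = new Uint8Array(32); // placeholder; use crypto.getRandomValues in production
const withDefault = buildAssertionOptions({ rpId: "example.com", challenge: sampleChallenge });
const noPinWanted = buildAssertionOptions({
  rpId: "example.com",
  challenge: sampleChallenge,
  userVerification: "discouraged",
});
console.log(expectedPinPrompt(withDefault, false)); // create-pin
console.log(expectedPinPrompt(noPinWanted, false)); // none
```

Setting the value explicitly is the point: leaving `userVerification` out means "preferred", and an identity provider that relied on that default will see the new PIN-setup prompt on keys registered without one. Changing it to "discouraged" trades the second factor on the key for a smoother sign-in, so the choice belongs in the relying party's policy rather than in the client.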

“Support for PIN setup in the authentication flow was added to be consistent across both registration and authentication flows,” Microsoft added.

FIDO2 security keys provide passwordless authentication by requiring physical possession of a USB, NFC, or Bluetooth token. This technology has been increasingly adopted as organizations seek alternatives to traditional passwords to block phishing, credential theft, and other password-based attacks.
