On Tuesday, Microsoft issued a notice to users about a new behavior affecting FIDO2 security keys after installation of Windows updates released since the September 2025 preview update. The change affects devices running Windows 11 versions 24H2 or 25H2, where an identity provider may now prompt users to create a PIN for their security key during sign-in, even if the key has never had one.
Understanding the Change
The adjustment is a deliberate move by Microsoft to align with the WebAuthn specification, which defines how browsers and platforms talk to authenticators such as hardware security keys, and how authentication factors like PINs and biometrics are requested. User verification is the step in which the authenticator confirms that the person using it is authorized, typically via a PIN or a biometric check. It is distinct from user presence, which a simple touch of the key satisfies and which proves only that someone is physically holding the token.
A relying party's userVerification requirement in WebAuthn takes one of three values: "discouraged", "preferred", or "required". Microsoft's reading of the specification is that when the value is "preferred", the platform should set up a PIN if the authenticator supports user verification but has none configured, rather than silently proceeding with a touch-only assertion.
Implementation Timeline
Support for this behavior rolled out gradually across Windows 11 devices beginning with the KB5065789 preview update, and is fully deployed with the November KB5068861 security update. In a support document released on Tuesday, Microsoft clarified, "After installing the Windows update, September 29, 2025—KB5065789 (OS Builds 26200.6725 and 26100.6725) Preview, or later updates, you might be required to create a PIN to sign in with a security key, even if a PIN was not required or set during your initial registration."
The behavior is triggered when a Relying Party (RP) or Identity Provider (IdP) requests userVerification = "preferred" during authentication with a FIDO2 security key that has no PIN set.
Options for Organizations
Organizations and services that do not want users to create or enter PINs for their security keys can set user verification to "discouraged" in their WebAuthn configuration. The trade-off is that an assertion accepted under "discouraged" (and, in practice, under "preferred") may prove possession of the key only, with no PIN or biometric check; a relying party that actually depends on a second factor should request "required" and check the user-verified flag in the returned authenticator data rather than rely on the hint. Microsoft further elaborated, "Support for PIN setup in the authentication flow was added to be consistent across both registration and authentication flows."
FIDO2 security keys enable passwordless authentication by requiring possession of a physical USB, NFC, or Bluetooth token. The technology is gaining traction as more organizations look to replace passwords and reduce exposure to phishing, credential theft, and other password-related attacks.