Microsoft Security Keys May Require a PIN After Recent Windows Updates

Microsoft has changed the way Windows handles FIDO2 security key authentication in its latest system updates. Users may now be prompted to create and configure a PIN for their security key during sign-in, even if they did not set up a PIN when they first registered the key.

The new behavior applies to users who install the Windows preview update released on September 29, 2025 (KB5065789, OS Builds 26200.6725 and 26100.6725) or any later update. The PIN setup prompt is triggered when a Relying Party (RP) or Identity Provider (IDP) requests User Verification set to “Preferred” during authentication with a FIDO2 security key that has no PIN configured.

Compliance with WebAuthn Standards

In its clarification, Microsoft stated that the change is intentional and is meant to ensure compliance with WebAuthn specifications. The update aligns Windows authentication behavior with recognized web authentication standards, promoting consistent security practices across platforms.

The updated behavior began rolling out gradually to Windows 11 devices with the September 29, 2025, preview update (KB5065789). Full deployment across Windows 11 clients was completed with the November 11, 2025, security update (KB5068861, OS Builds 26200.7171 and 26100.7171) and applies to any subsequent updates.

User Verification (UV) serves to confirm that the authorized user is present and allowed to utilize the security key, typically through a PIN or biometric authentication. Windows now accommodates three verification settings: Discouraged, Preferred, and Required.

When User Verification is designated as “Preferred,” the Relying Party indicates that user verification should take place if the authenticator supports it. This means that if a PIN setup is necessary, the platform will facilitate the configuration process accordingly. In contrast, when set to “Discouraged,” the RP signals that user verification is not mandatory. If no PIN has been established, users are not required to create one unless the authenticator’s configuration explicitly demands it.

Microsoft’s introduction of PIN setup support during the authentication flow aims to create consistency between the registration and authentication processes. This enhancement ensures that security key management adheres to uniform procedures throughout both initial setup and ongoing authentication scenarios, thereby reinforcing the overall security posture for users who depend on FIDO2 authentication methods.
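
The three User Verification settings described above map to the WebAuthn `userVerification` request option, and the result comes back to the Relying Party as the UV bit in the authenticator data. The following is an added example from the RP's point of view, not code from Microsoft or from this article; the function names, the timeout value and the sample bytes are assumptions made for illustration.

```javascript
// Added example: RP-side handling of userVerification. All names are hypothetical.
const FLAG_UP = 0x01; // User Present bit in the authenticator data flags
const FLAG_UV = 0x04; // User Verified bit (PIN or biometric was checked)
const UV_VALUES = ["required", "preferred", "discouraged"];

// Options the RP would hand to navigator.credentials.get({ publicKey: ... }).
// "preferred" is the value that can now lead Windows to ask for PIN setup
// when the key has none; "discouraged" tells the platform UV is not needed.
function buildRequestOptions(challenge, rpId, userVerification) {
  if (!UV_VALUES.includes(userVerification)) {
    throw new RangeError(`unknown userVerification: ${userVerification}`);
  }
  return { challenge, rpId, userVerification, timeout: 60000 };
}

// authenticatorData layout: rpIdHash (32 bytes) | flags (1) | signCount (4) | ...
function parseFlags(authData) {
  if (authData.length < 37) throw new RangeError("authenticatorData too short");
  const flags = authData[32];
  return {
    userPresent: (flags & FLAG_UP) !== 0,
    userVerified: (flags & FLAG_UV) !== 0,
  };
}

// Decide how to treat an assertion given what the RP requested.
// Signature, challenge and rpIdHash checks are out of scope here.
function evaluateAssertion(authData, requestedUv) {
  const { userPresent, userVerified } = parseFlags(authData);
  if (!userPresent) return { accept: false, reason: "UP flag not set" };
  if (requestedUv === "required" && !userVerified) {
    return { accept: false, reason: "UV required but UV flag not set" };
  }
  // With "preferred" or "discouraged" the UV bit may or may not be set, so the
  // RP records which factor it actually got instead of assuming one.
  return { accept: true, factor: userVerified ? "possession+uv" : "possession-only" };
}

// Constructed sample authenticator data: zeroed rpIdHash, given flags, signCount 1.
function sampleAuthData(flags) {
  const buf = new Uint8Array(37);
  buf[32] = flags;
  buf[36] = 1;
  return buf;
}
```

An RP that treats the security key as a single strong factor should base that decision on the returned UV bit, not on the value it requested, because only "required" guarantees verification took place.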
