Microsoft Security Keys May Require PIN After Recent Windows Updates

Microsoft has announced a change in how FIDO2 security keys behave on Windows 11: users may now be prompted to set up a PIN on the key during authentication, not only during registration. The change brings Windows into line with the WebAuthn specification's handling of user verification.

The rollout commenced with the preview update KB5065789 on September 29, 2025, specifically targeting OS Builds 26200.6725 and 26100.6725. Following this, the deployment was completed with the security update KB5068861 on November 11, 2025, affecting OS Builds 26200.7171 and 26100.7171.

Update ID    Release Date    OS Builds Affected
KB5065789    Sept 29, 2025   26200.6725, 26100.6725
KB5068861    Nov 11, 2025    26200.7171, 26100.7171

This update affects sign-ins where a Relying Party (RP) or Identity Provider (IdP) requests user verification set to "preferred" and the key has no PIN configured. The behaviour follows the WebAuthn specification, in which user verification (UV) means the authenticator confirms the identity of the person using it, with a PIN or a biometric. UV is distinct from user presence (UP), which is only the touch on the key. An RP can request one of three userVerification levels:

  • Discouraged: the RP does not want UV; a touch suffices and no PIN is needed.
  • Preferred: the RP wants UV if the authenticator can do it; a capable key without a PIN is prompted to set one up.
  • Required: UV is mandatory; the key must verify the user with a PIN or biometric or the sign-in fails.

Previously, Windows only prompted users to set up a PIN during registration; these updates extend the same prompt to authentication flows, so the "preferred" level is handled consistently in both.

FIDO2 keys provide passwordless authentication over USB, NFC, or Bluetooth, and are increasingly popular because they resist phishing and credential theft. The change may catch users off guard, particularly those whose key has no PIN, since the Windows client now initiates PIN setup whenever "preferred" is requested and the key is capable of UV.

Mitigations

To avoid the PIN prompt, RPs or IdPs can set "userVerification" to "discouraged" in PublicKeyCredentialRequestOptions. Note what that trades away: with "discouraged", the key may complete the assertion with a touch alone, so the RP should check the UV flag in the returned authenticator data before treating the sign-in as more than proof of possession. Microsoft has clarified that the new prompt is a deliberate compliance measure rather than a bug. Users can manage the PIN on their key after the update under Settings > Accounts > Sign-in options > Security Key.
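The following is an added example, not code from the article or from Microsoft, covering both the userVerification levels described above and the "discouraged" mitigation. It builds the PublicKeyCredentialRequestOptions an RP passes to navigator.credentials.get(), and it parses the flags byte of the authenticator data returned in the assertion so the server can tell whether the key actually verified the user. The rpId "login.example.com" and the sample authenticator data are constructed for illustration; the byte layout (32-byte rpIdHash, one flags byte, four-byte big-endian signature counter) is the one the WebAuthn specification defines.

```javascript
// Added example (not from the article or Microsoft). Shows how an RP picks the
// WebAuthn userVerification level and why, after choosing "discouraged", it must
// read the UV flag from the authenticator data rather than assume a second factor.

const UV_LEVELS = new Set(["required", "preferred", "discouraged"]);

// Build the options object for navigator.credentials.get().
// challenge: random bytes from the server; rpId: hypothetical relying-party id.
function buildRequestOptions(challenge, userVerification, rpId = "login.example.com") {
  if (!UV_LEVELS.has(userVerification)) {
    throw new Error(`invalid userVerification: ${userVerification}`);
  }
  return {
    publicKey: {
      challenge,
      rpId,
      timeout: 60000,
      // "preferred" is the value that, after KB5065789 / KB5068861, makes Windows 11
      // ask a PIN-less FIDO2 key to set a PIN. "discouraged" restores the old
      // prompt-free behaviour but then the key may not verify the user at all.
      userVerification,
      allowCredentials: [], // empty list: let the key pick a discoverable credential
    },
  };
}

// Authenticator data layout: rpIdHash[32] | flags[1] | signCount[4] | optional extensions.
const FLAG_UP = 0x01; // user present: the key was touched
const FLAG_UV = 0x04; // user verified: PIN or biometric was checked on the key

function parseAuthenticatorData(authData) {
  if (authData.length < 37) throw new Error("authenticator data too short");
  const flags = authData[32];
  const view = new DataView(authData.buffer, authData.byteOffset + 33, 4);
  return {
    rpIdHash: authData.subarray(0, 32),
    userPresent: (flags & FLAG_UP) !== 0,
    userVerified: (flags & FLAG_UV) !== 0,
    signCount: view.getUint32(0, false), // big-endian counter
  };
}

// Decide whether an assertion satisfies the RP's policy. factors is 1 when only
// possession of the key was shown, 2 when the key also verified the user.
function evaluateAssertion(userVerification, authData) {
  const parsed = parseAuthenticatorData(authData);
  if (!parsed.userPresent) {
    return { accepted: false, factors: 0, reason: "no user presence" };
  }
  if (userVerification === "required" && !parsed.userVerified) {
    return { accepted: false, factors: 1, reason: "UV required but UV flag not set" };
  }
  // "preferred" and "discouraged" both accept a possession-only assertion;
  // the RP must look at factors before calling this an MFA sign-in.
  return { accepted: true, factors: parsed.userVerified ? 2 : 1, reason: "ok" };
}

// Constructed sample authenticator data: zeroed rpIdHash, given flags, counter 7.
function sampleAuthData(flags) {
  const buf = new Uint8Array(37);
  buf[32] = flags;
  buf[36] = 7;
  return buf;
}

// Stand-alone demonstration of the three levels against a key that only touched.
if (typeof require !== "undefined" && require.main === module) {
  const touchOnly = sampleAuthData(FLAG_UP);
  for (const level of UV_LEVELS) {
    const opts = buildRequestOptions(new Uint8Array(32), level);
    console.log(level, JSON.stringify(evaluateAssertion(opts.publicKey.userVerification, touchOnly)));
  }
}
```

Running the block prints that "required" rejects a touch-only assertion while "preferred" and "discouraged" accept it with factors: 1. That last value is the point of the caveat above: switching to "discouraged" silences the PIN prompt, but an RP that counts the key as a second factor has to check userVerified itself.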

For enterprises that rely on FIDO2 for multi-factor authentication (MFA), this change could disrupt workflows if they are not adequately prepared, particularly in passwordless environments. Security vendors such as Yubico have noted similar unexpected prompts in previous patches.

While this update improves adherence to the WebAuthn specification, it calls for a configuration review before the patch reaches users. There is no option to roll the change back on the client; setting userVerification to "discouraged" on the RP side restores the previous prompt-free behaviour, at the cost of no longer asking the key to verify the user.


Winsage