Yesterday, 12:09
Quote: Microsoft warned users on Tuesday that FIDO2 security keys may prompt them to enter a PIN when signing in after installing Windows updates released since the September 2025 preview update.
This behavior can be observed on devices running Windows 11 version 24H2 or 25H2 when an identity provider requests user verification during authentication.
Microsoft says this is an intentional change to comply with WebAuthn specifications, which dictate how authentication methods such as PINs, biometrics, and hardware security keys should handle user verification requests.
User verification confirms that the user is present and authorized to use a security key, typically through a PIN or biometric scan. Under WebAuthn standards, verification can be discouraged, preferred, or required. When set to "preferred," the standard requires platforms to set up a PIN if the authenticator supports user verification.
Support for this feature began gradually rolling out to all Windows 11 devices after the KB5065789 preview update, and the deployment completed with the November KB5068861 security update.
"After installing the Windows update, September 29, 2025—KB5065789 (OS Builds 26200.6725 and 26100.6725) Preview, or later updates, you might be required to create a PIN to sign in with a security key, even if a PIN was not required or set during your initial registration," Microsoft said in a Tuesday support document.
"This behavior will occur when a Relying Party (RP) or Identity Provider (IDP) requests User Verification = Preferred during authentication with a Fast IDentity Online 2 (FIDO2) security key that does not have a PIN set."
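An added example, not part of the quoted article or of Microsoft's guidance: how a relying party can read the User Verified (UV) flag from WebAuthn authenticator data and apply the discouraged / preferred / required setting it requested. The function names and the `factors` labels are assumptions of this sketch, and the sample bytes are constructed.

```javascript
// Authenticator data layout per WebAuthn:
// rpIdHash (32 bytes) | flags (1 byte) | signCount (4 bytes, big-endian)
const FLAG_UP = 0x01; // User Present (touch)
const FLAG_UV = 0x04; // User Verified (PIN or biometric succeeded)

function parseAuthenticatorData(bytes) {
  if (!(bytes instanceof Uint8Array) || bytes.length < 37) {
    throw new Error("authenticatorData must be at least 37 bytes");
  }
  const flags = bytes[32];
  const view = new DataView(bytes.buffer, bytes.byteOffset, bytes.byteLength);
  return {
    rpIdHash: bytes.slice(0, 32),
    userPresent: (flags & FLAG_UP) !== 0,
    userVerified: (flags & FLAG_UV) !== 0,
    signCount: view.getUint32(33, false),
  };
}

// policy is the userVerification value the RP sent in its request options.
function checkUserVerification(bytes, policy) {
  const ad = parseAuthenticatorData(bytes);
  if (!ad.userPresent) return { ok: false, reason: "user presence flag not set" };
  switch (policy) {
    case "required":
      return ad.userVerified
        ? { ok: true, factors: "possession+verification" }
        : { ok: false, reason: "UV required but flag not set" };
    case "preferred":
    case "discouraged":
      // Accepted either way, but record what was actually proven so a
      // touch-only sign-in is never treated as PIN-verified downstream.
      return { ok: true, factors: ad.userVerified ? "possession+verification" : "possession-only" };
    default:
      throw new Error("unknown userVerification policy: " + policy);
  }
}

// Constructed sample data: 32 filler bytes stand in for SHA-256(rpId).
function sampleAuthData(flags, signCount) {
  const b = new Uint8Array(37).fill(0xab, 0, 32);
  b[32] = flags;
  new DataView(b.buffer).setUint32(33, signCount, false);
  return b;
}
```

With "preferred", a key that has no PIN set can still return an assertion with UV clear, so the server-side flag check is what tells the two cases apart.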