2025-11-27

Microsoft has changed how FIDO2 security keys behave on Windows 11, starting with the September 29, 2025, preview update (KB5065789) and continuing in subsequent updates. You may now be prompted to create a PIN when signing in with a security key, even if no PIN was required before and none has ever been set on the key.

Microsoft says this happens when a Relying Party (RP) or Identity Provider (IDP) requests userVerification = preferred during authentication. Put simply, if the security key has no PIN, Windows will now prompt you to set one, so that the platform does what the WebAuthn specification intends: the RP asked for user verification wherever the authenticator is capable of it.

The company has confirmed that the rollout began with the September preview update and was completed after the November 11, 2025, security update (KB5068861). The change standardizes the flow: if no PIN was created when the key was registered, you can now set one during authentication instead.

Microsoft has also clarified what User Verification (UV) means: it confirms that the person using the security key is authorized to do so, typically by a PIN or a biometric on the key itself. A relying party can request UV as Discouraged, Preferred, or Required. Microsoft notes:

User Verification = Preferred means the RP wants user verification if the authenticator is capable of doing so. That means that if a PIN needs to be set up, the platform should do so. User Verification = Discouraged means the RP does not want user verification. If a PIN has not been set up, there is no need to do so (unless required by the authenticator configuration). Support for PIN setup in the authentication flow was added to be consistent across both registration and authentication flows.

Moreover, organizations that do not want users to create or enter a PIN should set userVerification to Discouraged in PublicKeyCredentialRequestOptions (the options passed to navigator.credentials.get()). Note the caveat in Microsoft's own wording: a key whose own configuration requires user verification will still ask for a PIN regardless of what the RP requests.
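The options objects and the prompt behaviour described above, as an added example that is not code from the article or from Microsoft. The function names, the rpId "example.com" and the fixed challenge are constructed for illustration, and the "required" branch follows standard WebAuthn semantics rather than anything the article states:

```javascript
// Added example (not from the article or Microsoft): how a relying party sets
// userVerification in its WebAuthn options, plus a small model of the Windows 11
// PIN-setup prompt described in the article. Names and sample data are constructed.

const UV_VALUES = ["required", "preferred", "discouraged"];

// Reject anything that is not a valid UserVerificationRequirement string.
function assertUv(uv) {
  if (!UV_VALUES.includes(uv)) {
    throw new RangeError(`userVerification must be one of ${UV_VALUES.join(", ")}, got ${uv}`);
  }
  return uv;
}

// Authentication: the publicKey member of the argument to navigator.credentials.get().
// In practice the challenge and credential IDs come from the RP's server; here the
// caller supplies them. `userVerification` is the field the article is about.
function buildGetOptions({ challenge, rpId, allowCredentialIds = [], userVerification = "preferred" }) {
  return {
    publicKey: {
      challenge,
      rpId,
      allowCredentials: allowCredentialIds.map((id) => ({ type: "public-key", id })),
      userVerification: assertUv(userVerification),
      timeout: 60000,
    },
  };
}

// Registration: the equivalent field lives under authenticatorSelection in
// PublicKeyCredentialCreationOptions (navigator.credentials.create()). Microsoft's
// point is that PIN setup now behaves the same way in both flows.
function buildCreateOptions({ challenge, rpId, rpName, userId, userName, userVerification = "preferred" }) {
  return {
    publicKey: {
      challenge,
      rp: { id: rpId, name: rpName },
      user: { id: userId, name: userName, displayName: userName },
      pubKeyCredParams: [{ type: "public-key", alg: -7 }], // ES256
      authenticatorSelection: {
        authenticatorAttachment: "cross-platform", // roaming security key
        userVerification: assertUv(userVerification),
      },
      timeout: 60000,
    },
  };
}

// Model of the updated Windows behaviour for a key that has no PIN yet:
// - preferred:   RP wants UV if the authenticator can do it, so Windows sets up a PIN.
// - discouraged: no PIN setup, unless the key itself is configured to require UV
//                (Microsoft's "unless required by the authenticator configuration").
// - required:    standard WebAuthn semantics (assumption, not covered by the
//                article): UV is mandatory, so a PIN has to exist first.
function willPromptForPinSetup(userVerification, { keyHasPin, keyAlwaysRequiresUv = false }) {
  assertUv(userVerification);
  if (keyHasPin) return false; // nothing to set up; at most an existing PIN is entered
  switch (userVerification) {
    case "discouraged": return keyAlwaysRequiresUv;
    case "preferred":   return true;
    case "required":    return true;
  }
}

// Constructed sample: a 32-byte challenge (a real RP generates a fresh random one per ceremony).
const sampleChallenge = Uint8Array.from({ length: 32 }, (_, i) => i);

// What an organisation that wants no PIN prompts should send to the browser:
const noPinOptions = buildGetOptions({
  challenge: sampleChallenge,
  rpId: "example.com",
  userVerification: "discouraged",
});
```

In a browser, `noPinOptions` is passed straight to `navigator.credentials.get(noPinOptions)`; the model function is only there to make the three-way behaviour explicit for reviewers and tests.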

