Microsoft’s latest Windows updates are changing how security keys work, requiring users to set up a Personal Identification Number (PIN) even if they didn’t need one initially.
The change stems from a Windows preview update released in September 2025 and affects how authentication works across Windows 11 devices.
What’s Changing
Starting with the September 29, 2025, Windows preview update (KB5065789, OS Builds 26200.6725 and 26100.6725), users may be prompted to create a PIN when signing in with a FIDO2 security key, regardless of their initial setup preferences.
This requirement applies when a website or service requests “User Verification = Preferred” during the authentication process even if users previously didn’t set a PIN on their security key.
The rollout began gradually after the September update and was completed on Windows 11 devices following the November 11, 2025, security update (KB5068861, OS Builds 26200.7171 and 26100.7171).
Microsoft confirmed this is intended behavior designed to align with WebAuthn technical specifications established by the World Wide Web Consortium (W3C).
Understanding User Verification
The technical backbone of this change involves User Verification (UV), which confirms that the person using a security key is actually authorized to do so.
User Verification typically relies on two methods: a PIN or biometric authentication, such as a fingerprint.
WebAuthn defines three User Verification settings, and Windows honors all three. “Discouraged” means the website does not want user verification, so no PIN is required when the key has none.
“Preferred” means the website wants user verification if the authenticator can provide it; Windows now treats this as a reason to set up a PIN when the key lacks one. “Required” means authentication fails unless user verification takes place.
The new Windows behavior specifically addresses “Preferred” requests.
When a Relying Party (RP), that is, the website or service you are signing into, or an Identity Provider (IdP) sets User Verification to “Preferred,” Windows now prompts users to create a PIN if their FIDO2 security key does not already have one.
Why This Matters
This change enhances security by making registration and authentication flows consistent: a key that is registered or used with a “Preferred” request ends up PIN-protected either way.
Previously, users could register a security key without a PIN, and a website that only preferred verification received a sign-in without it, leaving the site to either accept the weaker assertion or reject the user outright. Now Windows proactively sets up PIN protection to meet security best practices.
Microsoft’s decision reflects the industry’s growing focus on the WebAuthn standard, which defines how browsers and platforms talk to authenticators and what verification a relying party can ask for.
FIDO2 (Fast Identity Online 2), which pairs WebAuthn with the FIDO Alliance’s CTAP protocol for talking to security keys, is the current standard for passwordless authentication, and these updates bring Windows’ behavior in line with it.
Users don’t need to prepare anything in advance; the PIN is set up during the sign-in itself.
However, any security key that has never had a PIN set will prompt for PIN creation at the next sign-in to a service that requests User Verification, so the prompt can appear unexpectedly.
Affected Devices
The full rollout reached Windows 11 devices after installing the November security update.
The change affects any user authenticating with FIDO2 security keys when connecting to services that require or prefer user verification.
For IT departments managing enterprise environments, this is a notable change in authentication behavior.
Security teams should communicate it to users ahead of time, since an unexpected PIN-creation prompt during sign-in is easy to mistake for a problem with the key or for phishing, and should confirm that helpdesk staff know how to handle forgotten or newly created PINs so adoption stays smooth across the organization.