Original publish date: November 25, 2025
KB ID: 5073129
Updated experience
After installing the Windows update, September 29, 2025—KB5065789 (OS Builds 26200.6725 and 26100.6725) Preview, or later updates, you might be required to create a PIN to sign in with a security key, even if a PIN was not required or set during your initial registration.
This behavior will occur when a Relying Party (RP) or Identity Provider (IDP) requests User Verification = Preferred during authentication with a Fast IDentity Online 2 (FIDO2) security key that does not have a PIN set.
Cause
This is intended behavior, implemented to remain compliant with WebAuthn specifications.
Support for this behavior began gradually rolling out to Windows 11 devices after installing the September 29, 2025, preview update (KB5065789). The rollout was completed on Windows 11 clients after installing the Windows security update, November 11, 2025—KB5068861 (OS Builds 26200.7171 and 26100.7171), or later updates.
These updates added support for setting up a PIN for a security key, if one was not already set up, when a Relying Party (RP) sets "userVerification" to "preferred" in PublicKeyCredentialRequestOptions in the WebAuthn authentication flow.
Background
User Verification (UV) confirms the user is present and authorized to use a security key, typically via a PIN or biometric. User Verification can be set to Discouraged, Preferred, or Required.
User Verification = Preferred means the RP wants user verification if the authenticator is capable of doing so. That means that if a PIN needs to be set up, the platform should do so.
User Verification = Discouraged means the RP does not want user verification. If a PIN has not been set up, there is no need to do so (unless required by the authenticator configuration).
Support for PIN setup in the authentication flow was added to be consistent across both registration and authentication flows.
New steps
If the Relying Party does not want user verification, and does not want users to create or enter a PIN for security keys, they should set "userVerification" to "discouraged" in PublicKeyCredentialRequestOptions.
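The RP side of this setting, as an added example that is not Microsoft's code: it builds PublicKeyCredentialRequestOptions with an explicit "userVerification" value and reads the UP and UV flags from the returned authenticatorData, so the RP knows whether a PIN or biometric was actually used. The function names, `example.com`, the timeout and the sample bytes are assumptions constructed for illustration.

```javascript
// Added example, not Microsoft's code. rpId, challenge and the
// authenticatorData bytes are constructed sample values.
const UV_POLICIES = ["required", "preferred", "discouraged"];

// Options the RP passes to navigator.credentials.get({ publicKey: ... }).
function buildRequestOptions(rpId, challenge, userVerification) {
  if (!UV_POLICIES.includes(userVerification)) {
    throw new Error("invalid userVerification: " + userVerification);
  }
  return { rpId, challenge, timeout: 60000, userVerification };
}

// authenticatorData begins: rpIdHash (32 bytes), flags (1), signCount (4, big-endian).
function parseFlags(authData) {
  if (authData.length < 37) throw new Error("authenticatorData too short");
  const flags = authData[32];
  const view = new DataView(authData.buffer, authData.byteOffset, authData.byteLength);
  return {
    userPresent: (flags & 0x01) !== 0,  // UP, bit 0
    userVerified: (flags & 0x04) !== 0, // UV, bit 2
    signCount: view.getUint32(33, false),
  };
}

// RP-side policy check on the flags only. Signature, challenge and rpIdHash
// verification are separate steps and are not shown here.
function checkUserVerification(options, authData) {
  const f = parseFlags(authData);
  if (!f.userPresent) return { ok: false, reason: "user not present" };
  if (options.userVerification === "required" && !f.userVerified) {
    return { ok: false, reason: "user verification required" };
  }
  // "preferred" and "discouraged" accept either outcome; report what happened
  // so later decisions do not assume a PIN or biometric was used.
  return { ok: true, userVerified: f.userVerified };
}

// Constructed authenticatorData: zeroed rpIdHash, chosen flags and signCount.
function sampleAuthData(flags, signCount) {
  const buf = new Uint8Array(37);
  buf[32] = flags;
  new DataView(buf.buffer).setUint32(33, signCount, false);
  return buf;
}

const sampleChallenge = new Uint8Array(32); // constructed; a real RP uses fresh random bytes
const noPinFlow = buildRequestOptions("example.com", sampleChallenge, "discouraged");
console.log(checkUserVerification(noPinFlow, sampleAuthData(0x01, 7)));
```

With "preferred", the same check accepts an assertion whether or not the UV flag is set, so an RP that depends on the PIN having been entered should read `userVerified` from the result instead of inferring it from the request.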