

Ethical Hacking News

Microsoft to Prompt PIN for FIDO2 Security Key Authentication After Recent Windows Updates



Microsoft has announced that users may be required to enter a Personal Identification Number (PIN) when using FIDO2 security keys for authentication on Windows 11 devices following recent updates. This change is part of the ongoing rollout of WebAuthn standards, which dictate how authentication methods such as PINs and hardware security keys should handle user verification requests.

  • Microsoft may require users of Windows 11 devices to enter a Personal Identification Number (PIN) when using FIDO2 security keys for authentication, starting with the November 2025 security update.
  • The PIN prompt is triggered by identity providers requesting user verification during authentication processes.
  • Organizations can set user verification to "discouraged" in their WebAuthn configuration settings so that users are not prompted for PINs.
  • FIDO2 security keys offer passwordless authentication through physical possession of a USB, NFC, or Bluetooth token.
  • The update aims to enhance the user experience and security provided by Windows 11 devices using FIDO2 security keys.



    Microsoft has recently announced that users of Windows 11 devices may be required to enter a Personal Identification Number (PIN) when using FIDO2 security keys for authentication, in accordance with the WebAuthn standards. This change is part of a gradual rollout of this feature, which began after the release of the KB5065789 preview update and was completed with the November 2025 security update.

    The prompt for PIN entry is triggered by identity providers that request user verification during authentication processes. In these cases, even if no PIN was set during initial registration, users may be required to enter a PIN when using FIDO2 security keys. Microsoft emphasizes that this change is in line with the WebAuthn standards and aims to provide consistent support for both registration and authentication flows.

    Under these specifications, organizations and services have the option of setting user verification to "discouraged" in their WebAuthn configuration settings. With this setting, users are not prompted for PINs when using FIDO2 security keys for authentication.
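
    What the "discouraged" setting looks like in a relying party's WebAuthn request, and what the server can then conclude from the response, as an added example that is not code from Microsoft or from this article. The function names, the `login.example.com` relying party ID and the sample authenticator data are assumptions constructed for illustration.

```javascript
// Added example; names and the rpId below are assumptions for illustration.
const UV_POLICIES = ["required", "preferred", "discouraged"];

// Bits of the flags byte, which sits at offset 32 of WebAuthn authenticator data.
const FLAG_UP = 0x01; // user present (key was touched)
const FLAG_UV = 0x04; // user verified (PIN or biometric was checked)

// Options the relying party hands to navigator.credentials.get({ publicKey }).
// `challenge` must be fresh random bytes generated by the server.
function buildRequestOptions(challenge, userVerification) {
  if (!UV_POLICIES.includes(userVerification)) {
    throw new RangeError("unknown userVerification value: " + userVerification);
  }
  return {
    challenge,
    rpId: "login.example.com", // assumed relying party ID
    timeout: 60000,
    userVerification, // "discouraged" asks the platform not to prompt for a PIN
  };
}

// Server-side check of the returned authenticatorData against the same policy.
function checkAuthenticatorData(authData, userVerification) {
  // Layout: rpIdHash (32 bytes) | flags (1 byte) | signCount (4 bytes) | ...
  if (!(authData instanceof Uint8Array) || authData.length < 37) {
    return { ok: false, userVerified: false, reason: "authenticator data too short" };
  }
  const flags = authData[32];
  const userVerified = (flags & FLAG_UV) !== 0;
  if ((flags & FLAG_UP) === 0) {
    return { ok: false, userVerified, reason: "user presence flag not set" };
  }
  if (userVerification === "required" && !userVerified) {
    return { ok: false, userVerified, reason: "user verification required but not performed" };
  }
  const factor = userVerified ? "possession plus PIN/biometric" : "possession only";
  return { ok: true, userVerified, reason: factor };
}

// Constructed sample: zeroed rpIdHash, the given flags byte, signCount = 1.
function sampleAuthData(flags) {
  const data = new Uint8Array(37);
  data[32] = flags;
  data[36] = 1;
  return data;
}
```

    With "discouraged", an accepted assertion may prove possession of the key only, so a relying party that treats the key as more than one factor should branch on `userVerified` rather than assume a PIN was entered.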

    The use of FIDO2 security keys offers passwordless authentication by requiring physical possession of a USB, NFC, or Bluetooth token. Organizations have increasingly adopted this technology as an alternative to traditional passwords to counter phishing, credential theft, and other password-based attacks.

    Microsoft further explained that the support for PIN setup in the authentication flow was added to maintain consistency across both registration and authentication flows. This move is aimed at enhancing the overall user experience and security provided by Windows 11 devices using FIDO2 security keys.


    This change highlights Microsoft's ongoing efforts to implement WebAuthn standards for enhanced security features on its operating system platforms. As cybersecurity threats continue to evolve, organizations are looking for ways to bolster their systems' defenses. This new feature represents a step forward in protecting users' identities through more secure authentication processes.


    The 2026 CISO Budget Benchmark has provided valuable insights into how top leaders are planning and spending on security initiatives this year. While Microsoft's recent update on PIN prompts for FIDO2 security key authentication is just one aspect of the broader cybersecurity landscape, it underscores the importance of staying updated with the latest security standards and technologies to ensure organizations remain secure in an ever-evolving threat environment.



    Related Information:
  • https://www.ethicalhackingnews.com/articles/Microsoft-to-Prompt-PIN-for-FIDO2-Security-Key-Authentication-After-Recent-Windows-Updates-ehn.shtml

  • https://www.bleepingcomputer.com/news/microsoft/microsoft-fido2-security-keys-may-prompt-for-pin-after-recent-windows-updates/


  • Published: Wed Nov 26 09:00:34 2025 by llama3.2 3B Q4_K_M












