Microsoft Security Keys May Require PIN After Recent Windows Updates

Microsoft Security Keys May Require PIN After Recent Windows Updates

Posted on By CWS

Microsoft has confirmed that FIDO2 safety keys on Home windows 11 could now immediate customers to arrange a PIN throughout authentication following particular latest updates, aligning with WebAuthn requirements for enhanced person verification.​

The change started with the September 29, 2025, preview replace KB5065789 for OS Builds 26200.6725 and 26100.6725, rolling out step by step to Home windows 11 units.

Deployment accomplished after the November 11, 2025, safety replace KB5068861 for OS Builds 26200.7171 and 26100.7171, or subsequent patches.​

Replace IDRelease DateOS Builds AffectedKB5065789Sept 29, 202526200.6725, 26100.6725 ​KB5068861Nov 11, 202526200.7171, 26100.7171 ​

This impacts sign-ins the place a Relying Social gathering (RP) or Id Supplier (IDP) requests Person Verification set to “Most well-liked” for keys missing a PIN.​

The requirement enforces WebAuthn specs, the place Person Verification (UV) proves person presence through PIN or biometrics. UV ranges embody Discouraged (no PIN wanted), Most well-liked (prompts setup if succesful), and Required. Beforehand, PIN setup occurred solely throughout registration; updates lengthen this to authentication flows for consistency.​

FIDO2 keys allow passwordless authentication through USB, NFC, or Bluetooth, gaining traction in opposition to phishing and credential theft. The shift surprises customers with unregistered PINs, as platforms should now comply by auto-configuring when “most well-liked” is specified.​

Mitigations

RPs or IDPs can keep away from PIN prompts by setting “userVerification” to “discouraged” in PublicKeyCredentialRequestOptions. Microsoft emphasizes this as deliberate compliance, not a bug. Customers ought to test Settings > Accounts > Signal-in choices > Safety Key to handle PINs after the replace.​

Enterprises counting on FIDO2 for MFA face workflow disruptions if unprepared, particularly in passwordless setups. Safety distributors like Yubico word comparable surprising prompts in prior patches.

Whereas bettering adherence to requirements, the change requires config critiques for seamless adoption. No rollback exists, however “discouraged” UV restores prior conduct.

Comply with us on Google Information, LinkedIn, and X for day by day cybersecurity updates. Contact us to function your tales.

Cyber Security News Tags:, , , , , ,

Related Posts

Hackers Replace ‘m’ with ‘rn’ in Microsoft(.)com to Steal Users’ Login Credentials Hackers Replace ‘m’ with ‘rn’ in Microsoft(.)com to Steal Users’ Login Credentials Cyber Security News
Serial Hacker Jailed for Hacking and Defacing Organizations’ Websites Serial Hacker Jailed for Hacking and Defacing Organizations’ Websites Cyber Security News
New Veeam Themed Phishing Attack Using Weaponized Wav File to Attack users New Veeam Themed Phishing Attack Using Weaponized Wav File to Attack users Cyber Security News
Stealthy WordPress Malware Deliver Windows Trojan via PHP Backdoor Stealthy WordPress Malware Deliver Windows Trojan via PHP Backdoor Cyber Security News
CISA Warns of Git Arbitrary File Write Vulnerability Exploited in Attacks CISA Warns of Git Arbitrary File Write Vulnerability Exploited in Attacks Cyber Security News
New Research Uncovers the Alliance Between Qilin, DragonForce and LockBit New Research Uncovers the Alliance Between Qilin, DragonForce and LockBit Cyber Security News