PIN Panic: Microsoft’s Security Keys Get a Surprising New Twist
After a quiet Windows update, users find themselves unexpectedly prompted for PINs - Microsoft’s move to bolster digital defenses may reshape the passwordless future.
Fast Facts
- Windows 11 updates since September 2025 now require PINs with some FIDO2 security keys.
- This change complies with global WebAuthn authentication standards.
- Users may be prompted to create or enter a PIN even if they never set one before.
- Organizations can avoid PIN prompts by changing their WebAuthn configuration.
- FIDO2 keys are widely used to fight phishing and password theft.
The Unexpected PIN Prompt: What Happened?
Picture this: you’re at your desk, USB security key in hand, ready for another passwordless login. But this time, Windows throws you a curveball - a prompt demanding a PIN you never set. This isn’t a bug. It’s a deliberate move by Microsoft, quietly rolled out via recent Windows 11 updates, and it’s catching even seasoned IT pros off guard.
Why the Sudden Change?
Microsoft’s update isn’t just about tightening screws; it’s about harmonizing with WebAuthn - the global standard for secure, passwordless authentication. WebAuthn, short for Web Authentication, sets the rules for how devices prove you are really you, whether via a PIN, a fingerprint, or a physical security key. The new rules say: if your security key can handle PINs, and a website or service “prefers” user verification, Windows must prompt you to set one up - even if you never needed to before.
This shift began with the September 2025 KB5065789 preview update and completed in November. The goal? Consistency and better security - requiring verification not just when you register a key, but every time you use it to log in, if the service asks for it.
Behind the Scenes: Standards and Security Risks
FIDO2 security keys - those small USB, NFC, or Bluetooth tokens - have become the gold standard in the fight against phishing and password theft. They work by making sure you physically possess the device, a bit like needing a key to open a safe. But for years, some organizations skipped PINs, relying on the device alone. Now, with cyberattacks growing more sophisticated and attackers targeting passwordless systems, requiring a PIN adds a second lock on the digital door.
Microsoft is following the letter of the WebAuthn law, but not all organizations are happy. Some fear user confusion, or that extra steps will slow down workflows. Others welcome the change as a necessary hardening against evolving threats. Reports from cybersecurity analysts suggest attacker interest in bypassing hardware keys is rising, especially as more critical infrastructure and high-value targets adopt passwordless logins.
Global Implications and What’s Next
As the tech world pushes toward a passwordless future, these small changes ripple outward. Microsoft’s update could set a precedent, nudging other operating systems and platforms to follow suit. For now, organizations that want to avoid PIN prompts can tweak their settings to “discourage” user verification - but at a potential cost to security.
WIKICROOK
- FIDO2 Security Key: A FIDO2 Security Key is a small device that lets you securely log in to accounts without passwords, using USB, NFC, or Bluetooth.
- PIN (Personal Identification Number): A PIN is a short numeric code used as a security measure to verify identity, often required for accessing bank cards, devices, or online accounts.
- WebAuthn: WebAuthn is a global standard that lets websites securely verify users without passwords, using biometrics, security keys, or device PINs.
- User Verification: User verification is the process of proving your identity - often with a PIN, password, or biometric - to access secure systems or information.
- Relying Party (RP): A Relying Party (RP) is the website or service that relies on an authenticator (such as a FIDO2 key) or an external identity provider to verify users before granting access.