Full Report
Microsoft warned users on Tuesday that FIDO2 security keys may prompt them to enter a PIN when signing in after installing Windows updates released since the September 2025 preview update. [...]
Analysis Summary
# Vulnerability: FIDO2 Security Keys Prompt for PIN After Windows Updates
## CVE Details
- CVE ID: N/A (Microsoft describes this as an intended behavior change introduced by the updates, not a traditional vulnerability.)
- CVSS Score: N/A
- CWE: N/A
## Affected Systems
- Products: Windows 11
- Versions: Version 24H2 or 25H2
- Configurations: Devices that have installed the Windows updates released since the September 2025 preview update (starting with KB5065789). Affects authentications using FIDO2 security keys where the Identity Provider (IDP) or Relying Party (RP) requests `User Verification = Preferred`.
## Vulnerability Description
Microsoft describes this behavior as an intentional change introduced in Windows updates released since the September 2025 preview update (KB5065789). The change aligns Windows with the WebAuthn specification: if an IDP/RP requests User Verification "Preferred" during authentication with a FIDO2 security key that *does not* have a PIN set, the platform (Windows) is now required by the specification to prompt the user to *create* a PIN before sign-in can proceed.
## Exploitation
- Status: Not exploited (This is a change in enforcement logic, not a flaw enabling unauthorized access.)
- Complexity: Low (No attack is needed to trigger the PIN creation/entry prompt; the only prerequisite is using a security key without a PIN against a service requesting `UV=Preferred` after the update.)
- Attack Vector: Adjacent (Relies on the authentication path during sign-in.)
## Impact
- Confidentiality: None (This forces a required security step.)
- Integrity: None (This enforces a required security step.)
- Availability: Low (Users unable or unwilling to set a PIN might be temporarily blocked from signing into services that mandate `UV=Preferred`.)
## Remediation
### Patches
- The behavior results from installing:
  - September 29, 2025: KB5065789 Preview (OS Builds 26200.6725 and 26100.6725) or later updates.
  - November KB5068861 security update.
### Workarounds
- **Configure Identity Provider/Relying Party (RP/IDP):** Organizations can configure their WebAuthn settings to set user verification to `"discouraged"` instead of `"preferred"`. This will prevent the prompt for PIN creation/entry when using security keys without existing PINs.
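The `userVerification` setting and the PIN behavior described in the Vulnerability Description and the workaround above, as an added JavaScript example (not code from the advisory, Microsoft, or this report); the function names, the constructed sample `authenticatorData`, and the handling of the `required` case are assumptions:

```javascript
// Added example, not from the Microsoft advisory or this report. It models the
// WebAuthn pieces the page discusses: the RP's userVerification option, the Windows
// PIN-creation prompt described above, and the RP-side UV-flag check on the assertion.
// authenticatorData layout: rpIdHash (32 bytes) | flags (1 byte) | signCount (4 bytes, big-endian).
const FLAG_UP = 0x01; // user present
const FLAG_UV = 0x04; // user verified (PIN or biometric on the key)

// Options an RP/IDP passes to navigator.credentials.get(). Switching
// userVerification from "preferred" to "discouraged" is the page's workaround.
function buildRequestOptions(challenge, rpId, userVerification) {
  const allowed = ["required", "preferred", "discouraged"];
  if (!allowed.includes(userVerification)) throw new Error("invalid userVerification");
  return { publicKey: { challenge, rpId, timeout: 60000, allowCredentials: [], userVerification } };
}

// Models the behavior described on the page: with "preferred", Windows prompts a
// key that has no PIN to create one; with "discouraged" it does not. The "required"
// branch is an assumption (a key with no PIN cannot satisfy UV without setting one).
function promptsForPinCreation(userVerification, keyHasPin) {
  if (keyHasPin) return false;
  return userVerification === "preferred" || userVerification === "required";
}

// Parse the flags byte and signature counter out of authenticatorData (Uint8Array).
function parseAuthData(authData) {
  if (authData.length < 37) throw new Error("authenticatorData too short");
  const view = new DataView(authData.buffer, authData.byteOffset, authData.byteLength);
  const flags = authData[32];
  return { up: (flags & FLAG_UP) !== 0, uv: (flags & FLAG_UV) !== 0, signCount: view.getUint32(33) };
}

// RP-side assertion check (WebAuthn verification steps): UP must be set; UV must
// be set only when the RP asked for "required". Lowering to "discouraged" means
// many assertions will arrive without UV, so the RP must not treat them as verified.
function evaluateAssertion(authData, userVerification) {
  const { up, uv } = parseAuthData(authData);
  if (!up) return { ok: false, userVerified: false, reason: "UP flag not set" };
  if (userVerification === "required" && !uv) {
    return { ok: false, userVerified: false, reason: "UV required but not performed" };
  }
  return { ok: true, userVerified: uv, reason: uv ? "user verified" : "user present only" };
}
// Constructed sample authenticatorData: zeroed rpIdHash, given flags and counter.
function sampleAuthData(flags, signCount) {
  const buf = new Uint8Array(37);
  buf[32] = flags;
  new DataView(buf.buffer).setUint32(33, signCount);
  return buf;
}
```

Note that with `"discouraged"` the RP loses the UV signal for most sign-ins, so any policy that treats a security-key login as user-verified must be revisited alongside the workaround.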
## Detection
- Indicators of compromise: N/A (No compromise is implied, only operational change.)
- Detection methods and tools: Monitoring authentication logs for FIDO2 passwordless sign-ins where the IDP/RP requests `User Verification = Preferred`, since these are the sign-ins on which the new PIN prompt appears.
## References
- Vendor Advisory: hxxps://support.microsoft.com/en-us/topic/security-keys-might-require-a-pin-after-installing-the-september-2025-windows-preview-update-3847c751-d40f-46e8-9e1f-69933842d858
- Specification: hxxps://www.w3.org/TR/webauthn/#sctn-uvm-extension
- Affected Updates: hxxps://support.microsoft.com/help/5065789, hxxps://support.microsoft.com/help/5068861