Understanding the Technical Shift: Preferred vs. Discouraged
To correctly apply the fix, you must understand *why* the change happened. The WebAuthn specification outlines three primary values for the `userVerification` parameter when making an authentication request:
- `required`: User verification (PIN, biometric) must be performed. If the authenticator cannot satisfy this, the operation fails locally. The resulting credential should always have a UV flag of `true`.
- `preferred` (The Culprit): The RP prefers user verification if the authenticator can do it, but will accept the credential without it. The platform’s job is to try, and the response credential will indicate (via the UV flag) whether verification actually happened (see more on the UV flag below).
- `discouraged`: The RP explicitly signals that user verification is not desired. The authenticator may still verify the user at its discretion, but the platform is instructed to avoid surfacing prompts.
Before the November 2025 updates, Windows seemed to interpret `”preferred”` in a way that often resulted in a simple touch being sufficient, even on an unprovisioned key. Microsoft’s latest updates have tightened this interpretation to be much closer to the specification’s intent: if the platform *can* satisfy the preference (i.e., it has the capability, like a PIN mechanism, and the key hasn’t been provisioned), it now actively tries to do so by offering the setup dialog during authentication
Guidance for Organizations Utilizing Large-Scale FIDO Deployments. Find out more about Setting WebAuthn userVerification to Discouraged guide.
This isn’t just an issue for the small web developer; this is a massive wake-up call for enterprises that have made significant investments in large-scale passwordless infrastructure. For these organizations, the question shifts from “How do I fix this specific error?” to “How do I future-proof my entire authentication architecture?”
The Trade-Off: Frictionless Experience Versus Strong Assurance
The core tension highlighted by this update is the inherent conflict between perfect adherence to a security specification and the requirement for a frictionless, intuitive user experience. The platform vendor (Microsoft, in this case) chose to prioritize the former, interpreting the `”preferred”` flag in a manner that enforces credential provisioning when a service asks for it, aligning with the strictest reading of the underlying standard
Strategic Planning for FIDO Configuration. Find out more about Setting WebAuthn userVerification to Discouraged tips.
For organizations managing a diverse set of services, configuration management becomes paramount. You need a clear matrix mapping the risk profile of each Relying Party to its required `userVerification` setting. Here is a sample framework for decision-making:
| RP/Service Risk Profile | Desired User Experience | Recommended `userVerification` Setting | Implication for Unprovisioned Keys |
|---|---|---|---|
| High Risk (e.g., HR/Finance Systems, Admin Access) | Maximum Assurance | `required` | PIN/Biometric prompt is mandatory; operation fails if not met. |
| Medium Risk (e.g., Standard Employee Access, Email) | Balance of Security & Speed | `preferred` | Windows will now prompt to set/enter PIN if key lacks one (post-November 2025 updates). |
| Low Risk / High Throughput (e.g., Kiosk Access, Monitoring Dashboards) | Fastest Possible Login | `discouraged` | Authentication proceeds with a touch only; no provisioning prompt. |
This isn’t the time to dabble in low-level cryptographic concepts if you don’t have to, but understanding the underlying security implications is key to making the right policy call. For instance, using a security key without a PIN is still vastly superior to a password, as it resists phishing attacks entirely, which is the primary benefit of FIDO2 Security Key Adoption Trends
Forward Trajectory of Passwordless Security Architectures
This incident, while immediately disruptive to login flows, serves as a critical indicator of the industry’s trajectory: a continuous, iterative hardening of standards-based authentication. It signals a future where platform vendors will increasingly interpret ambiguous security requests in favor of *higher* assurance, not simply the path of least resistance.
The Long-Term Outlook for Multi-Factor Authentication Policy Enforcement. Find out more about Setting WebAuthn userVerification to Discouraged strategies.
Looking ahead from late 2025, this event signals that the era of passive security acceptance is over. As FIDO2 and similar technologies become ubiquitous, platform vendors will increasingly implement features that enforce higher levels of user verification, often by default, even if the service request is less than absolute
The Role of the UV Flag in Risk-Based Authentication
For services that choose to stick with `”preferred”`, or for RPs that need to dynamically adjust assurance levels, understanding the UV flag in the *response* is crucial. When an authentication request completes, the returned credential includes a flag indicating whether user verification was actually performed. * If you request `”preferred”` and the user uses a PIN, the flag is `true`. * If you request `”preferred”` and the user just touches the key (as was common before the November updates), the flag is `false`. For sophisticated Implementing Adaptive Authentication Workflows, this `false` flag is an invaluable signal. If a sign-in attempt looks risky based on IP, location, or time of day, but the UV flag returned `false` (meaning only a touch occurred), you have a clear trigger to challenge the user with a secondary factor immediately. If the flag is `true`, you can trust the assertion more heavily. This allows you to leverage the speed of `”preferred”` while still having a built-in, post-authentication risk check.
Actionable Takeaways and Next Steps. Find out more about Setting WebAuthn userVerification to Discouraged overview.
This is not a problem to leave for next quarter’s planning session. The change is live on Windows 11 as of mid-November 2025. Here is what you need to do now:
- Immediate Triage: Identify all services where the current “touch-only” experience is mandatory for user adoption or performance reasons. For these, immediately update the WebAuthn request options to set
userVerification: "discouraged"in the authentication ceremony - Strategic Review: Categorize all other services based on their risk profile using the matrix above. For high-security services, verify that userVerification: “required” is set. Do not leave critical services on the default “preferred” unless you are ready to manage the new PIN-prompting UX on Windows clients.. Find out more about How to stop security key PIN prompt after Microsoft update definition guide.
- Documentation Update: Your internal helpdesk and deployment guides are instantly obsolete. Update all documentation to reflect the new reality: FIDO key setup may happen during authentication on updated Windows clients if
"preferred"is used. - Cross-Platform Testing: Remember that this specific behavior is currently most pronounced on the newest Windows builds. Rigorously test your IdP/RP configurations across macOS and mobile platforms, as their interpretation of `”preferred”` may still differ, creating configuration fragmentation across your estate. For insight into platform differences, explore current WebAuthn Interoperability Challenges
A Note on Security Key Privacy
While we are focused on the usability headache, it’s worth a moment to recall the non-usability security risks. Researchers have previously shown that vulnerabilities exist in how some authenticators handle key handles, potentially allowing attackers to link accounts across services using timing attacks
Conclusion: Embracing Explicitness in Passwordless Security
The November 2025 Windows update didn’t break FIDO2; it forced honesty into the configuration layer. It illuminated the ambiguity of using the default setting (`”preferred”`) when you actually need one of the two extremes: absolute speed (`”discouraged”`) or absolute verification (`”required”`). The industry is moving toward an architecture that values explicit intent over implicit assumptions. If you want to avoid an in-flow PIN setup and prefer tap-only authentication for your lower-risk services, you must explicitly configure it. If you are serious about security, you must explicitly require it. The days of hoping the platform defaults align with your business needs are over. Now is the time to mandate configuration clarity for every passwordless interaction. Have you already switched your configurations? What impact are you seeing on user login times across different operating systems? Let us know your findings in the comments below.
