FIDO2 and PIN prompts

Hi,

Can you confirm if this is expected behaviour and if so, can I change it?

I have a policy set up to allow the use of FIDO2 keys (YubiKeys). When the user first logs into ADSS he is asked to register his key: he enters his PIN, touches the key, and everything works as expected.

The next time he tries to log in to ADSS he enters his username/password and is then prompted to use his key. A Windows prompt is displayed and he picks Security Key; he is then asked to touch the key. He is now logged in.

But why wasn't he asked to enter his PIN?

Next, I enable passwordless authentication under the application MFA settings for the policy this user is in. Now when the user tries to log in to ADSS he is asked to enter his username and to touch the key, meaning that if he loses his key someone could use it to log in without knowing his password or PIN. I know most staff will attach the key to the same lanyard as their staff ID, which contains their full name, so it's an easy guess as to what his username is!

I should mention that the key already contains another passkey for his Entra ID and when I look at the key using YubiKey Authenticator I see his Entra ID and his ADSS passkeys as expected.

Am I just missing a setting somewhere?

Thanks
