diff --git a/src/main/java/net/siegeln/cameleer/saas/config/LogtoStartupConfig.java b/src/main/java/net/siegeln/cameleer/saas/config/LogtoStartupConfig.java
index 5c6b221..88a04b3 100644
--- a/src/main/java/net/siegeln/cameleer/saas/config/LogtoStartupConfig.java
+++ b/src/main/java/net/siegeln/cameleer/saas/config/LogtoStartupConfig.java
@@ -40,14 +40,17 @@ public class LogtoStartupConfig {
 var policy = authPolicyRepository.getPolicy();
 String mfaMode = policy.getMfaMode();
 boolean mfaEnabled = !"off".equals(mfaMode);
+ boolean passkeyEnabled = policy.isPasskeyEnabled();
- if (!mfaEnabled) {
- logtoClient.updateSignInExperience(Map.of( "mfa", Map.of("factors", List.of(), "policy", "UserControlled")));
- return;
+ List factors = new ArrayList<>();
+ if (mfaEnabled) {
+ factors.add("Totp");
+ }
+ if (mfaEnabled || passkeyEnabled) {
+ factors.add("WebAuthn");
+ factors.add("BackupCode");
 }
- List factors = new ArrayList<>(List.of("Totp", "WebAuthn", "BackupCode"));
 String logtoPolicy = "required".equals(mfaMode) ? "Mandatory" : "UserControlled";
 logtoClient.updateSignInExperience(Map.of(
diff --git a/src/main/java/net/siegeln/cameleer/saas/vendor/VendorAuthPolicyController.java b/src/main/java/net/siegeln/cameleer/saas/vendor/VendorAuthPolicyController.java
index 965c358..751c3dd 100644
--- a/src/main/java/net/siegeln/cameleer/saas/vendor/VendorAuthPolicyController.java
+++ b/src/main/java/net/siegeln/cameleer/saas/vendor/VendorAuthPolicyController.java
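Review bot: With `if (mfaEnabled || passkeyEnabled)`, switching passkeys off has no effect once MFA is on: "WebAuthn" is still sent to Logto as a factor, so `policy.isPasskeyEnabled()` only matters while `mfaMode` is "off". If the toggle is meant to govern WebAuthn in every mode, guard it separately, `if (passkeyEnabled) { factors.add("WebAuthn"); }`, and keep "BackupCode" under `if (mfaEnabled || passkeyEnabled)`; if WebAuthn is intended as an MFA factor independent of the toggle, say so in a comment, since the copy of this block in VendorAuthPolicyController.java carries a comment that reads differently. The factor derivation is now duplicated in the VendorAuthPolicyController hunk, so the startup sync and the vendor update can drift and leave Logto enforcing different factors than the stored policy; a single shared helper that maps the policy to its factor list would remove that risk. `List factors` is also a raw type; it should be `List<String> factors = new ArrayList<>();`. The enclosing method starts before and ends after this hunk.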
@@ -73,14 +73,17 @@ public class VendorAuthPolicyController {
 try {
 String mfaMode = policy.getMfaMode();
 boolean mfaEnabled = !"off".equals(mfaMode);
+ boolean passkeyEnabled = policy.isPasskeyEnabled();
- if (!mfaEnabled) {
- logtoClient.updateSignInExperience(Map.of( "mfa", Map.of("factors", List.of(), "policy", "UserControlled")));
- return;
+ List factors = new ArrayList<>();
+ if (mfaEnabled) {
+ factors.add("Totp");
+ }
+ // Passkeys are always available when enabled, regardless of MFA mode
+ if (mfaEnabled || passkeyEnabled) {
+ factors.add("WebAuthn");
+ factors.add("BackupCode");
 }
-
- List factors = new ArrayList<>(List.of("Totp", "WebAuthn", "BackupCode"));
 String logtoPolicy = "required".equals(mfaMode) ? "Mandatory" : "UserControlled";
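Review bot: The new comment `// Passkeys are always available when enabled, regardless of MFA mode` describes only the `passkeyEnabled` half of the condition; because the guard is `mfaEnabled || passkeyEnabled`, "WebAuthn" and "BackupCode" are also added when MFA is on and passkeys are disabled, which the comment does not say. Suggest `// WebAuthn and BackupCode are offered whenever MFA is on; with MFA off they are offered only if passkeys are enabled` so the comment matches the code. The identical block in LogtoStartupConfig.java has no comment at all, so whichever wording is chosen belongs on both copies. The enclosing try block and method start before and end after this hunk.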