diff --git a/README.md b/README.md
index 1f7c6d0..2a6e9e0 100644
--- a/README.md
+++ b/README.md
@@ -8,7 +8,7 @@ Nuxt 4 app with:
- Redis-backed sessions and WebAuthn challenge storage
- Seeded `xiaomai` super-admin account
- Super-admin user creation and password reset flow
-- First-login enforcement: temporary password change plus passkey enrollment
+- First-login enforcement: temporary password change
## Environment
@@ -47,7 +47,7 @@ The backend bootstraps its schema automatically on startup and seeds this initia
- Username: `xiaomai`
- Temporary password: `123456`
-On first login, the user is forced to change that temporary password and register a passkey before accessing the protected area.
+On first login, the user is forced to change that temporary password before accessing the protected area. Passkey enrollment is available from Security, but optional.
## Production
@@ -136,7 +136,8 @@ docker compose -f docker-compose.yml -f docker-compose.dev.yml restart app
- Password login with Redis-backed session cookie
- Passkey login using WebAuthn discoverable credentials
- Super admin creates users with default password `123456`
-- Users must change password and set a passkey after first login
+- Users must change password after first login
+- Users can optionally register a passkey from Security
- Users can change their own password from Security
- Super admin can reset a user's password back to `123456`
diff --git a/app/pages/management/users/index.vue b/app/pages/management/users/index.vue
index 9dfbde6..009838f 100644
--- a/app/pages/management/users/index.vue
+++ b/app/pages/management/users/index.vue
@@ -93,8 +93,8 @@
size="sm"
/>
diff --git a/app/pages/security/index.vue b/app/pages/security/index.vue
index a2c80df..f94c7b1 100644
--- a/app/pages/security/index.vue
+++ b/app/pages/security/index.vue
@@ -59,8 +59,8 @@
diff --git a/shared/auth.ts b/shared/auth.ts
index 04b17e5..58b7fb3 100644
--- a/shared/auth.ts
+++ b/shared/auth.ts
@@ -93,13 +93,13 @@ export interface PasskeySummary {
}
export function needsUserOnboarding(
- user: Pick | null | undefined
+ user: Pick | null | undefined
) {
- return Boolean(user && (user.mustChangePassword || user.needsPasskeySetup))
+ return Boolean(user?.mustChangePassword)
}
export function getDefaultAuthenticatedPath(
- user: Pick
+ user: Pick
) {
if (needsUserOnboarding(user)) {
return '/security'
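Review bot: `needsUserOnboarding` now returns true only for `mustChangePassword`, so a newly created or reset account (default password `123456` according to the README in this commit) is guarded by that single flag until the user changes it. From the visible lines this helper only drives the redirect to `/security` in `getDefaultAuthenticatedPath`, so it is worth confirming that server-side handlers also refuse sessions with `mustChangePassword` set rather than relying on the redirect; that enforcement is not shown in this diff. I would also document the narrowed contract above the function, for example `/** True while the user must still replace a temporary password; passkey enrollment is optional and intentionally not checked. */`. The body of `getDefaultAuthenticatedPath` continues outside the hunk.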