diff --git a/gitea/application.yaml b/gitea/application.yaml
index 08afc4f..92df9ac 100644
--- a/gitea/application.yaml
+++ b/gitea/application.yaml
@@ -171,8 +171,11 @@ spec:
               value: "false"
             - name: GITEA__SECURITY__INSTALL_LOCK
               value: "true"
+              # Disable bypassing (disabled) OIDC account. Password-based app tokens remain enabled.
             - name: GITEA__SERVICE__ENABLE_PASSWORD_SIGNIN_FORM
               value: "false"
+            - name: GITEA__SERVICE__ENABLE_PASSKEY_AUTHENTICATION
+              value: "false"
             - name: GITEA__SERVICE__REGISTER_EMAIL_CONFIRM
               value: "true"
             - name: GITEA__SERVICE__DISABLE_REGISTRATION