diff --git a/src/Core/Auth/UserFeatures/TwoFactorAuth/Implementations/DeleteTwoFactorWebAuthnCredentialCommand.cs b/src/Core/Auth/UserFeatures/TwoFactorAuth/Implementations/DeleteTwoFactorWebAuthnCredentialCommand.cs
index caefef3d9e..426ebc0a31 100644
--- a/src/Core/Auth/UserFeatures/TwoFactorAuth/Implementations/DeleteTwoFactorWebAuthnCredentialCommand.cs
+++ b/src/Core/Auth/UserFeatures/TwoFactorAuth/Implementations/DeleteTwoFactorWebAuthnCredentialCommand.cs
@@ -27,6 +27,9 @@ public class DeleteTwoFactorWebAuthnCredentialCommand : IDeleteTwoFactorWebAuthn
             return false;
         }
 
+        // Do not delete the last registered key credential.
+        // This prevents accidental account lockout (factor enabled, no credentials registered).
+        // To remove the last (or single) registered credential, disable the WebAuthn 2fa provider.
         if (provider.MetaData.Count(k => k.Key.StartsWith("Key")) < 2)
         {
             return false;
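Review bot: The added comment explains the intent of the guard but not why the threshold is `< 2` rather than `< 1`; a reader has to work out that the count still includes the credential about to be deleted, so "last" means "would leave zero afterwards". A second sentence such as `// The count includes the credential being deleted, so fewer than two "Key*" entries means this is the last one.` would make the guard self-explaining, and spelling the provider as "2FA" would match the rest of the comment's casing. On the guarded line itself, `k.Key.StartsWith("Key")` is a culture-sensitive comparison; since metadata keys are machine identifiers, `k.Key.StartsWith("Key", StringComparison.Ordinal)` is the safer form (that line is unchanged context, so this is a follow-up rather than a defect in the commit). The enclosing method starts before and continues after this hunk.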