diff --git a/app/controllers/users/backup_code_setup_controller.rb b/app/controllers/users/backup_code_setup_controller.rb
index d23288b7cb4..67c2f4d2391 100644
--- a/app/controllers/users/backup_code_setup_controller.rb
+++ b/app/controllers/users/backup_code_setup_controller.rb
@@ -112,6 +112,7 @@ def user_opted_remember_device_cookie
   end
 
   def mark_user_as_fully_authenticated
+    user_session[:auth_method] = TwoFactorAuthenticatable::AuthMethod::BACKUP_CODE
     user_session[TwoFactorAuthenticatable::NEED_AUTHENTICATION] = false
     user_session[:authn_at] = Time.zone.now
   end
diff --git a/app/controllers/users/piv_cac_authentication_setup_controller.rb b/app/controllers/users/piv_cac_authentication_setup_controller.rb
index 46097f97fe2..be6e8bc5263 100644
--- a/app/controllers/users/piv_cac_authentication_setup_controller.rb
+++ b/app/controllers/users/piv_cac_authentication_setup_controller.rb
@@ -118,6 +118,7 @@ def user_piv_cac_form
   end
 
   def process_valid_submission
+    mark_user_as_fully_authenticated
     flash[:success] = t('notices.piv_cac_configured')
     save_piv_cac_information(
       subject: user_piv_cac_form.x509_dn,
@@ -131,6 +132,13 @@ def process_valid_submission
     redirect_to next_setup_path || final_path
   end
 
+  def mark_user_as_fully_authenticated
+    user_session[:auth_method] = TwoFactorAuthenticatable::AuthMethod::PIV_CAC
+
+    user_session[TwoFactorAuthenticatable::NEED_AUTHENTICATION] = false
+    user_session[:authn_at] = Time.zone.now
+  end
+
   def track_mfa_method_added
     mfa_user = MfaContext.new(current_user)
     analytics.multi_factor_auth_added_piv_cac(
diff --git a/app/controllers/users/webauthn_setup_controller.rb b/app/controllers/users/webauthn_setup_controller.rb
index ff6b34e64f0..dba77f9450f 100644
--- a/app/controllers/users/webauthn_setup_controller.rb
+++ b/app/controllers/users/webauthn_setup_controller.rb
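Review bot: The new `user_session[:auth_method]` write records BACKUP_CODE for a session in which no backup code was ever verified — this is the setup controller, so the user has only just generated the codes — and nothing on the method says that is deliberate. Presumably whatever reads `:auth_method` downstream (re-authentication checks, what is asserted to a service provider) is meant to treat a just-completed setup like a real backup-code login, so a short comment would stop a later reader from "fixing" it: `# Completing backup-code setup counts as a full MFA step: record the method and clear NEED_AUTHENTICATION so MFA-management pages do not re-prompt.` The spec added in this commit, which adds a phone right after backup-code setup without re-authenticating, is the contract that comment describes.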
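Review bot: `mark_user_as_fully_authenticated` is called before `save_piv_cac_information(...)`, so the session is flagged `auth_method = PIV_CAC` and `NEED_AUTHENTICATION = false` before the credential is persisted; if the save raises or otherwise fails, the session keeps that state with no PIV/CAC on the account. Move the call after the save, immediately before `redirect_to next_setup_path || final_path`, so authentication state only changes once the method is actually configured. The middle of `process_valid_submission` is outside the hunk, so whether the save's result is checked at all is not visible here.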
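Review bot: This is the third copy of `mark_user_as_fully_authenticated` in this commit (the backup-code and WebAuthn setup controllers carry the same two trailing writes), differing only in the `AuthMethod` constant; a single private helper that takes the method, e.g. `mark_user_as_fully_authenticated(auth_method)` living alongside `TwoFactorAuthenticatable::NEED_AUTHENTICATION`, would keep the definition of "fully authenticated" in one place so a later change cannot drift between controllers. The blank line after the `:auth_method` assignment is also absent from the backup-code version. Whether this method sits below `private` is not visible in the hunk; it should, since it mutates authentication state and must not be reachable as a controller action.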
@@ -162,7 +162,7 @@ def process_valid_webauthn(form)
       platform_authenticator: form.platform_authenticator?,
       enabled_mfa_methods_count: mfa_user.enabled_mfa_methods_count,
     )
-    mark_user_as_fully_authenticated
+    mark_user_as_fully_authenticated(form)
     handle_remember_device
     if form.platform_authenticator?
       Funnel::Registration::AddMfa.call(current_user.id, 'webauthn_platform', analytics)
@@ -171,7 +171,6 @@ def process_valid_webauthn(form)
       Funnel::Registration::AddMfa.call(current_user.id, 'webauthn', analytics)
       flash[:success] = t('notices.webauthn_configured')
     end
-    user_session[:auth_method] = 'webauthn'
     redirect_to next_setup_path || after_mfa_setup_path
   end
 
@@ -202,7 +201,13 @@ def process_invalid_webauthn(form)
     render :new
   end
 
-  def mark_user_as_fully_authenticated
+  def mark_user_as_fully_authenticated(form)
+    if form.platform_authenticator?
+      user_session[:auth_method] = TwoFactorAuthenticatable::AuthMethod::WEBAUTHN_PLATFORM
+    else
+      user_session[:auth_method] = TwoFactorAuthenticatable::AuthMethod::WEBAUTHN
+    end
+
     user_session[TwoFactorAuthenticatable::NEED_AUTHENTICATION] = false
     user_session[:authn_at] = Time.zone.now
   end
diff --git a/spec/features/users/sign_up_spec.rb b/spec/features/users/sign_up_spec.rb
index fdb1ad2bf32..f6a55c43fe6 100644
--- a/spec/features/users/sign_up_spec.rb
+++ b/spec/features/users/sign_up_spec.rb
@@ -245,6 +245,18 @@ def clipboard_text
     expect(page).to have_current_path account_path
   end
 
+  it 'allows a user to sign up with PIV/CAC and only verifying once when HSPD12 is requested' do
+    visit_idp_from_oidc_sp_with_hspd12_and_require_piv_cac
+    sign_up_and_set_password
+    set_up_2fa_with_piv_cac
+    skip_second_mfa_prompt
+    click_agree_and_continue
+
+    redirect_uri = URI(current_url)
+
+    expect(redirect_uri.to_s).to start_with('http://localhost:7654/auth/result')
+  end
+
   it 'does not allow PIV/CAC during setup on mobile' do
     allow(BrowserCache).to receive(:parse).and_return(mobile_device)
 
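Review bot: Passing the whole `form` into `mark_user_as_fully_authenticated(form)` only to call one predicate couples a session-state helper to the form object, and the if/else collapses to one selection: `auth_method = form.platform_authenticator? ? TwoFactorAuthenticatable::AuthMethod::WEBAUTHN_PLATFORM : TwoFactorAuthenticatable::AuthMethod::WEBAUTHN` followed by `user_session[:auth_method] = auth_method`. Separately, the removed line in `process_valid_webauthn` stored the bare string `'webauthn'` for both authenticator kinds, so any code elsewhere that compares `:auth_method` against that literal (not visible here) now needs to recognise the new WEBAUTHN_PLATFORM value as well, or platform-authenticator sessions will stop matching.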
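Review bot: The spec's only assertion is that the final redirect starts with `http://localhost:7654/auth/result`, which shows the flow completed but not the "only verifying once" claim in its title — if a second PIV/CAC prompt were shown and a helper happened to satisfy it, the test would still pass. Add an explicit assertion after `skip_second_mfa_prompt` that the current page is the consent page `click_agree_and_continue` acts on rather than the PIV/CAC verification page, so a regression that re-prompts fails at the point it happens. Asserting the redirect carries the authorization `code` parameter, not just a path prefix, would also tighten the check.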
@@ -363,4 +375,14 @@ def clipboard_text
     select_2fa_option('piv_cac')
     expect(page).to_not have_content(t('two_factor_authentication.piv_cac_fallback.question'))
   end
+
+  it 'allows a user to sign up with backup codes and add methods after without reauthentication' do
+    sign_in_user
+    set_up_2fa_with_backup_codes
+    skip_second_mfa_prompt
+
+    expect(page).to have_current_path account_path
+    visit add_phone_path
+    expect(page).to have_current_path add_phone_path
+  end
 end
diff --git a/spec/support/features/session_helper.rb b/spec/support/features/session_helper.rb
index b59b9cceae5..23fd8b0f3a9 100644
--- a/spec/support/features/session_helper.rb
+++ b/spec/support/features/session_helper.rb
@@ -567,6 +567,14 @@ def set_up_2fa_with_authenticator_app
     click_button 'Submit'
   end
 
+  def set_up_2fa_with_backup_codes
+    select_2fa_option('backup_code')
+
+    expect(page).to have_current_path backup_code_setup_path
+
+    click_button 'Continue'
+  end
+
   def register_user_with_piv_cac(email = 'test@test.com')
     confirm_email_and_password(email)
     expect(page).to have_current_path authentication_methods_setup_path
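Review bot: The example is titled "allows a user to sign up with backup codes" but its body starts with `sign_in_user`, not the `sign_up_and_set_password` helper the neighbouring PIV/CAC example uses, so it exercises an existing user adding backup codes rather than the sign-up path the title claims. Either rename it to `it 'allows a signed-in user to set up backup codes and add methods after without reauthentication' do` or switch the first step to the sign-up helper so the title and the covered flow agree. Since the behaviour under test is that `authn_at`/`NEED_AUTHENTICATION` were set at setup time, the sign-up variant is the one the controller change actually targets.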