diff --git a/app/forms/two_factor_options_form.rb b/app/forms/two_factor_options_form.rb
index 6328293f72f..8f0333fa1ab 100644
--- a/app/forms/two_factor_options_form.rb
+++ b/app/forms/two_factor_options_form.rb
@@ -27,7 +27,7 @@ def submit(params)
 private
 def validate_selection_present
- return if !has_no_mfa_or_in_required_flow? || selection.present?
+ return if selection.present? || has_minimum_required_mfa_methods?
 errors.add(:selection, missing_selection_error_message, type: :missing_selection)
 end
@@ -43,10 +43,6 @@ def extra_analytics_attributes
 }
 end
- def in_phishing_resistant_or_piv_cac_required_flow?
- phishing_resistant_required || piv_cac_required
- end
-
 def user_needs_updating?
 (%w[voice sms] & selection).present? &&
 !selection.include?(user.otp_delivery_preference)
@@ -62,8 +58,16 @@ def phone_selected?
 selection.include?('phone') || selection.include?('voice') || selection.include?('sms')
 end
- def has_no_configured_mfa?
- mfa_user.enabled_mfa_methods_count == 0
+ def has_minimum_required_mfa_methods?
+ if piv_cac_required
+ mfa_user.piv_cac_configurations.count > 0
+ elsif mfa_user.webauthn_platform_configurations.any?
+ !platform_auth_only_option?
+ elsif phishing_resistant_required
+ mfa_user.phishing_resistant_configurations.count > 0
+ else
+ mfa_user.enabled_mfa_methods_count > 0
+ end
 end
 def platform_auth_only_option?
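Review bot: In `has_minimum_required_mfa_methods?` the `elsif mfa_user.webauthn_platform_configurations.any?` branch sits above `elsif phishing_resistant_required`, so for a user with any platform authenticator the phishing-resistant requirement is never evaluated and the result is just `!platform_auth_only_option?`. That is correct only if platform authenticators are always counted in `phishing_resistant_configurations`, which this diff does not show. I would record the assumption next to the branch, e.g. `# platform authenticators are phishing-resistant; only the single-method case still needs a selection`, so the ordering can be audited later. The two `.count > 0` checks on configuration collections could also read `.any?` for consistency with the platform branch. `platform_auth_only_option?` only begins at the end of this hunk, and its body continues outside it.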
@@ -71,17 +75,11 @@ def platform_auth_only_option?
 mfa_user.webauthn_platform_configurations.count == 1
 end
- def has_no_mfa_or_in_required_flow?
- has_no_configured_mfa? ||
- in_phishing_resistant_or_piv_cac_required_flow? ||
- platform_auth_only_option?
- end
-
 def missing_selection_error_message
- if has_no_configured_mfa? || in_phishing_resistant_or_piv_cac_required_flow?
- t('errors.two_factor_auth_setup.must_select_option')
- elsif platform_auth_only_option?
+ if platform_auth_only_option?
 t('errors.two_factor_auth_setup.must_select_additional_option')
+ else
+ t('errors.two_factor_auth_setup.must_select_option')
 end
 end
 end
diff --git a/spec/forms/two_factor_options_form_spec.rb b/spec/forms/two_factor_options_form_spec.rb
index 237a6b67870..b2ea6f56876 100644
--- a/spec/forms/two_factor_options_form_spec.rb
+++ b/spec/forms/two_factor_options_form_spec.rb
@@ -133,5 +133,27 @@
 end
 end
 end
+
+ context 'when a user signs up with phishing resistant requirement' do
+ let(:user) { build(:user) }
+ let(:phishing_resistant_required) { true }
+
+ context 'when user did not select an mfa' do
+ let(:mfa_selection) { [] }
+
+ it 'is unsuccessful' do
+ submission = subject.submit(selection: mfa_selection)
+ expect(submission.success?).to eq(false)
+ end
+ end
+
+ context 'when user selects an mfa' do
+ let(:mfa_selection) { ['piv_cac'] }
+ it 'is successful' do
+ submission = subject.submit(selection: mfa_selection)
+ expect(submission.success?).to eq(true)
+ end
+ end
+ end
 end
 end
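Review bot: `missing_selection_error_message` now tests `platform_auth_only_option?` first, so a user in a `piv_cac_required` or `phishing_resistant_required` flow whose only method is a platform authenticator gets `must_select_additional_option`, where the removed code gave the required-flow case precedence and returned `must_select_option`. If that precedence change is intended, a one-line comment such as `# platform-only users always see the "additional option" message, even in required flows` would make it explicit. If it is not intended, the condition could be narrowed to `if platform_auth_only_option? && !piv_cac_required`. The start of `platform_auth_only_option?` lies outside this hunk.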
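Review bot: The new contexts only use `build(:user)`, a user with no configured MFA, so the case this change matters most for is not pinned: a user who already has a non-phishing-resistant method, with `phishing_resistant_required` set and an empty selection. That case should still fail, and a test for it would guard against the branch order in `has_minimum_required_mfa_methods?` letting such a user fall through to the generic `enabled_mfa_methods_count > 0` check. I would add a context with such a user and `let(:mfa_selection) { [] }`, asserting `expect(submission.success?).to eq(false)`. Matching contexts for `piv_cac_required` and for a user whose only method is a platform authenticator would cover the remaining branches. How `phishing_resistant_required` reaches the form under test is set up outside this hunk.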