diff --git a/src/keycloak/chart/templates/secret-kc-realm.yaml b/src/keycloak/chart/templates/secret-kc-realm.yaml
index a8e5a20b3c..b52e6a018e 100644
--- a/src/keycloak/chart/templates/secret-kc-realm.yaml
+++ b/src/keycloak/chart/templates/secret-kc-realm.yaml
@@ -25,4 +25,10 @@ data:
 DENY_USERNAME_PASSWORD_ENABLED: {{ ternary "DISABLED" "REQUIRED" (.Values.realmAuthFlows.USERNAME_PASSWORD_AUTH_ENABLED) | b64enc }}
 RESET_CREDENTIAL_FLOW_ENABLED: {{ ternary "REQUIRED" "DISABLED" (.Values.realmAuthFlows.USERNAME_PASSWORD_AUTH_ENABLED) | b64enc }}
 REGISTRATION_FORM_ENABLED: {{ ternary "REQUIRED" "DISABLED" (or .Values.realmAuthFlows.USERNAME_PASSWORD_AUTH_ENABLED .Values.realmAuthFlows.X509_AUTH_ENABLED) | b64enc }}
- OTP_ENABLED: {{ (and .Values.realmAuthFlows.OTP_ENABLED .Values.realmAuthFlows.USERNAME_PASSWORD_AUTH_ENABLED) | toString | b64enc }}
+ OTP_ENABLED: {{ .Values.realmAuthFlows.OTP_ENABLED | toString | b64enc }}
+ OTP_FLOW_ENABLED: {{ ternary "REQUIRED" "DISABLED" (.Values.realmAuthFlows.OTP_ENABLED) | b64enc}}
+ WEBAUTHN_ENABLED: {{ .Values.realmAuthFlows.WEBAUTHN_ENABLED | toString | b64enc }}
+ WEBAUTHN_FLOW_ENABLED: {{ ternary "REQUIRED" "DISABLED" (.Values.realmAuthFlows.WEBAUTHN_ENABLED) | b64enc }}
+ X509_MFA_ENABLED: {{ .Values.realmAuthFlows.X509_MFA_ENABLED | toString | b64enc }}
+ X509_MFA_FLOW_ENABLED: {{ ternary "REQUIRED" "DISABLED" (.Values.realmAuthFlows.X509_MFA_ENABLED) | b64enc }}
+ MFA_FLOW_ENABLED: {{ ternary "REQUIRED" "DISABLED" (or .Values.realmAuthFlows.OTP_ENABLED .Values.realmAuthFlows.WEBAUTHN_ENABLED) | b64enc }}
diff --git a/src/keycloak/chart/values.yaml b/src/keycloak/chart/values.yaml
index 137a7c7763..7a8927a8c0 100644
--- a/src/keycloak/chart/values.yaml
+++ b/src/keycloak/chart/values.yaml
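Review bot: In src/keycloak/chart/templates/secret-kc-realm.yaml, the last added line derives MFA_FLOW_ENABLED from the `or` of OTP_ENABLED and WEBAUTHN_ENABLED only, so a values file that enables just X509_MFA_ENABLED renders X509_MFA_FLOW_ENABLED as REQUIRED while MFA_FLOW_ENABLED stays DISABLED. How the realm import nests these flows is not visible in this hunk; if the X509 MFA step sits under the MFA flow, that combination would skip the second factor without any render error. Either include the flag, `(or .Values.realmAuthFlows.OTP_ENABLED .Values.realmAuthFlows.WEBAUTHN_ENABLED .Values.realmAuthFlows.X509_MFA_ENABLED)`, or put a comment above the line stating why X509 MFA is deliberately left out. The new OTP_ENABLED line also no longer depends on USERNAME_PASSWORD_AUTH_ENABLED, so a values.schema.json entry or a `fail` guard for unsupported flag combinations would make a misconfiguration visible at render time. The `data:` mapping starts before the hunk.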
@@ -51,6 +51,8 @@ realmAuthFlows:
 X509_AUTH_ENABLED: true
 SOCIAL_AUTH_ENABLED: true
 OTP_ENABLED: true
+ WEBAUTHN_ENABLED: false
+ X509_MFA_ENABLED: false
 # Generates an initial password for first admin user - only use if install is headless
 # (i.e. cannot hit keycloak UI with `zarf connect keycloak`), password should be changed after initial login
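Review bot: The two new defaults, WEBAUTHN_ENABLED and X509_MFA_ENABLED, are added without any comment, although they switch second-factor flows in the realm secret template. A short comment above them would help operators, for example `# MFA options; must be YAML booleans (true/false, unquoted) because the realm secret template passes them to ternary`. It would also be worth stating there which first-factor settings each option is meant to be combined with, since the template in this commit does not enforce any combination. The realmAuthFlows mapping begins before the hunk.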