diff --git a/authentik/stages/authenticator_validate/stage.py b/authentik/stages/authenticator_validate/stage.py
index 72f6e587e..62e39fafc 100644
--- a/authentik/stages/authenticator_validate/stage.py
+++ b/authentik/stages/authenticator_validate/stage.py
@@ -374,9 +374,9 @@ class AuthenticatorValidateStageView(ChallengeStageView):
         # All validation is done by the serializer
         user = self.executor.plan.context.get(PLAN_CONTEXT_PENDING_USER)
         if not user:
-            webauthn_device: WebAuthnDevice = response.data.get("webauthn", None)
-            if not webauthn_device:
-                return self.executor.stage_ok()
+            if not "webauthn" not in response.data:
+                return self.executor.stage_invalid()
+            webauthn_device: WebAuthnDevice = response.device
             self.logger.debug("Set user from user-less flow", user=webauthn_device.user)
             self.executor.plan.context[PLAN_CONTEXT_PENDING_USER] = webauthn_device.user
             self.executor.plan.context[PLAN_CONTEXT_METHOD] = "auth_webauthn_pwl"