diff --git a/lib/auth/grpcserver_test.go b/lib/auth/grpcserver_test.go
index 16be3978acd61..2cdbf936f153c 100644
--- a/lib/auth/grpcserver_test.go
+++ b/lib/auth/grpcserver_test.go
@@ -464,25 +464,6 @@ func TestDeletingLastPasswordlessDevice(t *testing.T) {
 )
 },
 },
- {
- // TODO(Joerger): the user may already be locked out from login if a password
- // is not set and passwordless is disabled. Prevent them from deleting
- // their last passkey to prevent them from being locked out further,
- // in the case of passwordless being re-enabled.
- name: "succeeds when passwordless is off",
- setup: func(t *testing.T, _ string, _ *authclient.Client, _ *TestDevice) {
- authPref, err := authServer.GetAuthPreference(ctx)
- require.NoError(t, err, "GetAuthPreference")
-
- // Turn off passwordless authentication.
- authPref.SetAllowPasswordless(false)
- // Set second factor optional so that the user can delete their last MFA device.
- authPref.SetSecondFactor(constants.SecondFactorOptional)
- _, err = authServer.UpsertAuthPreference(ctx, authPref)
- require.NoError(t, err, "UpsertAuthPreference")
- },
- checkErr: require.NoError,
- },
 {
 name: "OK extra passwordless device",
 setup: func(t *testing.T, username string, userClient *authclient.Client, pwdlessDev *TestDevice) {
@@ -535,7 +516,13 @@ func TestDeletingLastPasswordlessDevice(t *testing.T) {
 err := authServer.UpsertPassword(username, []byte("living on the edge"))
 require.NoError(t, err, "UpsertPassword")
 },
- checkErr: require.Error,
+ checkErr: func(t require.TestingT, err error, _ ...any) {
+ require.ErrorContains(t,
+ err,
+ "cannot delete last passwordless credential for user",
+ "Unexpected error deleting last passwordless device",
+ )
+ },
 },
 {
 name: "NOK other MFAs, but no password set",
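Review bot: The seven-line `checkErr` closure that replaces `checkErr: require.Error,` in the @@ -535 hunk is repeated verbatim twice more in the @@ -544 hunk (the "NOK other MFAs, but no password set" case and the new passwordless-off case), so a change to the server wording would have to be made in three places. A small package-level helper, `func requireLastPasswordlessErr(t require.TestingT, err error, _ ...any) { require.ErrorContains(t, err, "cannot delete last passwordless credential for user", "Unexpected error deleting last passwordless device") }`, used as `checkErr: requireLastPasswordlessErr,` at each site, keeps the three assertions in sync and restores the one-line shape the `require.Error` entries had. Matching on the message substring is a worthwhile tightening over the bare `require.Error`, since it confirms the rejection is the last-passwordless-credential check rather than some unrelated failure, at the cost of coupling the test to that exact text. The `tests` slice and the loop that consumes it begin and end outside this hunk, so the closure type `checkErr` must satisfy is not visible here.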
@@ -544,7 +531,40 @@ func TestDeletingLastPasswordlessDevice(t *testing.T) {
 ctx, userClient, "another-dev", proto.DeviceType_DEVICE_TYPE_TOTP, pwdlessDev, WithTestDeviceClock(clock))
 require.NoError(t, err, "RegisterTestDevice")
 },
- checkErr: require.Error,
+ checkErr: func(t require.TestingT, err error, _ ...any) {
+ require.ErrorContains(t,
+ err,
+ "cannot delete last passwordless credential for user",
+ "Unexpected error deleting last passwordless device",
+ )
+ },
+ },
+ {
+ // TODO(Joerger): the user may already be locked out from login if a password
+ // is not set and passwordless is disabled. Prevent them from deleting
+ // their last passkey to prevent them from being locked out further,
+ // in the case of passwordless being re-enabled.
+ name: "NOK other MFAs, but no password set, passwordless is off",
+ setup: func(t *testing.T, _ string, userClient *authclient.Client, pwdlessDev *TestDevice) {
+ // Register a non-passwordless device without adding a password.
+ _, err := RegisterTestDevice(ctx, userClient, "another-dev", proto.DeviceType_DEVICE_TYPE_TOTP, pwdlessDev, WithTestDeviceClock(clock))
+ require.NoError(t, err, "RegisterTestDevice")
+
+ authPref, err := authServer.GetAuthPreference(ctx)
+ require.NoError(t, err, "GetAuthPreference")
+
+ // Turn off passwordless authentication.
+ authPref.SetAllowPasswordless(false)
+ _, err = authServer.UpsertAuthPreference(ctx, authPref)
+ require.NoError(t, err, "UpsertAuthPreference")
+ },
+ checkErr: func(t require.TestingT, err error, _ ...any) {
+ require.ErrorContains(t,
+ err,
+ "cannot delete last passwordless credential for user",
+ "Unexpected error deleting last passwordless device",
+ )
+ },
 },
 }
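Review bot: The new "NOK other MFAs, but no password set, passwordless is off" case flips the shared auth preference with `authPref.SetAllowPasswordless(false)` and upserts it, and nothing in the hunk restores it; the loop that runs `tests` is outside the hunk, so it may already reset the preference per case, but if it does not, any later case and any other test sharing `authServer` runs with passwordless disabled. Recording the previous value before the `SetAllowPasswordless(false)` call and re-upserting it from a `t.Cleanup` inside `setup` would make the case order-independent rather than relying on it being the last entry in the slice. The TODO(Joerger) comment carried over from the deleted "succeeds when passwordless is off" case appears to describe exactly what this case now asserts (the deletion is refused), so it reads as stale; rewording it as a plain rationale, e.g. `// Passwordless is off and no password is set, so the user may already be unable to log in; refusing to delete the last passkey avoids locking them out further if passwordless is re-enabled.`, keeps the reasoning without implying unfinished work. The `tests` slice this case belongs to starts before the hunk.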