diff --git a/app/controllers/identity_webauthn_credentials_controller.rb b/app/controllers/identity_webauthn_credentials_controller.rb
index af978ef..3bce81f 100644
--- a/app/controllers/identity_webauthn_credentials_controller.rb
+++ b/app/controllers/identity_webauthn_credentials_controller.rb
@@ -1,8 +1,6 @@
 class IdentityWebauthnCredentialsController < ApplicationController
   include WebauthnAuthenticatable
 
-  before_action :require_step_up_for_destroy, only: [ :destroy ]
-
   def index
     @webauthn_credentials = current_identity.webauthn_credentials.order(created_at: :desc)
     render layout: request.headers["HX-Request"] ? "htmx" : false
@@ -69,24 +67,7 @@ class IdentityWebauthnCredentialsController < ApplicationController
   end
 
   def destroy
-    credential = current_identity.webauthn_credentials.find(params[:id])
-    credential.destroy
-
-    consume_step_up!
-
-    flash[:success] = t(".successfully_removed")
-    redirect_to security_path
-  end
-
-  private
-
-  def require_step_up_for_destroy
-    return if current_session.recently_stepped_up?(for_action: "remove_passkey")
-
     session[:pending_destroy_credential_id] = params[:id]
-    redirect_to new_step_up_path(
-      action_type: "remove_passkey",
-      return_to: identity_webauthn_credential_path(params[:id])
-    )
+    redirect_to new_step_up_path(action_type: "remove_passkey")
   end
 end
diff --git a/app/controllers/step_up_controller.rb b/app/controllers/step_up_controller.rb
index 2becaf3..12715b1 100644
--- a/app/controllers/step_up_controller.rb
+++ b/app/controllers/step_up_controller.rb
@@ -174,8 +174,11 @@ class StepUpController < ApplicationController
 
     when "remove_passkey"
       credential_id = session.delete(:pending_destroy_credential_id)
-      if credential_id
-        redirect_to identity_webauthn_credential_path(credential_id), method: :delete
+      credential = current_identity.webauthn_credentials.find_by(id: credential_id) if credential_id
+      if credential
+        credential.destroy
+        consume_step_up!
+        redirect_to security_path, notice: t("identity_webauthn_credentials.successfully_removed")
       else
         redirect_to security_path
       end