diff --git a/README-config.md b/README-config.md
index a57c7399..2ba92b17 100644
--- a/README-config.md
+++ b/README-config.md
@@ -145,7 +145,7 @@ Variable | Description | Required
 `selinuxusermaporder` \| `ipaselinuxusermaporder`| Set ordered list in increasing priority of SELinux users | no
 `selinuxusermapdefault`\| `ipaselinuxusermapdefault` | Set default SELinux user when no match is found in SELinux map rule | no
 `pac_type` \| `ipakrbauthzdata` | set default types of PAC supported for services (choices: `MS-PAC`, `PAD`, `nfs:NONE`). Use `""` to clear this variable. | no
-`user_auth_type` \| `ipauserauthtype` | set default types of supported user authentication (choices: `password`, `radius`, `otp`, `pkinit`, `hardened`, `idp`, `disabled`, `""`). An additional check ensures that only types can be used that are supported by the IPA version. Use `""` to clear this variable. | no
+`user_auth_type` \| `ipauserauthtype` | set default types of supported user authentication (choices: `password`, `radius`, `otp`, `pkinit`, `hardened`, `idp`, `passkey`, `disabled`, `""`). An additional check ensures that only types can be used that are supported by the IPA version. Use `""` to clear this variable. | no
 `domain_resolution_order` \| `ipadomainresolutionorder` | Set list of domains used for short name qualification | no
 `ca_renewal_master_server` \| `ipacarenewalmasterserver`| Renewal master for IPA certificate authority. | no
 `enable_sid` | New users and groups automatically get a SID assigned. Cannot be deactivated once activated. Requires IPA 4.9.8+. (bool) | no
diff --git a/plugins/modules/ipaconfig.py b/plugins/modules/ipaconfig.py
index c80da429..8cd6854d 100644
--- a/plugins/modules/ipaconfig.py
+++ b/plugins/modules/ipaconfig.py
@@ -161,7 +161,7 @@ options:
 type: list
 elements: str
 choices: ["password", "radius", "otp", "pkinit", "hardened", "idp",
- "disabled", ""]
+ "passkey", "disabled", ""]
 aliases: ["ipauserauthtype"]
 ca_renewal_master_server:
 description: Renewal master for IPA certificate authority.
@@ -426,7 +426,7 @@ def main():
 user_auth_type=dict(type="list", elements="str", required=False,
 choices=["password", "radius", "otp", "pkinit", "hardened", "idp",
- "disabled", ""],
+ "passkey", "disabled", ""],
 aliases=["ipauserauthtype"]),
 ca_renewal_master_server=dict(type="str", required=False),
 domain_resolution_order=dict(type="list", elements="str",
diff --git a/tests/config/test_config_empty_string_params.yml b/tests/config/test_config_empty_string_params.yml
index 5329c203..09e0e200 100644
--- a/tests/config/test_config_empty_string_params.yml
+++ b/tests/config/test_config_empty_string_params.yml
@@ -5,6 +5,8 @@
 gather_facts: no
 tasks:
+ - name: Include tasks ../env_freeipa_facts.yml
+ ansible.builtin.include_tasks: ../env_freeipa_facts.yml
 # GET CURRENT CONFIG
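Review bot: The new `"passkey"` entry in the `user_auth_type` choices of the `def main()` hunk is not matched, anywhere in this diff, by the version-support check that the README row ("An additional check ensures that only types can be used that are supported by the IPA version") and the new test task rely on: that test expects a failure whose message contains `'passkey' is not supported` on servers without passkey support, but no hunk here adds such a branch. If the check is a per-type test elsewhere in `main()` it presumably needs a passkey case too; otherwise the argument spec now accepts the value and forwards it to a server that rejects it with a less specific error, and the negative test will not see the expected message. A short comment next to the choices list, `# choices must stay in sync with the per-version support check below`, would keep the two lists from drifting. `main()` continues outside the hunk, so the check may already be there; this should be confirmed before merging.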
@@ -80,6 +82,36 @@
 register: result
 failed_when: result.changed or result.failed
+ - name: Ensure config with user_auth_type passkey
+ ipaconfig:
+ ipaadmin_password: SomeADMINpassword
+ ipaapi_context: "{{ ipa_context | default(omit) }}"
+ user_auth_type:
+ - passkey
+ register: result
+ failed_when: not result.changed or result.failed
+ when: passkey_is_supported
+
+ - name: Ensure config with user_auth_type passkey, again
+ ipaconfig:
+ ipaadmin_password: SomeADMINpassword
+ ipaapi_context: "{{ ipa_context | default(omit) }}"
+ user_auth_type:
+ - passkey
+ register: result
+ failed_when: result.changed or result.failed
+ when: passkey_is_supported
+
+ - name: Check if correct message is given if passkey is not supported.
+ ipaconfig:
+ ipaadmin_password: SomeADMINpassword
+ ipaapi_context: "{{ ipa_context | default(omit) }}"
+ user_auth_type:
+ - passkey
+ register: result
+ failed_when: not result.failed or "'passkey' is not supported" not in result.msg
+ when: not passkey_is_supported
+
 - name: Ensure config with empty user_auth_type
 ipaconfig:
 ipaadmin_password: SomeADMINpassword
@@ -138,6 +170,6 @@
 ipaconfig:
 ipaadmin_password: SomeADMINpassword
 ipaapi_context: "{{ ipa_context | default(omit) }}"
- pac_type: '{{ previousconfig.config.pac_type }}'
- user_auth_type: '{{ previousconfig.config.user_auth_type }}'
- configstring: '{{ previousconfig.config.configstring }}'
+ pac_type: '{{ previousconfig.config.pac_type | default("") }}'
+ user_auth_type: '{{ previousconfig.config.user_auth_type | default("") }}'
+ configstring: '{{ previousconfig.config.configstring | default("") }}'