diff --git a/data/web/json_api.php b/data/web/json_api.php
index 2b257119..c3f8d9fc 100644
--- a/data/web/json_api.php
+++ b/data/web/json_api.php
@@ -437,7 +437,7 @@ if (isset($_GET['query'])) {
           if (isset($_SESSION["mailcow_cc_role"])) {
               // Exclude existing CredentialIds, if any
               $excludeCredentialIds = fido2(array("action" => "get_user_cids"));
-              $createArgs = $WebAuthn->getCreateArgs($_SESSION["mailcow_cc_username"], $_SESSION["mailcow_cc_username"], $_SESSION["mailcow_cc_username"], 30, true, $GLOBALS['FIDO2_UV_FLAG_REGISTER'], $excludeCredentialIds);
+              $createArgs = $WebAuthn->getCreateArgs($_SESSION["mailcow_cc_username"], $_SESSION["mailcow_cc_username"], $_SESSION["mailcow_cc_username"], 30, true, $GLOBALS['FIDO2_UV_FLAG_REGISTER'], null, $excludeCredentialIds);
               print(json_encode($createArgs));
               $_SESSION['challenge'] = $WebAuthn->getChallenge();
               return;
@@ -465,8 +465,6 @@ if (isset($_GET['query'])) {
         // webauthn two factor authentication
         case "webauthn-tfa-registration":
           if (isset($_SESSION["mailcow_cc_role"])) {
-              $excludeCredentialIds = null;
-
               // getCreateArgs($userId, $userName, $userDisplayName, $timeout=20, $requireResidentKey=false, $requireUserVerification=false, $crossPlatformAttachment=null, $excludeCredentialIds=array())
               // cross-platform: true, if type internal is not allowed
               //        false, if only internal is allowed