diff --git a/app/Http/Controllers/Auth/WebAuthnManageController.php b/app/Http/Controllers/Auth/WebAuthnManageController.php
index 56901961..31ef7e3f 100644
--- a/app/Http/Controllers/Auth/WebAuthnManageController.php
+++ b/app/Http/Controllers/Auth/WebAuthnManageController.php
@@ -2,7 +2,6 @@
 namespace App\Http\Controllers\Auth;
-use App\Facades\Settings;
 use App\Http\Controllers\Controller;
 use App\Http\Requests\WebauthnRenameRequest;
 use Illuminate\Http\Request;
@@ -58,8 +57,9 @@ public function delete(Request $request, $credential)
 // no more registered device exists.
 // See #110
 if (blank($user->webAuthnCredentials()->WhereEnabled()->get())) {
- Settings::delete('useWebauthnOnly');
 Log::notice('No Webauthn credential enabled, Webauthn settings reset to default');
+ $request->user()->preferences['useWebauthnOnly'] = false;
+ $request->user()->save();
 }
 Log::info('Security device deleted');
diff --git a/app/Http/Controllers/Auth/WebAuthnRecoveryController.php b/app/Http/Controllers/Auth/WebAuthnRecoveryController.php
index 79f0eaa8..ba6f9e32 100644
--- a/app/Http/Controllers/Auth/WebAuthnRecoveryController.php
+++ b/app/Http/Controllers/Auth/WebAuthnRecoveryController.php
@@ -3,7 +3,6 @@
 namespace App\Http\Controllers\Auth;
 use App\Extensions\WebauthnCredentialBroker;
-use App\Facades\Settings;
 use App\Http\Controllers\Controller;
 use App\Http\Requests\WebauthnRecoveryRequest;
 use Illuminate\Auth\AuthenticationException;
@@ -52,7 +51,8 @@ function ($user) use ($request) {
 if ($this->shouldRevokeAllCredentials($request)) {
 $user->flushCredentials();
 }
- Settings::delete('useWebauthnOnly');
+ $user->preferences['useWebauthnOnly'] = false;
+ $user->save();
 } else {
 throw new AuthenticationException();
 }
diff --git a/tests/Feature/Http/Auth/UserControllerTest.php b/tests/Feature/Http/Auth/UserControllerTest.php
index 5edf73ef..ba905cfc 100644
--- a/tests/Feature/Http/Auth/UserControllerTest.php
+++ b/tests/Feature/Http/Auth/UserControllerTest.php
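Review bot: In WebAuthnManageController::delete() the lock-out safeguard now relies on `$request->user()->preferences['useWebauthnOnly'] = false;` being persisted, and the hunk gives no sign that this is checked. If `preferences` is cast to a plain array on the User model (not visible here), the indexed write is discarded and `save()` stores nothing, so a user with no enabled credential stays restricted to WebAuthn login; the same pattern is in the WebAuthnRecoveryController hunk. `Log::notice(...)` also runs before the write, so the log reports a reset even if the save fails. I would write `$user->preferences['useWebauthnOnly'] = false; $user->save();` on the `$user` already queried above (assuming it is the request's user), log afterwards, and cover the stored value with a feature test. delete() begins and ends outside the hunk.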
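Review bot: In WebAuthnRecoveryController the recovery callback now lowers this account's login requirement with `$user->preferences['useWebauthnOnly'] = false;` but leaves no audit trail in the visible lines, whereas the equivalent reset in WebAuthnManageController::delete() is logged. Because recovery is the path that works without the security device, a line such as `Log::notice('Webauthn-only login disabled by account recovery');` after `$user->save();` would let operators spot unexpected recoveries. This presumes the `Log` facade is imported in this file, which the import hunk does not show. The closure starts before the hunk and its enclosing method ends after it.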
@@ -68,7 +68,10 @@ public function test_update_user_returns_success()
 */
 public function test_update_user_in_demo_mode_returns_unchanged_user()
 {
- Settings::set('isDemoApp', true);
+ Config::set('2fauth.config.isDemoApp', true);
+
+ $name = $this->user->name;
+ $email = $this->user->email;
 $response = $this->actingAs($this->user, 'web-guard')
 ->json('PUT', '/user', [
@@ -78,17 +81,16 @@ public function test_update_user_in_demo_mode_returns_unchanged_user()
 ])
 ->assertOk()
 ->assertExactJson([
- 'name' => $this->user->name,
+ 'name' => $name,
 'id' => $this->user->id,
- 'email' => $this->user->email,
+ 'email' => $email,
 'is_admin' => $this->user->is_admin,
 ]);
 $this->assertDatabaseHas('users', [
- 'name' => $this->user->name,
+ 'name' => $name,
 'id' => $this->user->id,
- 'email' => $this->user->email,
- 'is_admin' => $this->user->is_admin,
+ 'email' => $email,
 ]);
 }
@@ -170,7 +172,6 @@ public function test_delete_user_returns_success()
 public function test_delete_user_in_demo_mode_returns_unauthorized()
 {
 Config::set('2fauth.config.isDemoApp', true);
- Settings::set('isDemoApp', true);
 $response = $this->actingAs($this->user, 'web-guard')
 ->json('DELETE', '/user', [
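Review bot: The second hunk of UserControllerTest drops `'is_admin' => $this->user->is_admin` from `assertDatabaseHas`, so the demo-mode test no longer checks that the stored privilege flag is left untouched by the PUT request. The JSON assertion still compares against `$this->user->is_admin` read after the request; if `$this->user` is the instance the controller mutates (presumably why `$name` and `$email` are now captured up front), that comparison would match whatever value the request managed to set. I would capture `$isAdmin = $this->user->is_admin;` next to `$name` and `$email` and assert it in both places, casting for the database check if a type mismatch was the reason for the removal. The request payload sits between the two hunks and is not visible here.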