diff --git a/src/ctap/config_command.rs b/src/ctap/config_command.rs
index b4c7cc0..c65fc56 100644
--- a/src/ctap/config_command.rs
+++ b/src/ctap/config_command.rs
@@ -18,7 +18,7 @@ use super::pin_protocol_v1::PinProtocolV1;
 use super::response::ResponseData;
 use super::status_code::Ctap2StatusCode;
 use super::storage::PersistentStore;
-use super::{check_pin_uv_auth_protocol, ENFORCE_ALWAYS_UV, ENTERPRISE_ATTESTATION_MODE};
+use super::{check_pin_uv_auth_protocol, ENTERPRISE_ATTESTATION_MODE};
 use alloc::vec;
 /// Processes the subcommand enableEnterpriseAttestation for AuthenticatorConfig.
@@ -37,9 +37,6 @@ fn process_enable_enterprise_attestation(
 fn process_toggle_always_uv(
 persistent_store: &mut PersistentStore,
 ) -> Result {
- if ENFORCE_ALWAYS_UV {
- return Err(Ctap2StatusCode::CTAP2_ERR_OPERATION_DENIED);
- }
 persistent_store.toggle_always_uv()?;
 Ok(ResponseData::AuthenticatorConfig)
 }
@@ -130,6 +127,7 @@ pub fn process_config(
 #[cfg(test)]
 mod test {
 use super::*;
+ use crate::ctap::ENFORCE_ALWAYS_UV;
 use crypto::rng256::ThreadRng256;
 #[test]
diff --git a/src/ctap/mod.rs b/src/ctap/mod.rs
index 85deafe..18b0345 100644
--- a/src/ctap/mod.rs
+++ b/src/ctap/mod.rs
@@ -148,7 +148,7 @@ const DEFAULT_CRED_PROTECT: Option = None;
 // Maximum size stored with the credBlob extension. Must be at least 32.
 const MAX_CRED_BLOB_LENGTH: usize = 32;
 // Enforce the alwaysUv option. With this constant set to true, commands require
-// a PIN to be set up. The command toggleAlwaysUv will fail to disable alwaysUv.
+// a PIN to be set up. alwaysUv can not be disabled by commands.
 pub const ENFORCE_ALWAYS_UV: bool = false;
 // Checks the PIN protocol parameter against all supported versions.
diff --git a/src/ctap/storage.rs b/src/ctap/storage.rs
index a8be6f1..b1aa4ec 100644
--- a/src/ctap/storage.rs
+++ b/src/ctap/storage.rs
@@ -649,7 +649,7 @@ impl PersistentStore {
 /// Enables alwaysUv, when disabled, and vice versa.
 pub fn toggle_always_uv(&mut self) -> Result<(), Ctap2StatusCode> {
 if ENFORCE_ALWAYS_UV {
- return Ok(());
+ return Err(Ctap2StatusCode::CTAP2_ERR_OPERATION_DENIED);
 }
 if self.has_always_uv()? {
 Ok(self.store.remove(key::ALWAYS_UV)?)
@@ -1375,6 +1375,10 @@ mod test {
 if ENFORCE_ALWAYS_UV {
 assert!(persistent_store.has_always_uv().unwrap());
+ assert_eq!(
+ persistent_store.toggle_always_uv(),
+ Err(Ctap2StatusCode::CTAP2_ERR_OPERATION_DENIED)
+ );
 } else {
 assert!(!persistent_store.has_always_uv().unwrap());
 assert_eq!(persistent_store.toggle_always_uv(), Ok(()));
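Review bot: The doc comment on `toggle_always_uv` (hunk at -649 in storage.rs) still says only "Enables alwaysUv, when disabled, and vice versa" and does not mention the failure mode the new `return Err(...)` introduces. I would add `/// Returns CTAP2_ERR_OPERATION_DENIED without touching the store when ENFORCE_ALWAYS_UV is set.` so the policy decision is documented where it is enforced. The method is `pub` and previously returned `Ok(())` in this case, so any caller other than `process_toggle_always_uv` that propagates the result with `?` would now surface the denial; such callers are not visible in this diff and are worth checking. The function body continues past the end of the hunk.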
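Review bot: The added `assert_eq!` in the test hunk at -1375 lives in the `if ENFORCE_ALWAYS_UV` branch, and `src/ctap/mod.rs` in this same diff shows the constant as `false`, so a default test run never executes the denial path this commit changes. Consider running the suite once with the constant set to `true` (or making it a build-time switch) so the enforced configuration is actually exercised. It would also help to assert that the denied call left the setting intact, e.g. `assert!(persistent_store.has_always_uv().unwrap());` directly after the new `assert_eq!`. The test function starts and ends outside the hunk.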