diff --git a/apps/authentication/api/confirm.py b/apps/authentication/api/confirm.py
index 4bd8d2c72..2bb371e48 100644
--- a/apps/authentication/api/confirm.py
+++ b/apps/authentication/api/confirm.py
@@ -4,10 +4,12 @@ import time
 
 from django.utils.translation import gettext_lazy as _
 from rest_framework import status
-from rest_framework.generics import RetrieveAPIView, CreateAPIView
+from rest_framework.decorators import action
+from rest_framework.generics import RetrieveAPIView
 from rest_framework.response import Response
 
 from authentication.permissions import UserConfirmation
+from common.api import JMSGenericViewSet
 from common.permissions import IsValidUser
 from ..const import ConfirmType
 from ..serializers import ConfirmSerializer
@@ -20,10 +22,17 @@ class ConfirmBindORUNBindOAuth(RetrieveAPIView):
         return Response('ok')
 
 
-class ConfirmApi(RetrieveAPIView, CreateAPIView):
+class UserConfirmationViewSet(JMSGenericViewSet):
     permission_classes = (IsValidUser,)
     serializer_class = ConfirmSerializer
 
+    @action(methods=['get'], detail=False)
+    def check(self, request):
+        confirm_type = request.query_params.get('confirm_type', 'password')
+        permission = UserConfirmation.require(confirm_type)()
+        permission.has_permission(request, self)
+        return Response('ok')
+
     def get_confirm_backend(self, confirm_type):
         backend_classes = ConfirmType.get_prop_backends(confirm_type)
         if not backend_classes:
@@ -34,12 +43,12 @@ class ConfirmApi(RetrieveAPIView, CreateAPIView):
                 continue
             return backend
 
-    def retrieve(self, request, *args, **kwargs):
+    def list(self, request, *args, **kwargs):
         confirm_type = request.query_params.get('confirm_type', 'password')
         backend = self.get_confirm_backend(confirm_type)
         if backend is None:
             msg = _('This action require verify your MFA')
-            return Response(data={'error': msg}, status=status.HTTP_404_NOT_FOUND)
+            return Response(data={'error': msg}, status=status.HTTP_400_BAD_REQUEST)
 
         data = {
             'confirm_type': backend.name,
diff --git a/apps/authentication/backends/passkey/api.py b/apps/authentication/backends/passkey/api.py
index 644636dd2..ace882a92 100644
--- a/apps/authentication/backends/passkey/api.py
+++ b/apps/authentication/backends/passkey/api.py
@@ -4,19 +4,30 @@ from django.shortcuts import render
 from django.utils.translation import gettext as _
 from rest_framework.decorators import action
 from rest_framework.permissions import IsAuthenticated, AllowAny
-from rest_framework.viewsets import ModelViewSet
 
 from authentication.mixins import AuthMixin
+from common.api import JMSModelViewSet
 from .fido import register_begin, register_complete, auth_begin, auth_complete
 from .models import Passkey
 from .serializer import PasskeySerializer
+from ...const import ConfirmType
+from ...permissions import UserConfirmation
 from ...views import FlashMessageMixin
 
 
-class PasskeyViewSet(AuthMixin, FlashMessageMixin, ModelViewSet):
+class PasskeyViewSet(AuthMixin, FlashMessageMixin, JMSModelViewSet):
     serializer_class = PasskeySerializer
     permission_classes = (IsAuthenticated,)
 
+    def get_permissions(self):
+        if self.is_swagger_request():
+            return super().get_permissions()
+        if self.action == 'register':
+            self.permission_classes = [
+                IsAuthenticated, UserConfirmation.require(ConfirmType.PASSWORD)
+            ]
+        return super().get_permissions()
+
     def get_queryset(self):
         return Passkey.objects.filter(user=self.request.user)
 
diff --git a/apps/authentication/confirm/relogin.py b/apps/authentication/confirm/relogin.py
index 2b27ef5fe..51e5d33c6 100644
--- a/apps/authentication/confirm/relogin.py
+++ b/apps/authentication/confirm/relogin.py
@@ -15,6 +15,7 @@ class ConfirmReLogin(BaseConfirm):
     display_name = 'Re-Login'
 
     def check(self):
+        return True
         return not self.user.is_password_authenticate()
 
     def authenticate(self, secret_key, mfa_type):
diff --git a/apps/authentication/const.py b/apps/authentication/const.py
index 1e06a4d35..bef4841b6 100644
--- a/apps/authentication/const.py
+++ b/apps/authentication/const.py
@@ -19,6 +19,7 @@ class ConfirmType(TextChoices):
     def get_can_confirm_types(cls, confirm_type):
         start = cls.values.index(confirm_type)
         types = cls.values[start:]
+        types = [tp for tp in types if tp != 'password']
         types.reverse()
         return types
 
diff --git a/apps/authentication/serializers/confirm.py b/apps/authentication/serializers/confirm.py
index 5d747c656..dc7c997a6 100644
--- a/apps/authentication/serializers/confirm.py
+++ b/apps/authentication/serializers/confirm.py
@@ -7,4 +7,4 @@ from ..const import ConfirmType, MFAType
 class ConfirmSerializer(serializers.Serializer):
     confirm_type = serializers.ChoiceField(required=True, allow_blank=True, choices=ConfirmType.choices)
     mfa_type = serializers.ChoiceField(required=False, allow_blank=True, choices=MFAType.choices)
-    secret_key = EncryptedField(allow_blank=True)
+    secret_key = EncryptedField(allow_blank=True, required=False)
diff --git a/apps/authentication/urls/api_urls.py b/apps/authentication/urls/api_urls.py
index 6d40f68e8..e7e561ffd 100644
--- a/apps/authentication/urls/api_urls.py
+++ b/apps/authentication/urls/api_urls.py
@@ -13,6 +13,7 @@ router.register('sso', api.SSOViewSet, 'sso')
 router.register('temp-tokens', api.TempTokenViewSet, 'temp-token')
 router.register('connection-token', api.ConnectionTokenViewSet, 'connection-token')
 router.register('super-connection-token', api.SuperConnectionTokenViewSet, 'super-connection-token')
+router.register('confirm', api.UserConfirmationViewSet, 'confirm')
 
 urlpatterns = [
     path('wecom/qr/unbind/', api.WeComQRUnBindForUserApi.as_view(), name='wecom-qr-unbind'),
@@ -29,7 +30,6 @@ urlpatterns = [
          name='feishu-event-subscription-callback'),
 
     path('auth/', api.TokenCreateApi.as_view(), name='user-auth'),
-    path('confirm/', api.ConfirmApi.as_view(), name='user-confirm'),
     path('confirm-oauth/', api.ConfirmBindORUNBindOAuth.as_view(), name='confirm-oauth'),
     path('tokens/', api.TokenCreateApi.as_view(), name='auth-token'),
     path('mfa/verify/', api.MFAChallengeVerifyApi.as_view(), name='mfa-verify'),
diff --git a/apps/common/exceptions.py b/apps/common/exceptions.py
index a8dfcafbd..0c22d6723 100644
--- a/apps/common/exceptions.py
+++ b/apps/common/exceptions.py
@@ -42,8 +42,11 @@ class ReferencedByOthers(JMSException):
 
 
 class UserConfirmRequired(JMSException):
+    status_code = status.HTTP_412_PRECONDITION_FAILED
+
     def __init__(self, code=None):
         detail = {
+            'type': 'user_confirm_required',
             'code': code,
             'detail': _('This action require confirm current user')
         }