diff --git a/package.json b/package.json
index 56bf2e37..d9f7be12 100644
--- a/package.json
+++ b/package.json
@@ -1,6 +1,6 @@
 {
 "name": "meshcentral",
- "version": "0.4.9-j",
+ "version": "0.4.9-l",
 "keywords": [
 "Remote Management",
 "Intel AMT",
diff --git a/views/login-mobile.handlebars b/views/login-mobile.handlebars
index 3ae96860..dd453949 100644
--- a/views/login-mobile.handlebars
+++ b/views/login-mobile.handlebars
@@ -338,7 +338,7 @@
 publicKeyCredentialRequestOptions = { challenge: hardwareKeyChallenge.challenge, allowCredentials: [], timeout: hardwareKeyChallenge.timeout }
 for (var i = 0; i < hardwareKeyChallenge.keyIds.length; i++) {
 publicKeyCredentialRequestOptions.allowCredentials.push(
- { id: Uint8Array.from(atob(hardwareKeyChallenge.keyIds[i]), function (c) { return c.charCodeAt(0) }), type: 'public-key', transports: ['usb', 'ble', 'nfc'], }
+ { id: Uint8Array.from(atob(hardwareKeyChallenge.keyIds[i]), function (c) { return c.charCodeAt(0) }), type: 'public-key', transports: ['usb', 'ble', 'nfc', 'internal'], }
 );
 }
diff --git a/webserver.js b/webserver.js
index 66019b35..3a8c1f90 100644
--- a/webserver.js
+++ b/webserver.js
@@ -3650,6 +3650,8 @@ module.exports.CreateWebServer = function (parent, db, args, certificates) {
 obj.app.use(function (req, res, next) {
 parent.debug('web', '404 Error ' + req.url);
 var domain = getDomain(req);
+ if ((domain == null) || (domain.auth == 'sspi')) { res.sendStatus(404); return; }
+ if ((domain.loginkey != null) && (domain.loginkey.indexOf(req.query.key) == -1)) { res.sendStatus(404); return; } // Check 3FA URL key
 res.status(404).render(getRenderPage('error404', req), getRenderArgs({}, domain));
 });
 }
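Review bot: The `transports` array on the changed `allowCredentials.push(...)` line is one hard-coded hint applied to every entry in `hardwareKeyChallenge.keyIds`, so each new authenticator class needs a template edit like this one. If the server records the transports the authenticator reported at registration, sending them with each key id and using them here would avoid that; the hunk does not show whether they are stored. At minimum a comment on the line would help, e.g. `// 'internal' lets platform authenticators (built-in fingerprint, face or PIN) be offered for this credential`. Only login-mobile.handlebars is touched, so if the desktop login view builds the same request options it presumably needs the same value. The enclosing block starts and ends outside the hunk.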
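Review bot: The added login-key check in the 404 handler passes `req.query.key` to `domain.loginkey.indexOf(...)` without checking the type of either side, so whether it is an exact match depends on code outside the hunk. If `domain.loginkey` is an array the lookup is exact, but if a configuration leaves it as a plain string, `indexOf` becomes a substring search and an empty `key` parameter matches at position 0. Rejecting non-string keys first keeps the test strict, `if ((domain.loginkey != null) && ((typeof req.query.key != 'string') || (domain.loginkey.indexOf(req.query.key) == -1))) { res.sendStatus(404); return; }`, together with a comment stating that `loginkey` is expected to be an array of strings at this point. The context line `parent.debug('web', '404 Error ' + req.url)` also writes the full URL, key included, to the debug log before the check runs; logging the path without the query string would avoid that. The handler sits inside `CreateWebServer`, whose body extends beyond the hunk.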