diff --git a/src/bio.c b/src/bio.c
index 57db85f5..3d73bf00 100644
--- a/src/bio.c
+++ b/src/bio.c
@@ -57,6 +57,15 @@ bio_prepare_hmac(uint8_t cmd, cbor_item_t **argv, size_t argc,
 	return (ok);
 }
 
+static uint8_t
+bio_get_cmd(const fido_dev_t *dev)
+{
+	if (dev->flags & (FIDO_DEV_BIO_SET|FIDO_DEV_BIO_UNSET))
+		return (CTAP_CBOR_BIO_ENROLL);
+
+	return (CTAP_CBOR_BIO_ENROLL_PRE);
+}
+
 static int
 bio_tx(fido_dev_t *dev, uint8_t subcmd, cbor_item_t **sub_argv, size_t sub_argc,
     const char *pin, const fido_blob_t *token, int *ms)
@@ -66,7 +75,7 @@ bio_tx(fido_dev_t *dev, uint8_t subcmd, cbor_item_t **sub_argv, size_t sub_argc,
 	fido_blob_t	*ecdh = NULL;
 	fido_blob_t	 f;
 	fido_blob_t	 hmac;
-	const uint8_t	 cmd = CTAP_CBOR_BIO_ENROLL_PRE;
+	const uint8_t	 cmd = bio_get_cmd(dev);
 	int		 r = FIDO_ERR_INTERNAL;
 
 	memset(&f, 0, sizeof(f));
diff --git a/src/dev.c b/src/dev.c
index e6f00a65..e9e26e78 100644
--- a/src/dev.c
+++ b/src/dev.c
@@ -58,6 +58,9 @@ fido_dev_set_option_flags(fido_dev_t *dev, const fido_cbor_info_t *info)
 		} else if (strcmp(ptr[i], "pinUvAuthToken") == 0) {
 			if (val[i])
 				dev->flags |= FIDO_DEV_TOKEN_PERMS;
+		} else if (strcmp(ptr[i], "bioEnroll") == 0) {
+			dev->flags |= val[i] ?
+			    FIDO_DEV_BIO_SET : FIDO_DEV_BIO_UNSET;
 		}
 }
 
diff --git a/src/extern.h b/src/extern.h
index dda3267f..f743a516 100644
--- a/src/extern.h
+++ b/src/extern.h
@@ -249,17 +249,19 @@ uint32_t uniform_random(uint32_t);
 #endif
 
 /* internal device capability flags */
-#define FIDO_DEV_PIN_SET	0x001
-#define FIDO_DEV_PIN_UNSET	0x002
-#define FIDO_DEV_CRED_PROT	0x004
-#define FIDO_DEV_CREDMAN	0x008
-#define FIDO_DEV_PIN_PROTOCOL1	0x010
-#define FIDO_DEV_PIN_PROTOCOL2	0x020
-#define FIDO_DEV_UV_SET 	0x040
-#define FIDO_DEV_UV_UNSET	0x080
-#define FIDO_DEV_TOKEN_PERMS	0x100
-#define FIDO_DEV_WINHELLO	0x200
-#define FIDO_DEV_CREDMAN_PRE	0x400
+#define FIDO_DEV_PIN_SET	0x0001
+#define FIDO_DEV_PIN_UNSET	0x0002
+#define FIDO_DEV_CRED_PROT	0x0004
+#define FIDO_DEV_CREDMAN	0x0008
+#define FIDO_DEV_PIN_PROTOCOL1	0x0010
+#define FIDO_DEV_PIN_PROTOCOL2	0x0020
+#define FIDO_DEV_UV_SET 	0x0040
+#define FIDO_DEV_UV_UNSET	0x0080
+#define FIDO_DEV_TOKEN_PERMS	0x0100
+#define FIDO_DEV_WINHELLO	0x0200
+#define FIDO_DEV_CREDMAN_PRE	0x0400
+#define FIDO_DEV_BIO_SET	0x0800
+#define FIDO_DEV_BIO_UNSET	0x1000
 
 /* miscellanea */
 #define FIDO_DUMMY_CLIENTDATA	""
diff --git a/src/fido/param.h b/src/fido/param.h
index b7852bbb..fb66abfd 100644
--- a/src/fido/param.h
+++ b/src/fido/param.h
@@ -53,6 +53,7 @@
 #define CTAP_CBOR_CLIENT_PIN		0x06
 #define CTAP_CBOR_RESET			0x07
 #define CTAP_CBOR_NEXT_ASSERT		0x08
+#define CTAP_CBOR_BIO_ENROLL		0x09
 #define CTAP_CBOR_CRED_MGMT		0x0a
 #define CTAP_CBOR_LARGEBLOB		0x0c
 #define CTAP_CBOR_CONFIG		0x0d
diff --git a/src/pin.c b/src/pin.c
index c6ac6d68..7f7df007 100644
--- a/src/pin.c
+++ b/src/pin.c
@@ -131,6 +131,7 @@ encode_uv_permission(uint8_t cmd)
 	case CTAP_CBOR_ASSERT:
 		return (cbor_build_uint8(CTAP21_UV_TOKEN_PERM_ASSERT));
 	case CTAP_CBOR_BIO_ENROLL_PRE:
+	case CTAP_CBOR_BIO_ENROLL:
 		return (cbor_build_uint8(CTAP21_UV_TOKEN_PERM_BIO));
 	case CTAP_CBOR_CONFIG:
 		return (cbor_build_uint8(CTAP21_UV_TOKEN_PERM_CONFIG));