diff --git a/tf-stage2/keycloak.tf b/tf-stage2/keycloak.tf
index 584122867e96e7b585440b610a81db33d9268edb..c7f2769b092fed6dd67329eb9ddb41bfa7ba8c91 100644
--- a/tf-stage2/keycloak.tf
+++ b/tf-stage2/keycloak.tf
@@ -58,11 +58,12 @@ resource "keycloak_realm" "archlinux" {
   verify_email = true
   login_with_email_allowed = true
   password_policy = "length(8) and notUsername"
-  // TODO: WebAuthn policy
-  // https://github.com/mrparkers/terraform-provider-keycloak/issues/355
-  // "Relying Party Entity Name": "Arch Linux SSO"
-  // "Relying Party ID": "accounts.archlinux.org"
-  // "Signature Algorithms": "ES256, ES384, ES512"
+
+  web_authn_policy {
+    relying_party_entity_name = "Arch Linux SSO"
+    relying_party_id          = "accounts.archlinux.org"
+    signature_algorithms      = ["ES256", "RS256", "ES512"]
+  }
 
   login_theme = "archlinux"
   account_theme = "archlinux"
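Review bot: The `signature_algorithms` list in the new `web_authn_policy` block is `["ES256", "RS256", "ES512"]`, but the removed TODO planned `ES256, ES384, ES512`. ES384 is dropped and RS256 is added, and nothing in the hunk explains why. If RS256 is intentional, presumably for platform authenticators that only offer RSA keys, record that next to the list, e.g. `// RS256 kept for authenticators without ECDSA support`; otherwise restore the ES-only set from the TODO. The block also leaves `user_verification_requirement` and `attestation_conveyance_preference` unset, so the realm takes whatever default the provider or Keycloak applies; setting them explicitly would make the intended second-factor strength reviewable here. The `keycloak_realm` resource starts and ends outside this hunk, so a separate passwordless policy or other settings elsewhere in the block cannot be ruled out.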