diff --git a/initramfs-tools/fido2luks.conf b/initramfs-tools/fido2luks.conf
index fef423b..149758a 100644
--- a/initramfs-tools/fido2luks.conf
+++ b/initramfs-tools/fido2luks.conf
@@ -1,3 +1,5 @@
 FIDO2LUKS_SALT=Ask
 #FIDO2LUKS_PASSWORD_HELPER="/usr/bin/plymouth ask-for-password --prompt 'FIDO2 password salt'"
 FIDO2LUKS_CREDENTIAL_ID=
+FIDO2LUKS_USE_TOKEN=0
+FIDO2LUKS_PASSWORD_FALLBACK=1
diff --git a/initramfs-tools/keyscript.sh b/initramfs-tools/keyscript.sh
index d6c8a02..8b4c14b 100755
--- a/initramfs-tools/keyscript.sh
+++ b/initramfs-tools/keyscript.sh
@@ -2,6 +2,17 @@
 set -a
 . /etc/fido2luks.conf
 
+# Set Defaults
+if [ -z "$FIDO2LUKS_USE_TOKEN" ]; then
+ FIDO2LUKS_USE_TOKEN=0
+fi
+
+if [ -z "$FIDO2LUKS_PASSWORD_FALLBACK" ]; then
+ FIDO2LUKS_PASSWORD_FALLBACK=1
+fi
+
+
+
 if [ -z "$FIDO2LUKS_PASSWORD_HELPER" ]; then
 MSG="FIDO2 password salt for $CRYPTTAB_NAME"
 export FIDO2LUKS_PASSWORD_HELPER="plymouth ask-for-password --prompt '$MSG'"
@@ -12,3 +23,8 @@ if [ "$FIDO2LUKS_USE_TOKEN" -eq 1 ]; then
 fi
 
 fido2luks print-secret --bin
+
+# Fall back to passphrase-based unlock if fido2luks fails
+if [ "$?" -gt 0 ] && [ "$FIDO2LUKS_PASSWORD_FALLBACK" -eq 1 ]; then
+ plymouth ask-for-password --prompt "Password for $CRYPTTAB_SOURCE"
+fi
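Review bot: The two new keys in fido2luks.conf, `FIDO2LUKS_USE_TOKEN=0` and `FIDO2LUKS_PASSWORD_FALLBACK=1`, carry no explanation of what they control, while the existing commented helper line shows the file is meant to be edited by an administrator. Since the fallback key decides whether a failed token unlock degrades to a plain passphrase prompt, that is worth stating next to it, e.g. `# 1 = prompt for a plain passphrase when fido2luks fails; 0 = fail the unlock instead` above `FIDO2LUKS_PASSWORD_FALLBACK=1`, and a similar one-liner above `FIDO2LUKS_USE_TOKEN=0`.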
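Review bot: The two default-setting `if [ -z ... ]` blocks in keyscript.sh can each be a single parameter-expansion line, which is the usual shell idiom and also covers the unset case that `set -a` plus the sourced config otherwise leaves open: `: "${FIDO2LUKS_USE_TOKEN:=0}"` and `: "${FIDO2LUKS_PASSWORD_FALLBACK:=1}"`. Because `set -a` is in effect on the line above, both forms export the variables the same way. The three blank lines left after the second `fi` can go as well.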
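Review bot: When fido2luks fails and `FIDO2LUKS_PASSWORD_FALLBACK` is not 1, the new `if` at the end of keyscript.sh is the last command in the script, so the keyscript now exits 0 with empty key material on stdout instead of propagating fido2luks's non-zero status as it did before this hunk. Whether fido2luks writes anything to stdout before failing is not visible here; if it does, the fallback passphrase is appended to those bytes, so it is worth confirming that `print-secret --bin` produces no output on error. Testing the command directly with `if ! fido2luks print-secret --bin` avoids the fragile `$?` and makes the no-fallback failure path explicit. The fallback also hardcodes `plymouth` while the salt prompt earlier in the file honours `FIDO2LUKS_PASSWORD_HELPER`, so on a system configured without plymouth the fallback would presumably fail in the same way.
```shell
# … unchanged: config sourcing, defaults and helper setup …
if ! fido2luks print-secret --bin; then
  if [ "$FIDO2LUKS_PASSWORD_FALLBACK" -eq 1 ]; then
    # Fall back to passphrase-based unlock if fido2luks fails
    plymouth ask-for-password --prompt "Password for $CRYPTTAB_SOURCE"
  else
    # Preserve the pre-change behaviour: a failed token unlock fails the keyscript
    exit 1
  fi
fi
```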