diff --git a/libs/auth/src/common/services/pin/pin.service.implementation.ts b/libs/auth/src/common/services/pin/pin.service.implementation.ts
index 40a2410bed..57063dc2e1 100644
--- a/libs/auth/src/common/services/pin/pin.service.implementation.ts
+++ b/libs/auth/src/common/services/pin/pin.service.implementation.ts
@@ -38,7 +38,7 @@ const PIN_KEY_ENCRYPTED_USER_KEY = new UserKeyDefinition<EncryptedString>(
   "pinKeyEncryptedUserKey",
   {
     deserializer: (jsonValue) => jsonValue,
-    clearOn: [], // TODO-rr-bw: verify
+    clearOn: ["logout"], // TODO-rr-bw: verify
   },
 );
 
@@ -198,7 +198,7 @@ export class PinService implements PinServiceAbstraction {
 
     const pinKey = await this.makePinKey(
       pin,
-      (await firstValueFrom(this.accountService.activeAccount$))?.email, // TODO-rr-bw: verify (could this possibly be different from the UserId passed in?)
+      (await firstValueFrom(this.accountService.activeAccount$))?.email, // TODO-rr-bw: verify (could this user possibly be different from the UserId passed in?)
       await this.stateService.getKdfType({ userId }),
       await this.stateService.getKdfConfig({ userId }),
     );
@@ -351,7 +351,6 @@ export class PinService implements PinServiceAbstraction {
   ): Promise<UserKey> {
     this.validateUserId(userId, "Cannot decrypt and migrate oldPinKeyEncryptedMasterKey.");
 
-    // Decrypt
     const masterKey = await this.decryptMasterKeyWithPin(
       userId,
       pin,
@@ -368,21 +367,17 @@ export class PinService implements PinServiceAbstraction {
     );
 
     const pinKeyEncryptedUserKey = await this.createPinKeyEncryptedUserKey(pin, userKey, userId);
+    await this.storePinKeyEncryptedUserKey(
+      pinKeyEncryptedUserKey,
+      requireMasterPasswordOnClientRestart,
+      userId,
+    );
+
+    const protectedPin = await this.createProtectedPin(pin, userKey);
+    await this.setProtectedPin(protectedPin.encryptedString, userId);
 
     await this.clearOldPinKeyEncryptedMasterKey(userId);
 
-    if (requireMasterPasswordOnClientRestart) {
-      await this.setPinKeyEncryptedUserKeyEphemeral(pinKeyEncryptedUserKey, userId);
-    } else {
-      await this.setPinKeyEncryptedUserKey(pinKeyEncryptedUserKey, userId);
-
-      // We previously only set the protected pin if MP on Restart was enabled
-      // now we set it regardless
-      // TODO-rr-bw: based on this comment, shouldn't this code be placed outside the if/else block?
-      const protectedPin = await this.encryptService.encrypt(pin, userKey);
-      await this.setProtectedPin(protectedPin.encryptedString, userId);
-    }
-
     // This also clears the old Biometrics key since the new Biometrics key will
     // be created when the user key is set.
     await this.stateService.setCryptoMasterKeyBiometric(null);
diff --git a/libs/common/src/auth/services/webauthn-login/webauthn-login-prf-crypto.service.ts b/libs/common/src/auth/services/webauthn-login/webauthn-login-prf-crypto.service.ts
index 9409196321..29032cd587 100644
--- a/libs/common/src/auth/services/webauthn-login/webauthn-login-prf-crypto.service.ts
+++ b/libs/common/src/auth/services/webauthn-login/webauthn-login-prf-crypto.service.ts
@@ -16,6 +16,7 @@ export class WebAuthnLoginPrfCryptoService implements WebAuthnLoginPrfCryptoServ
     return (await this.stretchKey(new Uint8Array(prf))) as PrfKey;
   }
 
+  // TODO: use keyGenerationService.stretchKey
   private async stretchKey(key: Uint8Array): Promise<SymmetricCryptoKey> {
     const newKey = new Uint8Array(64);
     const encKey = await this.cryptoFunctionService.hkdfExpand(key, "enc", 32, "sha256");
diff --git a/libs/common/src/platform/abstractions/key-generation.service.ts b/libs/common/src/platform/abstractions/key-generation.service.ts
index c5a29d2ffb..6fadcbf772 100644
--- a/libs/common/src/platform/abstractions/key-generation.service.ts
+++ b/libs/common/src/platform/abstractions/key-generation.service.ts
@@ -57,5 +57,10 @@ export abstract class KeyGenerationService {
     kdfConfig: KdfConfig,
   ): Promise<SymmetricCryptoKey>;
 
+  /**
+   * Derives a 64 byte key from a 32 byte key using a key derivation function.
+   * @param key 32 byte key.
+   * @returns 64 byte derived key.
+   */
   abstract stretchKey(key: SymmetricCryptoKey): Promise<SymmetricCryptoKey>;
 }
diff --git a/libs/common/src/platform/services/system.service.ts b/libs/common/src/platform/services/system.service.ts
index 848ec9b367..884f4b1eca 100644
--- a/libs/common/src/platform/services/system.service.ts
+++ b/libs/common/src/platform/services/system.service.ts
@@ -49,11 +49,13 @@ export class SystemService implements SystemServiceAbstraction {
       return;
     }
 
+    // If there is an active user, check if they have a pinKeyEncryptedUserKeyEphemeral. If so, prevent process reload upon lock.
     const userId = (await firstValueFrom(this.accountService.activeAccount$))?.id;
-    // User has set a PIN, with ask for master password on restart, to protect their vault
-    const ephemeralPin = await this.pinService.getPinKeyEncryptedUserKeyEphemeral(userId);
-    if (ephemeralPin != null) {
-      return;
+    if (userId != null) {
+      const ephemeralPin = await this.pinService.getPinKeyEncryptedUserKeyEphemeral(userId);
+      if (ephemeralPin != null) {
+        return;
+      }
     }
 
     this.cancelProcessReload();