diff --git a/internal/api/grpc/admin/org.go b/internal/api/grpc/admin/org.go
index 270fcff892..7e6fb9f6af 100644
--- a/internal/api/grpc/admin/org.go
+++ b/internal/api/grpc/admin/org.go
@@ -2,6 +2,7 @@ package admin
 
 import (
 	"context"
+
 	"github.com/caos/zitadel/internal/api/authz"
 	"github.com/caos/zitadel/internal/api/grpc/object"
 	"github.com/caos/zitadel/internal/domain"
@@ -44,7 +45,7 @@ func (s *Server) SetUpOrg(ctx context.Context, req *admin_pb.SetUpOrgRequest) (*
 
 	human := setUpOrgHumanToDomain(req.User.(*admin_pb.SetUpOrgRequest_Human_).Human) //TODO: handle machine
 	org := setUpOrgOrgToDomain(req.Org)
-	objectDetails, err := s.command.SetUpOrg(ctx, org, human, userIDs)
+	objectDetails, err := s.command.SetUpOrg(ctx, org, human, userIDs, false)
 	if err != nil {
 		return nil, err
 	}
diff --git a/internal/api/grpc/admin/user_converter.go b/internal/api/grpc/admin/user_converter.go
index b2e9a75435..729ec0940b 100644
--- a/internal/api/grpc/admin/user_converter.go
+++ b/internal/api/grpc/admin/user_converter.go
@@ -14,6 +14,7 @@ func setUpOrgHumanToDomain(human *admin_grpc.SetUpOrgRequest_Human) *domain.Huma
 		Profile: setUpOrgHumanProfileToDomain(human.Profile),
 		Email: setUpOrgHumanEmailToDomain(human.Email),
 		Phone: setUpOrgHumanPhoneToDomain(human.Phone),
+		Password: setUpOrgHumanPasswordToDomain(human.Password),
 	}
 }
 
@@ -48,3 +49,10 @@ func setUpOrgHumanPhoneToDomain(phone *admin_grpc.SetUpOrgRequest_Human_Phone) *
 		IsPhoneVerified: phone.IsPhoneVerified,
 	}
 }
+
+func setUpOrgHumanPasswordToDomain(password string) *domain.Password {
+	if password == "" {
+		return nil
+	}
+	return domain.NewPassword(password)
+}
diff --git a/internal/command/org.go b/internal/command/org.go
index 041aca1498..7a4b1ff5f9 100644
--- a/internal/command/org.go
+++ b/internal/command/org.go
@@ -2,6 +2,7 @@ package command
 
 import (
 	"context"
+
 	"github.com/caos/zitadel/internal/domain"
 	caos_errs "github.com/caos/zitadel/internal/errors"
 	"github.com/caos/zitadel/internal/eventstore"
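Review bot: `setUpOrgHumanPasswordToDomain` has no doc comment, and its empty-string-to-nil mapping means an org admin created through the admin API can be submitted with no password at all; whether that is rejected depends on `addHuman`, which is not in this diff and should be confirmed. I would state the contract on the helper: `// setUpOrgHumanPasswordToDomain maps the request password to the domain model; an empty string yields nil (no password). Complexity and "password or IDP" rules are enforced in the command layer, not here.` The new `Password` field carries the initial credential in plaintext through `SetUpOrgRequest`, so if request payloads are logged or traced anywhere on the admin API path, that field needs redacting.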
@@ -30,7 +31,7 @@ func (c *Commands) checkOrgExists(ctx context.Context, orgID string) error {
 	return nil
 }
 
-func (c *Commands) SetUpOrg(ctx context.Context, organisation *domain.Org, admin *domain.Human, claimedUserIDs []string) (*domain.ObjectDetails, error) {
+func (c *Commands) SetUpOrg(ctx context.Context, organisation *domain.Org, admin *domain.Human, claimedUserIDs []string, selfregistered bool) (*domain.ObjectDetails, error) {
 	orgIAMPolicy, err := c.getDefaultOrgIAMPolicy(ctx)
 	if err != nil {
 		return nil, caos_errs.ThrowPreconditionFailed(err, "COMMAND-33M9f", "Errors.IAM.OrgIAMPolicy.NotFound")
@@ -39,7 +40,7 @@ func (c *Commands) SetUpOrg(ctx context.Context, organisation *domain.Org, admin
 	if err != nil {
 		return nil, caos_errs.ThrowPreconditionFailed(err, "COMMAND-M5Fsd", "Errors.IAM.PasswordComplexity.NotFound")
 	}
-	_, orgWriteModel, _, _, events, err := c.setUpOrg(ctx, organisation, admin, orgIAMPolicy, pwPolicy, claimedUserIDs)
+	_, orgWriteModel, _, _, events, err := c.setUpOrg(ctx, organisation, admin, orgIAMPolicy, pwPolicy, claimedUserIDs, selfregistered)
 	if err != nil {
 		return nil, err
 	}
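Review bot: The new `selfregistered bool` parameter on the exported `SetUpOrg` is undocumented and its name breaks Go's MixedCaps convention (`selfRegistered`); as a bare boolean, every call site in this diff reads as `..., userIDs, false)` or `..., userIDs, true)` with nothing to say what is being switched. I would rename it and add a doc comment above the signature, for example `// SetUpOrg creates an organisation with its first admin user. selfRegistered selects the self-registration user flow (registerHuman) for that admin instead of the admin-created flow (addHuman).` It is also worth noting in that comment that the policies applied here are the IAM defaults (`getDefaultOrgIAMPolicy`), since the organisation does not exist yet. `SetUpOrg`'s body continues outside the hunk.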
@@ -161,13 +162,26 @@ func (c *Commands) ReactivateOrg(ctx context.Context, orgID string) (*domain.Obj
 	return writeModelToObjectDetails(&orgWriteModel.WriteModel), nil
 }
 
-func (c *Commands) setUpOrg(ctx context.Context, organisation *domain.Org, admin *domain.Human, loginPolicy *domain.OrgIAMPolicy, pwPolicy *domain.PasswordComplexityPolicy, claimedUserIDs []string) (orgAgg *eventstore.Aggregate, org *OrgWriteModel, human *HumanWriteModel, orgMember *OrgMemberWriteModel, events []eventstore.EventPusher, err error) {
+func (c *Commands) setUpOrg(
+	ctx context.Context,
+	organisation *domain.Org,
+	admin *domain.Human,
+	loginPolicy *domain.OrgIAMPolicy,
+	pwPolicy *domain.PasswordComplexityPolicy,
+	claimedUserIDs []string,
+	selfregistered bool,
+) (orgAgg *eventstore.Aggregate, org *OrgWriteModel, human *HumanWriteModel, orgMember *OrgMemberWriteModel, events []eventstore.EventPusher, err error) {
 	orgAgg, orgWriteModel, addOrgEvents, err := c.addOrg(ctx, organisation, claimedUserIDs)
 	if err != nil {
 		return nil, nil, nil, nil, nil, err
 	}
-	userEvents, human, err := c.addHuman(ctx, orgAgg.ID, admin, loginPolicy, pwPolicy)
+	var userEvents []eventstore.EventPusher
+	if selfregistered {
+		userEvents, human, err = c.registerHuman(ctx, orgAgg.ID, admin, nil, loginPolicy, pwPolicy)
+	} else {
+		userEvents, human, err = c.addHuman(ctx, orgAgg.ID, admin, loginPolicy, pwPolicy)
+	}
 	if err != nil {
 		return nil, nil, nil, nil, nil, err
 	}
diff --git a/internal/command/setup_step1.go b/internal/command/setup_step1.go
index 72da8b2168..e191feafbb 100644
--- a/internal/command/setup_step1.go
+++ b/internal/command/setup_step1.go
@@ -134,7 +134,7 @@ func (c *Commands) SetupStep1(ctx context.Context, step1 *Step1) error {
 				EmailAddress: organisation.Owner.Email,
 				IsEmailVerified: true,
 			},
-		}, orgIAMPolicy, pwPolicy, nil)
+		}, orgIAMPolicy, pwPolicy, nil, false)
 		if err != nil {
 			return err
 		}
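Review bot: The `selfregistered` branch calls `registerHuman` with a nil `externalIDP`, which by the guard visible in `registerHuman` elsewhere in this diff means the admin must carry `Password` and `SecretString` or the whole org setup fails with `Errors.User.Invalid`; the other visible difference from `addHuman` is that `registerHuman` clears `ChangeRequired` when a password is present, so a self-registered admin is not forced to change the password on first login. Neither consequence is stated here, and a reader of `setUpOrg` cannot tell why two user-creation paths exist. I would put that above the branch: `// Self-registered admins chose their own password (registerHuman keeps it without forcing a change and requires one since no IDP is linked); admin-created orgs go through addHuman.` `setUpOrg`'s body continues outside the hunk.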
diff --git a/internal/command/user_human.go b/internal/command/user_human.go
index 9b9be94424..16172f6674 100644
--- a/internal/command/user_human.go
+++ b/internal/command/user_human.go
@@ -2,6 +2,7 @@ package command
 
 import (
 	"context"
+
 	"github.com/caos/zitadel/internal/eventstore"
 
 	"github.com/caos/zitadel/internal/domain"
@@ -116,7 +117,18 @@ func (c *Commands) importHuman(ctx context.Context, orgID string, human *domain.
 }
 
 func (c *Commands) RegisterHuman(ctx context.Context, orgID string, human *domain.Human, externalIDP *domain.ExternalIDP, orgMemberRoles []string) (*domain.Human, error) {
-	userEvents, registeredHuman, err := c.registerHuman(ctx, orgID, human, externalIDP)
+	if orgID == "" || !human.IsValid() || externalIDP == nil && (human.Password == nil || human.SecretString == "") {
+		return nil, caos_errs.ThrowInvalidArgument(nil, "COMMAND-GEdf2", "Errors.User.Invalid")
+	}
+	orgIAMPolicy, err := c.getOrgIAMPolicy(ctx, orgID)
+	if err != nil {
+		return nil, caos_errs.ThrowPreconditionFailed(err, "COMMAND-33M9f", "Errors.Org.OrgIAMPolicy.NotFound")
+	}
+	pwPolicy, err := c.getOrgPasswordComplexityPolicy(ctx, orgID)
+	if err != nil {
+		return nil, caos_errs.ThrowPreconditionFailed(err, "COMMAND-M5Fsd", "Errors.Org.PasswordComplexity.NotFound")
+	}
+	userEvents, registeredHuman, err := c.registerHuman(ctx, orgID, human, externalIDP, orgIAMPolicy, pwPolicy)
 	if err != nil {
 		return nil, err
 	}
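Review bot: The new guard in `RegisterHuman` runs `human.IsValid()` before `registerHuman` gets the chance to default `human.Username` from `human.EmailAddress` (that defaulting, and the identical guard, are visible in the `registerHuman` hunk of this diff), so if `IsValid` requires a username, registrations that relied on the e-mail fallback now fail early with `Errors.User.Invalid`; `IsValid` is outside the diff, so this needs checking. The guard also dereferences `human` with no nil check, whereas `registerHuman` tests `human != nil` first. I would either drop the duplicated guard and let `registerHuman` validate, or move the fallback up: `if human != nil && human.Username == "" {` / `	human.Username = human.EmailAddress` / `}` ahead of the check. Separately, the error IDs `COMMAND-33M9f` and `COMMAND-M5Fsd` are already used by `SetUpOrg` in org.go, so these two sites are indistinguishable in logs; give them fresh IDs. `RegisterHuman`'s body continues outside the hunk.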
@@ -150,21 +162,13 @@ func (c *Commands) RegisterHuman(ctx context.Context, orgID string, human *domai
 	return writeModelToHuman(registeredHuman), nil
 }
 
-func (c *Commands) registerHuman(ctx context.Context, orgID string, human *domain.Human, externalIDP *domain.ExternalIDP) ([]eventstore.EventPusher, *HumanWriteModel, error) {
+func (c *Commands) registerHuman(ctx context.Context, orgID string, human *domain.Human, externalIDP *domain.ExternalIDP, orgIAMPolicy *domain.OrgIAMPolicy, pwPolicy *domain.PasswordComplexityPolicy) ([]eventstore.EventPusher, *HumanWriteModel, error) {
 	if human != nil && human.Username == "" {
 		human.Username = human.EmailAddress
 	}
 	if orgID == "" || !human.IsValid() || externalIDP == nil && (human.Password == nil || human.SecretString == "") {
 		return nil, nil, caos_errs.ThrowInvalidArgument(nil, "COMMAND-9dk45", "Errors.User.Invalid")
 	}
-	orgIAMPolicy, err := c.getOrgIAMPolicy(ctx, orgID)
-	if err != nil {
-		return nil, nil, caos_errs.ThrowPreconditionFailed(err, "COMMAND-33M9f", "Errors.Org.OrgIAMPolicy.NotFound")
-	}
-	pwPolicy, err := c.getOrgPasswordComplexityPolicy(ctx, orgID)
-	if err != nil {
-		return nil, nil, caos_errs.ThrowPreconditionFailed(err, "COMMAND-M5Fsd", "Errors.Org.PasswordComplexity.NotFound")
-	}
 	if human.Password != nil && human.SecretString != "" {
 		human.ChangeRequired = false
 	}
diff --git a/internal/repository/user/human_mfa_otp.go b/internal/repository/user/human_mfa_otp.go
index 6b4e61573a..43d568b807 100644
--- a/internal/repository/user/human_mfa_otp.go
+++ b/internal/repository/user/human_mfa_otp.go
@@ -3,6 +3,7 @@ package user
 import (
 	"context"
 	"encoding/json"
+
 	"github.com/caos/zitadel/internal/eventstore"
 
 	"github.com/caos/zitadel/internal/crypto"
@@ -65,7 +66,7 @@ type HumanOTPVerifiedEvent struct {
 }
 
 func (e *HumanOTPVerifiedEvent) Data() interface{} {
-	return nil
+	return e
 }
 
 func (e *HumanOTPVerifiedEvent) UniqueConstraints() []*eventstore.EventUniqueConstraint {
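Review bot: `registerHuman` now trusts its callers for `orgIAMPolicy` and `pwPolicy` but never checks them for nil; before this change it fetched both itself, so a nil policy was impossible, and the new callers in this diff pass either the org's policies or — from `setUpOrg` — the IAM defaults, which is a subtle difference worth recording. I would add a doc comment: `// registerHuman builds the self-registration events for human. orgIAMPolicy and pwPolicy must be resolved by the caller (org policies, or the IAM defaults during org setup) and must not be nil; an externalIDP of nil requires a password.` If the policies are dereferenced further down (the body continues outside the hunk), a `caos_errs.ThrowPreconditionFailed` on nil would turn a panic into a proper error.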
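Review bot: Switching `HumanOTPVerifiedEvent.Data()` from `nil` to `e` persists every exported field of the event that lacks a `json:"-"` tag, since this file serialises payloads with `encoding/json`; the struct definition sits above the hunk, so I cannot see which fields that covers. Please confirm that the embedded base event is excluded and that nothing secret (the OTP secret lives on the "added" event, so it should not be here, but that needs checking against the struct) ends up in the stored payload. Existing events of this type were stored with a null payload, so whatever reduces this event must still unmarshal both shapes; a one-line comment on `Data()` stating that the payload was empty before this change would help the next reader.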
diff --git a/internal/ui/login/handler/register_org_handler.go b/internal/ui/login/handler/register_org_handler.go
index 68efa17b9b..6cf11384e0 100644
--- a/internal/ui/login/handler/register_org_handler.go
+++ b/internal/ui/login/handler/register_org_handler.go
@@ -65,7 +65,7 @@ func (l *Login) handleRegisterOrgCheck(w http.ResponseWriter, r *http.Request) {
 		l.renderRegisterOrg(w, r, authRequest, data, err)
 		return
 	}
-	_, err = l.command.SetUpOrg(ctx, data.toOrgDomain(), data.toUserDomain(), userIDs)
+	_, err = l.command.SetUpOrg(ctx, data.toOrgDomain(), data.toUserDomain(), userIDs, true)
 	if err != nil {
 		l.renderRegisterOrg(w, r, authRequest, data, err)
 		return
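Review bot: This is the only call site that passes `true`, and the bare literal gives no hint that it selects the self-registration user flow; `_, err = l.command.SetUpOrg(ctx, data.toOrgDomain(), data.toUserDomain(), userIDs, true) // self-registered: admin keeps the password they chose` would make the intent visible. Because this handler is the login UI's registration screen and presumably reachable without authentication, the `true` path means the request body decides the first admin's password with no forced rotation, so it matters that org self-registration is gated by policy somewhere before this call; that gating is outside the hunk and should be confirmed. `handleRegisterOrgCheck`'s body starts and ends outside the hunk.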