diff --git a/src/common/dpp.c b/src/common/dpp.c
index 47817de66..36b1bce30 100644
--- a/src/common/dpp.c
+++ b/src/common/dpp.c
@@ -2841,6 +2841,11 @@ dpp_auth_resp_rx(struct dpp_authentication *auth, const u8 *hdr,
 "Initiator Bootstrapping Key Hash attribute did not match");
 return NULL;
 }
+ } else if (auth->own_bi && auth->own_bi->type == DPP_BOOTSTRAP_PKEX) {
+ /* PKEX bootstrapping mandates use of mutual authentication */
+ dpp_auth_fail(auth,
+ "Missing Initiator Bootstrapping Key Hash attribute");
+ return NULL;
 }
 
 status = dpp_get_attr(attr_start, attr_len, DPP_ATTR_STATUS,
@@ -2859,6 +2864,12 @@ dpp_auth_resp_rx(struct dpp_authentication *auth, const u8 *hdr,
 return NULL;
 }
 
+ if (!i_bootstrap && auth->own_bi) {
+ wpa_printf(MSG_DEBUG,
+ "DPP: Responder decided not to use mutual authentication");
+ auth->own_bi = NULL;
+ }
+
 r_proto = dpp_get_attr(attr_start, attr_len, DPP_ATTR_R_PROTOCOL_KEY,
 &r_proto_len);
 if (!r_proto) {
@@ -3102,6 +3113,12 @@ int dpp_auth_conf_rx(struct dpp_authentication *auth, const u8 *hdr,
 "Initiator Bootstrapping Key Hash mismatch");
 return -1;
 }
+ } else if (auth->own_bi && auth->peer_bi) {
+ /* Mutual authentication and peer did not include its
+ * Bootstrapping Key Hash attribute. */
+ dpp_auth_fail(auth,
+ "Missing Initiator Bootstrapping Key Hash attribute");
+ return -1;
 }
 
 status = dpp_get_attr(attr_start, attr_len, DPP_ATTR_STATUS,
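Review bot: The failure text in the new `else if` branch of dpp_auth_resp_rx is byte-identical to the one added in dpp_auth_conf_rx (third hunk), so a log reader cannot tell a rejected PKEX Authentication Response from a rejected Authentication Confirm. Naming the reason in the string, for example `"Missing Initiator Bootstrapping Key Hash attribute (PKEX requires mutual authentication)"`, would keep the policy visible to whoever triages the failure. Check first whether any test or external tool matches on the current text. The enclosing function starts and ends outside the hunk.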
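Review bot: `auth->own_bi = NULL` is applied as soon as the Initiator Bootstrapping Key Hash attribute is found missing, before the Responder Protocol Key attribute is even fetched on the following line, so the switch from mutual to one-way authentication is driven by a frame that, as far as this hunk shows, has not yet been verified. If a later check in dpp_auth_resp_rx fails and the same `auth` is reused for another Authentication Response (not visible here), the session stays downgraded. Consider recording the decision in a local flag and clearing `own_bi` only once the response has passed its integrity checks, or add a comment stating why clearing it early is safe. The downgrade is also logged only at MSG_DEBUG; `wpa_printf(MSG_INFO, "DPP: Responder decided not to use mutual authentication");` would make it visible in normal logs. The function body continues outside the hunk.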
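Review bot: The new branch in dpp_auth_conf_rx treats `auth->own_bi && auth->peer_bi` as meaning that mutual authentication was used, but nothing in the hunk establishes that both pointers being set implies it. If `peer_bi` can be populated for an exchange in which the Responder answered without mutual authentication, a valid Authentication Confirm would now be rejected. If it cannot, the comment should state the invariant, e.g. `/* own_bi and peer_bi are both set only when this Responder used mutual authentication, so the Initiator must include its Bootstrapping Key Hash */`. The function continues outside the hunk.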