diff --git a/app/main/views/new_password.py b/app/main/views/new_password.py
index 84f5051d8..32d0ae0fd 100644
--- a/app/main/views/new_password.py
+++ b/app/main/views/new_password.py
@@ -8,6 +8,7 @@ from notifications_utils.url_safe_token import check_token
 from app import user_api_client
 from app.main import main
 from app.main.forms import NewPasswordForm
+from app.main.views.two_factor import log_in_user
 
 
 @main.route('/new-password/', methods=['GET', 'POST'])
@@ -29,12 +30,17 @@ def new_password(token):
     form = NewPasswordForm()
 
     if form.validate_on_submit():
-        user_api_client.send_verify_code(user.id, 'sms', user.mobile_number)
         user_api_client.reset_failed_login_count(user.id)
         session['user_details'] = {
             'id': user.id,
             'email': user.email_address,
             'password': form.new_password.data}
-        return redirect(url_for('main.two_factor'))
+        if user.auth_type == 'email_auth':
+            # they've just clicked an email link, so have done an email auth journey anyway. Just log them in.
+            return log_in_user(user.id)
+        else:
+            # send user a 2fa sms code
+            user_api_client.send_verify_code(user.id, 'sms', user.mobile_number)
+            return redirect(url_for('main.two_factor'))
     else:
         return render_template('views/new-password.html', token=token, form=form, user=user)
diff --git a/tests/app/main/views/test_new_password.py b/tests/app/main/views/test_new_password.py
index 6efbeec87..82f12774c 100644
--- a/tests/app/main/views/test_new_password.py
+++ b/tests/app/main/views/test_new_password.py
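Review bot: The `email_auth` branch turns the password-reset link into a direct login: `log_in_user(user.id)` is reached with no second factor, so the reset token's expiry and single-use handling (done by `check_token` and the reset lookup outside this hunk, not visible here) become the only thing between a leaked or replayed link and a full session. That is plausibly intended for email-authenticated users, but the trust assumption should be explicit and the token consumed on success; I would reword the comment to `# email_auth users' second factor IS the reset link they just followed; this is only safe while the reset token is short-lived and invalidated once used.` The `else` branch also sends an SMS for every `auth_type` that is not `'email_auth'`, so an unexpected or future value silently takes the SMS path with whatever `user.mobile_number` holds; if the set of auth types is closed, `elif user.auth_type == 'sms_auth':` with an explicit failure otherwise is safer. The `else:` after a `return` is redundant and can be dropped. The body of `new_password` starts before this hunk.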
@@ -80,3 +80,32 @@ def test_should_redirect_to_forgot_password_with_flash_message_when_token_is_exp
     assert response.status_code == 302
     assert response.location == url_for('.forgot_password', _external=True)
 
+
+
+def test_should_sign_in_when_password_reset_is_successful_for_email_auth(
+    app_,
+    client,
+    mock_get_user,
+    mock_get_user_by_email_request_password_reset,
+    mock_login,
+    mock_send_verify_code,
+    mock_reset_failed_login_count,
+    mock_update_user_password
+):
+    user = mock_get_user_by_email_request_password_reset.return_value
+    user.auth_type = 'email_auth'
+    data = json.dumps({'email': user.email_address, 'created_at': str(datetime.utcnow())})
+    token = generate_token(data, app_.config['SECRET_KEY'], app_.config['DANGEROUS_SALT'])
+
+    response = client.post(url_for('.new_password', token=token), data={'new_password': 'a-new_password'})
+
+    assert response.status_code == 302
+    assert response.location == url_for('.choose_service', _external=True)
+    assert mock_get_user_by_email_request_password_reset.called
+    assert mock_reset_failed_login_count.called
+
+    # the log-in flow makes a couple of calls
+    mock_get_user.assert_called_once_with(user.id)
+    mock_update_user_password.assert_called_once_with(user.id, password='a-new_password')
+
+    assert not mock_send_verify_code.called
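Review bot: The new test pins the `email_auth` path but nothing here guards the reordered SMS path, where `send_verify_code` now runs after `reset_failed_login_count` and only in the `else` branch; unless a sibling test above this hunk already asserts `mock_send_verify_code` is called and the redirect goes to `main.two_factor` for a non-`email_auth` user, add one so that branch cannot regress silently. `mock_login` is requested as a fixture but never asserted, so the test would still pass if the login step were skipped; `assert mock_login.called` (or `assert_called_once_with(...)` if the fixture's target takes the user) would close that gap. Naming the branch under test in the docstring, e.g. `"""email_auth users are logged in straight from the reset link, with no SMS code."""`, would also make the intent of `assert not mock_send_verify_code.called` clear.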