diff --git a/app/models.py b/app/models.py
index dfb70b050..8023f8dd7 100644
--- a/app/models.py
+++ b/app/models.py
@@ -145,6 +145,9 @@ class User(db.Model):
 if self.platform_admin:
 return True
+ if self.auth_type == 'webauthn_auth':
+ return True
+
 return any(
 str(service.organisation_id) == current_app.config['BROADCAST_ORGANISATION_ID'] or str(service.id) == current_app.config['NOTIFY_SERVICE_ID']
diff --git a/tests/app/test_model.py b/tests/app/test_model.py
index 84e59a19a..5924f0a0b 100644
--- a/tests/app/test_model.py
+++ b/tests/app/test_model.py
@@ -344,11 +344,21 @@ def test_template_folder_is_parent(sample_service):
 @pytest.mark.parametrize('is_platform_admin', (False, True))
-def test_user_can_use_webauthn_returns_false(sample_user, is_platform_admin):
+def test_user_can_use_webauthn_if_platform_admin(sample_user, is_platform_admin):
 sample_user.platform_admin = is_platform_admin
 assert sample_user.can_use_webauthn == is_platform_admin
+@pytest.mark.parametrize(('auth_type', 'can_use_webauthn'), [
+ ('email_auth', False),
+ ('sms_auth', False),
+ ('webauthn_auth', True)
+])
+def test_user_can_use_webauthn_if_they_login_with_it(sample_user, auth_type, can_use_webauthn):
+ sample_user.auth_type = auth_type
+ assert sample_user.can_use_webauthn == can_use_webauthn
+
+
 def test_user_can_use_webauthn_if_in_broadcast_org(sample_broadcast_service):
 assert sample_broadcast_service.users[0].can_use_webauthn
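Review bot: The added `if self.auth_type == 'webauthn_auth': return True` branch in the app/models.py hunk has no comment saying why a user's current login method should grant eligibility, and it makes the check self-referential: the property presumably gates who may adopt WebAuthn, yet it now passes for anyone whose `auth_type` already holds that value. That is only sound if every code path that writes `auth_type` checks eligibility before the change and requires a registered credential; those paths are outside this diff, so this is worth confirming. I would add a comment above the branch such as `# Users who already sign in with a security key keep access, so they are not locked out if they stop meeting the criteria below` (adjust it if the intent differs). The property's body starts and ends outside the hunk.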