diff --git a/app/assets/javascripts/discourse/app/controllers/password-reset.js b/app/assets/javascripts/discourse/app/controllers/password-reset.js
index d6787d93a7a..fd3a2f9e7e8 100644
--- a/app/assets/javascripts/discourse/app/controllers/password-reset.js
+++ b/app/assets/javascripts/discourse/app/controllers/password-reset.js
@@ -136,6 +136,10 @@ export default Controller.extend(PasswordValidation, {
     },
 
     authenticateSecurityKey() {
+      this.set(
+        "selectedSecondFactorMethod",
+        SECOND_FACTOR_METHODS.SECURITY_KEY
+      );
       getWebauthnCredential(
         this.model.challenge,
         this.model.allowed_credential_ids,
diff --git a/spec/system/login_spec.rb b/spec/system/login_spec.rb
index 42c1246635d..6c68febeb58 100644
--- a/spec/system/login_spec.rb
+++ b/spec/system/login_spec.rb
@@ -4,7 +4,9 @@ require "rotp"
 
 shared_examples "login scenarios" do
   let(:login_modal) { PageObjects::Modals::Login.new }
+  let(:user_preferences_security_page) { PageObjects::Pages::UserPreferencesSecurity.new }
   fab!(:user) { Fabricate(:user, username: "john", password: "supersecurepassword") }
+  let(:user_menu) { PageObjects::Components::UserMenu.new }
 
   before { Jobs.run_immediately! }
 
@@ -224,6 +226,46 @@ shared_examples "login scenarios" do
       find(".change-password-form .btn-primary").click
       expect(page).to have_css(".header-dropdown-toggle.current-user")
     end
+
+    it "can reset password with a security key" do
+      # testing the 2FA flow requires a user that was created > 5 minutes ago
+      user.created_at = 6.minutes.ago
+      user.save!
+      sign_in(user)
+      options = ::Selenium::WebDriver::VirtualAuthenticatorOptions.new
+      authenticator = page.driver.browser.add_virtual_authenticator(options)
+
+      user_preferences_security_page.visit(user)
+      user_preferences_security_page.visit_second_factor("supersecurepassword")
+
+      find(".security-key .new-security-key").click
+      expect(user_preferences_security_page).to have_css("input#security-key-name")
+
+      find(".d-modal__body input#security-key-name").fill_in(with: "First Key")
+      find(".add-security-key").click
+
+      expect(user_preferences_security_page).to have_css(".security-key .second-factor-item")
+
+      user_menu.sign_out
+
+      # reset password flow
+      login_modal.open
+      login_modal.fill_username("john")
+      login_modal.forgot_password
+      find("button.forgot-password-reset").click
+
+      reset_password_link = wait_for_email_link(user, :reset_password)
+      visit reset_password_link
+
+      find("#security-key .btn-primary").click
+
+      find("#new-account-password").fill_in(with: "newsuperpassword")
+      find(".change-password-form .btn-primary").click
+      expect(page).to have_css(".header-dropdown-toggle.current-user")
+    ensure
+      # clear authenticator (otherwise it will interfere with other tests)
+      authenticator&.remove!
+    end
   end
 end