diff --git a/pwreset.php b/pwreset.php
index 429b43f59f4d3f9477f865528b8ed764a38e5a98..6fb51b48728df6292ca5daddc24586434bca39c6 100644
--- a/pwreset.php
+++ b/pwreset.php
@@ -49,7 +49,14 @@ elseif ($_GET['token']) {
             $acct->confirm();
             // TODO: Log the user in
             if ($client = UserAuthenticationBackend::processSignOn($errors)) {
-                $acct->cancelResetTokens();
+                if ($acct->hasPassword() && !$acct->get('backend')) {
+                    $acct->cancelResetTokens();
+                }
+                // No password setup yet -- force one to be created
+                else {
+                    $_SESSION['_client']['reset-token'] = $_GET['token'];
+                    $acct->forcePasswdReset();
+                }
                 Http::redirect('account.php?confirmed');
             }
         }