diff --git a/src/App/Pages/Accounts/LoginPasswordlessRequestViewModel.cs b/src/App/Pages/Accounts/LoginPasswordlessRequestViewModel.cs index 8d9e116a2..607b8980f 100644 --- a/src/App/Pages/Accounts/LoginPasswordlessRequestViewModel.cs +++ b/src/App/Pages/Accounts/LoginPasswordlessRequestViewModel.cs @@ -221,6 +221,13 @@ namespace Bit.App.Pages var authResult = await _authService.LogInPasswordlessAsync(Email, _requestAccessCode, _requestId, _requestKeyPair.Item2, response.Key, response.MasterPasswordHash); await AppHelpers.ResetInvalidUnlockAttemptsAsync(); + if(authResult == null && await _stateService.IsAuthenticatedAsync()) + { + _syncService.FullSyncAsync(true).FireAndForget(); + LogInSuccessAction?.Invoke(); + return; + } + if (await HandleCaptchaAsync(authResult.CaptchaSiteKey, authResult.CaptchaNeeded, CheckLoginRequestStatus)) { return; @@ -237,7 +244,6 @@ namespace Bit.App.Pages else { _syncService.FullSyncAsync(true).FireAndForget(); - await _deviceTrustCryptoService.TrustDeviceIfNeededAsync(); LogInSuccessAction?.Invoke(); } } @@ -255,6 +261,15 @@ namespace Bit.App.Pages var response = await _authService.PasswordlessCreateLoginRequestAsync(_email, AuthRequestType); if (response != null) { + //TODO TDE if is admin type save to memory to later see if it was approved + /* + const adminAuthReqStorable = new AdminAuthRequestStorable({ + id: reqResponse.id, + privateKey: this.authRequestKeyPair.privateKey, + }); + + await this.stateService.setAdminAuthRequest(adminAuthReqStorable); + */ FingerprintPhrase = response.FingerprintPhrase; _requestId = response.Id; _requestAccessCode = response.RequestAccessCode; diff --git a/src/Core/Services/AuthService.cs b/src/Core/Services/AuthService.cs index 31bcfefea..f86f4494c 100644 --- a/src/Core/Services/AuthService.cs +++ b/src/Core/Services/AuthService.cs 
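Review bot: `authResult` is still dereferenced on the `HandleCaptchaAsync` line when it is null but `_stateService.IsAuthenticatedAsync()` returns false, so that combination ends in a NullReferenceException rather than a visible login error. Test `authResult == null` on its own first and, inside that branch, treat an unauthenticated session as a failure (throw `InvalidOperationException` or route to the existing error handling) before the sync/`LogInSuccessAction` success path. The branch also relies on `LogInPasswordlessAsync` returning null only for the already-authenticated case; a comment such as `// null result: LogInPasswordlessAsync already installed the keys for the active session` would make that coupling visible to the next reader. Minor style: `if(authResult` should be `if (authResult` like the other conditions in the file. The enclosing method starts and ends outside the hunk.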
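Review bot: The block added after `if (response != null)` is TypeScript copied from another client and kept inside a `/* */`, not C#; reduce it to a single TODO and drop the dead code, e.g. `// TODO(TDE): for admin-approval requests, retain the request id and request private key so the approval can be checked later.` The private key named in that TODO is what decrypts the approved key material, so when it is implemented the key should land in the same protected storage the app uses for other key material rather than a plain state entry — presumably, since this hunk does not show where `_requestKeyPair` currently lives. The enclosing method continues outside the hunk.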
@@ -198,12 +198,32 @@ namespace Bit.Core.Services
 return !await _policyService.EvaluateMasterPassword(strength.Value, masterPassword, _masterPasswordPolicy);
 }
 
- public async Task LogInPasswordlessAsync(string email, string accessCode, string authRequestId, byte[] decryptionKey, string userKeyCiphered, string localHashedPasswordCiphered)
+ public async Task LogInPasswordlessAsync(string email, string accessCode, string authRequestId, byte[] decryptionKey, string masterKey, string masterKeyHash)
 {
- var decKey = await _cryptoService.RsaDecryptAsync(userKeyCiphered, decryptionKey);
- var decPasswordHash = await _cryptoService.RsaDecryptAsync(localHashedPasswordCiphered, decryptionKey);
- return await LogInHelperAsync(email, accessCode, Encoding.UTF8.GetString(decPasswordHash), null, null, null, new MasterKey(decKey), null, null,
+ AuthResult response = null;
+ // On SSO flow user is already AuthN
+ if (await this._stateService.IsAuthenticatedAsync())
+ {
+ var decryptedKey = await _cryptoService.RsaDecryptAsync(masterKey, decryptionKey);
+ if (string.IsNullOrEmpty(masterKeyHash))
+ {
+ await _cryptoService.SetUserKeyAsync(new UserKey(decryptedKey));
+ }
+ else
+ {
+ var userKey = await _cryptoService.DecryptUserKeyWithMasterKeyAsync(new MasterKey(decryptedKey));
+ await _cryptoService.SetUserKeyAsync(userKey);
+ }
+ await _deviceTrustCryptoService.TrustDeviceIfNeededAsync();
+ }
+ else
+ {
+ var decKey = await _cryptoService.RsaDecryptAsync(masterKey, decryptionKey);
+ var decKeyHash = await _cryptoService.RsaDecryptAsync(masterKeyHash, decryptionKey);
+ response = await LogInHelperAsync(email, accessCode, Encoding.UTF8.GetString(decKeyHash), null, null, null, new MasterKey(decKey), null, null,
 null, null, authRequestId: authRequestId);
+ }
+ return response;
 }
 
 public async Task LogInSsoAsync(string code, string codeVerifier, string redirectUrl, string orgId)
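Review bot: `masterKey` is decrypted into a `UserKey` when `masterKeyHash` is empty and into a `MasterKey` otherwise, and a null return now means "session already authenticated, keys installed" rather than a failed login; neither the parameter's dual meaning nor the null contract is documented, and LoginPasswordlessRequestViewModel depends on that null to decide success, so a `<summary>`/`<param>`/`<returns>` doc comment on `LogInPasswordlessAsync` should spell both out. The authenticated branch is chosen from the ambient `_stateService.IsAuthenticatedAsync()` state; if that reflects the active account rather than the account `email`/`authRequestId` belong to, an unrelated logged-in account would have its user key replaced, which is worth a check against the account the request was created for or a comment explaining why that cannot happen. Both branches begin with the same `RsaDecryptAsync(masterKey, decryptionKey)` call, which can be hoisted above the `if`, and the else branch passes `masterKeyHash` to `RsaDecryptAsync` without the null/empty guard the other branch has, so reject it explicitly: `if (string.IsNullOrEmpty(masterKeyHash)) { throw new ArgumentException("A master key hash is required when no session is authenticated.", nameof(masterKeyHash)); }`. With the ViewModel's call removed in the same commit, `TrustDeviceIfNeededAsync` now runs only in the authenticated branch; if the non-authenticated device login is meant to skip device trust, say so in a comment so it is not read as an omission. `this._stateService` also departs from the `_stateService` form used on the surrounding lines.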
@@ -474,7 +494,6 @@ namespace Bit.Core.Services _messagingService.Send("accountAdded"); if (_setCryptoKeys) { - if (localHashedPassword != null) { await _cryptoService.SetPasswordHashAsync(localHashedPassword); @@ -506,6 +525,14 @@ namespace Bit.Core.Services await _cryptoService.SetUserKeyAsync(userKey); } + // Login with Device + if (masterKey != null && !string.IsNullOrEmpty(authRequestId)) + { + await _cryptoService.SetMasterKeyAsync(masterKey); + var userKey = await _cryptoService.DecryptUserKeyWithMasterKeyAsync(masterKey); + await _cryptoService.SetUserKeyAsync(userKey); + } + // User doesn't have a key pair yet (old account), let's generate one for them. if (tokenResponse.PrivateKey == null) {
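Review bot: The `// Login with Device` block repeats the decrypt-and-install sequence of the authenticated branch in `LogInPasswordlessAsync` (`DecryptUserKeyWithMasterKeyAsync` followed by `SetUserKeyAsync`); a private helper such as `SetUserKeyFromMasterKeyAsync(MasterKey masterKey)` shared by both call sites would keep the two paths from drifting. The comment should also say why the branch is keyed on `authRequestId`, e.g. `// Login with Device: the approving device supplied the master key, so derive the user key from it instead of from the token response` — hedged, since the token-response key path is outside the hunk. The context lines directly above show another `SetUserKeyAsync(userKey)` in what appears to be the same `_setCryptoKeys` block; if both conditions can hold, this block silently overrides the earlier key and deserves either a guard or a comment stating the intended precedence. The enclosing `LogInHelperAsync` starts and ends outside the hunk.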