diff --git a/api/types/authentication.go b/api/types/authentication.go
index 71cd7767cf3ae..ff69277bc651d 100644
--- a/api/types/authentication.go
+++ b/api/types/authentication.go
@@ -800,7 +800,9 @@ func (d *MFADevice) MarshalJSON() ([]byte, error) {
 }
 
 func (d *MFADevice) UnmarshalJSON(buf []byte) error {
- return jsonpb.Unmarshal(bytes.NewReader(buf), d)
+ unmarshaler := jsonpb.Unmarshaler{AllowUnknownFields: true}
+ err := unmarshaler.Unmarshal(bytes.NewReader(buf), d)
+ return trace.Wrap(err)
 }
 
 // IsSessionMFARequired returns whether this RequireMFAType requires per-session MFA.
diff --git a/api/types/authentication_mfadevice_test.go b/api/types/authentication_mfadevice_test.go
index 239b1b9bba092..0a42729eca51d 100644
--- a/api/types/authentication_mfadevice_test.go
+++ b/api/types/authentication_mfadevice_test.go
@@ -15,9 +15,13 @@
 package types_test
 
 import (
+ "encoding/json"
 "testing"
 "time"
 
+ "github.com/stretchr/testify/require"
+
+ "github.com/gravitational/teleport/api/defaults"
 "github.com/gravitational/teleport/api/types"
 )
 
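Review bot: UnmarshalJSON has no doc comment saying why unknown fields are now accepted, and for an MFA device record that leniency should carry a stated reason. Something like `// UnmarshalJSON decodes d from JSON, ignoring fields this version does not know so that such records still load.` would do, adjusted to the real motivation. The ignored fields are not kept on d, so a record read and then written back by this version will presumably lose them; if that matters for mixed-version deployments it is worth a sentence in the comment or a test. The setting applies to every caller of this method, so it is worth confirming that no path decoding externally supplied JSON relied on strict parsing to reject malformed input.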
@@ -104,3 +108,34 @@ func TestMFADevice_CheckAndSetDefaults(t *testing.T) {
 })
 }
 }
+
+func TestMFADevice_Unmarshal(t *testing.T) {
+ const raw = `{"kind":"mfa_device","version":"v1","metadata":{"Name":"fake","Namespace":"default"},"id":"123","addedAt":"2023-05-01T19:37:20Z","lastUsed":"2023-05-01T19:37:20Z","webauthn":{"credentialId":"bGxhbWE=","publicKeyCbor":"bGxhbWE=","attestationType":"none","aaguid":"bGxhbWE=","attestationObject":"bGxhbWE=","credentialRpId":"llama.com","fakeField":"this-does-exist"}}`
+ var d types.MFADevice
+ require.NoError(t, json.Unmarshal([]byte(raw), &d))
+
+ expectedTime, err := time.Parse(time.RFC3339, "2023-05-01T19:37:20Z")
+ require.NoError(t, err)
+ expected := types.MFADevice{
+ Kind: types.KindMFADevice,
+ Version: types.V1,
+ Id: "123",
+ AddedAt: expectedTime,
+ LastUsed: expectedTime,
+ Metadata: types.Metadata{
+ Name: "fake",
+ Namespace: defaults.Namespace,
+ },
+ Device: &types.MFADevice_Webauthn{
+ Webauthn: &types.WebauthnDevice{
+ CredentialId: []byte("llama"),
+ PublicKeyCbor: []byte("llama"),
+ AttestationType: "none",
+ AttestationObject: []byte("llama"),
+ Aaguid: []byte("llama"),
+ CredentialRpId: "llama.com",
+ },
+ },
+ }
+ require.Equal(t, expected, d)
+}
diff --git a/lib/auth/usertoken.go b/lib/auth/usertoken.go
index 51bb7ae3c0a15..ee47d5bc8a78e 100644
--- a/lib/auth/usertoken.go
+++ b/lib/auth/usertoken.go
@@ -139,11 +139,6 @@ func (s *Server) CreateResetPasswordToken(ctx context.Context, req CreateUserTok
 return nil, trace.BadParameter("invalid reset password token request type")
 }
 
- _, err = s.GetUser(req.Name, false)
- if err != nil {
- return nil, trace.Wrap(err)
- }
-
 _, err = s.ResetPassword(req.Name)
 if err != nil {
 return nil, trace.Wrap(err)
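Review bot: TestMFADevice_Unmarshal covers only one shape of leniency: the single unknown key, `"fakeField"`, sits inside the nested `webauthn` object. A second fixture with an unknown key at the top level of the device (for example a constructed `"futureField":"x"` next to `"id"`) would pin that case as well. A negative case is also missing: a known field with the wrong type, or truncated JSON, should still make `json.Unmarshal` return an error, so that allowing unknown names is not mistaken for accepting malformed records. A table-driven layout like the neighbouring TestMFADevice_CheckAndSetDefaults would keep these cases together.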
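Review bot: With the `s.GetUser(req.Name, false)` lookup removed, nothing visible in this hunk confirms that `req.Name` refers to an existing user before `s.ResetPassword(req.Name)` runs. If ResetPassword performs its own lookup and returns not-found before changing any state, the removal is safe, but that code is outside the hunk and should be confirmed; otherwise a reset token could be issued for a name with no account behind it. Once confirmed, a short comment above the call such as `// ResetPassword returns an error if the user does not exist.` would record the guarantee this function now depends on. A test asserting that a reset-token request for an unknown user is rejected would keep it from regressing. The body of CreateResetPasswordToken starts and ends outside the hunk.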