diff --git a/lib/web/desktop.go b/lib/web/desktop.go
index 726f407824f93..b75025f462a89 100644
--- a/lib/web/desktop.go
+++ b/lib/web/desktop.go
@@ -382,6 +382,9 @@ func (h *Handler) performMFACeremony(
 	promptMFA := mfa.PromptFunc(func(ctx context.Context, chal *proto.MFAAuthenticateChallenge) (*proto.MFAAuthenticateResponse, error) {
 		codec := tdpMFACodec{}
 
+		if chal.WebauthnChallenge == nil {
+			return nil, trace.AccessDenied("Desktop access requires WebAuthn MFA, please register a WebAuthn device to connect")
+		}
 		// Send the challenge over the socket.
 		msg, err := codec.Encode(
 			&client.MFAAuthenticateChallenge{