diff --git a/src/features/auth/login.ts b/src/features/auth/login.ts
index d1e9ca3eb..f0c606b15 100644
--- a/src/features/auth/login.ts
+++ b/src/features/auth/login.ts
@@ -3,6 +3,7 @@ import { errors, sbvrUtils } from '@balena/pinejs';
 import { comparePassword, findUser } from '../../infra/auth/auth.js';
 import { loginUserXHR } from '../../infra/auth/jwt.js';
 import { captureException } from '../../infra/error-handling/index.js';
+import { permissions } from '@balena/pinejs';
 import type { SetupOptions } from '../../index.js';
@@ -23,6 +24,11 @@ export const login =
 if (!user) {
 throw new NotFoundError('User not found.');
 }
+ const userPermissions = await permissions.getUserPermissions(user.id);
+
+ if (!userPermissions.includes('auth.credentials_login')) {
+ throw new BadRequestError('User not allowed to login.');
+ }
 const matches = await comparePassword(password, user.password);
 if (!matches) {
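Review bot: The added `import { permissions } from '@balena/pinejs';` is a second import statement from a module this file already imports from, and it sits in the middle of the relative-path imports. Folding it into the existing statement keeps one import per module: `import { errors, permissions, sbvrUtils } from '@balena/pinejs';`.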
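Review bot: The new `auth.credentials_login` check runs before `comparePassword`, so a caller who does not know the password gets the distinct 'User not allowed to login.' response and learns that the account exists and has credential login disabled. Requests for such accounts also skip the password comparison entirely, which may make them distinguishable by response time. Moving the added block below the `if (!matches) { … }` block (which closes outside this hunk) would evaluate the permission only after the password has been verified; alternatively the refusal could reuse whatever error the mismatch branch throws. Separately, `BadRequestError` reports an authorization refusal as a malformed request, which makes denied logins harder to pick out in logs; pinejs `errors` also provides `ForbiddenError`, though it would have to be added to the destructuring that lives outside this hunk.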