diff --git a/README.md b/README.md
index af6d761e..5869f060 100644
--- a/README.md
+++ b/README.md
@@ -766,6 +766,8 @@ Output:
 The `api_key` is used in all subsequent requests. It's empty if MFA is enabled. If user hasn't enabled MFA, `mfa_key` is empty.
+Return 403 if user has enabled FIDO. The client can display a message to suggest user to use the `API Key` instead.
+
 #### POST /api/auth/mfa
 Input:
diff --git a/app/api/views/auth.py b/app/api/views/auth.py
index 09e2c620..df5ed749 100644
--- a/app/api/views/auth.py
+++ b/app/api/views/auth.py
@@ -55,6 +55,8 @@ def auth_login():
 return jsonify(error="Email or password incorrect"), 400
 elif not user.activated:
 return jsonify(error="Account not activated"), 400
+ elif user.fido_enabled():
+ return jsonify(error="Currently we don't support FIDO on mobile yet"), 403
 return jsonify(**auth_payload(user, device)), 200
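Review bot: The new `elif user.fido_enabled()` branch in the auth.py hunk is reached only after the email/password check on the preceding lines has succeeded, so its 403 confirms to the caller that the submitted credentials are valid even though no key is issued; the existing "Account not activated" branch already behaves this way, so this is not a new oracle, but the branch should sit under the same rate limiting and audit logging as a successful password verification, and I cannot tell from the hunk whether auth_login has either (the function starts and its decorators sit outside the hunk). The server message is also a dead end for the user while the README hunk says the client should suggest an API key; making the error self-describing keeps the two in step, e.g. `return jsonify(error="FIDO is not yet supported on mobile; please use an API Key instead"), 403`. If the distinction matters to clients, a short comment above the branch noting that FIDO users are refused here rather than handed an empty `api_key` like the MFA path would help the next reader, since the surrounding payload logic lives in `auth_payload`, outside this hunk.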