diff --git a/app/controllers/auth/passwords_controller.rb b/app/controllers/auth/passwords_controller.rb
index a990325f9..9a281df16 100644
--- a/app/controllers/auth/passwords_controller.rb
+++ b/app/controllers/auth/passwords_controller.rb
@@ -35,7 +35,7 @@ class Auth::PasswordsController < Devise::PasswordsController
 yield resource if block_given?
 if resource.errors.empty?
- resource.unlock_access! if unlockable?(resource)
+ resource.unlock_access! if resource.respond_to?(:unlock_access!)
 if Devise.sign_in_after_reset_password
 set_flash_message!(:notice, password_update_flash_message)
 resource.after_database_authentication
diff --git a/spec/requests/auth/passwords_controller_spec.rb b/spec/requests/auth/passwords_controller_spec.rb
index 2685e19ab..3c0788cd5 100644
--- a/spec/requests/auth/passwords_controller_spec.rb
+++ b/spec/requests/auth/passwords_controller_spec.rb
@@ -72,6 +72,19 @@ RSpec.describe Auth::PasswordsController, type: :request do
 follow_redirect!
 expect(page).to have_css("p", class: "govuk-notification-banner__heading", text: message)
 end
+
+ context "when the user had been locked out" do
+ let(:user) { create(:user, locked_at: Time.zone.now, failed_attempts: 5) }
+
+ it "after password change, unlocks the user account and signs them in" do
+ put "/account/password", params: update_password_params
+ follow_redirect!
+ user.reload
+ expect(user.locked_at).to be_nil
+ expect(user.failed_attempts).to be 0
+ expect(page).to have_content("Welcome back, #{user.name}")
+ end
+ end
 end
 end
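Review bot: In `app/controllers/auth/passwords_controller.rb`, the new guard `resource.respond_to?(:unlock_access!)` drops the unlock-strategy check that Devise's `unlockable?` helper performs (it also requires `unlock_strategy_enabled?(:email)`), so a successful password reset now clears the lock whatever `unlock_strategy` the model is configured with, including `:time` or `:none`. If that is the intent, say so above the line, e.g. `# Intentionally ignores unlock_strategy: completing a token-based reset is treated as proof of mailbox control.`, so a later Devise upgrade or audit does not read it as an accidental weakening of the lockout. It would also be worth confirming that the reset-request endpoint is throttled, since it now doubles as the unlock path; that is not visible in this hunk. The `update` action starts and ends outside the hunk.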
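Review bot: In `spec/requests/auth/passwords_controller_spec.rb`, the new context only pins the success path; nothing asserts that a locked account stays locked when the reset is rejected. Add a sibling example that submits an invalid reset token (or a mismatched password confirmation) for the same locked user and expects `user.reload.locked_at` to still be set and `failed_attempts` to still be 5. As a style point, `expect(user.failed_attempts).to eq(0)` reads more conventionally than `be 0`, which checks object identity. The enclosing `describe` block starts outside the hunk.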