diff --git a/src/sslengines/engine_pkcs11.c b/src/sslengines/engine_pkcs11.c
index 63082e21..20f4a12d 100644
--- a/src/sslengines/engine_pkcs11.c
+++ b/src/sslengines/engine_pkcs11.c
@@ -330,7 +330,8 @@ EVP_PKEY *pkcs11_load_key(ENGINE * e, const char *s_slot_key_id,
 break;
 if (pin == NULL) {
 pin = (char *) calloc(12, sizeof(char));
- get_pin(ui_method, pin, 12);
+ if (!tok->secureLogin)
+ get_pin(ui_method, pin, 12);
 }
 if (PKCS11_login(slot, 0, pin)) {
 if(pin != NULL) {
diff --git a/src/sslengines/p11_slot.c b/src/sslengines/p11_slot.c
index ac4be947..d22ec67d 100644
--- a/src/sslengines/p11_slot.c
+++ b/src/sslengines/p11_slot.c
@@ -337,6 +337,7 @@ int pkcs11_check_token(PKCS11_CTX * ctx, PKCS11_SLOT * slot)
 token->model = PKCS11_DUP(info.model);
 token->initialized = (info.flags & CKF_TOKEN_INITIALIZED) ? 1 : 0;
 token->loginRequired = (info.flags & CKF_LOGIN_REQUIRED) ? 1 : 0;
+ token->secureLogin = (info.flags & CKF_PROTECTED_AUTHENTICATION_PATH) ? 1 : 0;
 token->userPinSet = (info.flags & CKF_USER_PIN_INITIALIZED) ? 1 : 0;
 token->readOnly = (info.flags & CKF_WRITE_PROTECTED) ? 1 : 0;
 token->_private = tpriv;
diff --git a/src/sslengines/pkcs11-internal.h b/src/sslengines/pkcs11-internal.h
index 032f397b..7f1becc6 100644
--- a/src/sslengines/pkcs11-internal.h
+++ b/src/sslengines/pkcs11-internal.h
@@ -116,6 +116,7 @@ typedef struct PKCS11_token_st {
 char *model;
 unsigned char initialized;
 unsigned char loginRequired;
+ unsigned char secureLogin;
 unsigned char userPinSet;
 unsigned char readOnly;
 void *_private;
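Review bot: On a token with a protected authentication path, the login call in the engine_pkcs11.c hunk still receives a non-NULL `pin`. The buffer is allocated by `calloc` before the new `if (!tok->secureLogin)` test, so `PKCS11_login(slot, 0, pin)` is handed an empty string rather than NULL. PKCS #11 specifies a NULL PIN pointer for C_Login when CKF_PROTECTED_AUTHENTICATION_PATH is set, and whether `PKCS11_login` maps an empty string to that is not visible here. Moving the test into the outer condition, `if (pin == NULL && !tok->secureLogin) {`, keeps `pin` NULL for such tokens and skips the unused allocation; the `if(pin != NULL)` after the login appears to guard that case already. The enclosing function starts and ends outside the hunk, so confirm that `tok` is the token belonging to `slot` and that later uses of `pin` tolerate NULL.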
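Review bot: The new `secureLogin` field in pkcs11-internal.h has no comment saying what it records, and its name does not match the PKCS #11 flag it mirrors in p11_slot.c. A trailing comment such as `/* CKF_PROTECTED_AUTHENTICATION_PATH set: PIN is entered on the device, callers must not prompt */` would make the contract clear to code that reads it. The field is inserted in the middle of the struct, which shifts `userPinSet`, `readOnly` and `_private`; if anything compiled separately relies on this layout, appending it at the end would be safer. The struct definition starts and ends outside the hunk.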