diff --git a/cli/command/registry/login.go b/cli/command/registry/login.go
index c35f5f3d6..f6cb579e7 100644
--- a/cli/command/registry/login.go
+++ b/cli/command/registry/login.go
@@ -143,7 +143,8 @@ func runLogin(dockerCli command.Cli, opts loginOptions) error { //nolint: gocycl
 	creds := dockerCli.ConfigFile().GetCredentialsStore(serverAddress)
 
 	store, isDefault := creds.(isFileStore)
-	if isDefault {
+	// Display a warning if we're storing the users password (not a token)
+	if isDefault && authConfig.Password != "" {
 		err = displayUnencryptedWarning(dockerCli, store.GetFilename())
 		if err != nil {
 			return err
diff --git a/cli/command/registry/login_test.go b/cli/command/registry/login_test.go
index 6cbf3570c..0f1374ddb 100644
--- a/cli/command/registry/login_test.go
+++ b/cli/command/registry/login_test.go
@@ -24,6 +24,7 @@ var testAuthErrors = map[string]error{
 }
 
 var expiredPassword = "I_M_EXPIRED"
+var useToken = "I_M_TOKEN"
 
 type fakeClient struct {
 	client.Client
@@ -37,6 +38,11 @@ func (c fakeClient) RegistryLogin(ctx context.Context, auth types.AuthConfig) (r
 	if auth.Password == expiredPassword {
 		return registrytypes.AuthenticateOKBody{}, fmt.Errorf("Invalid Username or Password")
 	}
+	if auth.Password == useToken {
+		return registrytypes.AuthenticateOKBody{
+			IdentityToken: auth.Password,
+		}, nil
+	}
 	err := testAuthErrors[auth.Username]
 	return registrytypes.AuthenticateOKBody{}, err
 }
@@ -90,6 +96,11 @@ func TestRunLogin(t *testing.T) {
 		Username:      validUsername,
 		Password:      expiredPassword,
 	}
+	validIdentityToken := configtypes.AuthConfig{
+		ServerAddress: storedServerAddress,
+		Username:      validUsername,
+		IdentityToken: useToken,
+	}
 	testCases := []struct {
 		inputLoginOption  loginOptions
 		inputStoredCred   *configtypes.AuthConfig
@@ -134,6 +145,16 @@ func TestRunLogin(t *testing.T) {
 			inputStoredCred: &validAuthConfig,
 			expectedErr:     testAuthErrMsg,
 		},
+		{
+			inputLoginOption: loginOptions{
+				serverAddress: storedServerAddress,
+				user:          validUsername,
+				password:      useToken,
+			},
+			inputStoredCred:   &validIdentityToken,
+			expectedErr:       "",
+			expectedSavedCred: validIdentityToken,
+		},
 	}
 	for i, tc := range testCases {
 		t.Run(fmt.Sprintf("%d", i), func(t *testing.T) {