diff --git a/go.mod b/go.mod
index 21f58b9..a81533a 100644
--- a/go.mod
+++ b/go.mod
@@ -6,6 +6,7 @@ require (
 	github.com/GehirnInc/crypt v0.0.0-20200316065508-bb7000b8a962
 	github.com/coreos/go-systemd/v22 v22.3.2
 	github.com/go-chi/chi/v5 v5.0.7
+	github.com/go-webauthn/webauthn v0.8.1
 	github.com/google/uuid v1.3.0
 	github.com/gorilla/csrf v1.7.1
 	github.com/hashicorp/consul/api v1.13.0
@@ -18,7 +19,8 @@ require (
 	github.com/zaffka/zap-to-hclog v0.10.5
 	go.etcd.io/bbolt v1.3.6
 	go.uber.org/zap v1.21.0
-	golang.org/x/sys v0.0.0-20220708085239-5a0f0661e09d
+	golang.org/x/crypto v0.6.0
+	golang.org/x/sys v0.5.0
 )
 
 require (
@@ -26,7 +28,11 @@ require (
 	github.com/chzyer/readline v0.0.0-20180603132655-2972be24d48e // indirect
 	github.com/decred/dcrd/dcrec/secp256k1/v4 v4.0.1 // indirect
 	github.com/fatih/color v1.13.0 // indirect
+	github.com/fxamacker/cbor/v2 v2.4.0 // indirect
+	github.com/go-webauthn/revoke v0.1.9 // indirect
 	github.com/goccy/go-json v0.9.7 // indirect
+	github.com/golang-jwt/jwt/v4 v4.4.3 // indirect
+	github.com/google/go-tpm v0.3.3 // indirect
 	github.com/gorilla/securecookie v1.1.1 // indirect
 	github.com/hashicorp/go-cleanhttp v0.5.1 // indirect
 	github.com/hashicorp/go-hclog v1.2.1 // indirect
@@ -45,9 +51,9 @@ require (
 	github.com/mitchellh/go-homedir v1.1.0 // indirect
 	github.com/pkg/errors v0.9.1 // indirect
 	github.com/spf13/pflag v1.0.5 // indirect
+	github.com/x448/float16 v0.8.4 // indirect
 	go.uber.org/atomic v1.9.0 // indirect
 	go.uber.org/multierr v1.8.0 // indirect
-	golang.org/x/crypto v0.0.0-20220427172511-eb4f295cb31f // indirect
 )
 
 replace github.com/varlink/go => github.com/erincandescent/varlink-go v0.4.1-0.20220710172442-b1ca3a35207e
diff --git a/go.sum b/go.sum
index 4a04e6c..d510a0f 100644
--- a/go.sum
+++ b/go.sum
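Review bot: The new direct requirement `github.com/go-webauthn/webauthn v0.8.1` in the first hunk brings a sizeable transitive surface into an authentication path — the third and fourth hunks show `google/go-tpm`, `golang-jwt/jwt/v4`, `fxamacker/cbor/v2`, `go-webauthn/revoke` and `x448/float16` arriving as indirect modules — and nothing on the page records that this set was reviewed. Before merging, it is worth running `go mod why -m` on each of the new indirect modules and `govulncheck ./...` against the resulting module graph, and noting the result in the commit description so the dependency expansion is auditable later. The second hunk also promotes `golang.org/x/crypto` from an indirect pseudo-version to a direct tagged `v0.6.0` and moves `golang.org/x/sys` from a pseudo-version to `v0.5.0`; presumably `go mod tidy` produced both, but the promotion of x/crypto to direct implies new first-party code imports it, which should be confirmed against the rest of the change.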
@@ -1,22 +1,40 @@ +cloud.google.com/go v0.26.0/go.mod h1:aQUYkXzVsufM+DwF1aE+0xfcU+56JwCaLick0ClmMTw= github.com/BurntSushi/toml v0.3.1/go.mod h1:xHWCNGjB5oqiDr8zfno3MHue2Ht5sIBksp03qcyfWMU= github.com/GehirnInc/crypt v0.0.0-20200316065508-bb7000b8a962 h1:KeNholpO2xKjgaaSyd+DyQRrsQjhbSeS7qe4nEw8aQw= github.com/GehirnInc/crypt v0.0.0-20200316065508-bb7000b8a962/go.mod h1:kC29dT1vFpj7py2OvG1khBdQpo3kInWP+6QipLbdngo= +github.com/OneOfOne/xxhash v1.2.2/go.mod h1:HSdplMjZKSmBqAxg5vPj2TmRDmfkzw+cTzAElWljhcU= +github.com/alecthomas/template v0.0.0-20160405071501-a0175ee3bccc/go.mod h1:LOuyumcjzFXgccqObfd/Ljyb9UuFJ6TxHnclSeseNhc= +github.com/alecthomas/units v0.0.0-20151022065526-2efee857e7cf/go.mod h1:ybxpYRFXyAe+OPACYpWeL0wqObRcbAqCMya13uyzqw0= github.com/armon/circbuf v0.0.0-20150827004946-bbbad097214e/go.mod h1:3U/XgcO3hCbHZ8TKRvWD2dDTCfh9M9ya+I9JpbB7O8o= +github.com/armon/consul-api v0.0.0-20180202201655-eb2c6b5be1b6/go.mod h1:grANhF5doyWs3UAsr3K4I6qtAmlQcZDesFNEHPZAzj8= github.com/armon/go-metrics v0.0.0-20180917152333-f0300d1749da h1:8GUt8eRujhVEGZFFEjBj46YV4rDjvGrNxb0KMWYkL2I= github.com/armon/go-metrics v0.0.0-20180917152333-f0300d1749da/go.mod h1:Q73ZrmVTwzkszR9V5SSuryQ31EELlFMUz1kKyl939pY= github.com/armon/go-radix v0.0.0-20180808171621-7fddfc383310/go.mod h1:ufUuZ+zHj4x4TnLV4JWEpy2hxWSpsRywHrMgIH9cCH8= github.com/armon/go-radix v1.0.0/go.mod h1:ufUuZ+zHj4x4TnLV4JWEpy2hxWSpsRywHrMgIH9cCH8= github.com/benbjohnson/clock v1.1.0 h1:Q92kusRqC1XV2MjkWETPvjJVqKetz1OzxZB7mHJLju8= github.com/benbjohnson/clock v1.1.0/go.mod h1:J11/hYXuz8f4ySSvYwY0FKfm+ezbsZBKZxNJlLklBHA= +github.com/beorn7/perks v0.0.0-20180321164747-3a771d992973/go.mod h1:Dwedo/Wpr24TaqPxmxbtue+5NUziq4I4S80YR8gNf3Q= +github.com/beorn7/perks v1.0.0/go.mod h1:KWe93zE9D1o94FZ5RNwFwVgaQK1VOXiVxmqh+CedLV8= github.com/bgentry/speakeasy v0.1.0/go.mod h1:+zsyZBPWlz7T6j88CTgSN5bM796AkVf0kBD4zp0CCIs= +github.com/census-instrumentation/opencensus-proto v0.2.1/go.mod h1:f6KPmirojxKA12rnyqOA5BBL4O983OfeGPqjHWSTneU= 
+github.com/cespare/xxhash v1.1.0/go.mod h1:XrSqR1VqqWfGrhpAt58auRo0WTKS1nRRg3ghfAqPWnc= github.com/chzyer/logex v1.1.10 h1:Swpa1K6QvQznwJRcfTfQJmTE72DqScAa40E+fbHEXEE= github.com/chzyer/logex v1.1.10/go.mod h1:+Ywpsq7O8HXn0nuIou7OrIPyXbp3wmkHB+jjWRnGsAI= github.com/chzyer/readline v0.0.0-20180603132655-2972be24d48e h1:fY5BOSpyZCqRo5OhCuC+XN+r/bBCmeuuJtjz+bCNIf8= github.com/chzyer/readline v0.0.0-20180603132655-2972be24d48e/go.mod h1:nSuG5e5PlCu98SY8svDHJxuZscDgtXS6KTTbou5AhLI= github.com/chzyer/test v0.0.0-20180213035817-a1ea475d72b1 h1:q763qf9huN11kDQavWsoZXJNW3xEE4JJyHa5Q25/sd8= github.com/chzyer/test v0.0.0-20180213035817-a1ea475d72b1/go.mod h1:Q3SI9o4m/ZMnBNeIyt5eFwwo7qiLfzFZmjNmxjkiQlU= +github.com/client9/misspell v0.3.4/go.mod h1:qj6jICC3Q7zFZvVWo7KLAzC3yx5G7kyvSDkc90ppPyw= +github.com/coreos/bbolt v1.3.2/go.mod h1:iRUV2dpdMOn7Bo10OQBFzIJO9kkE559Wcmn+qkEiiKk= +github.com/coreos/etcd v3.3.10+incompatible/go.mod h1:uF7uidLiAD3TWHmW31ZFd/JWoc32PjwdhPthX9715RE= +github.com/coreos/go-etcd v2.0.0+incompatible/go.mod h1:Jez6KQU2B/sWsbdaef3ED8NzMklzPG4d5KIOhIy30Tk= +github.com/coreos/go-semver v0.2.0/go.mod h1:nnelYz7RCh+5ahJtPPxZlU+153eP4D4r3EedlOD2RNk= +github.com/coreos/go-systemd v0.0.0-20190321100706-95778dfbb74e/go.mod h1:F5haX7vjVVG0kc13fIWeqUViNPyEJxv/OmvnBo0Yme4= github.com/coreos/go-systemd/v22 v22.3.2 h1:D9/bQk5vlXQFZ6Kwuu6zaiXJ9oTPe68++AzAJc1DzSI= github.com/coreos/go-systemd/v22 v22.3.2/go.mod h1:Y58oyj3AT4RCenI/lSvhwexgC+NSVTIJ3seZv2GcEnc= +github.com/coreos/pkg v0.0.0-20180928190104-399ea9e2e55f/go.mod h1:E3G3o1h8I7cfcXa63jLwjI0eiQQMgzzUDFVpN/nH/eA= +github.com/cpuguy83/go-md2man v1.0.10/go.mod h1:SmD6nW6nTyfqj6ABTjUi3V3JVMnlJmwcJI5acqYI6dE= +github.com/cpuguy83/go-md2man/v2 v2.0.0/go.mod h1:maD7wRr/U5Z6m/iR4s+kqSMx2CaBsrgA7czyZG/E6dU= github.com/cpuguy83/go-md2man/v2 v2.0.2/go.mod h1:tgQtvFlXSQOSOSIRvRPT7W67SCa46tRHOmNcaadrF8o= github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= github.com/davecgh/go-spew v1.1.1 
h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c= 
@@ -24,21 +42,65 @@ github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSs github.com/decred/dcrd/crypto/blake256 v1.0.0/go.mod h1:sQl2p6Y26YV+ZOcSTP6thNdn47hh8kt6rqSlvmrXFAc= github.com/decred/dcrd/dcrec/secp256k1/v4 v4.0.1 h1:YLtO71vCjJRCBcrPMtQ9nqBsqpA1m5sE92cU+pd5Mcc= github.com/decred/dcrd/dcrec/secp256k1/v4 v4.0.1/go.mod h1:hyedUtir6IdtD/7lIxGeCxkaw7y45JueMRL4DIyJDKs= +github.com/dgrijalva/jwt-go v3.2.0+incompatible/go.mod h1:E3ru+11k8xSBh+hMPgOLZmtrrCbhqsmaPHjLKYnJCaQ= +github.com/dgryski/go-sip13 v0.0.0-20181026042036-e10d5fee7954/go.mod h1:vAd38F8PWV+bWy6jNmig1y/TA+kYO4g3RSRF0IAv0no= +github.com/envoyproxy/go-control-plane v0.9.1-0.20191026205805-5f8ba28d4473/go.mod h1:YTl/9mNaCwkRvm6d1a2C3ymFceY/DCBVvsKhRF0iEA4= +github.com/envoyproxy/protoc-gen-validate v0.1.0/go.mod h1:iSmxcyjqTsJpI2R4NaDN7+kN2VEUnK/pcBlmesArF7c= github.com/erincandescent/varlink-go v0.4.1-0.20220710172442-b1ca3a35207e h1:vGp1F0lLJqVpuZNVXedply/GckrIcibkVmHoFvQ6KQk= github.com/erincandescent/varlink-go v0.4.1-0.20220710172442-b1ca3a35207e/go.mod h1:DKg9Y2ctoNkesREGAEak58l+jOC6JU2aqZvUYs5DynU= github.com/fatih/color v1.7.0/go.mod h1:Zm6kSWBoL9eyXnKyktHP6abPY2pDugNf5KwzbycvMj4= github.com/fatih/color v1.9.0/go.mod h1:eQcE1qtQxscV5RaZvpXrrb8Drkc3/DdQ+uUYCNjL+zU= github.com/fatih/color v1.13.0 h1:8LOYc1KYPPmyKMuN8QV2DNRWNbLo6LZ0iLs8+mlH53w= github.com/fatih/color v1.13.0/go.mod h1:kLAiJbzzSOZDVNGyDpeOxJ47H46qBXwg5ILebYFFOfk= +github.com/fsnotify/fsnotify v1.4.7/go.mod h1:jwhsz4b93w/PPRr/qN1Yymfu8t87LnFCMoQvtojpjFo= +github.com/fxamacker/cbor/v2 v2.4.0 h1:ri0ArlOR+5XunOP8CRUowT0pSJOwhW098ZCUyskZD88= +github.com/fxamacker/cbor/v2 v2.4.0/go.mod h1:TA1xS00nchWmaBnEIxPSE5oHLuJBAVvqrtAnWBwBCVo= +github.com/ghodss/yaml v1.0.0/go.mod h1:4dBDuWmgqj2HViK6kFavaiC9ZROes6MMH2rRYeMEF04= github.com/go-chi/chi/v5 v5.0.7 h1:rDTPXLDHGATaeHvVlLcR4Qe0zftYethFucbjVQ1PxU8= github.com/go-chi/chi/v5 v5.0.7/go.mod h1:DslCQbL2OYiznFReuXYUmQ2hGd1aDpCnlMNITLSKoi8= +github.com/go-kit/kit 
v0.8.0/go.mod h1:xBxKIO96dXMWWy0MnWVtmwkA9/13aqxPnvrjFYMA2as= +github.com/go-logfmt/logfmt v0.3.0/go.mod h1:Qt1PoO58o5twSAckw1HlFXLmHsOX5/0LbT9GBnD5lWE= +github.com/go-logfmt/logfmt v0.4.0/go.mod h1:3RMwSq7FuexP4Kalkev3ejPJsZTpXXBr9+V4qmtdjCk= +github.com/go-stack/stack v1.8.0/go.mod h1:v0f6uXyyMGvRgIKkXu+yp6POWl0qKG85gN/melR3HDY= +github.com/go-webauthn/revoke v0.1.9 h1:gSJ1ckA9VaKA2GN4Ukp+kiGTk1/EXtaDb1YE8RknbS0= +github.com/go-webauthn/revoke v0.1.9/go.mod h1:j6WKPnv0HovtEs++paan9g3ar46gm1NarktkXBaPR+w= +github.com/go-webauthn/webauthn v0.8.1 h1:Yv9yOxEhsJULGYLbDfEuQXtSu2RthLGzPPSN2DYdXG8= +github.com/go-webauthn/webauthn v0.8.1/go.mod h1:22OJd+TV8oHrjjXmPHtcPR82lR/yR5m5ilGiF8yPFrE= github.com/goccy/go-json v0.9.7 h1:IcB+Aqpx/iMHu5Yooh7jEzJk1JZ7Pjtmys2ukPr7EeM= github.com/goccy/go-json v0.9.7/go.mod h1:6MelG93GURQebXPDq3khkgXZkazVtN9CRI+MGFi0w8I= github.com/godbus/dbus/v5 v5.0.4/go.mod h1:xhWf0FNVPg57R7Z0UbKHbJfkEywrmjJnf7w5xrFpKfA= -github.com/google/btree v0.0.0-20180813153112-4030bb1f1f0c h1:964Od4U6p2jUkFxvCydnIczKteheJEzHRToSGK3Bnlw= +github.com/gogo/protobuf v1.1.1/go.mod h1:r8qH/GZQm5c6nD/R0oafs1akxWv10x8SbQlK7atdtwQ= +github.com/gogo/protobuf v1.2.1/go.mod h1:hp+jE20tsWTFYpLwKvXlhS1hjn+gTNwPg2I6zVXpSg4= +github.com/golang-jwt/jwt/v4 v4.4.3 h1:Hxl6lhQFj4AnOX6MLrsCb/+7tCj7DxP7VA+2rDIq5AU= +github.com/golang-jwt/jwt/v4 v4.4.3/go.mod h1:m21LjoU+eqJr34lmDMbreY2eSTRJ1cv77w39/MY0Ch0= +github.com/golang/glog v0.0.0-20160126235308-23def4e6c14b/go.mod h1:SBH7ygxi8pfUlaOkMMuAQtPIUF8ecWP5IEl/CR7VP2Q= +github.com/golang/groupcache v0.0.0-20190129154638-5b532d6fd5ef/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc= +github.com/golang/mock v1.1.1/go.mod h1:oTYuIxOrZwtPieC+H1uAHpcLFnEyAGVDL/k47Jfbm0A= +github.com/golang/protobuf v1.2.0/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U= +github.com/golang/protobuf v1.3.1/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U= +github.com/golang/protobuf v1.3.2/go.mod 
h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U= +github.com/golang/protobuf v1.4.0-rc.1/go.mod h1:ceaxUfeHdC40wWswd/P6IGgMaK3YpKi5j83Wpe3EHw8= +github.com/golang/protobuf v1.4.0-rc.1.0.20200221234624-67d41d38c208/go.mod h1:xKAWHe0F5eneWXFV3EuXVDTCmh+JuBKY0li0aMyXATA= +github.com/golang/protobuf v1.4.0-rc.2/go.mod h1:LlEzMj4AhA7rCAGe4KMBDvJI+AwstrUpVNzEA03Pprs= +github.com/golang/protobuf v1.4.0-rc.4.0.20200313231945-b860323f09d0/go.mod h1:WU3c8KckQ9AFe+yFwt9sWVRKCVIyN9cPHBJSNnbL67w= +github.com/golang/protobuf v1.4.0/go.mod h1:jodUvKwWbYaEsadDk5Fwe5c77LiNKVO9IDvqG2KuDX0= +github.com/golang/protobuf v1.4.1/go.mod h1:U8fpvMrcmy5pZrNK1lt4xCsGvpyWQ/VVv6QDs8UjoX8= github.com/google/btree v0.0.0-20180813153112-4030bb1f1f0c/go.mod h1:lNA+9X1NB3Zf8V7Ke586lFgjr2dZNuvo3lPJSGZ5JPQ= +github.com/google/btree v1.0.0 h1:0udJVsspx3VBr5FwtLhQQtuAsVc79tTq0ocGIPAU6qo= +github.com/google/btree v1.0.0/go.mod h1:lNA+9X1NB3Zf8V7Ke586lFgjr2dZNuvo3lPJSGZ5JPQ= +github.com/google/go-cmp v0.2.0/go.mod h1:oXzfMopK8JAjlY9xF4vHSVASa0yLyX7SntLO5aqRK0M= +github.com/google/go-cmp v0.3.0/go.mod h1:8QqcDgzrUqlUb/G2PQTWiueGozuR1884gddMywk6iLU= +github.com/google/go-cmp v0.3.1/go.mod h1:8QqcDgzrUqlUb/G2PQTWiueGozuR1884gddMywk6iLU= +github.com/google/go-cmp v0.4.0/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE= +github.com/google/go-cmp v0.5.0/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE= github.com/google/go-cmp v0.5.7 h1:81/ik6ipDQS2aGcBfIN5dHDB36BwrStyeAQquSYCV4o= github.com/google/go-cmp v0.5.7/go.mod h1:n+brtR0CgQNWTVd5ZUFpTBC8YFBDLK/h/bpaJ8/DtOE= +github.com/google/go-tpm v0.1.2-0.20190725015402-ae6dd98980d4/go.mod h1:H9HbmUG2YgV/PHITkO7p6wxEEj/v5nlsVWIwumwH2NI= +github.com/google/go-tpm v0.3.0/go.mod h1:iVLWvrPp/bHeEkxTFi9WG6K9w0iy2yIszHwZGHPbzAw= +github.com/google/go-tpm v0.3.3 h1:P/ZFNBZYXRxc+z7i5uyd8VP7MaDteuLZInzrH2idRGo= +github.com/google/go-tpm v0.3.3/go.mod h1:9Hyn3rgnzWF9XBWVk6ml6A6hNkbWjNFlDQL51BeghL4= +github.com/google/go-tpm-tools 
v0.0.0-20190906225433-1614c142f845/go.mod h1:AVfHadzbdzHo54inR2x1v640jdi1YSi3NauM2DUsxk0= +github.com/google/go-tpm-tools v0.2.0/go.mod h1:npUd03rQ60lxN7tzeBJreG38RvWwme2N1reF/eeiBk4= github.com/google/renameio v0.1.0/go.mod h1:KWCgfxg9yswjAJkECMjeO8J8rahYeXnNhOm40UhjYkI= github.com/google/uuid v1.3.0 h1:t6JiXgmwXMjEs8VusXIJk2BXHsn+wx8BZdTaoZ5fu7I= github.com/google/uuid v1.3.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo= @@ -46,6 +108,10 @@ github.com/gorilla/csrf v1.7.1 h1:Ir3o2c1/Uzj6FBxMlAUB6SivgVMy1ONXwYgXn+/aHPE= github.com/gorilla/csrf v1.7.1/go.mod h1:+a/4tCmqhG6/w4oafeAZ9pEa3/NZOWYVbD9fV0FwIQA= github.com/gorilla/securecookie v1.1.1 h1:miw7JPhV+b/lAHSXz4qd/nN9jRiAFV5FwjeKyCS8BvQ= github.com/gorilla/securecookie v1.1.1/go.mod h1:ra0sb63/xPlUeL+yeDciTfxMRAA+MP+HVt/4epWDjd4= +github.com/gorilla/websocket v1.4.0/go.mod h1:E7qHFY5m1UJ88s3WnNqhKjPHQ0heANvMoAMk2YaljkQ= +github.com/grpc-ecosystem/go-grpc-middleware v1.0.0/go.mod h1:FiyG127CGDf3tlThmgyCl78X/SZQqEOJBCDaAfeWzPs= +github.com/grpc-ecosystem/go-grpc-prometheus v1.2.0/go.mod h1:8NvIoxWQoOIhqOTXgfV/d3M/q6VIi02HzZEHgUlZvzk= +github.com/grpc-ecosystem/grpc-gateway v1.9.0/go.mod h1:vNeuVxBJEsws4ogUvrchl83t/GYV9WGTSLVdBhOQFDY= github.com/hashicorp/consul/api v1.13.0 h1:2hnLQ0GjQvw7f3O61jMO8gbasZviZTrt9R8WzgiirHc= github.com/hashicorp/consul/api v1.13.0/go.mod h1:ZlVrynguJKcYr54zGaDbaL3fOvKC9m72FhPvA8T35KQ= github.com/hashicorp/consul/sdk v0.8.0 h1:OJtKBtEjboEZvG6AOUdh4Z1Zbyu0WcxQ0qatRrZHTVU= 
@@ -75,6 +141,7 @@ github.com/hashicorp/go-uuid v1.0.1 h1:fv1ep09latC32wFoVwnqcnKJGnMSdBanPczbHAYm1 github.com/hashicorp/go-uuid v1.0.1/go.mod h1:6SBZvOh/SIDV7/2o3Jml5SYk/TvGqwFJ/bN7x4byOro= github.com/hashicorp/golang-lru v0.5.0 h1:CL2msUPvZTLb5O648aiLNJw3hnBxN2+1Jq8rCOH9wdo= github.com/hashicorp/golang-lru v0.5.0/go.mod h1:/m3WP610KZHVQ1SGc6re/UDhFvYD7pJ4Ao+sR/qLZy8= +github.com/hashicorp/hcl v1.0.0/go.mod h1:E5yfLk+7swimpb2L/Alb/PJmXilQ/rhwaUYs4T20WEQ= github.com/hashicorp/logutils v1.0.0/go.mod h1:QIAnNjmIWmVIIkWDTG1z5v++HQmx9WQRO+LraFDTW64= github.com/hashicorp/mdns v1.0.4/go.mod h1:mtBihi+LeNXGtG8L9dX59gAEa12BDtBQSp4v/YAJqrc= github.com/hashicorp/memberlist v0.3.0 h1:8+567mCcFDnS5ADl7lrpxPMWiFCElyUEeW0gtj34fMA= 
@@ -83,9 +150,14 @@ github.com/hashicorp/serf v0.9.6 h1:uuEX1kLR6aoda1TBttmJQKDLZE1Ob7KN0NPdE7EtCDc= github.com/hashicorp/serf v0.9.6/go.mod h1:TXZNMjZQijwlDvp+r0b63xZ45H7JmCmgg4gpTwn9UV4= github.com/inconshreveable/mousetrap v1.0.0 h1:Z8tu5sraLXCXIcARxBp/8cbvlwVa7Z1NHg9XEKhtSvM= github.com/inconshreveable/mousetrap v1.0.0/go.mod h1:PxqpIevigyE2G7u3NXJIT2ANytuPF1OarO4DADm73n8= +github.com/jonboulle/clockwork v0.1.0/go.mod h1:Ii8DK3G1RaLaWxj9trq07+26W01tbo22gdxWY5EU2bo= +github.com/julienschmidt/httprouter v1.2.0/go.mod h1:SYymIcj16QtmaHHD7aYtjjsJG7VTCxuUUipMqKk8s4w= github.com/kelseyhightower/envconfig v1.4.0 h1:Im6hONhd3pLkfDFsbRgu68RDNkGF1r3dvMUtDTo2cv8= github.com/kelseyhightower/envconfig v1.4.0/go.mod h1:cccZRl6mQpaq41TPp5QxidR+Sa3axMbJDNb//FQX6Gg= +github.com/kisielk/errcheck v1.1.0/go.mod h1:EZBBE59ingxPouuu3KfxchcWSUPOHkagtvWXihfKN4Q= github.com/kisielk/gotool v1.0.0/go.mod h1:XhKaO+MFFWcvkIS/tQcRk01m1F5IRFswLeQ+oQHNcck= +github.com/konsorten/go-windows-terminal-sequences v1.0.1/go.mod h1:T0+1ngSBFLxvqU3pZ+m/2kptfBszLMUkC4ZK/EgS/cQ= +github.com/kr/logfmt v0.0.0-20140226030751-b84e30acd515/go.mod h1:+0opPa2QZZtGFBFZlji/RkVcI2GknAs/DXo4wKdlNEc= github.com/kr/pretty v0.1.0/go.mod h1:dAy3ld7l9f0ibDNOQOHHMYYIIbhfbHSm3C4ZsoJORNo= github.com/kr/pretty v0.2.0/go.mod h1:ipq/a2n7PKx3OHsz4KJII5eveXtPO4qwEXGdVfWzfnI= github.com/kr/pty v1.1.1/go.mod h1:pFQYn66WHrOpPYNljwOMqo10TkYh1fy3cYio2l3bCsQ= 
@@ -102,6 +174,7 @@ github.com/lestrrat-go/jwx/v2 v2.0.3 h1:9zeZGkbiVkiSuzRsy2SbQJdTuA/At1I2Hh9R/Gon github.com/lestrrat-go/jwx/v2 v2.0.3/go.mod h1:4tnab1l/rJWhxmtVsAtc2kr+pWGg72IcnWFk8gM0tLM= github.com/lestrrat-go/option v1.0.0 h1:WqAWL8kh8VcSoD6xjSH34/1m8yxluXQbDeKNfvFeEO4= github.com/lestrrat-go/option v1.0.0/go.mod h1:5ZHFbivi4xwXxhxY9XHDe2FHo6/Z7WWmtT7T5nBBp3I= +github.com/magiconair/properties v1.8.0/go.mod h1:PppfXfuXeibc/6YijjN8zIbojt8czPbwD3XqdrwzmxQ= github.com/manifoldco/promptui v0.9.0 h1:3V4HzJk1TtXW1MTZMP7mdlwbBpIinw3HztaIlYthEiA= github.com/manifoldco/promptui v0.9.0/go.mod h1:ka04sppxSGFAtxX0qhlYQjISsg9mR4GWtQEhdbn6Pgg= github.com/mattn/go-colorable v0.0.9/go.mod h1:9vuHe8Xs5qXnSaW/c/ABM9alt+Vo+STaOChaDxuIBZU= @@ -117,6 +190,7 @@ github.com/mattn/go-isatty v0.0.11/go.mod h1:PhnuNfih5lzO57/f3n+odYbM4JtupLOxQOA github.com/mattn/go-isatty v0.0.12/go.mod h1:cbi8OIDigv2wuxKPP5vlRcQ1OAZbq2CE4Kysco4FUpU= github.com/mattn/go-isatty v0.0.14 h1:yVuAays6BHfxijgZPzw+3Zlu5yQgKGP2/hcQbHb7S9Y= github.com/mattn/go-isatty v0.0.14/go.mod h1:7GGIvUiUoEMVVmxf/4nioHXj79iQHKdU27kJ6hsGG94= +github.com/matttproud/golang_protobuf_extensions v1.0.1/go.mod h1:D8He9yQNgCq6Z5Ld7szi9bcBfOoFv/3dc6xSMkL2PC0= github.com/miekg/dns v1.1.26/go.mod h1:bPDLeHnStXmXAq1m/Ch/hvfNHr14JKNPMBo3VZKjuso= github.com/miekg/dns v1.1.41 h1:WMszZWJG0XmzbK9FEmzH2TVcqYzFesusSIB41b8KHxY= github.com/miekg/dns v1.1.41/go.mod h1:p6aan82bvRIyn+zDIv9xYNUpwa73JcSh9BKwknJysuI= 
@@ -129,8 +203,12 @@ github.com/mitchellh/mapstructure v0.0.0-20160808181253-ca63d7c062ee/go.mod h1:F github.com/mitchellh/mapstructure v1.1.2/go.mod h1:FVVH3fgwuzCH5S8UJGiWEs2h04kUh9fWfEaFds41c1Y= github.com/mitchellh/mapstructure v1.5.0 h1:jeMsZIYE/09sWLaz43PL7Gy6RuMjD2eJVyuac5Z2hdY= github.com/mitchellh/mapstructure v1.5.0/go.mod h1:bFUtVrKA4DC2yAKiSyO/QUcy7e+RRV2QTWOzhPopBRo= +github.com/mwitkow/go-conntrack v0.0.0-20161129095857-cc309e4a2223/go.mod h1:qRWi+5nqEBWmkhHvq77mSJWrCKwh8bxhgT7d/eI7P4U= +github.com/oklog/ulid v1.3.1/go.mod h1:CirwcVhetQ6Lv90oh/F+FBtV6XMibvdAFo93nm5qn4U= github.com/pascaldekloe/goe v0.0.0-20180627143212-57f6aae5913c h1:Lgl0gzECD8GnQ5QCWA8o6BtfL6mDH5rQgM4/fX3avOs= github.com/pascaldekloe/goe v0.0.0-20180627143212-57f6aae5913c/go.mod h1:lzWF7FIEvWOWxwDKqyGYQf6ZUaNfKdP144TG7ZOy1lc= +github.com/pelletier/go-toml v1.2.0/go.mod h1:5z9KED0ma1S8pY6P1sdut58dfprrGBbd/94hg7ilaic= +github.com/pkg/errors v0.8.0/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0= github.com/pkg/errors v0.8.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0= github.com/pkg/errors v0.9.1 h1:FEBLx1zS214owpjy7qsBeixbURkuhQAwrK5UwLGTwt4= github.com/pkg/errors v0.9.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0= 
@@ -138,66 +216,125 @@ github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZb github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4= github.com/posener/complete v1.1.1/go.mod h1:em0nMJCgc9GFtwrmVmEMR/ZL6WyhyjMBndrE9hABlRI= github.com/posener/complete v1.2.3/go.mod h1:WZIdtGGp+qx0sLrYKtIRAruyNpv6hFCicSgv7Sy7s/s= +github.com/prometheus/client_golang v0.9.1/go.mod h1:7SWBe2y4D6OKWSNQJUaRYU/AaXPKyh/dDVn+NZz0KFw= +github.com/prometheus/client_golang v0.9.3/go.mod h1:/TN21ttK/J9q6uSwhBd54HahCDft0ttaMvbicHlPoso= +github.com/prometheus/client_model v0.0.0-20180712105110-5c3871d89910/go.mod h1:MbSGuTsp3dbXC40dX6PRTWyKYBIrTGTE9sqQNg2J8bo= +github.com/prometheus/client_model v0.0.0-20190129233127-fd36f4220a90/go.mod h1:xMI15A0UPsDsEKsMN9yxemIoYk6Tm2C1GtYGdfGttqA= +github.com/prometheus/client_model v0.0.0-20190812154241-14fe0d1b01d4/go.mod h1:xMI15A0UPsDsEKsMN9yxemIoYk6Tm2C1GtYGdfGttqA= +github.com/prometheus/common v0.0.0-20181113130724-41aa239b4cce/go.mod h1:daVV7qP5qjZbuso7PdcryaAu0sAZbrN9i7WWcTMWvro= +github.com/prometheus/common v0.4.0/go.mod h1:TNfzLD0ON7rHzMJeJkieUDPYmFC7Snx/y86RQel1bk4= +github.com/prometheus/procfs v0.0.0-20181005140218-185b4288413d/go.mod h1:c3At6R/oaqEKCNdg8wHV1ftS6bRYblBhIjjI8uT2IGk= +github.com/prometheus/procfs v0.0.0-20190507164030-5867b95ac084/go.mod h1:TjEm7ze935MbeOT/UhFTIMYKhuLP4wbCsTZCD3I8kEA= +github.com/prometheus/tsdb v0.7.1/go.mod h1:qhTCs0VvXwvX/y3TZrWD7rabWM+ijKTux40TwIPHuXU= +github.com/rogpeppe/fastuuid v0.0.0-20150106093220-6724a57986af/go.mod h1:XWv6SoW27p1b0cqNHllgS5HIMJraePCO15w5zCzIWYg= github.com/rogpeppe/go-internal v1.3.0/go.mod h1:M8bDsm7K2OlrFYOpmOWEs/qY81heoFRclV5y23lUDJ4= +github.com/russross/blackfriday v1.5.2/go.mod h1:JO/DiYxRf+HjHt06OyowR9PTA263kcR/rfWxYHBV53g= +github.com/russross/blackfriday/v2 v2.0.1/go.mod h1:+Rmxgy9KzJVeS9/2gXHxylqXiyQDYRxCVz55jmeOWTM= github.com/russross/blackfriday/v2 v2.1.0/go.mod h1:+Rmxgy9KzJVeS9/2gXHxylqXiyQDYRxCVz55jmeOWTM= 
github.com/ryanuber/columnize v0.0.0-20160712163229-9b3edd62028f/go.mod h1:sm1tb6uqfes/u+d4ooFouqFdy9/2g9QGwK3SQygK0Ts= github.com/sean-/seed v0.0.0-20170313163322-e2103e2c3529 h1:nn5Wsu0esKSJiIVhscUtVbo7ada43DJhG55ua/hjS5I= github.com/sean-/seed v0.0.0-20170313163322-e2103e2c3529/go.mod h1:DxrIzT+xaE7yg65j358z/aeFdxmN0P9QXhEzd20vsDc= +github.com/shurcooL/sanitized_anchor_name v1.0.0/go.mod h1:1NzhyTcUVG4SuEtjjoZeVRXNmyL/1OwPU0+IJeTBvfc= +github.com/sirupsen/logrus v1.2.0/go.mod h1:LxeOpSwHxABJmUn/MG1IvRgCAasNZTLOkJPxbbu5VWo= +github.com/soheilhy/cmux v0.1.4/go.mod h1:IM3LyeVVIOuxMH7sFAkER9+bJ4dT7Ms6E4xg4kGIyLM= +github.com/spaolacci/murmur3 v0.0.0-20180118202830-f09979ecbc72/go.mod h1:JwIasOWyU6f++ZhiEuf87xNszmSA2myDM2Kzu9HwQUA= +github.com/spf13/afero v1.1.2/go.mod h1:j4pytiNVoe2o6bmDsKpLACNPDBIoEAkihy7loJ1B0CQ= +github.com/spf13/cast v1.3.0/go.mod h1:Qx5cxh0v+4UWYiBimWS+eyWzqEqokIECu5etghLkUJE= +github.com/spf13/cobra v0.0.5/go.mod h1:3K3wKZymM7VvHMDS9+Akkh4K60UwM26emMESw8tLCHU= +github.com/spf13/cobra v1.0.0/go.mod h1:/6GTrnGXV9HjY+aR4k0oJ5tcvakLuG6EuKReYlHNrgE= github.com/spf13/cobra v1.5.0 h1:X+jTBEBqF0bHN+9cSMgmfuvv2VHJ9ezmFNf9Y/XstYU= github.com/spf13/cobra v1.5.0/go.mod h1:dWXEIy2H428czQCjInthrTRUg7yKbok+2Qi/yBIJoUM= +github.com/spf13/jwalterweatherman v1.0.0/go.mod h1:cQK4TGJAtQXfYWX+Ddv3mKDzgVb68N+wFjFa4jdeBTo= +github.com/spf13/pflag v1.0.3/go.mod h1:DYY7MBk1bdzusC3SYhjObp+wFpr4gzcvqqNjLnInEg4= github.com/spf13/pflag v1.0.5 h1:iy+VFUOCP1a+8yFto/drg2CJ5u0yRoB7fZw3DKv/JXA= github.com/spf13/pflag v1.0.5/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg= -github.com/stretchr/objx v0.1.0 h1:4G4v2dO3VZwixGIRoQ5Lfboy6nUhCyYzaqnIAPPhYs4= +github.com/spf13/viper v1.3.2/go.mod h1:ZiWeW+zYFKm7srdB9IoDzzZXaJaI5eL9QjNiN/DMA2s= +github.com/spf13/viper v1.4.0/go.mod h1:PTJ7Z/lr49W6bUbkmS1V3by4uWynFiR9p7+dSq/yZzE= github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME= +github.com/stretchr/objx v0.1.1 
h1:2vfRuCMp5sSVIDSqO8oNnWJq7mPa6KVP3iPIwFBuy8A= +github.com/stretchr/objx v0.1.1/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME= github.com/stretchr/testify v1.2.2/go.mod h1:a8OnRcib4nhh0OaRAV+Yts87kKdq0PP7pXfy6kDkUVs= github.com/stretchr/testify v1.3.0/go.mod h1:M5WIy9Dh21IEIfnGCwXGc5bZfKNJtfHm1UVUgZn+9EI= github.com/stretchr/testify v1.4.0/go.mod h1:j7eGeouHqKxXV5pUuKE4zz7dFj8WfuZ+81PSLYec5m4= github.com/stretchr/testify v1.6.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg= github.com/stretchr/testify v1.7.0/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg= github.com/stretchr/testify v1.7.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg= -github.com/stretchr/testify v1.7.2 h1:4jaiDzPyXQvSd7D0EjG45355tLlV3VOECpq10pLC+8s= github.com/stretchr/testify v1.7.2/go.mod h1:R6va5+xMeoiuVRoj+gSkQ7d3FALtqAAGI1FQKckRals= +github.com/stretchr/testify v1.8.1 h1:w7B6lhMri9wdJUVmEZPGGhZzrYTPvgJArz7wNPgYKsk= +github.com/tmc/grpc-websocket-proxy v0.0.0-20190109142713-0ad062ec5ee5/go.mod h1:ncp9v5uamzpCO7NfCPTXjqaC+bZgJeR0sMTm6dMHP7U= +github.com/ugorji/go v1.1.4/go.mod h1:uQMGLiO92mf5W77hV/PUCpI3pbzQx3CRekS0kk+RGrc= +github.com/ugorji/go/codec v0.0.0-20181204163529-d75b2dcb6bc8/go.mod h1:VFNgLljTbGfSG7qAOspJ7OScBnGdDN/yBr0sguwnwf0= +github.com/x448/float16 v0.8.4 h1:qLwI1I70+NjRFUR3zs1JPUCgaCXSh3SW62uAKT1mSBM= +github.com/x448/float16 v0.8.4/go.mod h1:14CWIYCyZA/cWjXOioeEpHeN/83MdbZDRQHoFcYsOfg= +github.com/xiang90/probing v0.0.0-20190116061207-43a291ad63a2/go.mod h1:UETIi67q53MR2AWcXfiuqkDkRtnGDLqkBTpCHuJHxtU= +github.com/xordataexchange/crypt v0.0.3-0.20170626215501-b2862e3d0a77/go.mod h1:aYKd//L2LvnjZzWKhF00oedf4jCCReLcmhLdhm1A27Q= github.com/yuin/goldmark v1.3.5/go.mod h1:mwnBkeHKe2W/ZEtQ+71ViKU8L12m81fl3OWwC1Zlc8k= github.com/zaffka/zap-to-hclog v0.10.5 h1:6s9uMa4H8slD3c0UE7Ga3DreJci95Ujjbc8X+bMVPAU= github.com/zaffka/zap-to-hclog v0.10.5/go.mod h1:5b3vf3ndIbXOmBrnDHoCyh4F6h5VNtTO2va7AX17cwg= +go.etcd.io/bbolt v1.3.2/go.mod 
h1:IbVyRI1SCnLcuJnV2u8VeU0CEYM7e686BmAb1XKL+uU= go.etcd.io/bbolt v1.3.6 h1:/ecaJf0sk1l4l6V4awd65v2C3ILy7MSj+s/x1ADCIMU= go.etcd.io/bbolt v1.3.6/go.mod h1:qXsaaIqmgQH0T+OPdb99Bf+PKfBBQVAdyD6TY9G8XM4= +go.uber.org/atomic v1.4.0/go.mod h1:gD2HeocX3+yG+ygLZcrzQJaqmWj9AIm7n08wl/qW/PE= go.uber.org/atomic v1.6.0/go.mod h1:sABNBOSYdrvTF6hTgEIbc7YasKWGhgEQZyfxyTvoXHQ= go.uber.org/atomic v1.7.0/go.mod h1:fEN4uk6kAWBTFdckzkM89CLk9XfWZrxpCo0nPH17wJc= go.uber.org/atomic v1.9.0 h1:ECmE8Bn/WFTYwEW/bpKD3M8VtR/zQVbavAoalC1PYyE= go.uber.org/atomic v1.9.0/go.mod h1:fEN4uk6kAWBTFdckzkM89CLk9XfWZrxpCo0nPH17wJc= go.uber.org/goleak v1.1.11 h1:wy28qYRKZgnJTxGxvye5/wgWr1EKjmUDGYox5mGlRlI= go.uber.org/goleak v1.1.11/go.mod h1:cwTWslyiVhfpKIDGSZEM2HlOvcqm+tG4zioyIeLoqMQ= +go.uber.org/multierr v1.1.0/go.mod h1:wR5kodmAFQ0UK8QlbwjlSNy0Z68gJhDJUG5sjR94q/0= go.uber.org/multierr v1.5.0/go.mod h1:FeouvMocqHpRaaGuG9EjoKcStLC43Zu/fmqdUMPcKYU= go.uber.org/multierr v1.6.0/go.mod h1:cdWPpRnG4AhwMwsgIHip0KRBQjJy5kYEpYjJxpXp9iU= go.uber.org/multierr v1.8.0 h1:dg6GjLku4EH+249NNmoIciG9N/jURbDG+pFlTkhzIC8= go.uber.org/multierr v1.8.0/go.mod h1:7EAYxJLBy9rStEaz58O2t4Uvip6FSURkq8/ppBp95ak= go.uber.org/tools v0.0.0-20190618225709-2cfd321de3ee/go.mod h1:vJERXedbb3MVM5f9Ejo0C68/HhF8uaILCdgjnY+goOA= +go.uber.org/zap v1.10.0/go.mod h1:vwi/ZaCAaUcBkycHslxD9B2zi4UTXhF60s6SWpuDF0Q= go.uber.org/zap v1.16.0/go.mod h1:MA8QOfq0BHJwdXa996Y4dYkAqRKB8/1K1QMMZVaNZjQ= go.uber.org/zap v1.21.0 h1:WefMeulhovoZ2sYXz7st6K0sLj7bBhpiFaud4r4zST8= go.uber.org/zap v1.21.0/go.mod h1:wjWOCqI0f2ZZrJF/UufIOkiC8ii6tm1iqIsLo76RfJw= +golang.org/x/crypto v0.0.0-20180904163835-0709b304e793/go.mod h1:6SG95UA2DQfeDnfUPMdvaQW0Q7yPrPDi9nlGo2tz2b4= +golang.org/x/crypto v0.0.0-20181203042331-505ab145d0a9/go.mod h1:6SG95UA2DQfeDnfUPMdvaQW0Q7yPrPDi9nlGo2tz2b4= golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w= golang.org/x/crypto v0.0.0-20190510104115-cbcb75029529/go.mod 
h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI= golang.org/x/crypto v0.0.0-20190923035154-9ee001bba392/go.mod h1:/lpIB1dKB+9EgE3H3cr1v9wB50oz8l4C4h62xy7jSTY= golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI= -golang.org/x/crypto v0.0.0-20220427172511-eb4f295cb31f h1:OeJjE6G4dgCY4PIXvIRQbE8+RX+uXZyGhUy/ksMGJoc= golang.org/x/crypto v0.0.0-20220427172511-eb4f295cb31f/go.mod h1:IxCIyHEi3zRg3s0A5j5BB6A9Jmi73HwBIUl50j+osU4= +golang.org/x/crypto v0.6.0 h1:qfktjS5LUO+fFKeJXZ+ikTRijMmljikvG68fpMMruSc= +golang.org/x/crypto v0.6.0/go.mod h1:OFC/31mSvZgRz0V1QTNCzfAI1aIRzbiufJtkMIlEp58= +golang.org/x/exp v0.0.0-20190121172915-509febef88a4/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA= +golang.org/x/lint v0.0.0-20181026193005-c67002cb31c3/go.mod h1:UVdnD1Gm6xHRNCYTkRU2/jEulfH38KcIWyp/GAMgvoE= +golang.org/x/lint v0.0.0-20190227174305-5b3e6a55c961/go.mod h1:wehouNa3lNwaWXcvxsM5YxQ5yQlVC4a0KAMCusXpPoU= +golang.org/x/lint v0.0.0-20190313153728-d0100b6bd8b3/go.mod h1:6SW0HCj/g11FgYtHlgUYUwCkIfeOF89ocIRzGO/8vkc= golang.org/x/lint v0.0.0-20190930215403-16217165b5de/go.mod h1:6SW0HCj/g11FgYtHlgUYUwCkIfeOF89ocIRzGO/8vkc= golang.org/x/mod v0.0.0-20190513183733-4bf6d317e70e/go.mod h1:mXi4GBBbnImb6dmsKGUJ2LatrhH/nqhxcFungHvyanc= golang.org/x/mod v0.4.2/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA= +golang.org/x/net v0.0.0-20180724234803-3673e40ba225/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= +golang.org/x/net v0.0.0-20180826012351-8a410e7b638d/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= +golang.org/x/net v0.0.0-20181114220301-adae6a3d119a/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= +golang.org/x/net v0.0.0-20181220203305-927f97764cc3/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= +golang.org/x/net v0.0.0-20190213061140-3a22650c66bd/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= golang.org/x/net v0.0.0-20190311183353-d8887717615a/go.mod 
h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg= golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg= +golang.org/x/net v0.0.0-20190522155817-f3200d17e092/go.mod h1:HSz+uSET+XFnRR8LxR5pz3Of3rY3CfYBVs4xY44aLks= golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= golang.org/x/net v0.0.0-20190923162816-aa69164e4478/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= golang.org/x/net v0.0.0-20210226172049-e18ecbb05110/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg= golang.org/x/net v0.0.0-20210405180319-a5a99cb37ef4/go.mod h1:p54w0d4576C0XHj96bSt6lcn1PtDYWL6XObtHCRCNQM= golang.org/x/net v0.0.0-20210410081132-afb366fc7cd1/go.mod h1:9tjilg8BloeKEkVJvy7fQ90B1CfIiPueXVOjqfkSzI8= -golang.org/x/net v0.0.0-20211112202133-69e39bad7dc2 h1:CIJ76btIcR3eFI5EgSo6k1qKw9KJexJuRLI9G7Hp5wE= golang.org/x/net v0.0.0-20211112202133-69e39bad7dc2/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y= +golang.org/x/net v0.6.0 h1:L4ZwwTvKW9gr0ZMS1yrHD9GZhIuVjOBBnaKH+SPQK0Q= +golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U= +golang.org/x/sync v0.0.0-20180314180146-1d60e4601c6f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= +golang.org/x/sync v0.0.0-20181108010431-42b317875d0f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= +golang.org/x/sync v0.0.0-20181221193216-37e7f081c4d4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sync v0.0.0-20210220032951-036812b2e83c/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sys v0.0.0-20180823144017-11551d06cbcc/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= +golang.org/x/sys v0.0.0-20180830151530-49385e6e1522/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= +golang.org/x/sys 
v0.0.0-20180905080454-ebe1bf3edb33/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= +golang.org/x/sys v0.0.0-20181107165924-66b7b1311ac8/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= +golang.org/x/sys v0.0.0-20181116152217-5ac8a444bdc5/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= golang.org/x/sys v0.0.0-20181122145206-62eef0e2fa9b/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= +golang.org/x/sys v0.0.0-20181205085412-a5c9d58dba9a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= golang.org/x/sys v0.0.0-20190222072716-a9d3bda3a223/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= golang.org/x/sys v0.0.0-20190412213103-97732733099d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= 
@@ -215,18 +352,24 @@ golang.org/x/sys v0.0.0-20210330210617-4fbd30eecc44/go.mod h1:h1NjWce9XRLGQEsW7w golang.org/x/sys v0.0.0-20210423082822-04245dca01da/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20210510120138-977fb7262007/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.0.0-20210615035016-665e8c7367d1/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= +golang.org/x/sys v0.0.0-20210629170331-7dc0b73dc9fb/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.0.0-20210630005230-0f9fa26af87c/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.0.0-20210927094055-39ccf1dd6fa6/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.0.0-20220503163025-988cb79eb6c6/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= -golang.org/x/sys v0.0.0-20220708085239-5a0f0661e09d h1:/m5NbqQelATgoSPVC2Z23sR4kVNokFwDDyWh/3rGY+I= -golang.org/x/sys v0.0.0-20220708085239-5a0f0661e09d/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= +golang.org/x/sys v0.5.0 h1:MUK/U/4lj1t1oPg0HfuXDN/Z1wv31ZJ/YcPiGccS4DU= +golang.org/x/sys v0.5.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo= golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= golang.org/x/text v0.3.2/go.mod h1:bEr9sfX3Q8Zfm5fL9x+3itogRgK3+ptLWKqgva+5dAk= golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ= golang.org/x/text v0.3.6/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ= +golang.org/x/time v0.0.0-20190308202827-9d24e82272b4/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= +golang.org/x/tools v0.0.0-20180221164845-07fd8470d635/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ= golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ= +golang.org/x/tools 
v0.0.0-20190114222345-bf090417da8b/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ= +golang.org/x/tools v0.0.0-20190226205152-f727befe758c/go.mod h1:9Yl7xja0Znq3iFh3HoIrodX9oNMXvdceNzlUR8zjMvY= golang.org/x/tools v0.0.0-20190311212946-11955173bddd/go.mod h1:LCzVGOaR6xXOjkQ3onu1FJEFr0SW1gC7cKk1uF8kGRs= +golang.org/x/tools v0.0.0-20190524140312-2c0ae7006135/go.mod h1:RgjU9mgBXZiqYHBnxXauZ1Gv1EHHAz9KjViQ78xBX0Q= golang.org/x/tools v0.0.0-20190621195816-6e04913cbbac/go.mod h1:/rFqwRUd4F7ZHNgwSSTFct+R/Kf4OFW1sUzUTQQTgfc= golang.org/x/tools v0.0.0-20190907020128-2ca718005c18/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo= golang.org/x/tools v0.0.0-20191029041327-9cc4af7d6b2c/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo= 
@@ -238,10 +381,31 @@ golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8T golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1 h1:go1bK/D/BFZV2I8cIQd1NKEZ+0owSTG1fDTci4IqFcE= golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= +google.golang.org/appengine v1.1.0/go.mod h1:EbEs0AVv82hx2wNQdGPgUI5lhzA/G0D9YwlJXL52JkM= +google.golang.org/appengine v1.4.0/go.mod h1:xpcJRLb0r/rnEns0DIKYYv+WjYCduHsrkT7/EB5XEv4= +google.golang.org/genproto v0.0.0-20180817151627-c66870c02cf8/go.mod h1:JiN7NxoALGmiZfu7CAH4rXhgtRTLTxftemlI0sWmxmc= +google.golang.org/genproto v0.0.0-20190819201941-24fa4b261c55/go.mod h1:DMBHOl98Agz4BDEuKkezgsaosCRResVns1a3J2ZsMNc= +google.golang.org/genproto v0.0.0-20200526211855-cb27e3aa2013/go.mod h1:NbSheEEYHJ7i3ixzK3sjbqSGDJWnxyFXZblF3eUsNvo= +google.golang.org/grpc v1.19.0/go.mod h1:mqu4LbDTu4XGKhr4mRzUsmM4RtVoemTSY81AxZiDr8c= +google.golang.org/grpc v1.21.0/go.mod h1:oYelfM1adQP15Ek0mdvEgi9Df8B9CZIaU1084ijfRaM= +google.golang.org/grpc v1.23.0/go.mod h1:Y5yQAOtifL1yxbo5wqy6BxZv8vAUGQwXBOALyacEbxg= +google.golang.org/grpc v1.27.0/go.mod h1:qbnxyOmOxrQa7FizSgH+ReBfzJrCY1pSN7KXBS8abTk= +google.golang.org/protobuf v0.0.0-20200109180630-ec00e32a8dfd/go.mod h1:DFci5gLYBciE7Vtevhsrf46CRTquxDuWsQurQQe4oz8= +google.golang.org/protobuf v0.0.0-20200221191635-4d8936d0db64/go.mod h1:kwYJMbMJ01Woi6D6+Kah6886xMZcty6N08ah7+eCXa0= +google.golang.org/protobuf v0.0.0-20200228230310-ab0ca4ff8a60/go.mod h1:cfTl7dwQJ+fmap5saPgwCLgHXTUD7jkjRqWcaiX5VyM= +google.golang.org/protobuf v1.20.1-0.20200309200217-e05f789c0967/go.mod h1:A+miEFZTKqfCUM6K7xSMQL9OKL/b6hQv+e19PK+JZNE= +google.golang.org/protobuf v1.21.0/go.mod h1:47Nbq4nVaFHyn7ilMalzfO3qCViNmqZ2kzikPIcrTAo= +google.golang.org/protobuf v1.22.0/go.mod h1:EGpADcykh3NcUnDUJcl1+ZksZNG86OlYog2l/sGQquU= +google.golang.org/protobuf 
v1.23.1-0.20200526195155-81db48ad09cc/go.mod h1:EGpADcykh3NcUnDUJcl1+ZksZNG86OlYog2l/sGQquU= +google.golang.org/protobuf v1.25.0/go.mod h1:9JNX74DMeImyA3h4bdi1ymwjUzf21/xIlbajtzgsN7c= +gopkg.in/alecthomas/kingpin.v2 v2.2.6/go.mod h1:FMv+mEhP44yOT+4EoQTLFTRgOQ1FBLkstjWtayDeSgw= gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= gopkg.in/check.v1 v1.0.0-20180628173108-788fd7840127/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= gopkg.in/check.v1 v1.0.0-20190902080502-41f04d3bba15/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= gopkg.in/errgo.v2 v2.1.0/go.mod h1:hNsd1EY+bozCKY1Ytp96fpM3vjJbqLJn88ws8XvfDNI= +gopkg.in/resty.v1 v1.12.0/go.mod h1:mDo4pnntr5jdWRML875a/NmxYqAlA73dVijT2AXvQQo= +gopkg.in/yaml.v2 v2.0.0-20170812160011-eb3733d160e7/go.mod h1:JAlM8MvJe8wmxCU4Bli9HhUf9+ttbYbLASfIpnQbh74= +gopkg.in/yaml.v2 v2.2.1/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI= gopkg.in/yaml.v2 v2.2.2/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI= gopkg.in/yaml.v2 v2.2.8/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI= gopkg.in/yaml.v2 v2.4.0 h1:D8xgwECY7CYvx+Y2n4sBz93Jn9JRvxdiyyo8CTfuKaY= @@ -250,4 +414,6 @@ gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C gopkg.in/yaml.v3 v3.0.0-20210107192922-496545a6307b/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM= gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA= gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM= +honnef.co/go/tools v0.0.0-20190102054323-c2f93a96b099/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4= +honnef.co/go/tools v0.0.0-20190523083050-ea95bdfd59fc/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4= honnef.co/go/tools v0.0.1-2019.2.3/go.mod h1:a3bituU0lyd329TUQxRnasdCoJDkEUEAqEt0JzvZhAg= diff --git a/internal/admintool/group.go b/internal/admintool/group.go index fd59e69..b1f89cb 100644 --- a/internal/admintool/group.go 
+++ b/internal/admintool/group.go @@ -5,8 +5,8 @@ import ( "fmt" "github.com/google/uuid" - "github.com/spf13/cobra" "github.com/manifoldco/promptui" + "github.com/spf13/cobra" "go.uber.org/zap" "go.e43.eu/authentricity/internal/models" @@ -41,7 +41,7 @@ var createGroupCmd = &cobra.Command{ }).Run() if err != nil { return err - } + } group := &models.GroupRecord{ UUID: uuid.New(), diff --git a/internal/models/field.go b/internal/models/field.go new file mode 100644 index 0000000..6202055 --- /dev/null +++ b/internal/models/field.go @@ -0,0 +1,24 @@ +package models + +import "encoding/base64" + +type Base64Field []byte + +func (f Base64Field) String() string { + return base64.RawStdEncoding.EncodeToString([]byte(f)) +} + +func (f Base64Field) MarshalText() ([]byte, error) { + buf := make([]byte, base64.RawStdEncoding.EncodedLen(len(f))) + base64.RawStdEncoding.Encode(buf, []byte(f)) + return buf, nil +} + +func (f *Base64Field) UnmarshalText(text []byte) error { + buf := make([]byte, base64.RawStdEncoding.DecodedLen(len(text))) + _, err := base64.RawStdEncoding.Decode(buf, text) + if err == nil { + *f = Base64Field(buf) + } + return err +} diff --git a/internal/models/public_key_credential.go b/internal/models/public_key_credential.go new file mode 100644 index 0000000..c63d6a0 --- /dev/null +++ b/internal/models/public_key_credential.go 
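Review bot: `UnmarshalText` discards the byte count that `Decode` returns and stores the whole `DecodedLen` buffer as the value. With `RawStdEncoding` the two agree for any input `Decode` accepts, so this works today, but it silently depends on the unpadded encoding; `n, err := base64.RawStdEncoding.Decode(buf, text)` followed by `*f = Base64Field(buf[:n])` removes the assumption. A doc comment on the type would also help, because the JavaScript added in this same change speaks base64url and the two alphabets are not interchangeable: `// Base64Field is a byte slice that serialises as unpadded standard (not URL-safe) base64.`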
@@ -0,0 +1,32 @@ +package models + +import "encoding/json" + +type PublicKeyCredential struct { + Credential Base64Field `mapstructure:"credential,omitempty"` + PublicKey Base64Field `mapstructure:"publicKey,omitempty"` + UserPresent bool `mapstructure:"up,omitempty"` + UserVerified bool `mapstructure:"uv,omitempty"` + Comment string `mapstructure:"comment,omitempty"` + + Other map[string]interface{} `mapstructure:"-,remain"` +} + +func (c PublicKeyCredential) MarshalJSON() ([]byte, error) { + m := make(map[string]interface{}) + for k, v := range c.Other { + m[k] = v + } + if err := decode(c, &m); err != nil { + return nil, err + } + return json.Marshal(m) +} + +func (c *PublicKeyCredential) UnmarshalJSON(data []byte) error { + m := make(map[string]interface{}) + if err := json.Unmarshal(data, m); err != nil { + return err + } + return decode(m, c) +} diff --git a/internal/models/user.go b/internal/models/user.go index 95ccf98..47b16ff 100644 --- a/internal/models/user.go +++ b/internal/models/user.go @@ -136,8 +136,11 @@ func (ur *UserRecord) EnsurePrivileged() *UserPrivileged { } type UserPrivileged struct { - HashedPassword []string `mapstructure:"hashedPassword,omitempty"` - SSHAuthorizedKeys []string `mapstructure:"sshAuthorizedKeys,omitempty"` + HashedPassword []string `mapstructure:"hashedPassword,omitempty"` + SSHAuthorizedKeys []string `mapstructure:"sshAuthorizedKeys,omitempty"` + PublicKeyCredentials []PublicKeyCredential `mapstructure:"publicKeyCredentials,omitempty"` + + Other map[string]interface{} `mapstructure:"-,remain"` } func (priv *UserPrivileged) CheckPassword(pw string) bool { diff --git a/internal/webui/act_chpw.go b/internal/webui/act_chpw.go index 5fd37b2..f044f2d 100644 --- a/internal/webui/act_chpw.go +++ b/internal/webui/act_chpw.go 
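Review bot: `UnmarshalJSON` passes the map by value, `json.Unmarshal(data, m)`; `encoding/json` rejects any non-pointer target with `InvalidUnmarshalError`, so this method can never succeed, and `go vet`'s unmarshal check flags exactly this pattern. Change it to `json.Unmarshal(data, &m)`. If the store round-trips these records through the `mapstructure`-based `decode` rather than `encoding/json`, the bug may be latent today, but a `MarshalJSON`/`UnmarshalJSON` pair on an exported type will be picked up by any caller that does use JSON, so it should not ship broken. `decode` itself is not part of this diff.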
@@ -15,11 +15,11 @@ func (s *Service) actionChangePassword( ent models.Entity, md store.EntryMetadata, ) { - if ent.Type() != models.TypeUser { + user, ok := ent.(*models.UserRecord) + if !ok { s.renderBadRequest(w, r) return } - user := ent.(*models.UserRecord) if !s.canEditEntity(r.Context(), user.UUID) { s.renderForbidden(w, r) diff --git a/internal/webui/act_groups.go b/internal/webui/act_groups.go index a4e8bea..f4c7124 100644 --- a/internal/webui/act_groups.go +++ b/internal/webui/act_groups.go @@ -16,11 +16,11 @@ func (s *Service) actionAddGroup( ent models.Entity, md store.EntryMetadata, ) { - if ent.Type() != models.TypeUser { + user, ok := ent.(*models.UserRecord) + if !ok { s.renderBadRequest(w, r) return } - user := ent.(*models.UserRecord) if !s.isAdmin(r.Context()) { s.renderForbidden(w, r) @@ -61,11 +61,11 @@ func (s *Service) actionRemoveGroups( ent models.Entity, md store.EntryMetadata, ) { - if ent.Type() != models.TypeUser { + user, ok := ent.(*models.UserRecord) + if !ok { s.renderBadRequest(w, r) return } - user := ent.(*models.UserRecord) if !s.isAdmin(r.Context()) { s.renderForbidden(w, r) diff --git a/internal/webui/act_ssh.go b/internal/webui/act_ssh.go index 16ad68e..7caedcd 100644 --- a/internal/webui/act_ssh.go +++ b/internal/webui/act_ssh.go @@ -15,11 +15,11 @@ func (s *Service) actionAddSSHKey( ent models.Entity, md store.EntryMetadata, ) { - if ent.Type() != models.TypeUser { + user, ok := ent.(*models.UserRecord) + if !ok { s.renderBadRequest(w, r) return } - user := ent.(*models.UserRecord) if !s.canEditEntity(r.Context(), user.ID()) { s.renderForbidden(w, r) @@ -29,6 +29,7 @@ func (s *Service) actionAddSSHKey( key := strings.TrimSpace(r.PostForm.Get("key")) if key == "" { s.renderEntity(w, r, ent, "No SSH key Specified") + return } priv := user.EnsurePrivileged() 
@@ -57,11 +58,11 @@ func (s *Service) actionRemoveSSHKeys( ent models.Entity, md store.EntryMetadata, ) { - if ent.Type() != models.TypeUser { + user, ok := ent.(*models.UserRecord) + if !ok { s.renderBadRequest(w, r) return } - user := ent.(*models.UserRecord) if !s.canEditEntity(r.Context(), user.UUID) { s.renderForbidden(w, r) diff --git a/internal/webui/act_webauthn.go b/internal/webui/act_webauthn.go new file mode 100644 index 0000000..f5ee09c --- /dev/null +++ b/internal/webui/act_webauthn.go 
@@ -0,0 +1,104 @@
+package webui
+
+import (
+ "fmt"
+ "net/http"
+ "time"
+
+ "go.e43.eu/authentricity/internal/models"
+ "go.e43.eu/authentricity/internal/store"
+ "go.uber.org/zap"
+)
+
+func (s *Service) actionAddAuthenticator(
+ w http.ResponseWriter,
+ r *http.Request,
+ ent models.Entity,
+ md store.EntryMetadata,
+) {
+ user, ok := ent.(*models.UserRecord)
+ if !ok {
+ s.renderBadRequest(w, r)
+ return
+ }
+
+ tok := getUserToken(r.Context())
+ isYou := user.UUID.String() == tok.Subject()
+ if !isYou {
+ s.renderForbidden(w, r)
+ return
+ }
+
+ rr := WebAuthnRegistrationResponse{
+ Session: r.PostForm.Get("session"),
+ Response: r.PostForm.Get("response"),
+ }
+
+ cred, err := s.webAuthnCreateCredential(user, rr)
+ if err != nil {
+ zap.L().Error("Error creating credential", zap.Reflect("error", err))
+ s.renderError(w)
+ }
+
+ pkCred := models.PublicKeyCredential{
+ Credential: cred.ID,
+ PublicKey: cred.PublicKey,
+ UserPresent: cred.Flags.UserPresent,
+ UserVerified: cred.Flags.UserVerified,
+ Comment: fmt.Sprintf("Added %s", time.Now().Format("Mon Jan _2 2006")),
+ }
+
+ priv := user.EnsurePrivileged()
+ priv.PublicKeyCredentials = append(priv.PublicKeyCredentials, pkCred)
+
+ if err := s.store.UpdateEntitySimple(r.Context(), user, md); err != nil {
+ zap.L().Error("Error updating user", zap.Error(err))
+ s.renderError(w)
+ } else {
+ s.renderEntity(w, r, ent, "Authenticator Added")
+ }
+}
+
+func (s *Service) actionRemoveCredentials(
+ w http.ResponseWriter,
+ r *http.Request,
+ ent models.Entity,
+ md store.EntryMetadata,
+) {
+ user, ok := ent.(*models.UserRecord)
+ if !ok {
+ s.renderBadRequest(w, r)
+ return
+ }
+
+ if !s.canEditEntity(r.Context(), user.UUID) {
+ s.renderForbidden(w, r)
+ return
+ }
+
+ toRemove := r.PostForm["credential"]
+ priv := user.EnsurePrivileged()
+ var newCreds []models.PublicKeyCredential
+
+ for _, cred := range priv.PublicKeyCredentials {
+ remove := false
+ for _, kr := range toRemove {
+ if cred.Credential.String() 
== kr { + remove = true + } + } + + if !remove { + newCreds = append(newCreds, cred) + } + } + + priv.PublicKeyCredentials = newCreds + + if err := s.store.UpdateEntitySimple(r.Context(), user, md); err != nil { + zap.L().Error("Error updating user", zap.Error(err)) + s.renderError(w) + } else { + s.renderEntity(w, r, ent, "Credentials removed") + } +} diff --git a/internal/webui/content/base.tmpl b/internal/webui/content/base.tmpl index 60d43a6..0e0f6ec 100644 --- a/internal/webui/content/base.tmpl +++ b/internal/webui/content/base.tmpl @@ -7,6 +7,7 @@ {{.Title}} +
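Review bot: In `actionAddAuthenticator` the error branch after `s.webAuthnCreateCredential` logs and calls `s.renderError(w)` but does not return, so a failed or forged registration response falls through to `cred.ID` (a nil dereference if the library returns a nil pointer on error) and, if it survives that, writes a second response on top of the error page. Add `return` after `s.renderError(w)` in that branch, mirroring the `UpdateEntitySimple` branch, which is already exclusive. `zap.Reflect("error", err)` should also be `zap.Error(err)` for consistency with the rest of the handler. Only the credential ID, public key and two flags are persisted in `pkCred`; if the library exposes the authenticator's signature counter, storing it as well is what makes clone detection on later assertions possible — worth confirming in `webauthn.go`.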
@@ -40,4 +41,4 @@
-{{end}} \ No newline at end of file +{{end}} diff --git a/internal/webui/content/ent_user.tmpl b/internal/webui/content/ent_user.tmpl index 1a40590..17df938 100644 --- a/internal/webui/content/ent_user.tmpl +++ b/internal/webui/content/ent_user.tmpl @@ -41,6 +41,45 @@ {{end}} +

Credentials

+
+
+ + + + + + + + + {{range $ix, $cred := .Credentials}} + + + + + + + {{end}} +
# Description
{{if $.Editable}}{{end}}{{$ix}}{{$cred.Comment}}
+ {{.CSRFField}} +
+
+{{if .Editable}} +
+
+
+
+ + + + + {{.CSRFField}} +
+
+
+{{end}} + +

SSH Keys

@@ -99,4 +138,4 @@ {{.CSRFField}}
{{end}} -{{template "footer"}} \ No newline at end of file +{{template "footer"}} diff --git a/internal/webui/content/login.tmpl b/internal/webui/content/login.tmpl index 03e05a8..50c93c1 100644 --- a/internal/webui/content/login.tmpl +++ b/internal/webui/content/login.tmpl @@ -29,7 +29,7 @@ z-index: 2; } - .form-signin input[type="email"] { + .form-signin input[type="username"] { margin-bottom: -1px; border-bottom-right-radius: 0; border-bottom-left-radius: 0; @@ -92,11 +92,13 @@ -webkit-overflow-scrolling: touch; } +
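Review bot: `.form-signin input[type="username"]` selects an input type that does not exist in HTML; browsers treat an unknown `type` as `text`, so the rule only matches because the attribute string happens to be present in the markup. The conventional form — and the one the conditional-mediation call in authentricity.js (`doSecurityKeyLogin(skLoginForm, "conditional")`) relies on for the browser to offer passkeys in autofill — is `type="text" autocomplete="username webauthn"`, with the stylesheet keyed on the name instead: `.form-signin input[name="username"]`. The form element itself is not visible in this diff, so confirm against the actual input.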
+

Please sign in

{{if .ShowError}} @@ -124,6 +126,15 @@ {{.CSRFField}}
+
+
+ + + {{.CSRFField}} + +
diff --git a/internal/webui/content/static/authentricity.js b/internal/webui/content/static/authentricity.js new file mode 100644 index 0000000..1356f4e --- /dev/null +++ b/internal/webui/content/static/authentricity.js 
@@ -0,0 +1,115 @@
+import * as b64 from "./base64.js";
+
+
+function addSecurityKey() {
+ const form = document.getElementById("sk-add-form");
+ const req = JSON.parse(form.dataset["req"]);
+
+ console.log("Request", req);
+ req.publicKey.challenge = b64.decode(req.publicKey.challenge);
+ req.publicKey.user.id = b64.decode(req.publicKey.user.id);
+
+ let excl = req.publicKey.excludeCredentials;
+ if (excl) for (var i = 0; i < excl.length; i++) {
+ excl[i].id = b64.decode(excl[i].id);
+ }
+
+ console.log("Request", req);
+
+ navigator.credentials.create(req).then((cred) => {
+ console.log("Credential", cred);
+
+ let jsonCred = {
+ "type": cred.type,
+ "id": cred.id,
+ "response": {
+ "clientDataJSON": b64.encode(cred.response.clientDataJSON),
+ "attestationObject": b64.encode(cred.response.attestationObject),
+ },
+ }
+
+ console.log("JSON Credential", jsonCred);
+ form.elements["response"].value = JSON.stringify(jsonCred);
+ console.log("JSON Credential", form.elements["response"].value);
+ alert(form.elements["response"].value);
+ form.submit();
+ })
+ return false
+}
+
+var abort;
+function doSecurityKeyLogin(form, mediation) {
+ if (abort)
+ abort.abort("cancelled");
+ abort = new AbortController();
+
+ const req = JSON.parse(form.dataset["req"]);
+ req.signal = abort.signal;
+ req.mediation = mediation;
+ req.publicKey.challenge = b64.decode(req.publicKey.challenge);
+ if (req.publicKey.user)
+ req.publicKey.user.id = b64.decode(req.publicKey.user.id);
+ console.log("Request", req);
+
+ navigator.credentials.get(req).then((cred) => {
+ console.log("Credential", cred);
+
+ let jsonCred = {
+ "type": cred.type,
+ "id": cred.id,
+ "rawId": b64.encode(cred.rawId),
+ "response": {
+ "clientDataJSON": b64.encode(cred.response.clientDataJSON),
+ "authenticatorData": b64.encode(cred.response.authenticatorData),
+ "signature": b64.encode(cred.response.signature),
+ "userHandle": b64.encode(cred.response.userHandle),
+ },
+ }
+
+ console.log("JSON Credential", 
jsonCred);
+ form.elements["response"].value = JSON.stringify(jsonCred);
+ console.log("JSON Credential", form.elements["response"].value);
+ form.submit();
+ }, (exc) => {
+ console.log("Promise rejected", exc)
+ })
+}
+
+async function check(fn, orElse) {
+ return fn ? await fn() : orElse;
+}
+
+(async () => {
+ if (!navigator.credentials || !PublicKeyCredential) {
+ console.log("[WebAuthn] No support for WebAuthn, funcitonality will be disabled");
+ return;
+ }
+
+ const ctap2Supported = await check(PublicKeyCredential.isExternalCTAP2SecurityKeySupported, true);
+ const passkeySupported = await check(PublicKeyCredential.isUserVerifyingPlatformAuthenticatorAvailable, false);
+
+ console.log("Credential support", {
+ "ctap2": ctap2Supported,
+ "passkey": passkeySupported,
+ });
+ if (!ctap2Supported && !passkeySupported) {
+ console.log("[WebAuthn] No supported credential type, funcitonality will be disabled.");
+ return;
+ }
+
+ const skLoginForm = document.getElementById("sk-login-form");
+ if (skLoginForm) {
+ doSecurityKeyLogin(skLoginForm, "conditional");
+
+ const button = skLoginForm.elements["login"]
+ button.addEventListener("click", (_) => doSecurityKeyLogin(skLoginForm, "required"));
+ button.style.display = "";
+ }
+
+ const skAddForm = document.getElementById("sk-add-form");
+ if (skAddForm) {
+ const button = skAddForm.elements["add"];
+ button.addEventListener("click", addSecurityKey);
+ button.style.display = "";
+ }
+})();
diff --git a/internal/webui/content/static/base64.js b/internal/webui/content/static/base64.js
new file mode 100644
index 0000000..a2a8a2f
--- /dev/null
+++ b/internal/webui/content/static/base64.js
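Review bot: `alert(form.elements["response"].value);` in `addSecurityKey` is a debugging leftover that pops the raw attestation JSON at the user on every registration; delete it. The `navigator.credentials.create(req).then(...)` chain also has no rejection handler, unlike the `get` call in `doSecurityKeyLogin`, so a cancelled ceremony or an `InvalidStateError` triggered by `excludeCredentials` becomes an unhandled rejection and the user gets no feedback; pass a second callback, `(exc) => console.log("Promise rejected", exc)`, or better, surface it in the form. The `console.log` dumps of the request and credential objects should likewise be removed or gated behind a debug flag before this ships.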
@@ -0,0 +1,44 @@
+/*
+ * base64-arraybuffer 1.0.2
+ * Copyright (c) 2022 Niklas von Hertzen
+ * Released under MIT License
+ *
+ * Adjusted here to be base64url, without padding
+ */
+var chars = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-_';
+// Use a lookup table to find the index.
+var lookup = typeof Uint8Array === 'undefined' ? [] : new Uint8Array(256);
+for (var i = 0; i < chars.length; i++) {
+ lookup[chars.charCodeAt(i)] = i;
+}
+var encode = function (arraybuffer) {
+ var bytes = new Uint8Array(arraybuffer), i, len = bytes.length, base64 = '';
+ for (i = 0; i < len; i += 3) {
+ base64 += chars[bytes[i] >> 2];
+ base64 += chars[((bytes[i] & 3) << 4) | (bytes[i + 1] >> 4)];
+ base64 += chars[((bytes[i + 1] & 15) << 2) | (bytes[i + 2] >> 6)];
+ base64 += chars[bytes[i + 2] & 63];
+ }
+ if (len % 3 === 2) {
+ base64 = base64.substring(0, base64.length - 1);
+ } else if (len % 3 === 1) {
+ base64 = base64.substring(0, base64.length - 2)
+ }
+ return base64;
+};
+var decode = function (base64) {
+ var bufferLength = base64.length * 0.75, len = base64.length, i, p = 0, encoded1, encoded2, encoded3, encoded4;
+ var arraybuffer = new ArrayBuffer(bufferLength), bytes = new Uint8Array(arraybuffer);
+ for (i = 0; i < len; i += 4) {
+ encoded1 = lookup[base64.charCodeAt(i)];
+ encoded2 = lookup[base64.charCodeAt(i + 1)];
+ encoded3 = lookup[base64.charCodeAt(i + 2)];
+ encoded4 = lookup[base64.charCodeAt(i + 3)];
+ bytes[p++] = (encoded1 << 2) | (encoded2 >> 4);
+ bytes[p++] = ((encoded2 & 15) << 4) | (encoded3 >> 2);
+ bytes[p++] = ((encoded3 & 3) << 6) | (encoded4 & 63);
+ }
+ return arraybuffer;
+};
+
+export { decode, encode };
diff --git a/internal/webui/jwt.go b/internal/webui/jwt.go
index 026c4c3..718b105 100644
--- a/internal/webui/jwt.go
+++ b/internal/webui/jwt.go
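Review bot: `decode` sizes its buffer with `base64.length * 0.75`, which is fractional for unpadded input and only works because `new ArrayBuffer` truncates the length and typed-array writes past the end are dropped; the upstream padding adjustment appears to have been removed rather than replaced. Make the intent explicit with `var bufferLength = Math.floor(base64.length * 3 / 4);` and a one-line comment saying the loop's trailing writes are intentionally out of range. Note also that `lookup` maps every non-alphabet character (and any code point above 255) to 0, so malformed input decodes silently; that is acceptable for the server-supplied values this is used on, but worth a comment so nobody reuses it for untrusted data.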
@@ -20,6 +20,7 @@ type tokenCtxKey struct{} func getUserToken(ctx context.Context) openid.Token { tok, ok := ctx.Value(tokenCtxKey{}).(openid.Token) + zap.S().Debugf("getUserToken %+v", tok) if ok { return tok } else { @@ -29,11 +30,11 @@ func getUserToken(ctx context.Context) openid.Token { func requireLogin(w http.ResponseWriter, r *http.Request) bool { tok := getUserToken(r.Context()) - if tok == nil { - http.Redirect(w, r, "/login?next="+url.QueryEscape(r.URL.String()), http.StatusFound) - return false + if tok != nil { + return true } - return true + http.Redirect(w, r, "/login?next="+url.QueryEscape(r.URL.String()), http.StatusFound) + return false } func (s *Service) buildTokenForUser( @@ -94,6 +95,7 @@ func (s *Service) buildTokenCookie(data []byte, maxAge int) http.Cookie { Name: s.tokenCookie, Value: string(data), Domain: s.cookieDomain, + Path: "/", Secure: s.cookieSecure, HttpOnly: true, MaxAge: maxAge, @@ -103,6 +105,7 @@ func (s *Service) buildTokenCookie(data []byte, maxAge int) http.Cookie { func (s *Service) tokenValidationMiddleware(next http.Handler) http.Handler { return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { ck, err := r.Cookie(s.tokenCookie) + zap.L().Debug("Token", zap.Any("token", ck)) if err == nil { body, err := jwe.Decrypt([]byte(ck.Value), jwe.WithKey(s.cookieKey.Algorithm(), s.cookieKey)) if err != nil { diff --git a/internal/webui/main.go b/internal/webui/main.go index 4f24430..9c8a842 100644 --- a/internal/webui/main.go +++ b/internal/webui/main.go 
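Review bot: `zap.L().Debug("Token", zap.Any("token", ck))` logs the whole `*http.Cookie`, including `Value`, which is the encrypted session token; anyone who can read debug logs can replay it until it expires, and debug logging is a one-flag change (`Config.Debug`). Log only what troubleshooting needs, e.g. `zap.L().Debug("Token cookie", zap.Bool("present", err == nil))`. The `zap.S().Debugf("getUserToken %+v", tok)` added to `getUserToken` has the same problem in milder form, dumping every claim on every request, and should go as well.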
@@ -14,14 +14,15 @@ import ( ) type Config struct { - Debug bool `default:"false" description:"Enable debug logging"` - ListenType string `envconfig:"listen_type" default:"tcp" description:"Type of socket to listen on (Go 'net.Listen()' network)"` - ListenAddress string `envconfig:"listen_address" default:":8700" description:"Address to listen on (Go 'net.Listen()' address)"` - SecretsDir string `envconfig:"secrets_dir" default:"/var/lib/authentricity/webui/secrets" description:"Directory in which to store secrets"` - TokenCookie string `envconfig:"token_cookie" default:"authentricity_token" description:"Cookie in which to store authentication token"` - AdminGroupID uuid.UUID `envconfig:"admin_group_id" required:"true" description:"UUID of administrator group"` - CookieDomain string `envconfig:"cookie_domain" default:"" description:"Domain to use when setting token cookie - customize to do cross-domain cookie based SSO"` - NoHTTPS bool `envconfig:"no_https" default:"false" description:"Allow access over insecure HTTP. 
For development only"` + Debug bool `default:"false" description:"Enable debug logging"` + ListenType string `envconfig:"listen_type" default:"tcp" description:"Type of socket to listen on (Go 'net.Listen()' network)"` + ListenAddress string `envconfig:"listen_address" default:":8700" description:"Address to listen on (Go 'net.Listen()' address)"` + SecretsDir string `envconfig:"secrets_dir" default:"/var/lib/authentricity/webui/secrets" description:"Directory in which to store secrets"` + TokenCookie string `envconfig:"token_cookie" default:"authentricity_token" description:"Cookie in which to store authentication token"` + AdminGroupID uuid.UUID `envconfig:"admin_group_id" required:"true" description:"UUID of administrator group"` + CookieDomain string `envconfig:"cookie_domain" default:"" description:"Domain to use when setting token cookie - customize to do cross-domain cookie based SSO"` + NoHTTPS bool `envconfig:"no_https" default:"false" description:"Allow access over insecure HTTP. For development only"` + WebAuthnOrigin string `envconfig:"webauthn_origin" default:"" description:"WebAuthn Origin"` } func Main() { diff --git a/internal/webui/pg_entity.go b/internal/webui/pg_entity.go index 4e9fe66..d4d4969 100644 --- a/internal/webui/pg_entity.go +++ b/internal/webui/pg_entity.go @@ -103,6 +103,10 @@ func (s *Service) entityPost(w http.ResponseWriter, r *http.Request) { s.actionAddGroup(w, r, ent, md) case "remove_groups": s.actionRemoveGroups(w, r, ent, md) + case "add_authenticator": + s.actionAddAuthenticator(w, r, ent, md) + case "remove_credentials": + s.actionRemoveCredentials(w, r, ent, md) default: s.renderError(w) } 
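Review bot: `WebAuthnOrigin` is added with `default:""` and no `required` tag, yet later in this diff it is the only entry in `RPOrigins`; an unset value leaves the relying party with an empty origin, so either the library refuses to start or every assertion fails origin validation. Mark it `required:"true"` and say what shape is expected, e.g. description `"WebAuthn origin, e.g. https://login.example.com"`. The RP ID is taken from `CookieDomain`, which also defaults to empty and is documented as a cookie-scoping knob; a dedicated `WebAuthnRPID` setting would decouple the two, since changing the RP ID later invalidates every registered credential.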
@@ -145,11 +149,17 @@ func (s *Service) renderUser(w http.ResponseWriter, r *http.Request, user *model UserName string DisplayName string Email string - Groups []group - SSHKeys []string - Title string - Message string - CSRFField template.HTML + + Groups []group + + Credentials []models.PublicKeyCredential + WA WebAuthnRegistrationRequest + + SSHKeys []string + + Title string + Message string + CSRFField template.HTML }{ IsYou: user.UUID.String() == tok.Subject(), IsAdmin: s.isAdmin(r.Context()), @@ -164,10 +174,6 @@ func (s *Service) renderUser(w http.ResponseWriter, r *http.Request, user *model CSRFField: csrf.TemplateField(r), } - if user.Privileged != nil { - params.SSHKeys = user.Privileged.SSHAuthorizedKeys - } - groupIDs, _, err := s.store.GetUserGroups(r.Context(), user.UUID) if err != nil { zap.L().Error("Error getting user groups", zap.Error(err)) @@ -194,6 +200,18 @@ func (s *Service) renderUser(w http.ResponseWriter, r *http.Request, user *model }) } + params.WA, err = s.webAuthnRegister(user) + if err != nil { + zap.L().Error("Error generating WebAuthn registration information", zap.Error(err)) + s.renderError(w) + return + } + + if user.Privileged != nil { + params.SSHKeys = user.Privileged.SSHAuthorizedKeys + params.Credentials = user.Privileged.PublicKeyCredentials + } + err = s.templates.ExecuteTemplate(w, "ent_user.tmpl", params) if err != nil { zap.L().Error("Error rendering template", zap.Error(err)) diff --git a/internal/webui/pg_login.go b/internal/webui/pg_login.go index 3109710..e04095d 100644 --- a/internal/webui/pg_login.go +++ b/internal/webui/pg_login.go @@ -65,7 +65,7 @@ func (s *Service) loginPost(w http.ResponseWriter, r *http.Request) { username := r.PostForm.Get("username") password := r.PostForm.Get("password") - user, err := s.tryLogin(r.Context(), username, password) + user, err := s.tryPasswordLogin(r.Context(), username, password) if err != nil { var reason loginFailureReason if errors.As(err, &reason) { 
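Review bot: `s.webAuthnRegister(user)` now runs on every render of a user page regardless of who is viewing it, while `actionAddAuthenticator` only accepts a registration from the user themselves. Gate it on the same condition so the challenge and session are only minted where they can be used: `if params.IsYou { if params.WA, err = s.webAuthnRegister(user); err != nil { ... return } }`. Assuming the template serialises `WA` into the form's `data-req` (which authentricity.js reads), the current code also hands every viewer the target user's credential IDs via `excludeCredentials`; not secret, but not needed either. `renderUser` starts before this hunk.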
@@ -76,16 +76,20 @@ func (s *Service) loginPost(w http.ResponseWriter, r *http.Request) { return } + s.finishLoginAsUser(w, r, user) +} + +func (s *Service) finishLoginAsUser(w http.ResponseWriter, r *http.Request, user *models.UserRecord) { tok, err := s.buildTokenForUser(r.Context(), user) if err != nil { - L.Error("Error constructing token", zap.Error(err)) + zap.S().Error("Error constructing token: %v", err) s.renderError(w) return } serialized, err := s.serializeCookieToken(tok) if err != nil { - L.Error("Error constructing token", zap.Error(err)) + zap.S().Error("Error constructing token: %v", err) s.renderError(w) return } @@ -132,7 +136,7 @@ func (s *Service) getLoginNextURL(r *http.Request) (string, bool) { return nextURL.String(), true } -func (s *Service) tryLogin(ctx context.Context, username, password string) (*models.UserRecord, error) { +func (s *Service) tryPasswordLogin(ctx context.Context, username, password string) (*models.UserRecord, error) { L := zap.L().With(zap.String("username", username)) if username == "" { @@ -176,19 +180,27 @@ func (s *Service) tryLogin(ctx context.Context, username, password string) (*mod } func (s *Service) showLoginPage(w http.ResponseWriter, r *http.Request, message string) { + wa, err := s.webAuthnBeginDiscover() + if err != nil { + zap.L().Error("Error doing WebAuthn discovery", zap.Error(err)) + s.renderError(w) + } + params := struct { ShowError bool ErrorMessage string CSRFField template.HTML Next string + WA WebAuthnDiscoverRequest }{ ShowError: message != "", ErrorMessage: message, CSRFField: csrf.TemplateField(r), Next: r.Form.Get("next"), + WA: wa, } - err := s.templates.ExecuteTemplate(w, "login.tmpl", params) + err = s.templates.ExecuteTemplate(w, "login.tmpl", params) if err != nil { zap.L().Error("Error rendering template", zap.Error(err)) s.renderError(w) diff --git a/internal/webui/pg_login_webauthn.go b/internal/webui/pg_login_webauthn.go new file mode 100644 index 0000000..2928586 --- /dev/null 
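Review bot: `zap.S().Error("Error constructing token: %v", err)` calls the Sprint-style `Error` of the sugared logger with a printf verb, so the log line will literally contain `%v` with the error appended after it; `go vet` does not catch this because the method is not printf-named. Use `zap.S().Errorf("Error constructing token: %v", err)`, or keep the structured form the rest of the file uses, `zap.L().Error("Error constructing token", zap.Error(err))`. Both occurrences in `finishLoginAsUser` need the same change.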
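Review bot: `showLoginPage` does not return after `s.renderError(w)` when `webAuthnBeginDiscover` fails, so it goes on to execute `login.tmpl` into the same ResponseWriter with a zero-value `WA`; net/http will log a superfluous WriteHeader and the client receives the error page with the login page appended. Add `return` after `s.renderError(w)` in that branch. Since this runs on every login page view, including re-renders after a failed password, the discover ceremony now mints a challenge and session for each of them; if that session is stored server-side anywhere, consider whether failed-login loops can inflate it.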
+++ b/internal/webui/pg_login_webauthn.go @@ -0,0 +1,35 @@ +package webui + +import ( + "net/http" + + "go.uber.org/zap" +) + +func (s *Service) loginWebauthnDiscoveredPost(w http.ResponseWriter, r *http.Request) { + L := zap.L() + if err := r.ParseForm(); err != nil { + L.Error("Error parsing form data", zap.Error(err)) + s.renderError(w) + return + } + + dr := WebAuthnDiscoverResponse{ + Session: r.PostForm.Get("session"), + Response: r.PostForm.Get("response"), + } + + user, err := s.webauthnCompleteDiscover(r.Context(), dr) + switch { + case err != nil: + L.Error("Error doing discoverable login", zap.Error(err)) + s.renderError(w) + return + + case user == nil: + s.renderForbidden(w, r) + return + } + + s.finishLoginAsUser(w, r, user) +} diff --git a/internal/webui/service.go b/internal/webui/service.go index ec7899b..e221927 100644 --- a/internal/webui/service.go +++ b/internal/webui/service.go @@ -2,10 +2,12 @@ package webui import ( "crypto/rand" + "crypto/sha256" "embed" "encoding/json" "errors" "html/template" + "io" "io/fs" "net/http" "os" @@ -13,6 +15,7 @@ import ( "github.com/go-chi/chi/v5" "github.com/go-chi/chi/v5/middleware" + "github.com/go-webauthn/webauthn/webauthn" "github.com/google/uuid" "github.com/gorilla/csrf" "github.com/lestrrat-go/jwx/v2/jwa" @@ -20,6 +23,7 @@ import ( "github.com/lestrrat-go/jwx/v2/jwk" "go.e43.eu/authentricity/internal/store" "go.uber.org/zap" + "golang.org/x/crypto/hkdf" ) //go:embed content @@ -29,11 +33,14 @@ type Service struct { router *chi.Mux templates *template.Template store store.WritableStore + masterKey []byte + webAuthnKey []byte cookieKey jwk.Key tokenCookie string cookieDomain string cookieSecure bool adminGroup uuid.UUID + wa *webauthn.WebAuthn } func buildService(cfg Config, st store.WritableStore) *Service { 
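Review bot: The `user == nil` branch answers 403 without a log line, so a rejected discoverable assertion leaves no trace, whereas the password path in `tryPasswordLogin` logs with a per-username logger. Log it before rendering, with the client address as context, e.g. `L.Warn("Discoverable WebAuthn login rejected", zap.String("remote", r.RemoteAddr))`, so repeated failures are visible to whatever watches the logs. Relying on `(nil, nil)` from `webauthnCompleteDiscover` to mean "no matching user" is also easy to misuse; a sentinel error checked with `errors.Is` would make the contract explicit. `webauthnCompleteDiscover` itself is outside this hunk.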
@@ -58,8 +65,10 @@ func buildService(cfg Config, st store.WritableStore) *Service { adminGroup: cfg.AdminGroupID, } + s.setupMasterKey(cfg) csrf := s.setupCSRFMiddleware(cfg) s.setupCookieSecret(cfg) + s.setupWebAuthn(cfg) r.Use(logMiddleware(zap.L().Named("http"))) r.Use(middleware.Recoverer) @@ -70,6 +79,7 @@ func buildService(cfg Config, st store.WritableStore) *Service { r.Get("/", s.indexGet) r.Get("/login", s.loginGet) r.Post("/login", s.loginPost) + r.Post("/login/webauthn-discovered", s.loginWebauthnDiscoveredPost) r.Post("/logout", s.logoutPost) r.Get("/entity", s.entitySearch) r.Get("/entity/{id}", s.entityGet) @@ -127,15 +137,15 @@ func (s *Service) setupCookieSecret(cfg Config) { } } -func (s *Service) setupCSRFMiddleware(cfg Config) func(http.Handler) http.Handler { - keyPath := path.Join(cfg.SecretsDir, "csrf.key") +func (s *Service) setupMasterKey(cfg Config) { + keyPath := path.Join(cfg.SecretsDir, "web.key") data, err := os.ReadFile(keyPath) if err != nil { if !errors.Is(err, fs.ErrNotExist) { - zap.S().Fatalf("Error loading CSRF key: %v", err) + zap.S().Fatalf("Error loading web master key: %v", err) } - zap.S().Info("No CSRF key found, generating new key") + zap.S().Info("No web master key found, generating new key") var raw [32]byte _, err := rand.Read(raw[:]) 
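Review bot: The secret file moves from `csrf.key` to `web.key`, so an existing deployment's `csrf.key` is ignored and a new master key is generated silently at the next start; that only invalidates in-flight CSRF tokens, but nothing tells the operator the old file is now dead weight. Either read an existing `csrf.key` as the initial `web.key`, or log at Warn level when `csrf.key` is present alongside a freshly generated `web.key`. `setupMasterKey` continues past this hunk.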
@@ -150,7 +160,47 @@ func (s *Service) setupCSRFMiddleware(cfg Config) func(http.Handler) http.Handle data = raw[:] } - return csrf.Protect(data, + if len(data) != 32 { + zap.S().Fatalf("Web master key %s too short (must be at least 32B)", keyPath) + } + + s.masterKey = data +} + +func (s *Service) deriveKey(label string) io.Reader { + return hkdf.Expand(sha256.New, s.masterKey, []byte(label)) +} + +func (s *Service) setupWebAuthn(cfg Config) { + s.webAuthnKey = make([]byte, 16) + _, err := s.deriveKey("WebAuthn").Read(s.webAuthnKey) + if err != nil { + zap.S().Fatalf("Error deriving WebAuthn key: %v", err) + } + + wc := &webauthn.Config{ + RPID: cfg.CookieDomain, + // TODO: Make configurable + RPDisplayName: cfg.CookieDomain, + RPOrigins: []string{cfg.WebAuthnOrigin}, + Debug: true, + } + wa, err := webauthn.New(wc) + if err != nil { + zap.S().Fatalf("Error setting up webauthn: %v", err) + } + + s.wa = wa +} + +func (s *Service) setupCSRFMiddleware(cfg Config) func(http.Handler) http.Handler { + var key [32]byte + _, err := s.deriveKey("CSRF").Read(key[:]) + if err != nil { + zap.S().Fatalf("Error deriving CSRF key: %v", err) + } + + return csrf.Protect(key[:], csrf.Path("/"), csrf.Secure(!cfg.NoHTTPS)) } diff --git a/internal/webui/webauthn.go b/internal/webui/webauthn.go new file mode 100644 index 0000000..878837a --- /dev/null +++ b/internal/webui/webauthn.go 
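Review bot: In setupMasterKey the check `if len(data) != 32` rejects any key that is not exactly 32 bytes, but the message says "too short (must be at least 32B)", so an operator who supplies a 64-byte web.key gets a misleading fatal; either relax the condition to `len(data) < 32` or make the message match, e.g. `zap.S().Fatalf("Web master key %s must be exactly 32 bytes (got %d)", keyPath, len(data))`. deriveKey feeds the file contents straight into `hkdf.Expand` as the PRK, which is only sound when web.key is uniformly random; the generated key is, but an operator-supplied file may not be, and `hkdf.New(sha256.New, s.masterKey, nil, []byte(label))` adds the Extract step at negligible cost. `Debug: true` in the webauthn.Config is hard-coded on for every deployment; I'd tie it to a config field (or drop it) and say in a comment what it enables. The key reads would also state their contract more clearly as `io.ReadFull(s.deriveKey("CSRF"), key[:])`, since `Read` alone does not promise the full length.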
@@ -0,0 +1,236 @@
+package webui
+
+import (
+ "bytes"
+ "context"
+ "encoding/json"
+ "errors"
+ "fmt"
+
+ "github.com/go-webauthn/webauthn/protocol"
+ "github.com/go-webauthn/webauthn/webauthn"
+ "github.com/google/uuid"
+ "github.com/lestrrat-go/jwx/v2/jwa"
+ "github.com/lestrrat-go/jwx/v2/jwe"
+ "go.e43.eu/authentricity/internal/models"
+ "go.e43.eu/authentricity/internal/store"
+)
+
+type WebAuthnUser struct {
+ *models.UserRecord
+}
+
+func (u WebAuthnUser) WebAuthnID() []byte {
+ return u.UUID[:]
+}
+
+func (u WebAuthnUser) WebAuthnName() string {
+ switch {
+ case u.UserName != "":
+ return u.UserName
+ case u.EmailAddress != "":
+ return u.EmailAddress
+ default:
+ return u.UUID.String()
+ }
+}
+
+func (u WebAuthnUser) WebAuthnDisplayName() string {
+ switch {
+ case u.RealName != "":
+ return u.RealName
+ case u.UserName != "":
+ return u.UserName
+ case u.EmailAddress != "":
+ return u.EmailAddress
+ default:
+ return u.UUID.String()
+ }
+}
+
+func (u WebAuthnUser) WebAuthnCredentials() []webauthn.Credential {
+ if u.Privileged == nil {
+ return nil
+ }
+
+ creds := make([]webauthn.Credential, len(u.Privileged.PublicKeyCredentials))
+ for i, c := range u.Privileged.PublicKeyCredentials {
+ creds[i] = webauthn.Credential{
+ ID: c.Credential,
+ PublicKey: c.PublicKey,
+ Flags: webauthn.CredentialFlags{
+ UserPresent: c.UserPresent,
+ UserVerified: c.UserVerified,
+ },
+ }
+ }
+ return creds
+}
+
+func (u WebAuthnUser) WebAuthnCredentialDescriptors() []protocol.CredentialDescriptor {
+ if u.Privileged == nil {
+ return nil
+ }
+
+ creds := make([]protocol.CredentialDescriptor, len(u.Privileged.PublicKeyCredentials))
+ for i, c := range u.Privileged.PublicKeyCredentials {
+ creds[i] = protocol.CredentialDescriptor{
+ Type: protocol.PublicKeyCredentialType,
+ CredentialID: protocol.URLEncodedBase64(c.Credential),
+ }
+ }
+ return creds
+}
+
+func (u WebAuthnUser) WebAuthnIcon() string {
+ return ""
+}
+
+func (s *Service) webAuthnMarshalSession(sd
*webauthn.SessionData) (string, error) {
+ data, err := json.Marshal(sd)
+ if err != nil {
+ return "", err
+ }
+
+ data, err = jwe.Encrypt(data,
+ jwe.WithKey(jwa.DIRECT, s.webAuthnKey),
+ jwe.WithContentEncryption(jwa.A128GCM))
+
+ return string(data), err
+}
+
+func (s *Service) webAuthnUnmarshalSession(session string) (*webauthn.SessionData, error) {
+ body, err := jwe.Decrypt([]byte(session),
+ jwe.WithKey(jwa.DIRECT, s.webAuthnKey))
+
+ if err != nil {
+ return nil, fmt.Errorf("Decrypting WebAuthn session: %v", err)
+ }
+
+ sess := new(webauthn.SessionData)
+ err = json.Unmarshal(body, sess)
+ return sess, err
+}
+
+type WebAuthnRegistrationRequest struct {
+ Request string
+ Session string
+}
+
+type WebAuthnRegistrationResponse struct {
+ Response string
+ Session string
+}
+
+func (s *Service) webAuthnRegister(user *models.UserRecord) (WebAuthnRegistrationRequest, error) {
+ waUser := WebAuthnUser{user}
+ waReq, waSess, err := s.wa.BeginRegistration(waUser,
+ webauthn.WithExclusions(waUser.WebAuthnCredentialDescriptors()),
+ webauthn.WithResidentKeyRequirement(protocol.ResidentKeyRequirementRequired))
+ if err != nil {
+ return WebAuthnRegistrationRequest{}, err
+ }
+
+ req, err := json.Marshal(waReq)
+ if err != nil {
+ return WebAuthnRegistrationRequest{}, err
+ }
+
+ sess, err := s.webAuthnMarshalSession(waSess)
+ if err != nil {
+ return WebAuthnRegistrationRequest{}, err
+ }
+
+ return WebAuthnRegistrationRequest{
+ Request: string(req),
+ Session: sess,
+ }, nil
+}
+
+func (s *Service) webAuthnCreateCredential(user *models.UserRecord, regResp WebAuthnRegistrationResponse) (*webauthn.Credential, error) {
+ waUser := WebAuthnUser{user}
+
+ sess, err := s.webAuthnUnmarshalSession(regResp.Session)
+ if err != nil {
+ return nil, err
+ }
+
+ pcc, err := protocol.ParseCredentialCreationResponseBody(bytes.NewReader([]byte(regResp.Response)))
+ if err != nil {
+ return nil, err
+ }
+
+ cred, err := s.wa.CreateCredential(waUser, *sess, pcc)
+ if err != nil {
+ return nil, err
+ }
+
+ return cred, nil
+}
+
+type WebAuthnDiscoverRequest struct {
+ Request string
+ Session string
+}
+
+type WebAuthnDiscoverResponse struct {
+ Response string
+ Session string
+}
+
+func (s *Service) webAuthnBeginDiscover() (WebAuthnDiscoverRequest, error) {
+ waReq, waSess, err := s.wa.BeginDiscoverableLogin(webauthn.WithUserVerification(protocol.VerificationRequired))
+
+ req, err := json.Marshal(waReq)
+ if err != nil {
+ return WebAuthnDiscoverRequest{}, err
+ }
+
+ sess, err := s.webAuthnMarshalSession(waSess)
+ if err != nil {
+ return WebAuthnDiscoverRequest{}, err
+ }
+
+ return WebAuthnDiscoverRequest{
+ Request: string(req),
+ Session: sess,
+ }, nil
+}
+
+func (s *Service) webauthnCompleteDiscover(
+ ctx context.Context,
+ resp WebAuthnDiscoverResponse,
+) (*models.UserRecord, error) {
+ sess, err := s.webAuthnUnmarshalSession(resp.Session)
+ if err != nil {
+ return nil, err
+ }
+
+ pcr, err := protocol.ParseCredentialRequestResponseBody(bytes.NewReader([]byte(resp.Response)))
+ if err != nil {
+ return nil, err
+ }
+
+ if len(pcr.Response.UserHandle) != 16 {
+ return nil, errors.New("Invalid user handle")
+ }
+
+ userID, err := uuid.FromBytes(pcr.Response.UserHandle)
+ if err != nil {
+ return nil, err
+ }
+
+ user, _, err := store.GetUser(ctx, s.store, userID)
+ if err != nil {
+ return nil, err
+ }
+
+ _, err = s.wa.ValidateDiscoverableLogin(func(_, _ []byte) (webauthn.User, error) {
+ return WebAuthnUser{user}, nil
+ }, *sess, pcr)
+ if err != nil {
+ return nil, err
+ }
+
+ return user, nil
+}
diff --git a/module.nix b/module.nix
index e2759d7..d91c837 100644
--- a/module.nix
+++ b/module.nix
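Review bot: In webAuthnBeginDiscover the `err` returned by `s.wa.BeginDiscoverableLogin(...)` is never examined: the next statement `req, err := json.Marshal(waReq)` overwrites it, so a failed begin goes on to marshal a nil request and encrypt a nil session; add `if err != nil { return WebAuthnDiscoverRequest{}, err }` directly after that call. In webauthnCompleteDiscover the credential returned by `ValidateDiscoverableLogin` is discarded with `_`, and WebAuthnCredentials never fills `Authenticator.SignCount` from the stored record (the fields it reads are Credential, PublicKey, UserPresent and UserVerified), so if the library updates the signature counter and sets `Authenticator.CloneWarning` on the returned credential, as I believe go-webauthn does, that signal is neither persisted nor acted on; the counter should be stored per credential, written back after each successful login, and the login refused when CloneWarning is set. If store.GetUser can return a nil user with a nil error, `WebAuthnUser{user}` reaches WebAuthnCredentials and dereferences a nil `*models.UserRecord`; a `if user == nil { return nil, nil }` guard before ValidateDiscoverableLogin would route that case to the handler's existing `user == nil` branch instead of the recoverer. Minor: `fmt.Errorf("Decrypting WebAuthn session: %v", err)` should wrap with `%w`, and it and `errors.New("Invalid user handle")` should use lowercase messages.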
@@ -54,6 +54,14 @@ with lib; description = "Disable SecureOnly cookie flag"; default = false; }; + + webauthnOrigin = mkOption { + type = with types; str; + description = "Domain to use as WebAuthn RPID"; + default = config.services.authentricity.webui.cookieDomain; + defaultText = "config.services.authentricity.webui.cookieDomain"; + example = "example.com"; + }; }; }; }; @@ -116,9 +124,11 @@ with lib; description = "Authentricity Web UI"; environment = { - AUTHENTRICITY_WEBUI_ADMIN_GROUP_ID = cfg.webui.adminGroupID; - AUTHENTRICITY_WEBUI_COOKIE_DOMAIN = cfg.webui.cookieDomain; - AUTHENTRICITY_WEBUI_NO_HTTPS = mkIf cfg.webui.noHTTPS "true"; + AUTHENTRICITY_WEBUI_ADMIN_GROUP_ID = cfg.webui.adminGroupID; + AUTHENTRICITY_WEBUI_COOKIE_DOMAIN = cfg.webui.cookieDomain; + AUTHENTRICITY_WEBUI_WEBAUTHN_ORIGIN = cfg.webui.webauthnOrigin; + AUTHENTRICITY_WEBUI_NO_HTTPS = mkIf cfg.webui.noHTTPS "true"; + }; serviceConfig = { @@ -160,4 +170,4 @@ with lib; }; users.groups.authentricity-webui = mkIf cfg.webui.enable {}; }; -} \ No newline at end of file +}
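Review bot: The new `webauthnOrigin` option's description says "Domain to use as WebAuthn RPID", but service.go passes the value as `RPOrigins` while the RPID is taken from `cfg.CookieDomain` separately, so the description documents the wrong field. A WebAuthn origin has the form `scheme://host[:port]`, and the default of `config.services.authentricity.webui.cookieDomain` is a bare domain; unless the Go side normalizes it, the default will not match the origin the browser reports and every assertion will fail origin validation. I'd change the description to `"Origin (scheme://host[:port]) that WebAuthn responses must originate from"`, the default to `"https://${config.services.authentricity.webui.cookieDomain}"` with a matching defaultText, and the example to `"https://example.com"`. The environment hunk is consistent with the Go config field, and the trailing-newline hunk is cosmetic.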