feat: add WebAuthN support for passwordless login and 2fa (#966)

* at least registration prompt works * in memory test for login * buttons to start webauthn process * begin eventstore impl * begin eventstore impl * serialize into bytes * fix: u2f, passwordless types * fix for localhost * fix script * fix: u2f, passwordless types * fix: add u2f * fix: verify u2f * fix: session data in event store * fix: u2f credentials in eventstore * fix: webauthn pkg handles business models * feat: tests * feat: append events * fix: test * fix: check only ready webauthn creds * fix: move u2f methods to authrepo * frontend improvements * fix return * feat: add passwordless * feat: add passwordless * improve ui / error handling * separate call for login * fix login * js * feat: u2f login methods * feat: remove unused session id * feat: error handling * feat: error handling * feat: refactor user eventstore * feat: finish webauthn * feat: u2f and passwordlss in auth.proto * u2f step * passwordless step * cleanup js * EndpointPasswordLessLogin * migration * update mfaChecked test * next step test * token name * cleanup * attribute * passwordless as tokens * remove sms as otp type * add "user" to amr for webauthn * error handling * fixes * fix tests * naming * naming * fixes * session handler * i18n * error handling in login * Update internal/ui/login/static/i18n/de.yaml Co-authored-by: Fabi <38692350+fgerschwiler@users.noreply.github.com> * Update internal/ui/login/static/i18n/en.yaml Co-authored-by: Fabi <38692350+fgerschwiler@users.noreply.github.com> * improvements * merge fixes * fixes * fixes Co-authored-by: Fabiennne <fabienne.gerschwiler@gmail.com> Co-authored-by: Fabi <38692350+fgerschwiler@users.noreply.github.com>
2025-08-15 04:17:38 +00:00 · 2020-12-02 17:00:04 +01:00
parent 184e79be97
commit 300ade66a7
115 changed files with 3383 additions and 740 deletions
--- a/internal/ui/login/handler/login.go
+++ b/internal/ui/login/handler/login.go
@@ -2,7 +2,6 @@ package handler

 import (
 	"context"
-	"github.com/caos/zitadel/internal/config/systemdefaults"
 	"net"
 	"net/http"

@@ -16,6 +15,7 @@ import (
 	"github.com/caos/zitadel/internal/api/http/middleware"
 	auth_repository "github.com/caos/zitadel/internal/auth/repository"
 	"github.com/caos/zitadel/internal/auth/repository/eventsourcing"
+	"github.com/caos/zitadel/internal/config/systemdefaults"
 	"github.com/caos/zitadel/internal/crypto"
 	"github.com/caos/zitadel/internal/form"
 	"github.com/caos/zitadel/internal/id"
--- a/internal/ui/login/handler/mfa_init_done_handler.go
+++ b/internal/ui/login/handler/mfa_init_done_handler.go
@@ -7,15 +7,15 @@ import (
 )

 const (
-	tmplMfaInitDone = "mfainitdone"
+	tmplMFAInitDone = "mfainitdone"
 )

 type mfaInitDoneData struct {
 }

-func (l *Login) renderMfaInitDone(w http.ResponseWriter, r *http.Request, authReq *model.AuthRequest, data *mfaDoneData) {
+func (l *Login) renderMFAInitDone(w http.ResponseWriter, r *http.Request, authReq *model.AuthRequest, data *mfaDoneData) {
 	var errType, errMessage string
-	data.baseData = l.getBaseData(r, authReq, "Mfa Init Done", errType, errMessage)
+	data.baseData = l.getBaseData(r, authReq, "MFA Init Done", errType, errMessage)
 	data.profileData = l.getProfileData(authReq)
-	l.renderer.RenderTemplate(w, r, l.renderer.Templates[tmplMfaInitDone], data, nil)
+	l.renderer.RenderTemplate(w, r, l.renderer.Templates[tmplMFAInitDone], data, nil)
 }
--- a/internal/ui/login/handler/mfa_init_u2f.go
+++ b/internal/ui/login/handler/mfa_init_u2f.go
@@ -0,0 +1,59 @@
+package handler
+
+import (
+	"encoding/base64"
+	"net/http"
+
+	"github.com/caos/zitadel/internal/auth_request/model"
+	user_model "github.com/caos/zitadel/internal/user/model"
+)
+
+const (
+	tmplMFAU2FInit = "mfainitu2f"
+)
+
+func (l *Login) renderRegisterU2F(w http.ResponseWriter, r *http.Request, authReq *model.AuthRequest, err error) {
+	var errType, errMessage, credentialData string
+	var u2f *user_model.WebAuthNToken
+	if err == nil {
+		u2f, err = l.authRepo.AddMFAU2F(setContext(r.Context(), authReq.UserOrgID), authReq.UserID)
+	}
+	if err != nil {
+		errMessage = l.getErrorMessage(r, err)
+	}
+	if u2f != nil {
+		credentialData = base64.RawURLEncoding.EncodeToString(u2f.CredentialCreationData)
+	}
+	data := &webAuthNData{
+		userData:               l.getUserData(r, authReq, "Register WebAuthNToken", errType, errMessage),
+		CredentialCreationData: credentialData,
+	}
+	l.renderer.RenderTemplate(w, r, l.renderer.Templates[tmplMFAU2FInit], data, nil)
+}
+
+func (l *Login) handleRegisterU2F(w http.ResponseWriter, r *http.Request) {
+	data := new(webAuthNFormData)
+	authReq, err := l.getAuthRequestAndParseData(r, data)
+	if err != nil {
+		l.renderError(w, r, authReq, err)
+		return
+	}
+	if data.Recreate {
+		l.renderRegisterU2F(w, r, authReq, nil)
+		return
+	}
+	credData, err := base64.URLEncoding.DecodeString(data.CredentialData)
+	if err != nil {
+		l.renderRegisterU2F(w, r, authReq, err)
+		return
+	}
+
+	if err = l.authRepo.VerifyMFAU2FSetup(setContext(r.Context(), authReq.UserOrgID), authReq.UserID, data.Name, credData); err != nil {
+		l.renderRegisterU2F(w, r, authReq, err)
+		return
+	}
+	done := &mfaDoneData{
+		MFAType: model.MFATypeU2F,
+	}
+	l.renderMFAInitDone(w, r, authReq, done)
+}
--- a/internal/ui/login/handler/mfa_init_verify_handler.go
+++ b/internal/ui/login/handler/mfa_init_verify_handler.go
@@ -12,17 +12,17 @@ import (
 )

 const (
-	tmplMfaInitVerify = "mfainitverify"
+	tmplMFAInitVerify = "mfainitverify"
 )

 type mfaInitVerifyData struct {
-	MfaType model.MFAType `schema:"mfaType"`
+	MFAType model.MFAType `schema:"mfaType"`
 	Code    string        `schema:"code"`
 	URL     string        `schema:"url"`
 	Secret  string        `schema:"secret"`
 }

-func (l *Login) handleMfaInitVerify(w http.ResponseWriter, r *http.Request) {
+func (l *Login) handleMFAInitVerify(w http.ResponseWriter, r *http.Request) {
 	data := new(mfaInitVerifyData)
 	authReq, err := l.getAuthRequestAndParseData(r, data)
 	if err != nil {
@@ -30,29 +30,29 @@ func (l *Login) handleMfaInitVerify(w http.ResponseWriter, r *http.Request) {
 		return
 	}
 	var verifyData *mfaVerifyData
-	switch data.MfaType {
+	switch data.MFAType {
 	case model.MFATypeOTP:
-		verifyData = l.handleOtpVerify(w, r, authReq, data)
+		verifyData = l.handleOTPVerify(w, r, authReq, data)
 	}

 	if verifyData != nil {
-		l.renderMfaInitVerify(w, r, authReq, verifyData, err)
+		l.renderMFAInitVerify(w, r, authReq, verifyData, err)
 		return
 	}

 	done := &mfaDoneData{
-		MfaType: data.MfaType,
+		MFAType: data.MFAType,
 	}
-	l.renderMfaInitDone(w, r, authReq, done)
+	l.renderMFAInitDone(w, r, authReq, done)
 }

-func (l *Login) handleOtpVerify(w http.ResponseWriter, r *http.Request, authReq *model.AuthRequest, data *mfaInitVerifyData) *mfaVerifyData {
-	err := l.authRepo.VerifyMfaOTPSetup(setContext(r.Context(), authReq.UserOrgID), authReq.UserID, data.Code)
+func (l *Login) handleOTPVerify(w http.ResponseWriter, r *http.Request, authReq *model.AuthRequest, data *mfaInitVerifyData) *mfaVerifyData {
+	err := l.authRepo.VerifyMFAOTPSetup(setContext(r.Context(), authReq.UserOrgID), authReq.UserID, data.Code)
 	if err == nil {
 		return nil
 	}
 	mfadata := &mfaVerifyData{
-		MfaType: data.MfaType,
+		MFAType: data.MFAType,
 		otpData: otpData{
 			Secret: data.Secret,
 			Url:    data.URL,
@@ -62,21 +62,21 @@ func (l *Login) handleOtpVerify(w http.ResponseWriter, r *http.Request, authReq
 	return mfadata
 }

-func (l *Login) renderMfaInitVerify(w http.ResponseWriter, r *http.Request, authReq *model.AuthRequest, data *mfaVerifyData, err error) {
+func (l *Login) renderMFAInitVerify(w http.ResponseWriter, r *http.Request, authReq *model.AuthRequest, data *mfaVerifyData, err error) {
 	var errType, errMessage string
 	if err != nil {
 		errMessage = l.getErrorMessage(r, err)
 	}
-	data.baseData = l.getBaseData(r, authReq, "Mfa Init Verify", errType, errMessage)
+	data.baseData = l.getBaseData(r, authReq, "MFA Init Verify", errType, errMessage)
 	data.profileData = l.getProfileData(authReq)
-	if data.MfaType == model.MFATypeOTP {
+	if data.MFAType == model.MFATypeOTP {
 		code, err := generateQrCode(data.otpData.Url)
 		if err == nil {
 			data.otpData.QrCode = code
 		}
 	}

-	l.renderer.RenderTemplate(w, r, l.renderer.Templates[tmplMfaInitVerify], data, nil)
+	l.renderer.RenderTemplate(w, r, l.renderer.Templates[tmplMFAInitVerify], data, nil)
 }

 func generateQrCode(url string) (string, error) {
--- a/internal/ui/login/handler/mfa_prompt_handler.go
+++ b/internal/ui/login/handler/mfa_prompt_handler.go
@@ -8,15 +8,15 @@ import (
 )

 const (
-	tmplMfaPrompt = "mfaprompt"
+	tmplMFAPrompt = "mfaprompt"
 )

 type mfaPromptData struct {
-	MfaProvider model.MFAType `schema:"provider"`
+	MFAProvider model.MFAType `schema:"provider"`
 	Skip        bool          `schema:"skip"`
 }

-func (l *Login) handleMfaPrompt(w http.ResponseWriter, r *http.Request) {
+func (l *Login) handleMFAPrompt(w http.ResponseWriter, r *http.Request) {
 	data := new(mfaPromptData)
 	authReq, err := l.getAuthRequestAndParseData(r, data)
 	if err != nil {
@@ -25,11 +25,11 @@ func (l *Login) handleMfaPrompt(w http.ResponseWriter, r *http.Request) {
 	}
 	if !data.Skip {
 		mfaVerifyData := new(mfaVerifyData)
-		mfaVerifyData.MfaType = data.MfaProvider
-		l.handleMfaCreation(w, r, authReq, mfaVerifyData)
+		mfaVerifyData.MFAType = data.MFAProvider
+		l.handleMFACreation(w, r, authReq, mfaVerifyData)
 		return
 	}
-	err = l.authRepo.SkipMfaInit(setContext(r.Context(), authReq.UserOrgID), authReq.UserID)
+	err = l.authRepo.SkipMFAInit(setContext(r.Context(), authReq.UserOrgID), authReq.UserID)
 	if err != nil {
 		l.renderError(w, r, authReq, err)
 		return
@@ -37,7 +37,7 @@ func (l *Login) handleMfaPrompt(w http.ResponseWriter, r *http.Request) {
 	l.handleLogin(w, r)
 }

-func (l *Login) handleMfaPromptSelection(w http.ResponseWriter, r *http.Request) {
+func (l *Login) handleMFAPromptSelection(w http.ResponseWriter, r *http.Request) {
 	data := new(mfaPromptData)
 	authReq, err := l.getAuthRequestAndParseData(r, data)
 	if err != nil {
@@ -48,45 +48,48 @@ func (l *Login) handleMfaPromptSelection(w http.ResponseWriter, r *http.Request)
 	l.renderNextStep(w, r, authReq)
 }

-func (l *Login) renderMfaPrompt(w http.ResponseWriter, r *http.Request, authReq *model.AuthRequest, mfaPromptData *model.MfaPromptStep, err error) {
+func (l *Login) renderMFAPrompt(w http.ResponseWriter, r *http.Request, authReq *model.AuthRequest, mfaPromptData *model.MFAPromptStep, err error) {
 	var errType, errMessage string
 	if err != nil {
 		errMessage = l.getErrorMessage(r, err)
 	}
 	data := mfaData{
-		baseData:    l.getBaseData(r, authReq, "Mfa Prompt", errType, errMessage),
+		baseData:    l.getBaseData(r, authReq, "MFA Prompt", errType, errMessage),
 		profileData: l.getProfileData(authReq),
 	}

 	if mfaPromptData == nil {
-		l.renderError(w, r, authReq, caos_errs.ThrowPreconditionFailed(nil, "APP-XU0tj", "Errors.User.Mfa.NoProviders"))
+		l.renderError(w, r, authReq, caos_errs.ThrowPreconditionFailed(nil, "APP-XU0tj", "Errors.User.MFA.NoProviders"))
 		return
 	}

-	data.MfaProviders = mfaPromptData.MfaProviders
-	data.MfaRequired = mfaPromptData.Required
+	data.MFAProviders = mfaPromptData.MFAProviders
+	data.MFARequired = mfaPromptData.Required

-	if len(mfaPromptData.MfaProviders) == 1 && mfaPromptData.Required {
+	if len(mfaPromptData.MFAProviders) == 1 && mfaPromptData.Required {
 		data := &mfaVerifyData{
-			MfaType: mfaPromptData.MfaProviders[0],
+			MFAType: mfaPromptData.MFAProviders[0],
 		}
-		l.handleMfaCreation(w, r, authReq, data)
+		l.handleMFACreation(w, r, authReq, data)
 		return
 	}
-	l.renderer.RenderTemplate(w, r, l.renderer.Templates[tmplMfaPrompt], data, nil)
+	l.renderer.RenderTemplate(w, r, l.renderer.Templates[tmplMFAPrompt], data, nil)
 }

-func (l *Login) handleMfaCreation(w http.ResponseWriter, r *http.Request, authReq *model.AuthRequest, data *mfaVerifyData) {
-	switch data.MfaType {
+func (l *Login) handleMFACreation(w http.ResponseWriter, r *http.Request, authReq *model.AuthRequest, data *mfaVerifyData) {
+	switch data.MFAType {
 	case model.MFATypeOTP:
-		l.handleOtpCreation(w, r, authReq, data)
+		l.handleOTPCreation(w, r, authReq, data)
+		return
+	case model.MFATypeU2F:
+		l.renderRegisterU2F(w, r, authReq, nil)
 		return
 	}
-	l.renderError(w, r, authReq, caos_errs.ThrowPreconditionFailed(nil, "APP-Or3HO", "Errors.User.Mfa.NoProviders"))
+	l.renderError(w, r, authReq, caos_errs.ThrowPreconditionFailed(nil, "APP-Or3HO", "Errors.User.MFA.NoProviders"))
 }

-func (l *Login) handleOtpCreation(w http.ResponseWriter, r *http.Request, authReq *model.AuthRequest, data *mfaVerifyData) {
-	otp, err := l.authRepo.AddMfaOTP(setContext(r.Context(), authReq.UserOrgID), authReq.UserID)
+func (l *Login) handleOTPCreation(w http.ResponseWriter, r *http.Request, authReq *model.AuthRequest, data *mfaVerifyData) {
+	otp, err := l.authRepo.AddMFAOTP(setContext(r.Context(), authReq.UserOrgID), authReq.UserID)
 	if err != nil {
 		l.renderError(w, r, authReq, err)
 		return
@@ -96,5 +99,5 @@ func (l *Login) handleOtpCreation(w http.ResponseWriter, r *http.Request, authRe
 		Secret: otp.SecretString,
 		Url:    otp.Url,
 	}
-	l.renderMfaInitVerify(w, r, authReq, data, nil)
+	l.renderMFAInitVerify(w, r, authReq, data, nil)
 }
--- a/internal/ui/login/handler/mfa_verify_handler.go
+++ b/internal/ui/login/handler/mfa_verify_handler.go
@@ -8,24 +8,24 @@ import (
 )

 const (
-	tmplMfaVerify = "mfaverify"
+	tmplMFAVerify = "mfaverify"
 )

 type mfaVerifyFormData struct {
-	MfaType model.MFAType `schema:"mfaType"`
+	MFAType model.MFAType `schema:"mfaType"`
 	Code    string        `schema:"code"`
 }

-func (l *Login) handleMfaVerify(w http.ResponseWriter, r *http.Request) {
+func (l *Login) handleMFAVerify(w http.ResponseWriter, r *http.Request) {
 	data := new(mfaVerifyFormData)
 	authReq, err := l.getAuthRequestAndParseData(r, data)
 	if err != nil {
 		l.renderError(w, r, authReq, err)
 		return
 	}
-	if data.MfaType == model.MFATypeOTP {
+	if data.MFAType == model.MFATypeOTP {
 		userAgentID, _ := http_mw.UserAgentIDFromCtx(r.Context())
-		err = l.authRepo.VerifyMfaOTP(setContext(r.Context(), authReq.UserOrgID), authReq.ID, authReq.UserID, data.Code, userAgentID, model.BrowserInfoFromRequest(r))
+		err = l.authRepo.VerifyMFAOTP(setContext(r.Context(), authReq.UserOrgID), authReq.ID, authReq.UserID, data.Code, userAgentID, model.BrowserInfoFromRequest(r))
 	}
 	if err != nil {
 		l.renderError(w, r, authReq, err)
@@ -34,15 +34,23 @@ func (l *Login) handleMfaVerify(w http.ResponseWriter, r *http.Request) {
 	l.renderNextStep(w, r, authReq)
 }

-func (l *Login) renderMfaVerify(w http.ResponseWriter, r *http.Request, authReq *model.AuthRequest, verificationStep *model.MfaVerificationStep, err error) {
+func (l *Login) renderMFAVerify(w http.ResponseWriter, r *http.Request, authReq *model.AuthRequest, verificationStep *model.MFAVerificationStep, err error) {
 	var errType, errMessage string
 	if err != nil {
 		errMessage = l.getErrorMessage(r, err)
 	}
-	data := l.getUserData(r, authReq, "Mfa Verify", errType, errMessage)
-	if verificationStep != nil {
-		data.MfaProviders = verificationStep.MfaProviders
-		data.SelectedMfaProvider = verificationStep.MfaProviders[0]
+	data := l.getUserData(r, authReq, "MFA Verify", errType, errMessage)
+	if verificationStep == nil {
+		l.renderError(w, r, authReq, err)
+		return
 	}
-	l.renderer.RenderTemplate(w, r, l.renderer.Templates[tmplMfaVerify], data, nil)
+	switch verificationStep.MFAProviders[len(verificationStep.MFAProviders)-1] {
+	case model.MFATypeU2F:
+		l.renderU2FVerification(w, r, authReq, nil)
+		return
+	case model.MFATypeOTP:
+		data.MFAProviders = verificationStep.MFAProviders
+		data.SelectedMFAProvider = model.MFATypeOTP
+	}
+	l.renderer.RenderTemplate(w, r, l.renderer.Templates[tmplMFAVerify], data, nil)
 }
--- a/internal/ui/login/handler/mfa_verify_u2f_handler.go
+++ b/internal/ui/login/handler/mfa_verify_u2f_handler.go
@@ -0,0 +1,59 @@
+package handler
+
+import (
+	"encoding/base64"
+	"net/http"
+
+	http_mw "github.com/caos/zitadel/internal/api/http/middleware"
+	"github.com/caos/zitadel/internal/auth_request/model"
+	user_model "github.com/caos/zitadel/internal/user/model"
+)
+
+const (
+	tmplU2FVerification = "u2fverification"
+)
+
+func (l *Login) renderU2FVerification(w http.ResponseWriter, r *http.Request, authReq *model.AuthRequest, err error) {
+	var errType, errMessage, credentialData string
+	var webAuthNLogin *user_model.WebAuthNLogin
+	if err == nil {
+		userAgentID, _ := http_mw.UserAgentIDFromCtx(r.Context())
+		webAuthNLogin, err = l.authRepo.BeginMFAU2FLogin(setContext(r.Context(), authReq.UserOrgID), authReq.UserID, authReq.ID, userAgentID)
+	}
+	if err != nil {
+		errMessage = l.getErrorMessage(r, err)
+	}
+	if webAuthNLogin != nil {
+		credentialData = base64.RawURLEncoding.EncodeToString(webAuthNLogin.CredentialAssertionData)
+	}
+	data := &webAuthNData{
+		userData:               l.getUserData(r, authReq, "Login WebAuthNToken", errType, errMessage),
+		CredentialCreationData: credentialData,
+	}
+	l.renderer.RenderTemplate(w, r, l.renderer.Templates[tmplU2FVerification], data, nil)
+}
+
+func (l *Login) handleU2FVerification(w http.ResponseWriter, r *http.Request) {
+	formData := new(webAuthNFormData)
+	authReq, err := l.getAuthRequestAndParseData(r, formData)
+	if err != nil {
+		l.renderError(w, r, authReq, err)
+		return
+	}
+	if formData.Recreate {
+		l.renderU2FVerification(w, r, authReq, nil)
+		return
+	}
+	credData, err := base64.URLEncoding.DecodeString(formData.CredentialData)
+	if err != nil {
+		l.renderU2FVerification(w, r, authReq, err)
+		return
+	}
+	userAgentID, _ := http_mw.UserAgentIDFromCtx(r.Context())
+	err = l.authRepo.VerifyMFAU2F(setContext(r.Context(), authReq.UserOrgID), authReq.UserID, authReq.ID, userAgentID, credData, model.BrowserInfoFromRequest(r))
+	if err != nil {
+		l.renderU2FVerification(w, r, authReq, err)
+		return
+	}
+	l.renderNextStep(w, r, authReq)
+}
--- a/internal/ui/login/handler/passwordless_login_handler.go
+++ b/internal/ui/login/handler/passwordless_login_handler.go
@@ -0,0 +1,59 @@
+package handler
+
+import (
+	"encoding/base64"
+	"net/http"
+
+	http_mw "github.com/caos/zitadel/internal/api/http/middleware"
+	"github.com/caos/zitadel/internal/auth_request/model"
+	user_model "github.com/caos/zitadel/internal/user/model"
+)
+
+const (
+	tmplPasswordlessVerification = "passwordlessverification"
+)
+
+func (l *Login) renderPasswordlessVerification(w http.ResponseWriter, r *http.Request, authReq *model.AuthRequest, err error) {
+	var errType, errMessage, credentialData string
+	var webAuthNLogin *user_model.WebAuthNLogin
+	if err == nil {
+		userAgentID, _ := http_mw.UserAgentIDFromCtx(r.Context())
+		webAuthNLogin, err = l.authRepo.BeginPasswordlessLogin(setContext(r.Context(), authReq.UserOrgID), authReq.UserID, authReq.ID, userAgentID)
+	}
+	if err != nil {
+		errMessage = l.getErrorMessage(r, err)
+	}
+	if webAuthNLogin != nil {
+		credentialData = base64.RawURLEncoding.EncodeToString(webAuthNLogin.CredentialAssertionData)
+	}
+	data := &webAuthNData{
+		userData:               l.getUserData(r, authReq, "Login Passwordless", errType, errMessage),
+		CredentialCreationData: credentialData,
+	}
+	l.renderer.RenderTemplate(w, r, l.renderer.Templates[tmplPasswordlessVerification], data, nil)
+}
+
+func (l *Login) handlePasswordlessVerification(w http.ResponseWriter, r *http.Request) {
+	formData := new(webAuthNFormData)
+	authReq, err := l.getAuthRequestAndParseData(r, formData)
+	if err != nil {
+		l.renderError(w, r, authReq, err)
+		return
+	}
+	if formData.Recreate {
+		l.renderPasswordlessVerification(w, r, authReq, nil)
+		return
+	}
+	credData, err := base64.URLEncoding.DecodeString(formData.CredentialData)
+	if err != nil {
+		l.renderPasswordlessVerification(w, r, authReq, err)
+		return
+	}
+	userAgentID, _ := http_mw.UserAgentIDFromCtx(r.Context())
+	err = l.authRepo.VerifyPasswordless(setContext(r.Context(), authReq.UserOrgID), authReq.UserID, authReq.ID, userAgentID, credData, model.BrowserInfoFromRequest(r))
+	if err != nil {
+		l.renderPasswordlessVerification(w, r, authReq, err)
+		return
+	}
+	l.renderNextStep(w, r, authReq)
+}
--- a/internal/ui/login/handler/renderer.go
+++ b/internal/ui/login/handler/renderer.go
@@ -3,18 +3,19 @@ package handler
 import (
 	"errors"
 	"fmt"
-	"github.com/caos/logging"
-	iam_model "github.com/caos/zitadel/internal/iam/model"
-	"github.com/gorilla/csrf"
-	"golang.org/x/text/language"
 	"html/template"
 	"net/http"
 	"path"

+	"github.com/caos/logging"
+	"github.com/gorilla/csrf"
+	"golang.org/x/text/language"
+
 	http_mw "github.com/caos/zitadel/internal/api/http/middleware"
 	"github.com/caos/zitadel/internal/auth_request/model"
 	caos_errs "github.com/caos/zitadel/internal/errors"
 	"github.com/caos/zitadel/internal/i18n"
+	iam_model "github.com/caos/zitadel/internal/iam/model"
 	"github.com/caos/zitadel/internal/renderer"
 )

@@ -32,31 +33,34 @@ func CreateRenderer(pathPrefix string, staticDir http.FileSystem, cookieName str
 		pathPrefix: pathPrefix,
 	}
 	tmplMapping := map[string]string{
-		tmplError:                  "error.html",
-		tmplLogin:                  "login.html",
-		tmplUserSelection:          "select_user.html",
-		tmplPassword:               "password.html",
-		tmplMfaVerify:              "mfa_verify.html",
-		tmplMfaPrompt:              "mfa_prompt.html",
-		tmplMfaInitVerify:          "mfa_init_verify.html",
-		tmplMfaInitDone:            "mfa_init_done.html",
-		tmplMailVerification:       "mail_verification.html",
-		tmplMailVerified:           "mail_verified.html",
-		tmplInitPassword:           "init_password.html",
-		tmplInitPasswordDone:       "init_password_done.html",
-		tmplInitUser:               "init_user.html",
-		tmplInitUserDone:           "init_user_done.html",
-		tmplPasswordResetDone:      "password_reset_done.html",
-		tmplChangePassword:         "change_password.html",
-		tmplChangePasswordDone:     "change_password_done.html",
-		tmplRegisterOption:         "register_option.html",
-		tmplRegister:               "register.html",
-		tmplLogoutDone:             "logout_done.html",
-		tmplRegisterOrg:            "register_org.html",
-		tmplChangeUsername:         "change_username.html",
-		tmplChangeUsernameDone:     "change_username_done.html",
-		tmplLinkUsersDone:          "link_users_done.html",
-		tmplExternalNotFoundOption: "external_not_found_option.html",
+		tmplError:                    "error.html",
+		tmplLogin:                    "login.html",
+		tmplUserSelection:            "select_user.html",
+		tmplPassword:                 "password.html",
+		tmplPasswordlessVerification: "passwordless.html",
+		tmplMFAVerify:                "mfa_verify.html",
+		tmplMFAPrompt:                "mfa_prompt.html",
+		tmplMFAInitVerify:            "mfa_init_verify.html",
+		tmplMFAU2FInit:               "mfa_init_u2f.html",
+		tmplU2FVerification:          "mfa_verification_u2f.html",
+		tmplMFAInitDone:              "mfa_init_done.html",
+		tmplMailVerification:         "mail_verification.html",
+		tmplMailVerified:             "mail_verified.html",
+		tmplInitPassword:             "init_password.html",
+		tmplInitPasswordDone:         "init_password_done.html",
+		tmplInitUser:                 "init_user.html",
+		tmplInitUserDone:             "init_user_done.html",
+		tmplPasswordResetDone:        "password_reset_done.html",
+		tmplChangePassword:           "change_password.html",
+		tmplChangePasswordDone:       "change_password_done.html",
+		tmplRegisterOption:           "register_option.html",
+		tmplRegister:                 "register.html",
+		tmplLogoutDone:               "logout_done.html",
+		tmplRegisterOrg:              "register_org.html",
+		tmplChangeUsername:           "change_username.html",
+		tmplChangeUsernameDone:       "change_username_done.html",
+		tmplLinkUsersDone:            "link_users_done.html",
+		tmplExternalNotFoundOption:   "external_not_found_option.html",
 	}
 	funcs := map[string]interface{}{
 		"resourceUrl": func(file string) string {
@@ -86,6 +90,9 @@ func CreateRenderer(pathPrefix string, staticDir http.FileSystem, cookieName str
 		"userSelectionUrl": func() string {
 			return path.Join(r.pathPrefix, EndpointUserSelection)
 		},
+		"passwordLessVerificationUrl": func() string {
+			return path.Join(r.pathPrefix, EndpointPasswordlessLogin)
+		},
 		"passwordResetUrl": func(id string) string {
 			return path.Join(r.pathPrefix, fmt.Sprintf("%s?%s=%s", EndpointPasswordReset, queryAuthRequestID, id))
 		},
@@ -93,16 +100,22 @@ func CreateRenderer(pathPrefix string, staticDir http.FileSystem, cookieName str
 			return path.Join(r.pathPrefix, EndpointPassword)
 		},
 		"mfaVerifyUrl": func() string {
-			return path.Join(r.pathPrefix, EndpointMfaVerify)
+			return path.Join(r.pathPrefix, EndpointMFAVerify)
 		},
 		"mfaPromptUrl": func() string {
-			return path.Join(r.pathPrefix, EndpointMfaPrompt)
+			return path.Join(r.pathPrefix, EndpointMFAPrompt)
 		},
 		"mfaPromptChangeUrl": func(id string, provider model.MFAType) string {
-			return path.Join(r.pathPrefix, fmt.Sprintf("%s?%s=%s;%s=%v", EndpointMfaPrompt, queryAuthRequestID, id, "provider", provider))
+			return path.Join(r.pathPrefix, fmt.Sprintf("%s?%s=%s;%s=%v", EndpointMFAPrompt, queryAuthRequestID, id, "provider", provider))
 		},
 		"mfaInitVerifyUrl": func() string {
-			return path.Join(r.pathPrefix, EndpointMfaInitVerify)
+			return path.Join(r.pathPrefix, EndpointMFAInitVerify)
+		},
+		"mfaInitU2FVerifyUrl": func() string {
+			return path.Join(r.pathPrefix, EndpointMFAInitU2FVerify)
+		},
+		"mfaInitU2FLoginUrl": func() string {
+			return path.Join(r.pathPrefix, EndpointU2FVerification)
 		},
 		"mailVerificationUrl": func() string {
 			return path.Join(r.pathPrefix, EndpointMailVerification)
@@ -190,8 +203,10 @@ func (l *Login) chooseNextStep(w http.ResponseWriter, r *http.Request, authReq *
 		l.renderInitPassword(w, r, authReq, authReq.UserID, "", err)
 	case *model.PasswordStep:
 		l.renderPassword(w, r, authReq, nil)
-	case *model.MfaVerificationStep:
-		l.renderMfaVerify(w, r, authReq, step, err)
+	case *model.PasswordlessStep:
+		l.renderPasswordlessVerification(w, r, authReq, nil)
+	case *model.MFAVerificationStep:
+		l.renderMFAVerify(w, r, authReq, step, err)
 	case *model.RedirectToCallbackStep:
 		if len(authReq.PossibleSteps) > 1 {
 			l.chooseNextStep(w, r, authReq, 1, err)
@@ -202,8 +217,8 @@ func (l *Login) chooseNextStep(w http.ResponseWriter, r *http.Request, authReq *
 		l.renderChangePassword(w, r, authReq, err)
 	case *model.VerifyEMailStep:
 		l.renderMailVerification(w, r, authReq, "", err)
-	case *model.MfaPromptStep:
-		l.renderMfaPrompt(w, r, authReq, step, err)
+	case *model.MFAPromptStep:
+		l.renderMFAPrompt(w, r, authReq, step, err)
 	case *model.InitUserStep:
 		l.renderInitUser(w, r, authReq, "", "", step.PasswordSet, nil)
 	case *model.ChangeUsernameStep:
@@ -356,8 +371,8 @@ type userData struct {
 	baseData
 	profileData
 	PasswordChecked     string
-	MfaProviders        []model.MFAType
-	SelectedMfaProvider model.MFAType
+	MFAProviders        []model.MFAType
+	SelectedMFAProvider model.MFAType
 	Linking             bool
 }

@@ -386,21 +401,21 @@ type userSelectionData struct {
 type mfaData struct {
 	baseData
 	profileData
-	MfaProviders []model.MFAType
-	MfaRequired  bool
+	MFAProviders []model.MFAType
+	MFARequired  bool
 }

 type mfaVerifyData struct {
 	baseData
 	profileData
-	MfaType model.MFAType
+	MFAType model.MFAType
 	otpData
 }

 type mfaDoneData struct {
 	baseData
 	profileData
-	MfaType model.MFAType
+	MFAType model.MFAType
 }

 type otpData struct {
--- a/internal/ui/login/handler/router.go
+++ b/internal/ui/login/handler/router.go
@@ -13,6 +13,7 @@ const (
 	EndpointLogin                    = "/login"
 	EndpointExternalLogin            = "/login/externalidp"
 	EndpointExternalLoginCallback    = "/login/externalidp/callback"
+	EndpointPasswordlessLogin        = "/login/passwordless"
 	EndpointLoginName                = "/loginname"
 	EndpointUserSelection            = "/userselection"
 	EndpointChangeUsername           = "/username/change"
@@ -21,9 +22,11 @@ const (
 	EndpointChangePassword           = "/password/change"
 	EndpointPasswordReset            = "/password/reset"
 	EndpointInitUser                 = "/user/init"
-	EndpointMfaVerify                = "/mfa/verify"
-	EndpointMfaPrompt                = "/mfa/prompt"
-	EndpointMfaInitVerify            = "/mfa/init/verify"
+	EndpointMFAVerify                = "/mfa/verify"
+	EndpointMFAPrompt                = "/mfa/prompt"
+	EndpointMFAInitVerify            = "/mfa/init/verify"
+	EndpointMFAInitU2FVerify         = "/mfa/init/u2f/verify"
+	EndpointU2FVerification          = "/mfa/u2f/verify"
 	EndpointMailVerification         = "/mail/verification"
 	EndpointMailVerified             = "/mail/verified"
 	EndpointRegisterOption           = "/register/option"
@@ -46,6 +49,7 @@ func CreateRouter(login *Login, staticDir http.FileSystem, interceptors ...mux.M
 	router.HandleFunc(EndpointLogin, login.handleLogin).Methods(http.MethodGet, http.MethodPost)
 	router.HandleFunc(EndpointExternalLogin, login.handleExternalLogin).Methods(http.MethodGet)
 	router.HandleFunc(EndpointExternalLoginCallback, login.handleExternalLoginCallback).Methods(http.MethodGet)
+	router.HandleFunc(EndpointPasswordlessLogin, login.handlePasswordlessVerification).Methods(http.MethodPost)
 	router.HandleFunc(EndpointLoginName, login.handleLoginName).Methods(http.MethodGet)
 	router.HandleFunc(EndpointLoginName, login.handleLoginNameCheck).Methods(http.MethodPost)
 	router.HandleFunc(EndpointUserSelection, login.handleSelectUser).Methods(http.MethodPost)
@@ -56,10 +60,12 @@ func CreateRouter(login *Login, staticDir http.FileSystem, interceptors ...mux.M
 	router.HandleFunc(EndpointPasswordReset, login.handlePasswordReset).Methods(http.MethodGet)
 	router.HandleFunc(EndpointInitUser, login.handleInitUser).Methods(http.MethodGet)
 	router.HandleFunc(EndpointInitUser, login.handleInitUserCheck).Methods(http.MethodPost)
-	router.HandleFunc(EndpointMfaVerify, login.handleMfaVerify).Methods(http.MethodPost)
-	router.HandleFunc(EndpointMfaPrompt, login.handleMfaPromptSelection).Methods(http.MethodGet)
-	router.HandleFunc(EndpointMfaPrompt, login.handleMfaPrompt).Methods(http.MethodPost)
-	router.HandleFunc(EndpointMfaInitVerify, login.handleMfaInitVerify).Methods(http.MethodPost)
+	router.HandleFunc(EndpointMFAVerify, login.handleMFAVerify).Methods(http.MethodPost)
+	router.HandleFunc(EndpointMFAPrompt, login.handleMFAPromptSelection).Methods(http.MethodGet)
+	router.HandleFunc(EndpointMFAPrompt, login.handleMFAPrompt).Methods(http.MethodPost)
+	router.HandleFunc(EndpointMFAInitVerify, login.handleMFAInitVerify).Methods(http.MethodPost)
+	router.HandleFunc(EndpointMFAInitU2FVerify, login.handleRegisterU2F).Methods(http.MethodPost)
+	router.HandleFunc(EndpointU2FVerification, login.handleU2FVerification).Methods(http.MethodPost)
 	router.HandleFunc(EndpointMailVerification, login.handleMailVerification).Methods(http.MethodGet)
 	router.HandleFunc(EndpointMailVerification, login.handleMailVerificationCheck).Methods(http.MethodPost)
 	router.HandleFunc(EndpointChangePassword, login.handleChangePassword).Methods(http.MethodPost)
--- a/internal/ui/login/handler/webauthn.go
+++ b/internal/ui/login/handler/webauthn.go
@@ -0,0 +1,12 @@
+package handler
+
+type webAuthNData struct {
+	userData
+	CredentialCreationData string
+}
+
+type webAuthNFormData struct {
+	CredentialData string `schema:"credentialData"`
+	Name           string `schema:"name"`
+	Recreate       bool   `schema:"recreate"`
+}
--- a/internal/ui/login/static/i18n/de.yaml
+++ b/internal/ui/login/static/i18n/de.yaml
@@ -35,10 +35,10 @@ UsernameChangeDone:
  Title: Username geändert
  Description: Der Username wurde erfolgreich geändert.

-MfaVerify:
+MFAVerify:
  Title: Multifaktor verifizieren
  Description: Verifiziere deinen Multifaktor
-  OTP: OTP
+  OTP: OTP (One Time Password)
  Code: Code
  
 InitPassword: 
@@ -63,23 +63,41 @@ InitUserDone:
  Title: User aktiviert
  Description: EMail verifiziert und Passwort erfolgreich gesetzt

-MfaPrompt:
+MFAPrompt:
  Title: Multifaktor hinzufügen
  Description: Möchtest du einen Mulitfaktor hinzufügen?
  Provider0: OTP (One Time Password)
  Provider1: U2F (Universal 2nd Factor)

-MfaInitVerify:
+MFAInitVerify:
  Title: Multifaktor Verifizierung
  Description: Verifiziere deinen Multifaktor
-  OtpDescription: Scanne den Code mit einem Authentifizierungs-App (z.B Google Authentificator) oder kopiere das Secret und gib anschliessend den Code ein.
+  OTPDescription: Scanne den Code mit einem Authentifizierungs-App (z.B Google Authenticator) oder kopiere das Secret und gib anschliessend den Code ein.
  Secret: Secret
  Code: Code

-MfaInitDone:
+MFAInitDone:
  Title: Multifaktor Verifizierung erstellt
  Description: Multifikator Verifizierung erfolgreich abgeschlossen. Der Multifaktor muss bei jeder Anmeldung eingegeben werden, dies beinhaltet auch den aktuellen Authentifizierungs Prozess.

+MFAInitU2F:
+  Title: Multifaktor U2F / WebAuthN hinzufügen
+  Description: Füge dein Token hinzu, indem du einen Namen eingibst und den 'Token registrieren' Button drückst.
+
+MFAVerifyU2F:
+  Title: Multifaktor Verifizierung
+  Description: Verifiziere deinen Multifaktor U2F / WebAuthN Token
+
+WebAuthN:
+  Name: Name des Tokens / Geräts
+  NotSupported: WebAuthN wird durch deinen Browser nicht unterstützt. Stelle sicher, dass du die aktuelle Version installiert hast oder nutze einen anderen (z.B. Chrome, Safari, Firefox)
+  Error:
+    Retry: Versuche es erneut, erstelle eine neue Abfrage oder wähle einen andere Methode.
+
+Passwordless:
+  Title: Passwortlos einloggen
+  Description: Verifiziere dein Token
+
 PasswordChange:
  Title: Passwort ändern
  Description: Ändere dein Password in dem du dein altes und dann dein neuen Passwort eingibst.
@@ -181,6 +199,9 @@ Actions:
  ForgotPassword: Password zurücksetzen
  Cancel: Abbrechen
  Save: speichern
+  RegisterToken: Token registrieren
+  ValidateToken: Token validieren
+  Recreate: erneut erstellen

 Errors:
  Internal: Es ist ein interner Fehler aufgetreten
@@ -215,9 +236,9 @@ Errors:
      GeneratorAlgNotSupported: Generator Algorithums wird nicht unterstützt
    EmailVerify:
      UserIDEmpty: UserID ist leer
-    Mfa:
+    MFA:
      NoProviders: Es stehen keine Multifaktorprovider zur Verfügung
-      Otp:
+      OTP:
        AlreadyReady: Multifaktor OTP (OneTimePassword) ist bereits eingerichtet
        NotExisting: Multifaktor OTP (OneTimePassword) existiert nicht
        InvalidCode: Code ist ungültig
--- a/internal/ui/login/static/i18n/en.yaml
+++ b/internal/ui/login/static/i18n/en.yaml
@@ -35,10 +35,10 @@ UsernameChangeDone:
  Title: Username changed
  Description: Your username was changed successfully.

-MfaVerify:
+MFAVerify:
  Title: Verify Multificator
  Description: Verify your multifactor
-  OTP: OTP
+  OTP: OTP (One Time Password)
  Code: Code

 InitPassword: 
@@ -63,23 +63,41 @@ InitUserDone:
  Title: User activated
  Description: Email verified and Password successfully set

-MfaPrompt:
+MFAPrompt:
  Title: Multifactor Setup
  Description: Would you like to setup multifactor authentication?
  Provider0: OTP (One Time Password)
  Provider1: U2F (Universal 2nd Factor)

-MfaInitVerify:
+MFAInitVerify:
  Title: Multifactor Verification
  Description: Verify your multifactor.
-  OtpDescription: Scan the code with your authenticator app (e.g Google-Authenticator) or copy the secret and insert the generated code below.
+  OTPDescription: Scan the code with your authenticator app (e.g Google Authenticator) or copy the secret and insert the generated code below.
  Secret: Secret
  Code: Code

-MfaInitDone:
+MFAInitDone:
  Title: Multifcator Verification done
  Description: Multifactor verification successfully done. The multifactor has to be entered on each login, even in the actual authentification process.

+MFAInitU2F:
+  Title: Multifactor Setup U2F / WebAuthN
+  Description: Add your Token by providing a name and then clicking on the 'Register Token' button below.
+
+MFAVerifyU2F:
+  Title: Multifactor Verification
+  Description: Verify your multifactor U2F / WebAuthN token
+
+WebAuthN:
+  Name: Name of the tokens / machine
+  NotSupported: WebAuthN is not supported by your browser. Please ensure it is up to date or use a different one (e.g. Chrome, Safari, Firefox)
+  Error:
+    Retry: Retry, create a new challenge or choose a different method.
+
+Passwordless:
+  Title: Login passwordles
+  Description: Verify your token
+
 PasswordChange:
  Title: Change Password
  Description: Change your password. Enter your old and new password.
@@ -181,6 +199,9 @@ Actions:
  ForgotPassword: reset password
  Cancel: cancel
  Save: save
+  RegisterToken: Register Token
+  ValidateToken: Validate Token
+  Recreate: recreate

 Errors:
  Internal: An internal error occured
@@ -215,9 +236,9 @@ Errors:
      GeneratorAlgNotSupported: Unsupported generator algorithm
    EmailVerify:
      UserIDEmpty: UserID is empty
-    Mfa:
+    MFA:
      NoProviders: No available multifactor providers
-      Otp:
+      OTP:
        AlreadyReady: Multifactor OTP (OneTimePassword) is already setup
        NotExisting: Multifactor OTP (OneTimePassword) doesn't exist
        InvalidCode: Invalid code
--- a/internal/ui/login/static/resources/scripts/base64.js
+++ b/internal/ui/login/static/resources/scripts/base64.js
@@ -0,0 +1,68 @@
+/*
+ * modified version of:
+ *
+ * base64-arraybuffer
+ * https://github.com/niklasvh/base64-arraybuffer
+ *
+ * Copyright (c) 2012 Niklas von Hertzen
+ * Licensed under the MIT license.
+ */
+
+"use strict";
+
+let chars = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";
+
+// Use a lookup table to find the index.
+let lookup = new Uint8Array(256);
+for (var i = 0; i < chars.length; i++) {
+    lookup[chars.charCodeAt(i)] = i;
+}
+
+function encode(arraybuffer) {
+    let bytes = new Uint8Array(arraybuffer),
+        i, len = bytes.length, base64 = "";
+
+    for (i = 0; i < len; i += 3) {
+        base64 += chars[bytes[i] >> 2];
+        base64 += chars[((bytes[i] & 3) << 4) | (bytes[i + 1] >> 4)];
+        base64 += chars[((bytes[i + 1] & 15) << 2) | (bytes[i + 2] >> 6)];
+        base64 += chars[bytes[i + 2] & 63];
+    }
+
+    if ((len % 3) === 2) {
+        base64 = base64.substring(0, base64.length - 1) + "=";
+    } else if (len % 3 === 1) {
+        base64 = base64.substring(0, base64.length - 2) + "==";
+    }
+
+    return base64;
+}
+
+function decode(base64) {
+    let bufferLength = base64.length * 0.75,
+        len = base64.length, i, p = 0,
+        encoded1, encoded2, encoded3, encoded4;
+
+    if (base64[base64.length - 1] === "=") {
+        bufferLength--;
+        if (base64[base64.length - 2] === "=") {
+            bufferLength--;
+        }
+    }
+
+    let arraybuffer = new ArrayBuffer(bufferLength),
+        bytes = new Uint8Array(arraybuffer);
+
+    for (i = 0; i < len; i += 4) {
+        encoded1 = lookup[base64.charCodeAt(i)];
+        encoded2 = lookup[base64.charCodeAt(i + 1)];
+        encoded3 = lookup[base64.charCodeAt(i + 2)];
+        encoded4 = lookup[base64.charCodeAt(i + 3)];
+
+        bytes[p++] = (encoded1 << 2) | (encoded2 >> 4);
+        bytes[p++] = ((encoded2 & 15) << 4) | (encoded3 >> 2);
+        bytes[p++] = ((encoded3 & 3) << 6) | (encoded4 & 63);
+    }
+
+    return arraybuffer;
+}
--- a/internal/ui/login/static/resources/scripts/webauthn.js
+++ b/internal/ui/login/static/resources/scripts/webauthn.js
@@ -0,0 +1,31 @@
+function checkWebauthnSupported(button, func) {
+    let support = document.getElementsByClassName("wa-support");
+    let noSupport = document.getElementsByClassName("wa-no-support");
+    if (typeof (PublicKeyCredential) === undefined) {
+        for (let item of noSupport) {
+            item.classList.remove('hidden');
+        }
+        for (let item of support) {
+            item.classList.add('hidden');
+        }
+        return
+    }
+    document.getElementById(button).addEventListener('click', func);
+}
+
+function webauthnError(error) {
+    let err = document.getElementById('wa-error');
+    err.getElementsByClassName('cause')[0].innerText = error.message;
+    err.classList.remove('hidden');
+}
+
+function bufferDecode(value) {
+    return decode(value);
+}
+
+function bufferEncode(value) {
+    return encode(value)
+        .replace(/\+/g, "-")
+        .replace(/\//g, "_")
+        .replace(/=/g, "");
+}
--- a/internal/ui/login/static/resources/scripts/webauthn_login.js
+++ b/internal/ui/login/static/resources/scripts/webauthn_login.js
@@ -0,0 +1,42 @@
+document.addEventListener('DOMContentLoaded', checkWebauthnSupported('btn-login', login));
+
+function login() {
+    document.getElementById('wa-error').classList.add('hidden');
+
+    let makeAssertionOptions = JSON.parse(atob(document.getElementsByName('credentialAssertionData')[0].value));
+    makeAssertionOptions.publicKey.challenge = bufferDecode(makeAssertionOptions.publicKey.challenge);
+    makeAssertionOptions.publicKey.allowCredentials.forEach(function (listItem) {
+        listItem.id = bufferDecode(listItem.id)
+    });
+    console.log(makeAssertionOptions);
+    navigator.credentials.get({
+        publicKey: makeAssertionOptions.publicKey
+    }).then(function (credential) {
+            verifyAssertion(credential);
+        }).catch(function (err) {
+            webauthnError(err);
+    });
+}
+
+function verifyAssertion(assertedCredential) {
+    let authData = new Uint8Array(assertedCredential.response.authenticatorData);
+    let clientDataJSON = new Uint8Array(assertedCredential.response.clientDataJSON);
+    let rawId = new Uint8Array(assertedCredential.rawId);
+    let sig = new Uint8Array(assertedCredential.response.signature);
+    let userHandle = new Uint8Array(assertedCredential.response.userHandle);
+
+    let data = JSON.stringify({
+        id: assertedCredential.id,
+        rawId: bufferEncode(rawId),
+        type: assertedCredential.type,
+        response: {
+            authenticatorData: bufferEncode(authData),
+            clientDataJSON: bufferEncode(clientDataJSON),
+            signature: bufferEncode(sig),
+            userHandle: bufferEncode(userHandle),
+        },
+    })
+
+    document.getElementsByName('credentialData')[0].value = btoa(data);
+    document.getElementsByTagName('form')[0].submit();
+}
--- a/internal/ui/login/static/resources/scripts/webauthn_register.js
+++ b/internal/ui/login/static/resources/scripts/webauthn_register.js
@@ -0,0 +1,42 @@
+document.addEventListener('DOMContentLoaded', checkWebauthnSupported('btn-register', registerCredential));
+
+function registerCredential() {
+    document.getElementById('wa-error').classList.add('hidden');
+
+    let opt = JSON.parse(atob(document.getElementsByName('credentialCreationData')[0].value));
+    opt.publicKey.challenge = bufferDecode(opt.publicKey.challenge);
+    opt.publicKey.user.id = bufferDecode(opt.publicKey.user.id);
+    if (opt.publicKey.excludeCredentials) {
+        for (let i = 0; i < opt.publicKey.excludeCredentials.length; i++) {
+            if (opt.publicKey.excludeCredentials[i].id !== null) {
+                opt.publicKey.excludeCredentials[i].id = bufferDecode(opt.publicKey.excludeCredentials[i].id);
+            }
+        }
+    }
+    navigator.credentials.create({
+        publicKey: opt.publicKey
+    }).then(function (credential) {
+        createCredential(credential);
+    }).catch(function (err) {
+        webauthnError(err);
+    });
+}
+
+function createCredential(newCredential) {
+    let attestationObject = new Uint8Array(newCredential.response.attestationObject);
+    let clientDataJSON = new Uint8Array(newCredential.response.clientDataJSON);
+    let rawId = new Uint8Array(newCredential.rawId);
+
+    let data = JSON.stringify({
+        id: newCredential.id,
+        rawId: bufferEncode(rawId),
+        type: newCredential.type,
+        response: {
+            attestationObject: bufferEncode(attestationObject),
+            clientDataJSON: bufferEncode(clientDataJSON),
+        },
+    });
+
+    document.getElementsByName('credentialData')[0].value = btoa(data);
+    document.getElementsByTagName('form')[0].submit();
+}
--- a/internal/ui/login/static/resources/themes/caos/css/dark.css
+++ b/internal/ui/login/static/resources/themes/caos/css/dark.css
@@ -487,4 +487,12 @@ footer {
  color: #F20D6B;
 }

+.hidden {
+  display: none;
+}
+
+#wa-error {
+  margin-top: 20px;
+}
+
 /*# sourceMappingURL=dark.css.map */
--- a/internal/ui/login/static/resources/themes/caos/css/dark.css.map
+++ b/internal/ui/login/static/resources/themes/caos/css/dark.css.map
@@ -1 +1 @@
-{"version":3,"sourceRoot":"","sources":["../../scss/fonts.scss","../../scss/main.scss","../../scss/caos/variables.scss","../../scss/variables.scss"],"names":[],"mappings":"AACA;EACI;EACA;;AAIJ;EACI;EACA;EACA;EACA;;AAEJ;EACI;EACA;EACA;EACA;;AAGJ;EACI;EACA;EACA;EACA;;AAEJ;EACI;EACA;EACA;EACA;;AAGJ;EACI;EACA;EACA;EACA;;AAEJ;EACI;EACA;EACA;EACA;;AAGJ;EACI;EACA;EACA;EACA;;AAEJ;EACI;EACA;EACA;EACA;;AAGJ;EACI;EACA;EACA;EACA;;AAEJ;EACI;EACA;EACA;EACA;;AAIJ;EACI;EACA;EACA;EACA;AAA6D;EAC7D;;AC5EJ;EACI;EACA,aCMW;EDLX;EACA;;;AAGJ;EACI;;;AAGJ;EACI;EACA;EACA;EACA,kBCDc;EDEd,OCDQ;EDER;EACA;EACA;;;AAMJ;EACI,OCXQ;EDYR,aClBS;EDmBT;EACA,WEzBS;EF0BT;;;AAGJ;EACI,OCnBQ;EDoBR,aC1BS;ED2BT;EACA,WEhCU;;;AFmCd;EACI;EACA;;;AAGJ;EACI;;AAEA;EACI;EACA;EACA;EACA;EACA;;;AAIR;EACI;EACA;EACA;;;AAGJ;EACI;EACA;EACA;EACA;;;AAGJ;EACI,OCvDW;EDwDX;EACA;;AAEA;EACI,OC3DY;;AD8DhB;EACI;;;AAIR;EACI,kBCvEc;EDwEd,OCtEW;EDuEX;EACA;EACA;EACA;EACA,QExFU;EFyFV;EACA;EACA;EACA;EACA;EACA;EACA;;AAEA;EACI,kBCpFY;EDqFZ,OCxFU;EDyFV;;AAGJ;EACI,kBC3FO;ED4FP,OC7FI;ED8FJ;;AACA;EACI,kBC9FQ;;ADkGhB;EACI,kBExFW;EFyFX;;AAEA;EACI,kBE5FO;EF6FP;;AAIR;EACI;EACA;EACA;EACA;EACA,OEhGa;EFiGb,kBEhGmB;;AFkGnB;EACI;EACA;EACA;EACA;EACA;EACA;EACA;EACA;;AAGJ;EACI;EACA;EACA;;;AAOZ;EACI,kBE9HmB;EF+HnB,OC7IQ;ED8IR,QE1JU;EF2JV;EACA;EACA;;;AAIA;EACI;EACA;EACA;EACA;EEzJN;;AACA;EFoJE;IEnJA;IACA;;;AF0JA;EE7JF;;AACA;EF4JE;IE3JA;IACA;;;;AFiKA;EACI;EACA;;AAGJ;EACI;EACA;;AAEA;EACI,WEvLE;EFwLF;;AAGJ;EACI;EACA;EACA;EACA,OE1KC;;;AFgLT;EACI;EACA;;AAGJ;EACI;;AAEA;EACI;EACA;;AAGJ;EACI;EACA;EACA;EACA;;AAIR;EACI;;AAEA;EACI;EACA;;AAGJ;EACI;EACA;EACA;EACA;EACA;EACA,OC/NA;;ADmOR;EACI,OExNK;EFyNL;EACA;EACA;;AAEA;EACI;EACA;;AAIR;EACI;;AAEA;EACI;;AAGJ;EACI;;AAIR;EACI;EACA;EACA,OC9PI;ED+PJ;EACA;EACA;EACA;;AAEA;EACI;EACA,kBExPW;;AF2Pf;EACI;;AAIR;EACI;;AAKA;EACI;EACA;;AAGJ;EACI;EACA;EACA;EACA;EACA,cEjRO;EFkRP;EACA;EACA;EACA;EACA;;AAEA;EACI;;AAGJ;EACI;;AAKR;EACI;;AAEA;EACI;;AAEA;EACI;;AAEJ;EACI,OE7SP;;AFoTL;EACI;;AAEJ;EACI;EACA;EACA;EACA;EEvUV;;AACA;EFkUM;IEjUJ;IACA;;;AFyUQ;EACI;EACA;EE9Ud;;AACA;EF2UU;IE1UR;IACA;;;AFgVI;EACI;EACA;;AAIR;EACI;EACA;EACA;EACA;EACA;;AAEA;EACI;EACA;EACA;EACA;EACA;;AAEA;EACI;EACA;EACA;EACA,OErVN;;AF0VE;EACI,OE5VL;;AFiWP;EACI;;AACA;EACI;EACA;;;AAKZ;EACI;EACA;;;AAGJ;EACI;;AAEA;EACI,MCxYI;;AD2YR;EACI,MC7YU;;;ADkZd;EACI;EACA;;;AAIR;EAEQ;EAEJ;EACA;EACA;EACA;;;AAGJ;EACI;EACA;EACA;EACA;AAAkB;EAClB;EACA;EACA;EACA;EACA;EACA;EACA;AAEA;EACA;AACA;EACA;AAEA;EACA;AAEA;EACA;;;AAGJ;EACI;EACA;EACA;;;AAGJ;EACI,OE5aO","file":"dark.css"}
+{"version":3,"sourceRoot":"","sources":["../../scss/fonts.scss","../../scss/main.scss","../../scss/caos/variables.scss","../../scss/variables.scss"],"names":[],"mappings":"AACA;EACI;EACA;;AAIJ;EACI;EACA;EACA;EACA;;AAEJ;EACI;EACA;EACA;EACA;;AAGJ;EACI;EACA;EACA;EACA;;AAEJ;EACI;EACA;EACA;EACA;;AAGJ;EACI;EACA;EACA;EACA;;AAEJ;EACI;EACA;EACA;EACA;;AAGJ;EACI;EACA;EACA;EACA;;AAEJ;EACI;EACA;EACA;EACA;;AAGJ;EACI;EACA;EACA;EACA;;AAEJ;EACI;EACA;EACA;EACA;;AAIJ;EACI;EACA;EACA;EACA;AAA6D;EAC7D;;AC5EJ;EACI;EACA,aCMW;EDLX;EACA;;;AAGJ;EACI;;;AAGJ;EACI;EACA;EACA;EACA,kBCDc;EDEd,OCDQ;EDER;EACA;EACA;;;AAMJ;EACI,OCXQ;EDYR,aClBS;EDmBT;EACA,WEzBS;EF0BT;;;AAGJ;EACI,OCnBQ;EDoBR,aC1BS;ED2BT;EACA,WEhCU;;;AFmCd;EACI;EACA;;;AAGJ;EACI;;AAEA;EACI;EACA;EACA;EACA;EACA;;;AAIR;EACI;EACA;EACA;;;AAGJ;EACI;EACA;EACA;EACA;;;AAGJ;EACI,OCvDW;EDwDX;EACA;;AAEA;EACI,OC3DY;;AD8DhB;EACI;;;AAIR;EACI,kBCvEc;EDwEd,OCtEW;EDuEX;EACA;EACA;EACA;EACA,QExFU;EFyFV;EACA;EACA;EACA;EACA;EACA;EACA;;AAEA;EACI,kBCpFY;EDqFZ,OCxFU;EDyFV;;AAGJ;EACI,kBC3FO;ED4FP,OC7FI;ED8FJ;;AACA;EACI,kBC9FQ;;ADkGhB;EACI,kBExFW;EFyFX;;AAEA;EACI,kBE5FO;EF6FP;;AAIR;EACI;EACA;EACA;EACA;EACA,OEhGa;EFiGb,kBEhGmB;;AFkGnB;EACI;EACA;EACA;EACA;EACA;EACA;EACA;EACA;;AAGJ;EACI;EACA;EACA;;;AAOZ;EACI,kBE9HmB;EF+HnB,OC7IQ;ED8IR,QE1JU;EF2JV;EACA;EACA;;;AAIA;EACI;EACA;EACA;EACA;EEzJN;;AACA;EFoJE;IEnJA;IACA;;;AF0JA;EE7JF;;AACA;EF4JE;IE3JA;IACA;;;;AFiKA;EACI;EACA;;AAGJ;EACI;EACA;;AAEA;EACI,WEvLE;EFwLF;;AAGJ;EACI;EACA;EACA;EACA,OE1KC;;;AFgLT;EACI;EACA;;AAGJ;EACI;;AAEA;EACI;EACA;;AAGJ;EACI;EACA;EACA;EACA;;AAIR;EACI;;AAEA;EACI;EACA;;AAGJ;EACI;EACA;EACA;EACA;EACA;EACA,OC/NA;;ADmOR;EACI,OExNK;EFyNL;EACA;EACA;;AAEA;EACI;EACA;;AAIR;EACI;;AAEA;EACI;;AAGJ;EACI;;AAIR;EACI;EACA;EACA,OC9PI;ED+PJ;EACA;EACA;EACA;;AAEA;EACI;EACA,kBExPW;;AF2Pf;EACI;;AAIR;EACI;;AAKA;EACI;EACA;;AAGJ;EACI;EACA;EACA;EACA;EACA,cEjRO;EFkRP;EACA;EACA;EACA;EACA;;AAEA;EACI;;AAGJ;EACI;;AAKR;EACI;;AAEA;EACI;;AAEA;EACI;;AAEJ;EACI,OE7SP;;AFoTL;EACI;;AAEJ;EACI;EACA;EACA;EACA;EEvUV;;AACA;EFkUM;IEjUJ;IACA;;;AFyUQ;EACI;EACA;EE9Ud;;AACA;EF2UU;IE1UR;IACA;;;AFgVI;EACI;EACA;;AAIR;EACI;EACA;EACA;EACA;EACA;;AAEA;EACI;EACA;EACA;EACA;EACA;;AAEA;EACI;EACA;EACA;EACA,OErVN;;AF0VE;EACI,OE5VL;;AFiWP;EACI;;AACA;EACI;EACA;;;AAKZ;EACI;EACA;;;AAGJ;EACI;;AAEA;EACI,MCxYI;;AD2YR;EACI,MC7YU;;;ADkZd;EACI;EACA;;;AAIR;EAEQ;EAEJ;EACA;EACA;EACA;;;AAGJ;EACI;EACA;EACA;EACA;AAAkB;EAClB;EACA;EACA;EACA;EACA;EACA;EACA;AAEA;EACA;AACA;EACA;AAEA;EACA;AAEA;EACA;;;AAGJ;EACI;EACA;EACA;;;AAGJ;EACI,OE5aO;;;AF+aX;EACI;;;AAGJ;EACI","file":"dark.css"}
--- a/internal/ui/login/static/resources/themes/caos/css/light.css
+++ b/internal/ui/login/static/resources/themes/caos/css/light.css
@@ -487,6 +487,14 @@ footer {
  color: #F20D6B;
 }

+.hidden {
+  display: none;
+}
+
+#wa-error {
+  margin-top: 20px;
+}
+
 html {
  background-color: white;
  color: #282828;
--- a/internal/ui/login/static/resources/themes/caos/css/light.css.map
+++ b/internal/ui/login/static/resources/themes/caos/css/light.css.map
@@ -1 +1 @@
-{"version":3,"sourceRoot":"","sources":["../../scss/fonts.scss","../../scss/main.scss","../../scss/caos/variables.scss","../../scss/variables.scss","../../scss/light.scss"],"names":[],"mappings":"AACA;EACI;EACA;;AAIJ;EACI;EACA;EACA;EACA;;AAEJ;EACI;EACA;EACA;EACA;;AAGJ;EACI;EACA;EACA;EACA;;AAEJ;EACI;EACA;EACA;EACA;;AAGJ;EACI;EACA;EACA;EACA;;AAEJ;EACI;EACA;EACA;EACA;;AAGJ;EACI;EACA;EACA;EACA;;AAEJ;EACI;EACA;EACA;EACA;;AAGJ;EACI;EACA;EACA;EACA;;AAEJ;EACI;EACA;EACA;EACA;;AAIJ;EACI;EACA;EACA;EACA;AAA6D;EAC7D;;AC5EJ;EACI;EACA,aCMW;EDLX;EACA;;;AAGJ;EACI;;;AAGJ;EACI;EACA;EACA;EACA,kBCDc;EDEd,OCDQ;EDER;EACA;EACA;;;AAMJ;EACI,OCXQ;EDYR,aClBS;EDmBT;EACA,WEzBS;EF0BT;;;AAGJ;EACI,OCnBQ;EDoBR,aC1BS;ED2BT;EACA,WEhCU;;;AFmCd;EACI;EACA;;;AAGJ;EACI;;AAEA;EACI;EACA;EACA;EACA;EACA;;;AAIR;EACI;EACA;EACA;;;AAGJ;EACI;EACA;EACA;EACA;;;AAGJ;EACI,OCvDW;EDwDX;EACA;;AAEA;EACI,OC3DY;;AD8DhB;EACI;;;AAIR;EACI,kBCvEc;EDwEd,OCtEW;EDuEX;EACA;EACA;EACA;EACA,QExFU;EFyFV;EACA;EACA;EACA;EACA;EACA;EACA;;AAEA;EACI,kBCpFY;EDqFZ,OCxFU;EDyFV;;AAGJ;EACI,kBC3FO;ED4FP,OC7FI;ED8FJ;;AACA;EACI,kBC9FQ;;ADkGhB;EACI,kBExFW;EFyFX;;AAEA;EACI,kBE5FO;EF6FP;;AAIR;EACI;EACA;EACA;EACA;EACA,OEhGa;EFiGb,kBEhGmB;;AFkGnB;EACI;EACA;EACA;EACA;EACA;EACA;EACA;EACA;;AAGJ;EACI;EACA;EACA;;;AAOZ;EACI,kBE9HmB;EF+HnB,OC7IQ;ED8IR,QE1JU;EF2JV;EACA;EACA;;;AAIA;EACI;EACA;EACA;EACA;EEzJN;;AACA;EFoJE;IEnJA;IACA;;;AF0JA;EE7JF;;AACA;EF4JE;IE3JA;IACA;;;;AFiKA;EACI;EACA;;AAGJ;EACI;EACA;;AAEA;EACI,WEvLE;EFwLF;;AAGJ;EACI;EACA;EACA;EACA,OE1KC;;;AFgLT;EACI;EACA;;AAGJ;EACI;;AAEA;EACI;EACA;;AAGJ;EACI;EACA;EACA;EACA;;AAIR;EACI;;AAEA;EACI;EACA;;AAGJ;EACI;EACA;EACA;EACA;EACA;EACA,OC/NA;;ADmOR;EACI,OExNK;EFyNL;EACA;EACA;;AAEA;EACI;EACA;;AAIR;EACI;;AAEA;EACI;;AAGJ;EACI;;AAIR;EACI;EACA;EACA,OC9PI;ED+PJ;EACA;EACA;EACA;;AAEA;EACI;EACA,kBExPW;;AF2Pf;EACI;;AAIR;EACI;;AAKA;EACI;EACA;;AAGJ;EACI;EACA;EACA;EACA;EACA,cEjRO;EFkRP;EACA;EACA;EACA;EACA;;AAEA;EACI;;AAGJ;EACI;;AAKR;EACI;;AAEA;EACI;;AAEA;EACI;;AAEJ;EACI,OE7SP;;AFoTL;EACI;;AAEJ;EACI;EACA;EACA;EACA;EEvUV;;AACA;EFkUM;IEjUJ;IACA;;;AFyUQ;EACI;EACA;EE9Ud;;AACA;EF2UU;IE1UR;IACA;;;AFgVI;EACI;EACA;;AAIR;EACI;EACA;EACA;EACA;EACA;;AAEA;EACI;EACA;EACA;EACA;EACA;;AAEA;EACI;EACA;EACA;EACA,OErVN;;AF0VE;EACI,OE5VL;;AFiWP;EACI;;AACA;EACI;EACA;;;AAKZ;EACI;EACA;;;AAGJ;EACI;;AAEA;EACI,MCxYI;;AD2YR;EACI,MC7YU;;;ADkZd;EACI;EACA;;;AAIR;EAEQ;EAEJ;EACA;EACA;EACA;;;AAGJ;EACI;EACA;EACA;EACA;AAAkB;EAClB;EACA;EACA;EACA;EACA;EACA;EACA;AAEA;EACA;AACA;EACA;AAEA;EACA;AAEA;EACA;;;AAGJ;EACI;EACA;EACA;;;AAGJ;EACI,OE5aO;;;ACrCX;EACI,kBFeQ;EEdR,OFac;;AERd;EACI;;AAGJ;EACI,OFGU;;AEAd;EACI;EACA;EACA;;AAEA;EACI,kBFIa;EEHb;EACA,ODyBgB;;ACtBpB;EACI,kBFVG;EEWH,ODoBgB;ECnBhB;EACA;;AACA;EACI,kBFdI;;AEkBZ;EACI,kBDRO;ECSP;;AAEA;EACI,kBDZG;ECaH;;AAIR;EACI,OFhCM;;AEkCN;EACI;EACA,kBDHY;;ACQhB;EDxCV;;AACA;ECuCU;IDtCR;IACA;;;ACyCQ;EACI,kBDbY;;ACeZ;ED/Cd;;AACA;EC8Cc;ID7CZ;IACA;;;ACmDQ;EDtDV;;AACA;ECqDU;IDpDR;IACA;;;ACwDY;ED3Dd;;AACA;EC0Dc;IDzDZ;IACA;;;AC8DI;EACI,OD7Bc;EC8Bd,kBD7BoB;;AC+BpB;EACI;;AAKZ;EACI,kBD5CoB;EC6CpB,OF9EU;;AEkFV;EACI,MFnFM;;AEsFV;EACI,MFtFA;;AE0FR;EAEQ;;;AAMR;EACI,OFpGU;;AEwGb;EACI,ODhEM;;ACoEN;EACI,ODtEG;;;AC8EZ;EDrHF;;AACA;ECoHE;IDnHA;IACA;;;ACsHA;EDzHF;;AACA;ECwHE;IDvHA;IACA;;;;AC2HJ;EACI;;;AAGJ;EACI,OD5FY","file":"light.css"}
+{"version":3,"sourceRoot":"","sources":["../../scss/fonts.scss","../../scss/main.scss","../../scss/caos/variables.scss","../../scss/variables.scss","../../scss/light.scss"],"names":[],"mappings":"AACA;EACI;EACA;;AAIJ;EACI;EACA;EACA;EACA;;AAEJ;EACI;EACA;EACA;EACA;;AAGJ;EACI;EACA;EACA;EACA;;AAEJ;EACI;EACA;EACA;EACA;;AAGJ;EACI;EACA;EACA;EACA;;AAEJ;EACI;EACA;EACA;EACA;;AAGJ;EACI;EACA;EACA;EACA;;AAEJ;EACI;EACA;EACA;EACA;;AAGJ;EACI;EACA;EACA;EACA;;AAEJ;EACI;EACA;EACA;EACA;;AAIJ;EACI;EACA;EACA;EACA;AAA6D;EAC7D;;AC5EJ;EACI;EACA,aCMW;EDLX;EACA;;;AAGJ;EACI;;;AAGJ;EACI;EACA;EACA;EACA,kBCDc;EDEd,OCDQ;EDER;EACA;EACA;;;AAMJ;EACI,OCXQ;EDYR,aClBS;EDmBT;EACA,WEzBS;EF0BT;;;AAGJ;EACI,OCnBQ;EDoBR,aC1BS;ED2BT;EACA,WEhCU;;;AFmCd;EACI;EACA;;;AAGJ;EACI;;AAEA;EACI;EACA;EACA;EACA;EACA;;;AAIR;EACI;EACA;EACA;;;AAGJ;EACI;EACA;EACA;EACA;;;AAGJ;EACI,OCvDW;EDwDX;EACA;;AAEA;EACI,OC3DY;;AD8DhB;EACI;;;AAIR;EACI,kBCvEc;EDwEd,OCtEW;EDuEX;EACA;EACA;EACA;EACA,QExFU;EFyFV;EACA;EACA;EACA;EACA;EACA;EACA;;AAEA;EACI,kBCpFY;EDqFZ,OCxFU;EDyFV;;AAGJ;EACI,kBC3FO;ED4FP,OC7FI;ED8FJ;;AACA;EACI,kBC9FQ;;ADkGhB;EACI,kBExFW;EFyFX;;AAEA;EACI,kBE5FO;EF6FP;;AAIR;EACI;EACA;EACA;EACA;EACA,OEhGa;EFiGb,kBEhGmB;;AFkGnB;EACI;EACA;EACA;EACA;EACA;EACA;EACA;EACA;;AAGJ;EACI;EACA;EACA;;;AAOZ;EACI,kBE9HmB;EF+HnB,OC7IQ;ED8IR,QE1JU;EF2JV;EACA;EACA;;;AAIA;EACI;EACA;EACA;EACA;EEzJN;;AACA;EFoJE;IEnJA;IACA;;;AF0JA;EE7JF;;AACA;EF4JE;IE3JA;IACA;;;;AFiKA;EACI;EACA;;AAGJ;EACI;EACA;;AAEA;EACI,WEvLE;EFwLF;;AAGJ;EACI;EACA;EACA;EACA,OE1KC;;;AFgLT;EACI;EACA;;AAGJ;EACI;;AAEA;EACI;EACA;;AAGJ;EACI;EACA;EACA;EACA;;AAIR;EACI;;AAEA;EACI;EACA;;AAGJ;EACI;EACA;EACA;EACA;EACA;EACA,OC/NA;;ADmOR;EACI,OExNK;EFyNL;EACA;EACA;;AAEA;EACI;EACA;;AAIR;EACI;;AAEA;EACI;;AAGJ;EACI;;AAIR;EACI;EACA;EACA,OC9PI;ED+PJ;EACA;EACA;EACA;;AAEA;EACI;EACA,kBExPW;;AF2Pf;EACI;;AAIR;EACI;;AAKA;EACI;EACA;;AAGJ;EACI;EACA;EACA;EACA;EACA,cEjRO;EFkRP;EACA;EACA;EACA;EACA;;AAEA;EACI;;AAGJ;EACI;;AAKR;EACI;;AAEA;EACI;;AAEA;EACI;;AAEJ;EACI,OE7SP;;AFoTL;EACI;;AAEJ;EACI;EACA;EACA;EACA;EEvUV;;AACA;EFkUM;IEjUJ;IACA;;;AFyUQ;EACI;EACA;EE9Ud;;AACA;EF2UU;IE1UR;IACA;;;AFgVI;EACI;EACA;;AAIR;EACI;EACA;EACA;EACA;EACA;;AAEA;EACI;EACA;EACA;EACA;EACA;;AAEA;EACI;EACA;EACA;EACA,OErVN;;AF0VE;EACI,OE5VL;;AFiWP;EACI;;AACA;EACI;EACA;;;AAKZ;EACI;EACA;;;AAGJ;EACI;;AAEA;EACI,MCxYI;;AD2YR;EACI,MC7YU;;;ADkZd;EACI;EACA;;;AAIR;EAEQ;EAEJ;EACA;EACA;EACA;;;AAGJ;EACI;EACA;EACA;EACA;AAAkB;EAClB;EACA;EACA;EACA;EACA;EACA;EACA;AAEA;EACA;AACA;EACA;AAEA;EACA;AAEA;EACA;;;AAGJ;EACI;EACA;EACA;;;AAGJ;EACI,OE5aO;;;AF+aX;EACI;;;AAGJ;EACI;;;AGzdJ;EACI,kBFeQ;EEdR,OFac;;AERd;EACI;;AAGJ;EACI,OFGU;;AEAd;EACI;EACA;EACA;;AAEA;EACI,kBFIa;EEHb;EACA,ODyBgB;;ACtBpB;EACI,kBFVG;EEWH,ODoBgB;ECnBhB;EACA;;AACA;EACI,kBFdI;;AEkBZ;EACI,kBDRO;ECSP;;AAEA;EACI,kBDZG;ECaH;;AAIR;EACI,OFhCM;;AEkCN;EACI;EACA,kBDHY;;ACQhB;EDxCV;;AACA;ECuCU;IDtCR;IACA;;;ACyCQ;EACI,kBDbY;;ACeZ;ED/Cd;;AACA;EC8Cc;ID7CZ;IACA;;;ACmDQ;EDtDV;;AACA;ECqDU;IDpDR;IACA;;;ACwDY;ED3Dd;;AACA;EC0Dc;IDzDZ;IACA;;;AC8DI;EACI,OD7Bc;EC8Bd,kBD7BoB;;AC+BpB;EACI;;AAKZ;EACI,kBD5CoB;EC6CpB,OF9EU;;AEkFV;EACI,MFnFM;;AEsFV;EACI,MFtFA;;AE0FR;EAEQ;;;AAMR;EACI,OFpGU;;AEwGb;EACI,ODhEM;;ACoEN;EACI,ODtEG;;;AC8EZ;EDrHF;;AACA;ECoHE;IDnHA;IACA;;;ACsHA;EDzHF;;AACA;ECwHE;IDvHA;IACA;;;;AC2HJ;EACI;;;AAGJ;EACI,OD5FY","file":"light.css"}
--- a/internal/ui/login/static/resources/themes/scss/main.scss
+++ b/internal/ui/login/static/resources/themes/scss/main.scss
@@ -466,3 +466,11 @@ footer {
 .error {
    color: $nokColor;
 }
+
+.hidden {
+    display: none;
+}
+
+#wa-error {
+    margin-top: 20px;
+}
--- a/internal/ui/login/static/resources/themes/zitadel/css/dark.css
+++ b/internal/ui/login/static/resources/themes/zitadel/css/dark.css
@@ -487,4 +487,12 @@ footer {
  color: #F20D6B;
 }

+.hidden {
+  display: none;
+}
+
+#wa-error {
+  margin-top: 20px;
+}
+
 /*# sourceMappingURL=dark.css.map */
--- a/internal/ui/login/static/resources/themes/zitadel/css/dark.css.map
+++ b/internal/ui/login/static/resources/themes/zitadel/css/dark.css.map
@@ -1 +1 @@
-{"version":3,"sourceRoot":"","sources":["../../scss/fonts.scss","../../scss/main.scss","../../scss/variables.scss"],"names":[],"mappings":"AACA;EACI;EACA;;AAIJ;EACI;EACA;EACA;EACA;;AAEJ;EACI;EACA;EACA;EACA;;AAGJ;EACI;EACA;EACA;EACA;;AAEJ;EACI;EACA;EACA;EACA;;AAGJ;EACI;EACA;EACA;EACA;;AAEJ;EACI;EACA;EACA;EACA;;AAGJ;EACI;EACA;EACA;EACA;;AAEJ;EACI;EACA;EACA;EACA;;AAGJ;EACI;EACA;EACA;EACA;;AAEJ;EACI;EACA;EACA;EACA;;AAIJ;EACI;EACA;EACA;EACA;AAA6D;EAC7D;;AC5EJ;EACI;EACA,aCHW;EDIX;EACA;;;AAGJ;EACI;;;AAGJ;EACI;EACA;EACA;EACA,kBCQc;EDPd,OCQQ;EDPR;EACA;EACA;EAEI;;;AAIR;EACI,OCFQ;EDGR,aC3BS;ED4BT;EACA,WCzBS;ED0BT;;;AAGJ;EACI,OCVQ;EDWR,aCnCS;EDoCT;EACA,WChCU;;;ADmCd;EACI;EACA;;;AAGJ;EACI;;AAEA;EACI;EACA;EACA;EACA;EACA;;;AAIR;EACI;EACA;EACA;;;AAGJ;EACI;EACA;EACA;EACA;;;AAGJ;EACI,OC9CW;ED+CX;EACA;;AAEA;EACI,OClDY;;ADqDhB;EACI;;;AAIR;EACI,kBC9Dc;ED+Dd,OC7DW;ED8DX;EACA;EACA;EACA;EACA,QCxFU;EDyFV;EACA;EACA;EACA;EACA;EACA;EACA;;AAEA;EACI,kBC3EY;ED4EZ,OC/EU;EDgFV;;AAGJ;EACI,kBClFO;EDmFP,OCpFI;EDqFJ;;AACA;EACI,kBCrFQ;;ADyFhB;EACI,kBCxFW;EDyFX;;AAEA;EACI,kBC5FO;ED6FP;;AAIR;EACI;EACA;EACA;EACA;EACA,OChGa;EDiGb,kBChGmB;;ADkGnB;EACI;EACA;EACA;EACA;EACA;EACA;EACA;EACA;;AAGJ;EACI;EACA;EACA;;;AAOZ;EACI,kBC9HmB;ED+HnB,OCpIQ;EDqIR,QC1JU;ED2JV;EACA;EACA;;;AAIA;EACI;EACA;EACA;EACA;ECzJN;;AACA;EDoJE;ICnJA;IACA;;;AD0JA;EC7JF;;AACA;ED4JE;IC3JA;IACA;;;;ADiKA;EACI;EACA;;AAGJ;EACI;EACA;;AAEA;EACI,WCvLE;EDwLF;;AAGJ;EACI;EACA;EACA;EACA,OC1KC;;;ADgLT;EACI;EACA;;AAGJ;EACI;;AAEA;EACI;EACA;;AAGJ;EACI;EACA;EACA;EACA;;AAIR;EACI;;AAEA;EACI;EACA;;AAGJ;EACI;EACA;EACA;EACA;EACA;EACA,OCtNA;;AD0NR;EACI,OCxNK;EDyNL;EACA;EACA;;AAEA;EACI;EACA;;AAIR;EACI;;AAEA;EACI;;AAGJ;EACI;;AAIR;EACI;EACA;EACA,OCrPI;EDsPJ;EACA;EACA;EACA;;AAEA;EACI;EACA,kBCxPW;;AD2Pf;EACI;;AAIR;EACI;;AAKA;EACI;EACA;;AAGJ;EACI;EACA;EACA;EACA;EACA,cCjRO;EDkRP;EACA;EACA;EACA;EACA;;AAEA;EACI;;AAGJ;EACI;;AAKR;EACI;;AAEA;EACI;;AAEA;EACI;;AAEJ;EACI,OC7SP;;ADoTL;EACI;;AAEJ;EACI;EACA;EACA;EACA;ECvUV;;AACA;EDkUM;ICjUJ;IACA;;;ADyUQ;EACI;EACA;EC9Ud;;AACA;ED2UU;IC1UR;IACA;;;ADgVI;EACI;EACA;;AAIR;EACI;EACA;EACA;EACA;EACA;;AAEA;EACI;EACA;EACA;EACA;EACA;;AAEA;EACI;EACA;EACA;EACA,OCrVN;;AD0VE;EACI,OC5VL;;ADiWP;EACI;;AACA;EACI;EACA;;;AAKZ;EACI;EACA;;;AAGJ;EACI;;AAEA;EACI,MC/XI;;ADkYR;EACI,MCpYU;;;ADyYd;EACI;EACA;;;AAIR;EAII;EACA;EACA;EACA;;;AAGJ;EACI;EACA;EACA;EACA;AAAkB;EAClB;EACA;EACA;EACA;EACA;EACA;EACA;AAEA;EACA;AACA;EACA;AAEA;EACA;AAEA;EACA;;;AAGJ;EACI;EACA;EACA;;;AAGJ;EACI,OC5aO","file":"dark.css"}
+{"version":3,"sourceRoot":"","sources":["../../scss/fonts.scss","../../scss/main.scss","../../scss/variables.scss"],"names":[],"mappings":"AACA;EACI;EACA;;AAIJ;EACI;EACA;EACA;EACA;;AAEJ;EACI;EACA;EACA;EACA;;AAGJ;EACI;EACA;EACA;EACA;;AAEJ;EACI;EACA;EACA;EACA;;AAGJ;EACI;EACA;EACA;EACA;;AAEJ;EACI;EACA;EACA;EACA;;AAGJ;EACI;EACA;EACA;EACA;;AAEJ;EACI;EACA;EACA;EACA;;AAGJ;EACI;EACA;EACA;EACA;;AAEJ;EACI;EACA;EACA;EACA;;AAIJ;EACI;EACA;EACA;EACA;AAA6D;EAC7D;;AC5EJ;EACI;EACA,aCHW;EDIX;EACA;;;AAGJ;EACI;;;AAGJ;EACI;EACA;EACA;EACA,kBCQc;EDPd,OCQQ;EDPR;EACA;EACA;EAEI;;;AAIR;EACI,OCFQ;EDGR,aC3BS;ED4BT;EACA,WCzBS;ED0BT;;;AAGJ;EACI,OCVQ;EDWR,aCnCS;EDoCT;EACA,WChCU;;;ADmCd;EACI;EACA;;;AAGJ;EACI;;AAEA;EACI;EACA;EACA;EACA;EACA;;;AAIR;EACI;EACA;EACA;;;AAGJ;EACI;EACA;EACA;EACA;;;AAGJ;EACI,OC9CW;ED+CX;EACA;;AAEA;EACI,OClDY;;ADqDhB;EACI;;;AAIR;EACI,kBC9Dc;ED+Dd,OC7DW;ED8DX;EACA;EACA;EACA;EACA,QCxFU;EDyFV;EACA;EACA;EACA;EACA;EACA;EACA;;AAEA;EACI,kBC3EY;ED4EZ,OC/EU;EDgFV;;AAGJ;EACI,kBClFO;EDmFP,OCpFI;EDqFJ;;AACA;EACI,kBCrFQ;;ADyFhB;EACI,kBCxFW;EDyFX;;AAEA;EACI,kBC5FO;ED6FP;;AAIR;EACI;EACA;EACA;EACA;EACA,OChGa;EDiGb,kBChGmB;;ADkGnB;EACI;EACA;EACA;EACA;EACA;EACA;EACA;EACA;;AAGJ;EACI;EACA;EACA;;;AAOZ;EACI,kBC9HmB;ED+HnB,OCpIQ;EDqIR,QC1JU;ED2JV;EACA;EACA;;;AAIA;EACI;EACA;EACA;EACA;ECzJN;;AACA;EDoJE;ICnJA;IACA;;;AD0JA;EC7JF;;AACA;ED4JE;IC3JA;IACA;;;;ADiKA;EACI;EACA;;AAGJ;EACI;EACA;;AAEA;EACI,WCvLE;EDwLF;;AAGJ;EACI;EACA;EACA;EACA,OC1KC;;;ADgLT;EACI;EACA;;AAGJ;EACI;;AAEA;EACI;EACA;;AAGJ;EACI;EACA;EACA;EACA;;AAIR;EACI;;AAEA;EACI;EACA;;AAGJ;EACI;EACA;EACA;EACA;EACA;EACA,OCtNA;;AD0NR;EACI,OCxNK;EDyNL;EACA;EACA;;AAEA;EACI;EACA;;AAIR;EACI;;AAEA;EACI;;AAGJ;EACI;;AAIR;EACI;EACA;EACA,OCrPI;EDsPJ;EACA;EACA;EACA;;AAEA;EACI;EACA,kBCxPW;;AD2Pf;EACI;;AAIR;EACI;;AAKA;EACI;EACA;;AAGJ;EACI;EACA;EACA;EACA;EACA,cCjRO;EDkRP;EACA;EACA;EACA;EACA;;AAEA;EACI;;AAGJ;EACI;;AAKR;EACI;;AAEA;EACI;;AAEA;EACI;;AAEJ;EACI,OC7SP;;ADoTL;EACI;;AAEJ;EACI;EACA;EACA;EACA;ECvUV;;AACA;EDkUM;ICjUJ;IACA;;;ADyUQ;EACI;EACA;EC9Ud;;AACA;ED2UU;IC1UR;IACA;;;ADgVI;EACI;EACA;;AAIR;EACI;EACA;EACA;EACA;EACA;;AAEA;EACI;EACA;EACA;EACA;EACA;;AAEA;EACI;EACA;EACA;EACA,OCrVN;;AD0VE;EACI,OC5VL;;ADiWP;EACI;;AACA;EACI;EACA;;;AAKZ;EACI;EACA;;;AAGJ;EACI;;AAEA;EACI,MC/XI;;ADkYR;EACI,MCpYU;;;ADyYd;EACI;EACA;;;AAIR;EAII;EACA;EACA;EACA;;;AAGJ;EACI;EACA;EACA;EACA;AAAkB;EAClB;EACA;EACA;EACA;EACA;EACA;EACA;AAEA;EACA;AACA;EACA;AAEA;EACA;AAEA;EACA;;;AAGJ;EACI;EACA;EACA;;;AAGJ;EACI,OC5aO;;;AD+aX;EACI;;;AAGJ;EACI","file":"dark.css"}
--- a/internal/ui/login/static/resources/themes/zitadel/css/light.css
+++ b/internal/ui/login/static/resources/themes/zitadel/css/light.css
@@ -487,6 +487,14 @@ footer {
  color: #F20D6B;
 }

+.hidden {
+  display: none;
+}
+
+#wa-error {
+  margin-top: 20px;
+}
+
 html {
  background-color: #f5f5f5;
  color: #282828;
--- a/internal/ui/login/static/resources/themes/zitadel/css/light.css.map
+++ b/internal/ui/login/static/resources/themes/zitadel/css/light.css.map
@@ -1 +1 @@
-{"version":3,"sourceRoot":"","sources":["../../scss/fonts.scss","../../scss/main.scss","../../scss/variables.scss","../../scss/light.scss"],"names":[],"mappings":"AACA;EACI;EACA;;AAIJ;EACI;EACA;EACA;EACA;;AAEJ;EACI;EACA;EACA;EACA;;AAGJ;EACI;EACA;EACA;EACA;;AAEJ;EACI;EACA;EACA;EACA;;AAGJ;EACI;EACA;EACA;EACA;;AAEJ;EACI;EACA;EACA;EACA;;AAGJ;EACI;EACA;EACA;EACA;;AAEJ;EACI;EACA;EACA;EACA;;AAGJ;EACI;EACA;EACA;EACA;;AAEJ;EACI;EACA;EACA;EACA;;AAIJ;EACI;EACA;EACA;EACA;AAA6D;EAC7D;;AC5EJ;EACI;EACA,aCHW;EDIX;EACA;;;AAGJ;EACI;;;AAGJ;EACI;EACA;EACA;EACA,kBCQc;EDPd,OCQQ;EDPR;EACA;EACA;EAEI;;;AAIR;EACI,OCFQ;EDGR,aC3BS;ED4BT;EACA,WCzBS;ED0BT;;;AAGJ;EACI,OCVQ;EDWR,aCnCS;EDoCT;EACA,WChCU;;;ADmCd;EACI;EACA;;;AAGJ;EACI;;AAEA;EACI;EACA;EACA;EACA;EACA;;;AAIR;EACI;EACA;EACA;;;AAGJ;EACI;EACA;EACA;EACA;;;AAGJ;EACI,OC9CW;ED+CX;EACA;;AAEA;EACI,OClDY;;ADqDhB;EACI;;;AAIR;EACI,kBC9Dc;ED+Dd,OC7DW;ED8DX;EACA;EACA;EACA;EACA,QCxFU;EDyFV;EACA;EACA;EACA;EACA;EACA;EACA;;AAEA;EACI,kBC3EY;ED4EZ,OC/EU;EDgFV;;AAGJ;EACI,kBClFO;EDmFP,OCpFI;EDqFJ;;AACA;EACI,kBCrFQ;;ADyFhB;EACI,kBCxFW;EDyFX;;AAEA;EACI,kBC5FO;ED6FP;;AAIR;EACI;EACA;EACA;EACA;EACA,OChGa;EDiGb,kBChGmB;;ADkGnB;EACI;EACA;EACA;EACA;EACA;EACA;EACA;EACA;;AAGJ;EACI;EACA;EACA;;;AAOZ;EACI,kBC9HmB;ED+HnB,OCpIQ;EDqIR,QC1JU;ED2JV;EACA;EACA;;;AAIA;EACI;EACA;EACA;EACA;ECzJN;;AACA;EDoJE;ICnJA;IACA;;;AD0JA;EC7JF;;AACA;ED4JE;IC3JA;IACA;;;;ADiKA;EACI;EACA;;AAGJ;EACI;EACA;;AAEA;EACI,WCvLE;EDwLF;;AAGJ;EACI;EACA;EACA;EACA,OC1KC;;;ADgLT;EACI;EACA;;AAGJ;EACI;;AAEA;EACI;EACA;;AAGJ;EACI;EACA;EACA;EACA;;AAIR;EACI;;AAEA;EACI;EACA;;AAGJ;EACI;EACA;EACA;EACA;EACA;EACA,OCtNA;;AD0NR;EACI,OCxNK;EDyNL;EACA;EACA;;AAEA;EACI;EACA;;AAIR;EACI;;AAEA;EACI;;AAGJ;EACI;;AAIR;EACI;EACA;EACA,OCrPI;EDsPJ;EACA;EACA;EACA;;AAEA;EACI;EACA,kBCxPW;;AD2Pf;EACI;;AAIR;EACI;;AAKA;EACI;EACA;;AAGJ;EACI;EACA;EACA;EACA;EACA,cCjRO;EDkRP;EACA;EACA;EACA;EACA;;AAEA;EACI;;AAGJ;EACI;;AAKR;EACI;;AAEA;EACI;;AAEA;EACI;;AAEJ;EACI,OC7SP;;ADoTL;EACI;;AAEJ;EACI;EACA;EACA;EACA;ECvUV;;AACA;EDkUM;ICjUJ;IACA;;;ADyUQ;EACI;EACA;EC9Ud;;AACA;ED2UU;IC1UR;IACA;;;ADgVI;EACI;EACA;;AAIR;EACI;EACA;EACA;EACA;EACA;;AAEA;EACI;EACA;EACA;EACA;EACA;;AAEA;EACI;EACA;EACA;EACA,OCrVN;;AD0VE;EACI,OC5VL;;ADiWP;EACI;;AACA;EACI;EACA;;;AAKZ;EACI;EACA;;;AAGJ;EACI;;AAEA;EACI,MC/XI;;ADkYR;EACI,MCpYU;;;ADyYd;EACI;EACA;;;AAIR;EAII;EACA;EACA;EACA;;;AAGJ;EACI;EACA;EACA;EACA;AAAkB;EAClB;EACA;EACA;EACA;EACA;EACA;EACA;AAEA;EACA;AACA;EACA;AAEA;EACA;AAEA;EACA;;;AAGJ;EACI;EACA;EACA;;;AAGJ;EACI,OC5aO;;;ACrCX;EACI,kBD2CmB;EC1CnB,ODsBc;ECpBV;;AAGJ;EACI;;AAGJ;EACI,ODYU;;ACTd;EACI,kBD4Be;EC3Bf,ODSO;ECRP;;AAEA;EACI,kBD0Ba;ECzBb;EACA,ODyBgB;;ACtBpB;EACI,kBDDG;ECEH,ODoBgB;ECnBhB;EACA;;AACA;EACI,kBDLI;;ACSZ;EACI,kBDRO;ECSP;;AAEA;EACI,kBDZG;ECaH;;AAIR;EACI,ODvBM;;ACyBN;EACI;EACA,kBDHY;;ACQhB;EDxCV;;AACA;ECuCU;IDtCR;IACA;;;ACyCQ;EACI,kBDbY;;ACeZ;ED/Cd;;AACA;EC8Cc;ID7CZ;IACA;;;ACmDQ;EDtDV;;AACA;ECqDU;IDpDR;IACA;;;ACwDY;ED3Dd;;AACA;EC0Dc;IDzDZ;IACA;;;AC8DI;EACI,OD7Bc;EC8Bd,kBD7BoB;;AC+BpB;EACI;;AAKZ;EACI,kBD5CoB;EC6CpB,ODrEU;;ACyEV;EACI,MD1EM;;AC6EV;EACI,MD1DW;;ACsEnB;EACI,OD3FU;;AC+Fb;EACI,ODhEM;;ACoEN;EACI,ODtEG;;;AC8EZ;EDrHF;;AACA;ECoHE;IDnHA;IACA;;;ACsHA;EDzHF;;AACA;ECwHE;IDvHA;IACA;;;;AC2HJ;EACI;;;AAGJ;EACI,OD5FY","file":"light.css"}
+{"version":3,"sourceRoot":"","sources":["../../scss/fonts.scss","../../scss/main.scss","../../scss/variables.scss","../../scss/light.scss"],"names":[],"mappings":"AACA;EACI;EACA;;AAIJ;EACI;EACA;EACA;EACA;;AAEJ;EACI;EACA;EACA;EACA;;AAGJ;EACI;EACA;EACA;EACA;;AAEJ;EACI;EACA;EACA;EACA;;AAGJ;EACI;EACA;EACA;EACA;;AAEJ;EACI;EACA;EACA;EACA;;AAGJ;EACI;EACA;EACA;EACA;;AAEJ;EACI;EACA;EACA;EACA;;AAGJ;EACI;EACA;EACA;EACA;;AAEJ;EACI;EACA;EACA;EACA;;AAIJ;EACI;EACA;EACA;EACA;AAA6D;EAC7D;;AC5EJ;EACI;EACA,aCHW;EDIX;EACA;;;AAGJ;EACI;;;AAGJ;EACI;EACA;EACA;EACA,kBCQc;EDPd,OCQQ;EDPR;EACA;EACA;EAEI;;;AAIR;EACI,OCFQ;EDGR,aC3BS;ED4BT;EACA,WCzBS;ED0BT;;;AAGJ;EACI,OCVQ;EDWR,aCnCS;EDoCT;EACA,WChCU;;;ADmCd;EACI;EACA;;;AAGJ;EACI;;AAEA;EACI;EACA;EACA;EACA;EACA;;;AAIR;EACI;EACA;EACA;;;AAGJ;EACI;EACA;EACA;EACA;;;AAGJ;EACI,OC9CW;ED+CX;EACA;;AAEA;EACI,OClDY;;ADqDhB;EACI;;;AAIR;EACI,kBC9Dc;ED+Dd,OC7DW;ED8DX;EACA;EACA;EACA;EACA,QCxFU;EDyFV;EACA;EACA;EACA;EACA;EACA;EACA;;AAEA;EACI,kBC3EY;ED4EZ,OC/EU;EDgFV;;AAGJ;EACI,kBClFO;EDmFP,OCpFI;EDqFJ;;AACA;EACI,kBCrFQ;;ADyFhB;EACI,kBCxFW;EDyFX;;AAEA;EACI,kBC5FO;ED6FP;;AAIR;EACI;EACA;EACA;EACA;EACA,OChGa;EDiGb,kBChGmB;;ADkGnB;EACI;EACA;EACA;EACA;EACA;EACA;EACA;EACA;;AAGJ;EACI;EACA;EACA;;;AAOZ;EACI,kBC9HmB;ED+HnB,OCpIQ;EDqIR,QC1JU;ED2JV;EACA;EACA;;;AAIA;EACI;EACA;EACA;EACA;ECzJN;;AACA;EDoJE;ICnJA;IACA;;;AD0JA;EC7JF;;AACA;ED4JE;IC3JA;IACA;;;;ADiKA;EACI;EACA;;AAGJ;EACI;EACA;;AAEA;EACI,WCvLE;EDwLF;;AAGJ;EACI;EACA;EACA;EACA,OC1KC;;;ADgLT;EACI;EACA;;AAGJ;EACI;;AAEA;EACI;EACA;;AAGJ;EACI;EACA;EACA;EACA;;AAIR;EACI;;AAEA;EACI;EACA;;AAGJ;EACI;EACA;EACA;EACA;EACA;EACA,OCtNA;;AD0NR;EACI,OCxNK;EDyNL;EACA;EACA;;AAEA;EACI;EACA;;AAIR;EACI;;AAEA;EACI;;AAGJ;EACI;;AAIR;EACI;EACA;EACA,OCrPI;EDsPJ;EACA;EACA;EACA;;AAEA;EACI;EACA,kBCxPW;;AD2Pf;EACI;;AAIR;EACI;;AAKA;EACI;EACA;;AAGJ;EACI;EACA;EACA;EACA;EACA,cCjRO;EDkRP;EACA;EACA;EACA;EACA;;AAEA;EACI;;AAGJ;EACI;;AAKR;EACI;;AAEA;EACI;;AAEA;EACI;;AAEJ;EACI,OC7SP;;ADoTL;EACI;;AAEJ;EACI;EACA;EACA;EACA;ECvUV;;AACA;EDkUM;ICjUJ;IACA;;;ADyUQ;EACI;EACA;EC9Ud;;AACA;ED2UU;IC1UR;IACA;;;ADgVI;EACI;EACA;;AAIR;EACI;EACA;EACA;EACA;EACA;;AAEA;EACI;EACA;EACA;EACA;EACA;;AAEA;EACI;EACA;EACA;EACA,OCrVN;;AD0VE;EACI,OC5VL;;ADiWP;EACI;;AACA;EACI;EACA;;;AAKZ;EACI;EACA;;;AAGJ;EACI;;AAEA;EACI,MC/XI;;ADkYR;EACI,MCpYU;;;ADyYd;EACI;EACA;;;AAIR;EAII;EACA;EACA;EACA;;;AAGJ;EACI;EACA;EACA;EACA;AAAkB;EAClB;EACA;EACA;EACA;EACA;EACA;EACA;AAEA;EACA;AACA;EACA;AAEA;EACA;AAEA;EACA;;;AAGJ;EACI;EACA;EACA;;;AAGJ;EACI,OC5aO;;;AD+aX;EACI;;;AAGJ;EACI;;;AEzdJ;EACI,kBD2CmB;EC1CnB,ODsBc;ECpBV;;AAGJ;EACI;;AAGJ;EACI,ODYU;;ACTd;EACI,kBD4Be;EC3Bf,ODSO;ECRP;;AAEA;EACI,kBD0Ba;ECzBb;EACA,ODyBgB;;ACtBpB;EACI,kBDDG;ECEH,ODoBgB;ECnBhB;EACA;;AACA;EACI,kBDLI;;ACSZ;EACI,kBDRO;ECSP;;AAEA;EACI,kBDZG;ECaH;;AAIR;EACI,ODvBM;;ACyBN;EACI;EACA,kBDHY;;ACQhB;EDxCV;;AACA;ECuCU;IDtCR;IACA;;;ACyCQ;EACI,kBDbY;;ACeZ;ED/Cd;;AACA;EC8Cc;ID7CZ;IACA;;;ACmDQ;EDtDV;;AACA;ECqDU;IDpDR;IACA;;;ACwDY;ED3Dd;;AACA;EC0Dc;IDzDZ;IACA;;;AC8DI;EACI,OD7Bc;EC8Bd,kBD7BoB;;AC+BpB;EACI;;AAKZ;EACI,kBD5CoB;EC6CpB,ODrEU;;ACyEV;EACI,MD1EM;;AC6EV;EACI,MD1DW;;ACsEnB;EACI,OD3FU;;AC+Fb;EACI,ODhEM;;ACoEN;EACI,ODtEG;;;AC8EZ;EDrHF;;AACA;ECoHE;IDnHA;IACA;;;ACsHA;EDzHF;;AACA;ECwHE;IDvHA;IACA;;;;AC2HJ;EACI;;;AAGJ;EACI,OD5FY","file":"light.css"}
--- a/internal/ui/login/static/templates/mfa_init_done.html
+++ b/internal/ui/login/static/templates/mfa_init_done.html
@@ -3,7 +3,7 @@
 <div class="head">
    {{ template "user-profile" . }}

-    <p>{{t "MfaInitDone.Description"}}</p>
+    <p>{{t "MFAInitDone.Description"}}</p>
 </div>

 <form action="{{ loginUrl }}" method="POST">
@@ -11,7 +11,7 @@
    {{ .CSRF }}

    <input type="hidden" name="authRequestID" value="{{ .AuthReqID }}" />
-    <input type="hidden" name="mfaType" value="{{ .MfaType }}" />
+    <input type="hidden" name="mfaType" value="{{ .MFAType }}" />

    <div class="actions">
        <button class="primary right" type="submit">{{t "Actions.Next"}}</button>
--- a/internal/ui/login/static/templates/mfa_init_u2f.html
+++ b/internal/ui/login/static/templates/mfa_init_u2f.html
@@ -0,0 +1,42 @@
+{{template "main-top" .}}
+
+<div class="head">
+    {{ template "user-profile" . }}
+
+    <p>{{t "MFAInitU2F.Description"}}</p>
+</div>
+
+<form action="{{ mfaInitU2FVerifyUrl }}" method="POST">
+
+    {{ .CSRF }}
+
+    <input type="hidden" name="authRequestID" value="{{ .AuthReqID }}" />
+    <input type="hidden" name="credentialCreationData" value="{{ .CredentialCreationData }}" />
+    <input type="hidden" name="credentialData" />
+
+    <div class="fields">
+        <p class="wa-no-support error hidden">{{t "WebAuthN.NotSupported"}}</p>
+        <div class="field">
+            <label class="label" for="name">{{t "WebAuthN.Name"}}</label>
+            <input class="input" type="text" id="name" name="name" autocomplete="off" autofocus>
+        </div>
+        <a id="btn-register" class="button primary wa-support">{{t "Actions.RegisterToken"}}</a>
+        <div id="wa-error" class="error hidden">
+            <span class="cause"></span>
+            <span>{{t "WebAuthN.Error.Retry"}}</span>
+        </div>
+    </div>
+
+    {{ template "error-message" .}}
+
+    <div class="actions">
+        <button class="secondary right wa-support" id="submit-button" type="submit" name="recreate" value="true">{{t "Actions.Recreate"}}</button>
+    </div>
+</form>
+
+<script src="{{ resourceUrl "scripts/base64.js" }}"></script>
+<script src="{{ resourceUrl "scripts/webauthn.js" }}"></script>
+<script src="{{ resourceUrl "scripts/webauthn_register.js" }}"></script>
+
+{{template "main-bottom" .}}
+ 
--- a/internal/ui/login/static/templates/mfa_init_verify.html
+++ b/internal/ui/login/static/templates/mfa_init_verify.html
@@ -3,7 +3,7 @@
 <div class="head">
    {{ template "user-profile" . }}

-    <p>{{t "MfaInitVerify.Description"}}</p>
+    <p>{{t "MFAInitVerify.Description"}}</p>
 </div>

 <form action="{{ mfaInitVerifyUrl }}" method="POST">
@@ -11,25 +11,25 @@
    {{ .CSRF }}

    <input type="hidden" name="authRequestID" value="{{ .AuthReqID }}" />
-    <input type="hidden" name="mfaType" value="{{ .MfaType }}" />
+    <input type="hidden" name="mfaType" value="{{ .MFAType }}" />
    <input type="hidden" name="url" value="{{ .Url }}" />
    <input type="hidden" name="secret" value="{{ .Secret }}" />

-    {{if (eq .MfaType 0) }}
-        <p>{{t "MfaInitVerify.OtpDescription"}}</p>
+    {{if (eq .MFAType 0) }}
+        <p>{{t "MFAInitVerify.OTPDescription"}}</p>
        <div id="qrcode">
            {{.QrCode}}
        </div>
        <div class="fields">
            <div class="field">
-                <span class="label" for="secret">{{t "MfaInitVerify.Secret"}}</span>
+                <span class="label" for="secret">{{t "MFAInitVerify.Secret"}}</span>
                <span class="input" id="secret">
                    {{.Secret}}
                    <span class="copy material-icons" data-copy="{{ .Secret }}" >content_copy</span>
                </span>
            </div>
            <div class="field">
-               <label class="label" for="code">{{t "MfaInitVerify.Code"}}</label>
+               <label class="label" for="code">{{t "MFAInitVerify.Code"}}</label>
                <input class="input" type="text" id="code" name="code" autocomplete="off" autofocus required>
            </div>
        </div>
@@ -37,7 +37,7 @@

    <div class="actions">
        <button class="primary right" id="submit-button" type="submit">{{t "Actions.Next"}}</button>
-        <a class="button secondary" href="{{ mfaPromptChangeUrl .AuthReqID .MfaType }}">
+        <a class="button secondary" href="{{ mfaPromptChangeUrl .AuthReqID .MFAType }}">
            {{t "Actions.Back"}}
        </a>
        <a class="button secondary" href="{{ loginUrl }}">
--- a/internal/ui/login/static/templates/mfa_prompt.html
+++ b/internal/ui/login/static/templates/mfa_prompt.html
@@ -3,7 +3,7 @@
 <div class="head">
    {{ template "user-profile" . }}

-    <p>{{t "MfaPrompt.Description"}}</p>
+    <p>{{t "MFAPrompt.Description"}}</p>
 </div>

 <form action="{{ mfaPromptUrl }}" method="POST">
@@ -13,8 +13,8 @@
    <input type="hidden" name="authRequestID" value="{{ .AuthReqID }}" />
    
    <div class="fields">
-        {{ range $provider := .MfaProviders}}
-        {{ $providerName := (t (printf "MfaPrompt.Provider%v" $provider)) }}
+        {{ range $provider := .MFAProviders}}
+        {{ $providerName := (t (printf "MFAPrompt.Provider%v" $provider)) }}
            <div class="field radio-button">
                <input id="{{ $provider }}" type="radio" name="provider" value="{{ $provider }}">
                <label for="{{ $provider }}">{{ $providerName }}</label>
@@ -24,7 +24,7 @@

    <div class="actions">
        <button class="primary right" type="submit">{{t "Actions.Next"}}</button>
-        {{if not .MfaRequired}}
+        {{if not .MFARequired}}
        <button class="default right" name="skip" value="true" type="submit" formnovalidate>{{t "Actions.Skip"}}</button>
        {{end}}
        <a class="button secondary" href="{{ loginUrl }}">
--- a/internal/ui/login/static/templates/mfa_verification_u2f.html
+++ b/internal/ui/login/static/templates/mfa_verification_u2f.html
@@ -0,0 +1,37 @@
+{{template "main-top" .}}
+
+<div class="head">
+    {{ template "user-profile" . }}
+
+    <p>{{t "MFAVerifyU2F.Description"}}</p>
+</div>
+
+<form action="{{ mfaInitU2FLoginUrl }}" method="POST">
+
+    {{ .CSRF }}
+
+    <input type="hidden" name="authRequestID" value="{{ .AuthReqID }}"/>
+    <input type="hidden" name="credentialAssertionData" value="{{ .CredentialCreationData }}"/>
+    <input type="hidden" name="credentialData"/>
+
+    <div id="webauthn">
+        <p class="wa-no-support error hidden">{{t "WebAuthN.NotSupported"}}</p>
+        <a id="btn-login" class="button primary wa-support">{{t "Actions.ValidateToken"}}</a>
+        <div id="wa-error" class="error hidden">
+            <span class="cause"></span>
+            <span>{{t "WebAuthN.Error.Retry"}}</span>
+        </div>
+    </div>
+
+    {{ template "error-message" .}}
+
+    <div class="actions">
+        <button class="secondary right wa-support" id="submit-button" type="submit" name="recreate" value="true">{{t "Actions.Recreate"}}</button>
+    </div>
+</form>
+
+<script src="{{ resourceUrl "scripts/base64.js" }}"></script>
+<script src="{{ resourceUrl "scripts/webauthn.js" }}"></script>
+<script src="{{ resourceUrl "scripts/webauthn_login.js" }}"></script>
+
+{{template "main-bottom" .}}
--- a/internal/ui/login/static/templates/mfa_verify.html
+++ b/internal/ui/login/static/templates/mfa_verify.html
@@ -3,7 +3,7 @@
 <div class="head">
    {{ template "user-profile" . }}

-    <p>{{t "MfaVerify.Description"}}</p>
+    <p>{{t "MFAVerify.Description"}}</p>
 </div>

 <form action="{{ mfaVerifyUrl }}" method="POST">
@@ -11,11 +11,11 @@
    {{ .CSRF }}

    <input type="hidden" name="authRequestID" value="{{ .AuthReqID }}" />
-    <input type="hidden" name="mfaType" value="{{ .SelectedMfaProvider }}" />
+    <input type="hidden" name="mfaType" value="{{ .SelectedMFAProvider }}" />

    <div class="fields">
        <div class="field">
-            <label class="label" for="code">{{t "MfaVerify.Code"}}</label>
+            <label class="label" for="code">{{t "MFAVerify.Code"}}</label>
            <input class="input" type="text" id="code" name="code" autocomplete="off" autofocus required>
        </div>
    </div>
--- a/internal/ui/login/static/templates/passwordless.html
+++ b/internal/ui/login/static/templates/passwordless.html
@@ -0,0 +1,37 @@
+{{template "main-top" .}}
+
+<div class="head">
+    {{ template "user-profile" . }}
+
+    <p>{{t "Passwordless.Description"}}</p>
+</div>
+
+<form action="{{ passwordLessVerificationUrl }}" method="POST">
+
+    {{ .CSRF }}
+
+    <input type="hidden" name="authRequestID" value="{{ .AuthReqID }}"/>
+    <input type="hidden" name="credentialAssertionData" value="{{ .CredentialCreationData }}"/>
+    <input type="hidden" name="credentialData"/>
+
+    <div id="webauthn">
+        <p class="wa-no-support error hidden">{{t "WebAuthN.NotSupported"}}</p>
+        <a id="btn-login" class="button primary wa-support">{{t "Actions.ValidateToken"}}</a>
+        <div id="wa-error" class="error hidden">
+            <span class="cause"></span>
+            <span>{{t "WebAuthN.Error.Retry"}}</span>
+        </div>
+    </div>
+
+    {{ template "error-message" .}}
+
+    <div class="actions">
+        <button class="secondary right wa-support" id="submit-button" type="submit" name="recreate" value="true">{{t "Actions.Recreate"}}</button>
+    </div>
+</form>
+
+<script src="{{ resourceUrl "scripts/base64.js" }}"></script>
+<script src="{{ resourceUrl "scripts/webauthn.js" }}"></script>
+<script src="{{ resourceUrl "scripts/webauthn_login.js" }}"></script>
+
+{{template "main-bottom" .}}