@brugeman You mention using webauthn as a second factor. But in my opinion, only webauthn authentication is sufficient and password authentication is not necessary. This is nosskey.😁