diff --git a/.github/CODEOWNERS b/.github/CODEOWNERS
index f3aaf432e239f..515ec79e526ed 100644
--- a/.github/CODEOWNERS
+++ b/.github/CODEOWNERS
@@ -50,3 +50,10 @@ build/media_source/*/js/*  @wilsonge
 plugins/system/httpheaders/*  @zero-24
 administrator/components/com_csp/* @zero-24
 components/com_csp/* @zero-24
+
+# Web Authentication (WebAuthn)
+
+plugins/system/webauthn/*   @nikosdion
+media/plg_system_webauthn/*   @nikosdion
+language/administrator/en-GB/en-GB.plg_system_webauthn.ini   @nikosdion
+language/administrator/en-GB/en-GB.plg_system_webauthn.sys.ini   @nikosdion
diff --git a/.gitignore b/.gitignore
index 89f7804d40967..ee85aa319e20d 100644
--- a/.gitignore
+++ b/.gitignore
@@ -101,3 +101,6 @@ RoboFile.ini
 # Media Manager
 /media/com_media/js/mediamanager.min.js.map
 /media/com_media/css/mediamanager.min.css.map
+
+# Web Authentication plugin
+!/build/media_source/plg_system_webauthn/js/*.es6.js
diff --git a/administrator/components/com_admin/sql/updates/mysql/4.0.0-2019-07-02.sql b/administrator/components/com_admin/sql/updates/mysql/4.0.0-2019-07-02.sql
new file mode 100644
index 0000000000000..4cf70da3dffb4
--- /dev/null
+++ b/administrator/components/com_admin/sql/updates/mysql/4.0.0-2019-07-02.sql
@@ -0,0 +1,14 @@
+CREATE TABLE IF NOT EXISTS `#__webauthn_credentials`
+(
+    `id`         VARCHAR(1000)   NOT NULL COMMENT 'Credential ID',
+    `user_id`    VARCHAR(128)    NOT NULL COMMENT 'User handle',
+    `label`      VARCHAR(190)    NOT NULL COMMENT 'Human readable label',
+    `credential` MEDIUMTEXT      NOT NULL COMMENT 'Credential source data, JSON format',
+    PRIMARY KEY (`id`(100)),
+    INDEX (`user_id`(100))
+) ENGINE = InnoDB
+  DEFAULT CHARSET = utf8mb4
+  DEFAULT COLLATE = utf8mb4_unicode_ci;
+
+INSERT INTO `#__extensions` (`package_id`, `name`, `type`, `element`, `folder`, `client_id`, `enabled`, `access`, `protected`, `manifest_cache`, `params`, `checked_out`, `checked_out_time`, `ordering`, `state`) VALUES
+(0, 'plg_system_webauthn', 'plugin', 'webauthn', 'system', 0, 1, 1, 0, '', '{}', 0, '0000-00-00 00:00:00', 0, 0);
diff --git a/administrator/components/com_admin/sql/updates/postgresql/4.0.0-2019-07-02.sql b/administrator/components/com_admin/sql/updates/postgresql/4.0.0-2019-07-02.sql
new file mode 100644
index 0000000000000..f3b8c2402776c
--- /dev/null
+++ b/administrator/components/com_admin/sql/updates/postgresql/4.0.0-2019-07-02.sql
@@ -0,0 +1,13 @@
+CREATE TABLE IF NOT EXISTS "#__webauthn_credentials"
+(
+    "id"         varchar(1000)    NOT NULL,
+    "user_id"    varchar(128)     NOT NULL,
+    "label"      varchar(190)     NOT NULL,
+    "credential" TEXT             NOT NULL,
+    PRIMARY KEY ("id")
+);
+
+CREATE INDEX "#__webauthn_credentials_user_id" ON "#__webauthn_credentials" ("user_id");
+
+INSERT INTO "#__extensions" ("package_id", "name", "type", "element", "folder", "client_id", "enabled", "access", "protected", "manifest_cache", "params", "checked_out", "checked_out_time", "ordering", "state") VALUES
+(0, 'plg_system_webauthn', 'plugin', 'webauthn', 'system', 0, 1, 1, 0, '', '{}', 0, '1970-01-01 00:00:00', 8, 0);
diff --git a/administrator/language/en-GB/en-GB.plg_system_webauthn.ini b/administrator/language/en-GB/en-GB.plg_system_webauthn.ini
new file mode 100644
index 0000000000000..57ea022d85be4
--- /dev/null
+++ b/administrator/language/en-GB/en-GB.plg_system_webauthn.ini
@@ -0,0 +1,46 @@
+; Joomla! Project
+; Copyright (C) 2005 - 2019 Open Source Matters. All rights reserved.
+; License GNU General Public License version 2 or later; see LICENSE.txt, see LICENSE.php
+; Note : All ini files need to be saved as UTF-8
+
+PLG_SYSTEM_WEBAUTHN="System - WebAuthn Passwordless Login"
+PLG_SYSTEM_WEBAUTHN_DESCRIPTION="Enables passwordless authentication using the W3C Web Authentication (WebAuthn) API."
+
+PLG_SYSTEM_WEBAUTHN_LOGIN_LABEL="Web Authentication"
+PLG_SYSTEM_WEBAUTHN_LOGIN_DESC="Login without a password using the W3C Web Authentication (WebAuthn) standard in compatible browsers. You need to have already set up WebAuthn authentication in your user profile."
+
+PLG_SYSTEM_WEBAUTHN_HEADER="W3C Web Authentication (WebAuthn) Login"
+PLG_SYSTEM_WEBAUTHN_FIELD_LABEL="W3C Web Authentication (WebAuthn) Login"
+PLG_SYSTEM_WEBAUTHN_FIELD_DESC="Lets you manage passwordless login methods using the W3C Web Authentication standard. You need a supported browser and authenticator (e.g. Google Chrome or Firefox with a FIDO2 certified security key)."
+
+PLG_SYSTEM_WEBAUTHN_MANAGE_FIELD_KEYLABEL_LABEL="Authenticator name"
+PLG_SYSTEM_WEBAUTHN_MANAGE_FIELD_KEYLABEL_DESC="A short name for the authenticator used with this passwordless login method."
+PLG_SYSTEM_WEBAUTHN_MANAGE_HEADER_NOMETHODS_LABEL="No authenticators have been set up yet."
+PLG_SYSTEM_WEBAUTHN_MANAGE_HEADER_ACTIONS_LABEL="Actions"
+PLG_SYSTEM_WEBAUTHN_MANAGE_BTN_DELETE_LABEL="Remove"
+PLG_SYSTEM_WEBAUTHN_MANAGE_BTN_EDIT_LABEL="Edit name"
+PLG_SYSTEM_WEBAUTHN_MANAGE_BTN_ADD_LABEL="Add new authenticator"
+PLG_SYSTEM_WEBAUTHN_MANAGE_BTN_SAVE_LABEL="Save"
+PLG_SYSTEM_WEBAUTHN_MANAGE_BTN_CANCEL_LABEL="Cancel"
+
+PLG_SYSTEM_WEBAUTHN_LBL_DEFAULT_AUTHENTICATOR_LABEL="Authenticator added on %s"
+
+PLG_SYSTEM_WEBAUTHN_MSG_SAVED_LABEL="The label has been saved successfully."
+PLG_SYSTEM_WEBAUTHN_MSG_DELETED="The authenticator has been removed successfully."
+
+PLG_SYSTEM_WEBAUTHN_ERR_NO_STORED_CREDENTIAL="Cannot find the stored credentials for your login authenticator."
+PLG_SYSTEM_WEBAUTHN_ERR_CORRUPT_STORED_CREDENTIAL="The stored credentials are corrupt for your user account. Log in using another method, then remove and add again your login authenticator."
+PLG_SYSTEM_WEBAUTHN_ERR_CANT_STORE_FOR_GUEST="Cannot possibly store credentials for Guest user!"
+PLG_SYSTEM_WEBAUTHN_ERR_CREDENTIAL_ID_ALREADY_IN_USE="Cannot save credentials. These credentials are already being used by a different user."
+PLG_SYSTEM_WEBAUTHN_ERR_USER_REMOVED="The user for this authenticator seems to no longer exist on this site."
+PLG_SYSTEM_WEBAUTHN_ERR_NO_BROWSER_SUPPORT="Sorry, your browser does not support the W3C Web Authentication standard for passwordless logins. You will need to log into this site using your username and password."
+PLG_SYSTEM_WEBAUTHN_ERR_CREATE_NO_PK="The server has not issued a Public Key for authenticator registration but somehow received an authenticator registration request from the browser. This means that someone tried to hack you or something is broken."
+PLG_SYSTEM_WEBAUTHN_ERR_CREATE_INVALID_PK="The authenticator registration has failed. The authenticator response received from the browser does not match the Public Key issued by the server. This means that someone tried to hack you or something is broken."
+PLG_SYSTEM_WEBAUTHN_ERR_CREATE_INVALID_USER="For security reasons you are not allowed to register passwordless authentication tokens on behalf of another user."
+PLG_SYSTEM_WEBAUTHN_ERR_CREATE_NO_ATTESTED_DATA="Something went wrong but no further information about the error is available at this time. Please retry registering your authenticator."
+PLG_SYSTEM_WEBAUTHN_ERR_LABEL_NOT_SAVED="Could not save the new label"
+PLG_SYSTEM_WEBAUTHN_ERR_NOT_DELETED="Could not remove the authenticator"
+PLG_SYSTEM_WEBAUTHN_ERR_CREATE_INVALID_LOGIN_REQUEST="Invalid passwordless login request. Something is broken or this is an attempt to hack the site."
+PLG_SYSTEM_WEBAUTHN_ERR_CANNOT_FIND_USERNAME="Cannot find the username field in the login module. Sorry, Passwordless authentication will not work on this site unless you use a different login module."
+PLG_SYSTEM_WEBAUTHN_ERR_EMPTY_USERNAME="You need to enter your username (but NOT your password) before clicking the Passwordless Login button."
+PLG_SYSTEM_WEBAUTHN_ERR_INVALID_USERNAME="The specified username does not correspond to a user account that has enabled passwordless login on this site."
diff --git a/administrator/language/en-GB/en-GB.plg_system_webauthn.sys.ini b/administrator/language/en-GB/en-GB.plg_system_webauthn.sys.ini
new file mode 100644
index 0000000000000..4be68e3ed6857
--- /dev/null
+++ b/administrator/language/en-GB/en-GB.plg_system_webauthn.sys.ini
@@ -0,0 +1,7 @@
+; Joomla! Project
+; Copyright (C) 2005 - 2019 Open Source Matters. All rights reserved.
+; License GNU General Public License version 2 or later; see LICENSE.txt, see LICENSE.php
+; Note : All ini files need to be saved as UTF-8
+
+PLG_SYSTEM_WEBAUTHN="System - WebAuthn Passwordless Login"
+PLG_SYSTEM_WEBAUTHN_DESCRIPTION="Enables passwordless authentication using the W3C Web Authentication (WebAuthn) API."
diff --git a/administrator/modules/mod_login/mod_login.php b/administrator/modules/mod_login/mod_login.php
index 53445e1b0f54e..23d407779b1b6 100644
--- a/administrator/modules/mod_login/mod_login.php
+++ b/administrator/modules/mod_login/mod_login.php
@@ -15,6 +15,7 @@
 
 $langs            = LoginHelper::getLanguageList();
 $twofactormethods = AuthenticationHelper::getTwoFactorMethods();
+$extraButtons     = AuthenticationHelper::getLoginButtons('form-login');
 $return           = LoginHelper::getReturnUri();
 
 require ModuleHelper::getLayoutPath('mod_login', $params->get('layout', 'default'));
diff --git a/administrator/modules/mod_login/tmpl/default.php b/administrator/modules/mod_login/tmpl/default.php
index 16fcc38bf42ce..36c61a791e36a 100644
--- a/administrator/modules/mod_login/tmpl/default.php
+++ b/administrator/modules/mod_login/tmpl/default.php
@@ -96,6 +96,25 @@ class="form-control input-full"
 				<?php echo $langs; ?>
 			</div>
 		<?php endif; ?>
+		<?php foreach($extraButtons as $button): ?>
+		<div class="form-group">
+			<button type="button"
+			        class="btn btn-secondary btn-block mt-4 <?= $button['class'] ?? '' ?>"
+			        onclick="<?= $button['onclick'] ?>"
+			        title="<?= Text::_($button['label']) ?>"
+			        id="<?= $button['id'] ?>"
+			>
+				<?php if (!empty($button['icon'])): ?>
+					<span class="<?= $button['icon'] ?>"></span>
+				<?php elseif (!empty($button['image'])): ?>
+					<?= HTMLHelper::_('image', $button['image'], Text::_('PLG_SYSTEM_WEBAUTHN_LOGIN_DESC'), [
+						'class' => 'icon',
+					], true) ?>
+				<?php endif; ?>
+				<?= Text::_($button['label']) ?>
+			</button>
+		</div>
+		<?php endforeach; ?>
 		<div class="form-group">
 			<button class="btn btn-primary btn-block btn-lg mt-4" id="btn-login-submit"><?php echo Text::_('JLOGIN'); ?></button>
 		</div>
diff --git a/build/media_source/plg_system_webauthn/images/webauthn-black.png b/build/media_source/plg_system_webauthn/images/webauthn-black.png
new file mode 100644
index 0000000000000..db7a146ef9e80
Binary files /dev/null and b/build/media_source/plg_system_webauthn/images/webauthn-black.png differ
diff --git a/build/media_source/plg_system_webauthn/images/webauthn-color.png b/build/media_source/plg_system_webauthn/images/webauthn-color.png
new file mode 100644
index 0000000000000..ec570bd00ac80
Binary files /dev/null and b/build/media_source/plg_system_webauthn/images/webauthn-color.png differ
diff --git a/build/media_source/plg_system_webauthn/images/webauthn-white.png b/build/media_source/plg_system_webauthn/images/webauthn-white.png
new file mode 100644
index 0000000000000..42cc9b452e74a
Binary files /dev/null and b/build/media_source/plg_system_webauthn/images/webauthn-white.png differ
diff --git a/build/media_source/plg_system_webauthn/js/login.es6.js b/build/media_source/plg_system_webauthn/js/login.es6.js
new file mode 100644
index 0000000000000..7cd60d0680397
--- /dev/null
+++ b/build/media_source/plg_system_webauthn/js/login.es6.js
@@ -0,0 +1,231 @@
+/**
+ * @package     Joomla.Plugin
+ * @subpackage  System.updatenotification
+ *
+ * @copyright   Copyright (C) 2005 - 2019 Open Source Matters, Inc. All rights reserved.
+ * @license     GNU General Public License version 2 or later; see LICENSE.txt
+ */
+
+/**
+ * Finds the first field matching a selector inside a form
+ *
+ * @param   {HTMLFormElement}  elForm         The FORM element
+ * @param   {String}           fieldSelector  The CSS selector to locate the field
+ *
+ * @returns {Element|null}  NULL when no element is found
+ */
+function plgSystemWebauthnFindField(elForm, fieldSelector) {
+  let elInputs = elForm.querySelectorAll(fieldSelector);
+
+  if (!elInputs.length) {
+    return null;
+  }
+
+  return elInputs[0];
+}
+
+/**
+ * Find a form field described the CSS selector fieldSelector. The field must be inside a <form>
+ * element which is either the outerElement itself or enclosed by outerElement.
+ *
+ * @param   {Element}  outerElement   The element which is either our form or contains our form.
+ * @param   {String}   fieldSelector  The CSS selector to locate the field
+ *
+ * @returns {null|Element}  NULL when no element is found
+ */
+function plgSystemWebauthnLookForField(outerElement, fieldSelector) {
+  var elElement = outerElement.parentElement;
+  var elInput = null;
+
+  if (elElement.nodeName === 'FORM') {
+    elInput = plgSystemWebauthnFindField(elElement, fieldSelector);
+
+    return elInput;
+  }
+
+  var elForms = elElement.querySelectorAll('form');
+
+  if (elForms.length) {
+    for (var i = 0; i < elForms.length; i++) {
+      elInput = plgSystemWebauthnFindField(elForms[i], fieldSelector);
+
+      if (elInput !== null) {
+        return elInput;
+      }
+    }
+  }
+
+  return null;
+}
+
+/**
+ * Initialize the passwordless login, going through the server to get the registered certificates
+ * for the user.
+ *
+ * @param   {string}   form_id       The login form's or login module's HTML ID
+ * @param   {string}   callback_url  The URL we will use to post back to the server. Must include
+ *   the anti-CSRF token.
+ *
+ * @returns {boolean}  Always FALSE to prevent BUTTON elements from reloading the page.
+ */
+function plgSystemWebauthnLogin(form_id, callback_url) {
+  // Get the username
+  let elFormContainer = document.getElementById(form_id);
+  let elUsername = plgSystemWebauthnLookForField(elFormContainer, 'input[name=username]');
+  let elReturn = plgSystemWebauthnLookForField(elFormContainer, 'input[name=return]');
+
+  if (elUsername === null) {
+    alert(Joomla.JText._('PLG_SYSTEM_WEBAUTHN_ERR_CANNOT_FIND_USERNAME'));
+
+    return false;
+  }
+
+  let username = elUsername.value;
+  let returnUrl = elReturn ? elReturn.value : null;
+
+  // No username? We cannot proceed. We need a username to find the acceptable public keys :(
+  if (username === '') {
+    alert(Joomla.JText._('PLG_SYSTEM_WEBAUTHN_ERR_EMPTY_USERNAME'));
+
+    return false;
+  }
+
+  // Get the Public Key Credential Request Options (challenge and acceptable public keys)
+  let postBackData = {
+    'option': 'com_ajax',
+    'group': 'system',
+    'plugin': 'webauthn',
+    'format': 'raw',
+    'akaction': 'challenge',
+    'encoding': 'raw',
+    'username': username,
+    'returnUrl': returnUrl
+  };
+
+  Joomla.request({
+    url: callback_url,
+    method: 'POST',
+    data: plgSystemWebauthnInterpolateParameters(postBackData),
+    onSuccess(rawResponse) {
+      let jsonData = {};
+
+      try {
+        jsonData = JSON.parse(rawResponse);
+      } catch (e) {
+        /**
+         * In case of JSON decoding failure fall through; the error will be handled in the login
+         * challenge handler called below.
+         */
+      }
+
+      plgSystemWebauthnHandleLoginChallenge(jsonData, callback_url);
+    },
+    onError: (xhr) => {
+      plgSystemWebauthnHandleLoginError(xhr.status + ' ' + xhr.statusText);
+    }
+  });
+
+  return false;
+}
+
+/**
+ * Handles the browser response for the user interaction with the authenticator. Redirects to an
+ * internal page which handles the login server-side.
+ *
+ * @param {  Object}  publicKey     Public key request options, returned from the server
+ * @param   {String}  callback_url  The URL we will use to post back to the server. Must include
+ *   the anti-CSRF token.
+ */
+function plgSystemWebauthnHandleLoginChallenge(publicKey, callback_url) {
+  function arrayToBase64String(a) {
+    return btoa(String.fromCharCode(...a));
+  }
+
+  if (!publicKey.challenge) {
+    plgSystemWebauthnHandleLoginError(Joomla.JText._('PLG_SYSTEM_WEBAUTHN_ERR_INVALID_USERNAME'));
+
+    return;
+  }
+
+  publicKey.challenge = Uint8Array.from(window.atob(publicKey.challenge), c => c.charCodeAt(0));
+  publicKey.allowCredentials = publicKey.allowCredentials.map(function (data) {
+    return {
+      ...data,
+      'id': Uint8Array.from(atob(data.id), c => c.charCodeAt(0))
+    };
+  });
+
+  navigator.credentials.get({publicKey})
+    .then(data => {
+      let publicKeyCredential = {
+        id: data.id,
+        type: data.type,
+        rawId: arrayToBase64String(new Uint8Array(data.rawId)),
+        response: {
+          authenticatorData: arrayToBase64String(new Uint8Array(data.response.authenticatorData)),
+          clientDataJSON: arrayToBase64String(new Uint8Array(data.response.clientDataJSON)),
+          signature: arrayToBase64String(new Uint8Array(data.response.signature)),
+          userHandle: data.response.userHandle ? arrayToBase64String(
+            new Uint8Array(data.response.userHandle)) : null
+        }
+      };
+
+      window.location = callback_url + '&option=com_ajax&group=system&plugin=webauthn&' +
+        'format=raw&akaction=login&encoding=redirect&data=' +
+        btoa(JSON.stringify(publicKeyCredential));
+
+    }, error => {
+      // Example: timeout, interaction refused...
+      console.log(error);
+      plgSystemWebauthnHandleLoginError(error);
+    });
+}
+
+/**
+ * A simple error handler.
+ *
+ * @param   {String}  message
+ */
+function plgSystemWebauthnHandleLoginError(message) {
+  alert(message);
+
+  console.log(message);
+}
+
+/**
+ * Converts a simple object containing query string parameters to a single, escaped query string.
+ * This method is a necessary evil since Joomla.request can only accept data as a string.
+ *
+ * @param    object   {object}  A plain object containing the query parameters to pass
+ * @param    prefix   {string}  Prefix for array-type parameters
+ *
+ * @returns  {string}
+ */
+function plgSystemWebauthnInterpolateParameters(object, prefix) {
+  prefix = prefix || '';
+  var encodedString = '';
+
+  for (var prop in object) {
+    if (object.hasOwnProperty(prop)) {
+      if (encodedString.length > 0) {
+        encodedString += '&';
+      }
+
+      if (typeof object[prop] !== 'object') {
+        if (prefix === '') {
+          encodedString += encodeURIComponent(prop) + '=' + encodeURIComponent(object[prop]);
+        } else {
+          encodedString +=
+            encodeURIComponent(prefix) + '[' + encodeURIComponent(prop) + ']=' + encodeURIComponent(
+            object[prop]);
+        }
+
+        continue;
+      }
+
+      // Objects need special handling
+      encodedString += plgSystemWebauthnInterpolateParameters(object[prop], prop);
+    }
+  }
+  return encodedString;
+}
diff --git a/build/media_source/plg_system_webauthn/js/management.es6.js b/build/media_source/plg_system_webauthn/js/management.es6.js
new file mode 100644
index 0000000000000..f1668a0a09b2d
--- /dev/null
+++ b/build/media_source/plg_system_webauthn/js/management.es6.js
@@ -0,0 +1,346 @@
+/**
+ * @package     Joomla.Plugin
+ * @subpackage  System.updatenotification
+ *
+ * @copyright   Copyright (C) 2005 - 2019 Open Source Matters, Inc. All rights reserved.
+ * @license     GNU General Public License version 2 or later; see LICENSE.txt
+ */
+
+/**
+ * Ask the user to link an authenticator using the provided public key (created server-side). Posts
+ * the credentials to the URL defined in post_url using AJAX. That URL must re-render the management
+ * interface. These contents will replace the element identified by the interface_selector CSS
+ * selector.
+ *
+ * @param   {String}  store_id            CSS ID for the element storing the configuration in its
+ *                                        data properties
+ * @param   {String}  interface_selector  CSS selector for the GUI container
+ */
+function plgSystemWebauthnCreateCredentials(store_id, interface_selector) {
+  // Make sure the browser supports Webauthn
+  if (!('credentials' in navigator)) {
+    alert(Joomla.JText._('PLG_SYSTEM_WEBAUTHN_ERR_NO_BROWSER_SUPPORT'));
+
+    console.log('This browser does not support Webauthn');
+    return;
+  }
+
+  // Extract the configuration from the store
+  let elStore = document.getElementById(store_id);
+
+  if (!elStore) {
+    return;
+  }
+
+  let publicKey = JSON.parse(atob(elStore.dataset.public_key));
+  let post_url = atob(elStore.dataset.postback_url);
+
+  // Utility function to convert array data to base64 strings
+  function arrayToBase64String(a) {
+    return btoa(String.fromCharCode(...a));
+  }
+
+  // Convert the public key information to a format usable by the browser's credentials manager
+  publicKey.challenge = Uint8Array.from(
+    window.atob(publicKey.challenge),
+    c => c.charCodeAt(0))
+  ;
+  publicKey.user.id = Uint8Array.from(
+    window.atob(publicKey.user.id),
+    c => c.charCodeAt(0)
+  );
+
+  if (publicKey.excludeCredentials) {
+    publicKey.excludeCredentials = publicKey.excludeCredentials.map(function (data) {
+      return {
+        ...data,
+        'id': Uint8Array.from(window.atob(data.id), c => c.charCodeAt(0))
+      };
+    });
+  }
+
+  // Ask the browser to prompt the user for their authenticator
+  navigator.credentials.create({publicKey})
+    .then(function (data) {
+      let publicKeyCredential = {
+        id: data.id,
+        type: data.type,
+        rawId: arrayToBase64String(new Uint8Array(data.rawId)),
+        response: {
+          clientDataJSON: arrayToBase64String(new Uint8Array(data.response.clientDataJSON)),
+          attestationObject: arrayToBase64String(new Uint8Array(data.response.attestationObject))
+        }
+      };
+
+      let postBackData = {
+        'option': 'com_ajax',
+        'group': 'system',
+        'plugin': 'webauthn',
+        'format': 'raw',
+        'akaction': 'create',
+        'encoding': 'raw',
+        'data': btoa(JSON.stringify(publicKeyCredential))
+      };
+
+      Joomla.request({
+        url: post_url,
+        method: 'POST',
+        data: plgSystemWebauthnInterpolateParameters(postBackData),
+        onSuccess(responseHTML) {
+          let elements = document.querySelectorAll(interface_selector);
+
+          if (!elements) {
+            return;
+          }
+
+          let elContainer = elements[0];
+
+          elContainer.outerHTML = responseHTML;
+        },
+        onError: (xhr) => {
+          plgSystemWebauthnHandleCreationError(xhr.status + ' ' + xhr.statusText);
+        }
+      });
+
+    }, function (error) {
+      // An error occurred: timeout, request to provide the authenticator refused, hardware /
+      // software error...
+      plgSystemWebauthnHandleCreationError(error);
+    });
+}
+
+/**
+ * A simple error handler
+ *
+ * @param   {String}  message
+ */
+function plgSystemWebauthnHandleCreationError(message) {
+  alert(message);
+
+  console.log(message);
+}
+
+/**
+ * Edit label button
+ *
+ * @param   {Element} that      The button being clicked
+ * @param   {String}  store_id  CSS ID for the element storing the configuration in its data
+ *                              properties
+ */
+function plgSystemWebauthnEditLabel(that, store_id) {
+  // Extract the configuration from the store
+  let elStore = document.getElementById(store_id);
+
+  if (!elStore) {
+    return;
+  }
+
+  let post_url = atob(elStore.dataset.postback_url);
+
+  // Find the UI elements
+  let elTR = that.parentElement.parentElement;
+  let credentialId = elTR.dataset.credential_id;
+  let elTDs = elTR.querySelectorAll('td');
+  let elLabelTD = elTDs[0];
+  let elButtonsTD = elTDs[1];
+  let elButtons = elButtonsTD.querySelectorAll('button');
+  let elEdit = elButtons[0];
+  let elDelete = elButtons[1];
+
+  // Show the editor
+  let oldLabel = elLabelTD.innerText;
+
+  let elInput = document.createElement('input');
+  elInput.type = 'text';
+  elInput.name = 'label';
+  elInput.defaultValue = oldLabel;
+
+  let elSave = document.createElement('button');
+  elSave.className = 'btn btn-success btn-sm';
+  elSave.innerText = Joomla.JText._('PLG_SYSTEM_WEBAUTHN_MANAGE_BTN_SAVE_LABEL');
+  elSave.addEventListener('click', function (e) {
+    let elNewLabel = elInput.value;
+
+    if (elNewLabel !== '') {
+      let postBackData = {
+        'option': 'com_ajax',
+        'group': 'system',
+        'plugin': 'webauthn',
+        'format': 'json',
+        'encoding': 'json',
+        'akaction': 'savelabel',
+        'credential_id': credentialId,
+        'new_label': elNewLabel
+      };
+
+      Joomla.request({
+        url: post_url,
+        method: 'POST',
+        data: plgSystemWebauthnInterpolateParameters(postBackData),
+        onSuccess(rawResponse) {
+          let result = false;
+
+          try {
+            result = JSON.parse(rawResponse);
+          } catch (e) {
+            result = (rawResponse === 'true');
+          }
+
+          if (result !== true) {
+            plgSystemWebauthnHandleCreationError(
+              Joomla.JText._('PLG_SYSTEM_WEBAUTHN_ERR_LABEL_NOT_SAVED')
+            );
+          }
+
+          //alert(Joomla.JText._('PLG_SYSTEM_WEBAUTHN_MSG_SAVED_LABEL'));
+        },
+        onError: (xhr) => {
+          plgSystemWebauthnHandleCreationError(
+            Joomla.JText._('PLG_SYSTEM_WEBAUTHN_ERR_LABEL_NOT_SAVED')
+            + ' -- ' + xhr.status + ' ' + xhr.statusText
+          );
+        }
+      });
+    }
+
+    elLabelTD.innerText = elNewLabel;
+    elEdit.disabled = false;
+    elDelete.disabled = false;
+
+    return false;
+  }, false);
+
+  let elCancel = document.createElement('button');
+  elCancel.className = 'btn btn-danger btn-sm';
+  elCancel.innerText = Joomla.JText._('PLG_SYSTEM_WEBAUTHN_MANAGE_BTN_CANCEL_LABEL');
+  elCancel.addEventListener('click', function (e) {
+    elLabelTD.innerText = oldLabel;
+    elEdit.disabled = false;
+    elDelete.disabled = false;
+
+    return false;
+  }, false);
+
+  elLabelTD.innerHTML = '';
+  elLabelTD.appendChild(elInput);
+  elLabelTD.appendChild(elSave);
+  elLabelTD.appendChild(elCancel);
+  elEdit.disabled = true;
+  elDelete.disabled = true;
+
+  return false;
+}
+
+/**
+ * Delete button
+ *
+ * @param   {Element} that      The button being clicked
+ * @param   {String}  store_id  CSS ID for the element storing the configuration in its data
+ *                              properties
+ */
+function plgSystemWebauthnDelete(that, store_id) {
+  // Extract the configuration from the store
+  let elStore = document.getElementById(store_id);
+
+  if (!elStore) {
+    return;
+  }
+
+  let post_url = atob(elStore.dataset.postback_url);
+
+  // Find the UI elements
+  let elTR = that.parentElement.parentElement;
+  let credentialId = elTR.dataset.credential_id;
+  let elTDs = elTR.querySelectorAll('td');
+  let elButtonsTD = elTDs[1];
+  let elButtons = elButtonsTD.querySelectorAll('button');
+  let elEdit = elButtons[0];
+  let elDelete = elButtons[1];
+
+  elEdit.disabled = true;
+  elDelete.disabled = true;
+
+  // Delete the record
+  let postBackData = {
+    'option': 'com_ajax',
+    'group': 'system',
+    'plugin': 'webauthn',
+    'format': 'json',
+    'encoding': 'json',
+    'akaction': 'delete',
+    'credential_id': credentialId
+  };
+
+  Joomla.request({
+    url: post_url,
+    method: 'POST',
+    data: plgSystemWebauthnInterpolateParameters(postBackData),
+    onSuccess(rawResponse) {
+      let result = false;
+
+      try {
+        result = JSON.parse(rawResponse);
+      } catch (e) {
+        result = (rawResponse === 'true');
+      }
+
+      if (result !== true) {
+        plgSystemWebauthnHandleCreationError(
+          Joomla.JText._('PLG_SYSTEM_WEBAUTHN_ERR_NOT_DELETED')
+        );
+
+        return;
+      }
+
+      elTR.parentElement.removeChild(elTR);
+    },
+    onError: (xhr) => {
+      elEdit.disabled = false;
+      elDelete.disabled = false;
+      plgSystemWebauthnHandleCreationError(
+        Joomla.JText._('PLG_SYSTEM_WEBAUTHN_ERR_NOT_DELETED')
+        + ' -- ' + xhr.status + ' ' + xhr.statusText
+      );
+    }
+  });
+
+  return false;
+}
+
+/**
+ * Converts a simple object containing query string parameters to a single, escaped query string.
+ * This method is a necessary evil since Joomla.request can only accept data as a string.
+ *
+ * @param    object   {object}  A plain object containing the query parameters to pass
+ * @param    prefix   {string}  Prefix for array-type parameters
+ *
+ * @returns  {string}
+ */
+function plgSystemWebauthnInterpolateParameters(object, prefix) {
+  prefix = prefix || '';
+  var encodedString = '';
+
+  for (var prop in object) {
+    if (object.hasOwnProperty(prop)) {
+      if (encodedString.length > 0) {
+        encodedString += '&';
+      }
+
+      if (typeof object[prop] !== 'object') {
+        if (prefix === '') {
+          encodedString += encodeURIComponent(prop) + '=' + encodeURIComponent(object[prop]);
+        } else {
+          encodedString +=
+            encodeURIComponent(prefix) + '[' + encodeURIComponent(prop) + ']=' + encodeURIComponent(
+            object[prop]);
+        }
+
+        continue;
+      }
+
+      // Objects need special handling
+      encodedString += plgSystemWebauthnInterpolateParameters(object[prop], prop);
+    }
+  }
+  return encodedString;
+}
diff --git a/build/media_source/plg_system_webauthn/scss/button.scss b/build/media_source/plg_system_webauthn/scss/button.scss
new file mode 100644
index 0000000000000..46c0af047e256
--- /dev/null
+++ b/build/media_source/plg_system_webauthn/scss/button.scss
@@ -0,0 +1,30 @@
+/*!
+ * @package     Joomla.Plugin
+ * @subpackage  System.updatenotification
+ *
+ * @copyright   Copyright (C) 2005 - 2019 Open Source Matters, Inc. All rights reserved.
+ * @license     GNU General Public License version 2 or later; see LICENSE.txt
+ */
+
+button[class*=plg_system_webauthn_login_button] {
+  span[class*=icon] {
+    font-size: 1.25em;
+    vertical-align: sub;
+    display: inline-block;
+    width: 1em;
+    text-align: center;
+  }
+
+  img[class*=icon] {
+    font-size: 1.5em;
+    vertical-align: middle;
+    display: inline-block;
+    width: 1.25em;
+    max-height: 1.25em;
+    text-align: center;
+  }
+
+  span[class*=icon]:not(:last-child) {
+    margin-right: .5em;
+  }
+}
diff --git a/components/com_users/View/Login/HtmlView.php b/components/com_users/View/Login/HtmlView.php
index 147978814b88e..d108025f0921e 100644
--- a/components/com_users/View/Login/HtmlView.php
+++ b/components/com_users/View/Login/HtmlView.php
@@ -70,6 +70,14 @@ class HtmlView extends BaseHtmlView
 	 */
 	protected $tfa = '';
 
+	/**
+	 * Additional buttons to show on the login page
+	 *
+	 * @var    array
+	 * @since  4.0.0
+	 */
+	protected $extraButtons = [];
+
 	/**
 	 * Method to display the view.
 	 *
@@ -105,6 +113,8 @@ public function display($tpl = null)
 		$tfa = AuthenticationHelper::getTwoFactorMethods();
 		$this->tfa = is_array($tfa) && count($tfa) > 1;
 
+		$this->extraButtons = AuthenticationHelper::getLoginButtons('com-users-login__form');
+
 		// Escape strings for HTML output
 		$this->pageclass_sfx = htmlspecialchars($this->params->get('pageclass_sfx'), ENT_COMPAT, 'UTF-8');
 
diff --git a/components/com_users/tmpl/login/default_login.php b/components/com_users/tmpl/login/default_login.php
index 429cb749a8946..9f19b9c6543c8 100644
--- a/components/com_users/tmpl/login/default_login.php
+++ b/components/com_users/tmpl/login/default_login.php
@@ -46,7 +46,7 @@
 	</div>
 	<?php endif; ?>
 
-	<form action="<?php echo Route::_('index.php?option=com_users&task=user.login'); ?>" method="post" class="com-users-login__form form-validate form-horizontal well">
+	<form action="<?php echo Route::_('index.php?option=com_users&task=user.login'); ?>" method="post" class="com-users-login__form form-validate form-horizontal well" id="com-users-login__form">
 
 		<fieldset>
 			<?php echo $this->form->renderFieldset('credentials', ['class' => 'com-users-login__input']); ?>
@@ -68,6 +68,28 @@
 				</div>
 			<?php endif; ?>
 
+			<?php foreach ($this->extraButtons as $button): ?>
+				<div class="com-users-login__submit control-group">
+					<div class="controls">
+						<button type="button"
+						        class="btn btn-secondary <?= $button['class'] ?? '' ?>"
+						        onclick="<?= $button['onclick'] ?>"
+						        title="<?= Text::_($button['label']) ?>"
+						        id="<?= $button['id'] ?>"
+						>
+							<?php if (!empty($button['icon'])): ?>
+								<span class="<?= $button['icon'] ?>"></span>
+							<?php elseif (!empty($button['image'])): ?>
+								<?= HTMLHelper::_('image', $button['image'], Text::_('PLG_SYSTEM_WEBAUTHN_LOGIN_DESC'), [
+									'class' => 'icon',
+								], true) ?>
+							<?php endif; ?>
+							<?= Text::_($button['label']) ?>
+						</button>
+					</div>
+				</div>
+			<?php endforeach; ?>
+
 			<div class="com-users-login__submit control-group">
 				<div class="controls">
 					<button type="submit" class="btn btn-primary">
diff --git a/composer.json b/composer.json
index 98e657dc60621..ca79e5f105592 100644
--- a/composer.json
+++ b/composer.json
@@ -101,6 +101,9 @@
         "maximebf/debugbar": "^1.15",
         "tobscure/json-api": "^0.4.1",
         "willdurand/negotiation": "^2.3",
+        "web-auth/webauthn-lib": "^2.0.0",
+		"zendframework/zend-diactoros": "^2.1.1",
+		"ramsey/uuid": "^3.8.0",
         "ext-json": "*",
         "ext-simplexml": "*"
     },
diff --git a/composer.lock b/composer.lock
index 8419ebd738ca6..c589836223a96 100644
--- a/composer.lock
+++ b/composer.lock
@@ -4,7 +4,7 @@
         "Read more about it at https://getcomposer.org/doc/01-basic-usage.md#installing-dependencies",
         "This file is @generated automatically"
     ],
-    "content-hash": "bfc6490bb10b548e5d1181cd62a8852a",
+    "content-hash": "5d2df0dde97f5deac4b895501e28d255",
     "packages": [
         {
             "name": "algo26-matthias/idna-convert",
@@ -55,6 +55,61 @@
             ],
             "time": "2016-06-19T18:08:43+00:00"
         },
+        {
+            "name": "beberlei/assert",
+            "version": "v3.2.1",
+            "source": {
+                "type": "git",
+                "url": "https://github.com/beberlei/assert.git",
+                "reference": "ce139b6bf8f07fb8389d2c8e15b98dc24fdd93c7"
+            },
+            "dist": {
+                "type": "zip",
+                "url": "https://api.github.com/repos/beberlei/assert/zipball/ce139b6bf8f07fb8389d2c8e15b98dc24fdd93c7",
+                "reference": "ce139b6bf8f07fb8389d2c8e15b98dc24fdd93c7",
+                "shasum": ""
+            },
+            "require": {
+                "php": "^7"
+            },
+            "require-dev": {
+                "friendsofphp/php-cs-fixer": "*",
+                "phpstan/phpstan-shim": "*",
+                "phpunit/phpunit": ">=6.0.0 <8"
+            },
+            "type": "library",
+            "autoload": {
+                "psr-4": {
+                    "Assert\\": "lib/Assert"
+                },
+                "files": [
+                    "lib/Assert/functions.php"
+                ]
+            },
+            "notification-url": "https://packagist.org/downloads/",
+            "license": [
+                "BSD-2-Clause"
+            ],
+            "authors": [
+                {
+                    "name": "Benjamin Eberlei",
+                    "email": "kontakt@beberlei.de",
+                    "role": "Lead Developer"
+                },
+                {
+                    "name": "Richard Quadling",
+                    "email": "rquadling@gmail.com",
+                    "role": "Collaborator"
+                }
+            ],
+            "description": "Thin assertion library for input validation in business models.",
+            "keywords": [
+                "assert",
+                "assertion",
+                "validation"
+            ],
+            "time": "2019-05-28T15:18:28+00:00"
+        },
         {
             "name": "composer/ca-bundle",
             "version": "1.1.4",
@@ -241,6 +296,75 @@
             ],
             "time": "2017-07-22T12:18:28+00:00"
         },
+        {
+            "name": "fgrosse/phpasn1",
+            "version": "v2.1.1",
+            "source": {
+                "type": "git",
+                "url": "https://github.com/fgrosse/PHPASN1.git",
+                "reference": "7ebf2a09084a7bbdb7b879c66fdf7ad80461bbe8"
+            },
+            "dist": {
+                "type": "zip",
+                "url": "https://api.github.com/repos/fgrosse/PHPASN1/zipball/7ebf2a09084a7bbdb7b879c66fdf7ad80461bbe8",
+                "reference": "7ebf2a09084a7bbdb7b879c66fdf7ad80461bbe8",
+                "shasum": ""
+            },
+            "require": {
+                "php": ">=7.0.0"
+            },
+            "require-dev": {
+                "phpunit/phpunit": "~6.3",
+                "satooshi/php-coveralls": "~2.0"
+            },
+            "suggest": {
+                "ext-gmp": "GMP is the preferred extension for big integer calculations",
+                "php-curl": "For loading OID information from the web if they have not bee defined statically"
+            },
+            "type": "library",
+            "extra": {
+                "branch-alias": {
+                    "dev-master": "2.0.x-dev"
+                }
+            },
+            "autoload": {
+                "psr-4": {
+                    "FG\\": "lib/"
+                }
+            },
+            "notification-url": "https://packagist.org/downloads/",
+            "license": [
+                "MIT"
+            ],
+            "authors": [
+                {
+                    "name": "Friedrich Große",
+                    "email": "friedrich.grosse@gmail.com",
+                    "homepage": "https://github.com/FGrosse",
+                    "role": "Author"
+                },
+                {
+                    "name": "All contributors",
+                    "homepage": "https://github.com/FGrosse/PHPASN1/contributors"
+                }
+            ],
+            "description": "A PHP Framework that allows you to encode and decode arbitrary ASN.1 structures using the ITU-T X.690 Encoding Rules.",
+            "homepage": "https://github.com/FGrosse/PHPASN1",
+            "keywords": [
+                "DER",
+                "asn.1",
+                "asn1",
+                "ber",
+                "binary",
+                "decoding",
+                "encoding",
+                "x.509",
+                "x.690",
+                "x509",
+                "x690"
+            ],
+            "time": "2018-12-02T01:34:34+00:00"
+        },
         {
             "name": "fig/link-util",
             "version": "1.0.0",
@@ -348,12 +472,12 @@
             "source": {
                 "type": "git",
                 "url": "https://github.com/joomla-framework/application.git",
-                "reference": "cb7e310fef06529063ec6891fdba6c5895c1bd99"
+                "reference": "3d549e0248cd8973f0c5b66fe49f4647c756488d"
             },
             "dist": {
                 "type": "zip",
-                "url": "https://api.github.com/repos/joomla-framework/application/zipball/cb7e310fef06529063ec6891fdba6c5895c1bd99",
-                "reference": "cb7e310fef06529063ec6891fdba6c5895c1bd99",
+                "url": "https://api.github.com/repos/joomla-framework/application/zipball/3d549e0248cd8973f0c5b66fe49f4647c756488d",
+                "reference": "3d549e0248cd8973f0c5b66fe49f4647c756488d",
                 "shasum": ""
             },
             "require": {
@@ -404,7 +528,7 @@
                 "framework",
                 "joomla"
             ],
-            "time": "2019-07-14T19:44:25+00:00"
+            "time": "2019-07-17T23:15:23+00:00"
         },
         {
             "name": "joomla/archive",
@@ -464,12 +588,12 @@
             "source": {
                 "type": "git",
                 "url": "https://github.com/joomla-framework/authentication.git",
-                "reference": "0f3e8838322869ea2e00ac5cd2780b0346886a70"
+                "reference": "a577eac4c5654e1b347feb36a3991da4fb04d7ab"
             },
             "dist": {
                 "type": "zip",
-                "url": "https://api.github.com/repos/joomla-framework/authentication/zipball/0f3e8838322869ea2e00ac5cd2780b0346886a70",
-                "reference": "0f3e8838322869ea2e00ac5cd2780b0346886a70",
+                "url": "https://api.github.com/repos/joomla-framework/authentication/zipball/a577eac4c5654e1b347feb36a3991da4fb04d7ab",
+                "reference": "a577eac4c5654e1b347feb36a3991da4fb04d7ab",
                 "shasum": ""
             },
             "require": {
@@ -508,7 +632,7 @@
                 "framework",
                 "joomla"
             ],
-            "time": "2019-06-19T00:51:06+00:00"
+            "time": "2019-07-17T23:41:23+00:00"
         },
         {
             "name": "joomla/console",
@@ -516,12 +640,12 @@
             "source": {
                 "type": "git",
                 "url": "https://github.com/joomla-framework/console.git",
-                "reference": "85fd3b5b46d86f61fa3d129d19cabcabee44bc6c"
+                "reference": "58b6a5545c87cb1eaf82bd9fd703e8c332ca89e3"
             },
             "dist": {
                 "type": "zip",
-                "url": "https://api.github.com/repos/joomla-framework/console/zipball/85fd3b5b46d86f61fa3d129d19cabcabee44bc6c",
-                "reference": "85fd3b5b46d86f61fa3d129d19cabcabee44bc6c",
+                "url": "https://api.github.com/repos/joomla-framework/console/zipball/58b6a5545c87cb1eaf82bd9fd703e8c332ca89e3",
+                "reference": "58b6a5545c87cb1eaf82bd9fd703e8c332ca89e3",
                 "shasum": ""
             },
             "require": {
@@ -561,7 +685,7 @@
                 "framework",
                 "joomla"
             ],
-            "time": "2019-07-14T18:55:56+00:00"
+            "time": "2019-07-18T00:30:45+00:00"
         },
         {
             "name": "joomla/controller",
@@ -722,12 +846,12 @@
             "source": {
                 "type": "git",
                 "url": "https://github.com/joomla-framework/database.git",
-                "reference": "1752fa13c46f6cac553518ff6cf53b288f05133a"
+                "reference": "60a7df9e4df83c2269fbc229a396cb6a324e417f"
             },
             "dist": {
                 "type": "zip",
-                "url": "https://api.github.com/repos/joomla-framework/database/zipball/1752fa13c46f6cac553518ff6cf53b288f05133a",
-                "reference": "1752fa13c46f6cac553518ff6cf53b288f05133a",
+                "url": "https://api.github.com/repos/joomla-framework/database/zipball/60a7df9e4df83c2269fbc229a396cb6a324e417f",
+                "reference": "60a7df9e4df83c2269fbc229a396cb6a324e417f",
                 "shasum": ""
             },
             "require": {
@@ -779,7 +903,7 @@
                 "framework",
                 "joomla"
             ],
-            "time": "2019-07-10T16:54:07+00:00"
+            "time": "2019-07-22T20:04:16+00:00"
         },
         {
             "name": "joomla/di",
@@ -787,12 +911,12 @@
             "source": {
                 "type": "git",
                 "url": "https://github.com/joomla-framework/di.git",
-                "reference": "55db6dc7ad2e8cb778c224608b8d2c8569e18af5"
+                "reference": "46a30b4e27234e914b826d91d2ee20a820f8ceab"
             },
             "dist": {
                 "type": "zip",
-                "url": "https://api.github.com/repos/joomla-framework/di/zipball/55db6dc7ad2e8cb778c224608b8d2c8569e18af5",
-                "reference": "55db6dc7ad2e8cb778c224608b8d2c8569e18af5",
+                "url": "https://api.github.com/repos/joomla-framework/di/zipball/46a30b4e27234e914b826d91d2ee20a820f8ceab",
+                "reference": "46a30b4e27234e914b826d91d2ee20a820f8ceab",
                 "shasum": ""
             },
             "require": {
@@ -831,7 +955,7 @@
                 "ioc",
                 "joomla"
             ],
-            "time": "2019-06-19T01:48:32+00:00"
+            "time": "2019-07-18T00:06:37+00:00"
         },
         {
             "name": "joomla/event",
@@ -839,12 +963,12 @@
             "source": {
                 "type": "git",
                 "url": "https://github.com/joomla-framework/event.git",
-                "reference": "dd9f0179ee8a6a68dfe970bc43fe5ed3a712ecee"
+                "reference": "5b854c580bdbad39324e22a6af2c0b68379b9905"
             },
             "dist": {
                 "type": "zip",
-                "url": "https://api.github.com/repos/joomla-framework/event/zipball/dd9f0179ee8a6a68dfe970bc43fe5ed3a712ecee",
-                "reference": "dd9f0179ee8a6a68dfe970bc43fe5ed3a712ecee",
+                "url": "https://api.github.com/repos/joomla-framework/event/zipball/5b854c580bdbad39324e22a6af2c0b68379b9905",
+                "reference": "5b854c580bdbad39324e22a6af2c0b68379b9905",
                 "shasum": ""
             },
             "require": {
@@ -880,7 +1004,7 @@
                 "framework",
                 "joomla"
             ],
-            "time": "2019-07-12T00:49:37+00:00"
+            "time": "2019-07-18T00:09:24+00:00"
         },
         {
             "name": "joomla/filesystem",
@@ -989,12 +1113,12 @@
             "source": {
                 "type": "git",
                 "url": "https://github.com/joomla-framework/http.git",
-                "reference": "cb6e8bcad6bbf7be3f1b21b6868116636c97e727"
+                "reference": "91aecbdeee2f38cfe518e568e9d1f09b344c6b25"
             },
             "dist": {
                 "type": "zip",
-                "url": "https://api.github.com/repos/joomla-framework/http/zipball/cb6e8bcad6bbf7be3f1b21b6868116636c97e727",
-                "reference": "cb6e8bcad6bbf7be3f1b21b6868116636c97e727",
+                "url": "https://api.github.com/repos/joomla-framework/http/zipball/91aecbdeee2f38cfe518e568e9d1f09b344c6b25",
+                "reference": "91aecbdeee2f38cfe518e568e9d1f09b344c6b25",
                 "shasum": ""
             },
             "require": {
@@ -1035,7 +1159,7 @@
                 "http",
                 "joomla"
             ],
-            "time": "2019-07-14T18:24:22+00:00"
+            "time": "2019-07-18T00:24:34+00:00"
         },
         {
             "name": "joomla/image",
@@ -2152,6 +2276,206 @@
             ],
             "time": "2018-11-20T15:27:04+00:00"
         },
+        {
+            "name": "ramsey/uuid",
+            "version": "3.8.0",
+            "source": {
+                "type": "git",
+                "url": "https://github.com/ramsey/uuid.git",
+                "reference": "d09ea80159c1929d75b3f9c60504d613aeb4a1e3"
+            },
+            "dist": {
+                "type": "zip",
+                "url": "https://api.github.com/repos/ramsey/uuid/zipball/d09ea80159c1929d75b3f9c60504d613aeb4a1e3",
+                "reference": "d09ea80159c1929d75b3f9c60504d613aeb4a1e3",
+                "shasum": ""
+            },
+            "require": {
+                "paragonie/random_compat": "^1.0|^2.0|9.99.99",
+                "php": "^5.4 || ^7.0",
+                "symfony/polyfill-ctype": "^1.8"
+            },
+            "replace": {
+                "rhumsaa/uuid": "self.version"
+            },
+            "require-dev": {
+                "codeception/aspect-mock": "^1.0 | ~2.0.0",
+                "doctrine/annotations": "~1.2.0",
+                "goaop/framework": "1.0.0-alpha.2 | ^1.0 | ~2.1.0",
+                "ircmaxell/random-lib": "^1.1",
+                "jakub-onderka/php-parallel-lint": "^0.9.0",
+                "mockery/mockery": "^0.9.9",
+                "moontoast/math": "^1.1",
+                "php-mock/php-mock-phpunit": "^0.3|^1.1",
+                "phpunit/phpunit": "^4.7|^5.0|^6.5",
+                "squizlabs/php_codesniffer": "^2.3"
+            },
+            "suggest": {
+                "ext-ctype": "Provides support for PHP Ctype functions",
+                "ext-libsodium": "Provides the PECL libsodium extension for use with the SodiumRandomGenerator",
+                "ext-uuid": "Provides the PECL UUID extension for use with the PeclUuidTimeGenerator and PeclUuidRandomGenerator",
+                "ircmaxell/random-lib": "Provides RandomLib for use with the RandomLibAdapter",
+                "moontoast/math": "Provides support for converting UUID to 128-bit integer (in string form).",
+                "ramsey/uuid-console": "A console application for generating UUIDs with ramsey/uuid",
+                "ramsey/uuid-doctrine": "Allows the use of Ramsey\\Uuid\\Uuid as Doctrine field type."
+            },
+            "type": "library",
+            "extra": {
+                "branch-alias": {
+                    "dev-master": "3.x-dev"
+                }
+            },
+            "autoload": {
+                "psr-4": {
+                    "Ramsey\\Uuid\\": "src/"
+                }
+            },
+            "notification-url": "https://packagist.org/downloads/",
+            "license": [
+                "MIT"
+            ],
+            "authors": [
+                {
+                    "name": "Marijn Huizendveld",
+                    "email": "marijn.huizendveld@gmail.com"
+                },
+                {
+                    "name": "Thibaud Fabre",
+                    "email": "thibaud@aztech.io"
+                },
+                {
+                    "name": "Ben Ramsey",
+                    "email": "ben@benramsey.com",
+                    "homepage": "https://benramsey.com"
+                }
+            ],
+            "description": "Formerly rhumsaa/uuid. A PHP 5.4+ library for generating RFC 4122 version 1, 3, 4, and 5 universally unique identifiers (UUID).",
+            "homepage": "https://github.com/ramsey/uuid",
+            "keywords": [
+                "guid",
+                "identifier",
+                "uuid"
+            ],
+            "time": "2018-07-19T23:38:55+00:00"
+        },
+        {
+            "name": "spomky-labs/base64url",
+            "version": "v2.0.1",
+            "source": {
+                "type": "git",
+                "url": "https://github.com/Spomky-Labs/base64url.git",
+                "reference": "3eb46a1de803f0078962d910e3a2759224a68c61"
+            },
+            "dist": {
+                "type": "zip",
+                "url": "https://api.github.com/repos/Spomky-Labs/base64url/zipball/3eb46a1de803f0078962d910e3a2759224a68c61",
+                "reference": "3eb46a1de803f0078962d910e3a2759224a68c61",
+                "shasum": ""
+            },
+            "require": {
+                "php": "^7.1"
+            },
+            "require-dev": {
+                "php-coveralls/php-coveralls": "^2.0",
+                "phpunit/phpunit": "^7.0"
+            },
+            "type": "library",
+            "extra": {
+                "branch-alias": {
+                    "dev-master": "2.0.x-dev"
+                }
+            },
+            "autoload": {
+                "psr-4": {
+                    "Base64Url\\": "src/"
+                }
+            },
+            "notification-url": "https://packagist.org/downloads/",
+            "license": [
+                "MIT"
+            ],
+            "authors": [
+                {
+                    "name": "Florent Morselli",
+                    "homepage": "https://github.com/Spomky-Labs/base64url/contributors"
+                }
+            ],
+            "description": "Base 64 URL Safe Encoding/Decoding PHP Library",
+            "homepage": "https://github.com/Spomky-Labs/base64url",
+            "keywords": [
+                "base64",
+                "rfc4648",
+                "safe",
+                "url"
+            ],
+            "time": "2018-08-16T15:44:20+00:00"
+        },
+        {
+            "name": "spomky-labs/cbor-php",
+            "version": "v1.0.4",
+            "source": {
+                "type": "git",
+                "url": "https://github.com/Spomky-Labs/cbor-php.git",
+                "reference": "20913abb88d26a936d10b3e6b59608aacf0699c1"
+            },
+            "dist": {
+                "type": "zip",
+                "url": "https://api.github.com/repos/Spomky-Labs/cbor-php/zipball/20913abb88d26a936d10b3e6b59608aacf0699c1",
+                "reference": "20913abb88d26a936d10b3e6b59608aacf0699c1",
+                "shasum": ""
+            },
+            "require": {
+                "beberlei/assert": "^3.2",
+                "ext-bcmath": "*",
+                "ext-gmp": "*",
+                "php": "^7.1|^8.0",
+                "spomky-labs/base64url": "^1.0|^2.0",
+                "thecodingmachine/safe": "^0.1.13"
+            },
+            "require-dev": {
+                "php-coveralls/php-coveralls": "^2.0",
+                "phpstan/phpstan": "^0.11",
+                "phpstan/phpstan-beberlei-assert": "^0.11.0",
+                "phpstan/phpstan-deprecation-rules": "^0.11",
+                "phpstan/phpstan-phpunit": "^0.11",
+                "phpstan/phpstan-strict-rules": "^0.11",
+                "phpunit/phpunit": "^8.0",
+                "rector/rector": "^0.5",
+                "thecodingmachine/phpstan-safe-rule": "^0.1.2"
+            },
+            "type": "library",
+            "extra": {
+                "branch-alias": {
+                    "dev-master": "1.0.x-dev"
+                }
+            },
+            "autoload": {
+                "psr-4": {
+                    "CBOR\\": "src/"
+                }
+            },
+            "notification-url": "https://packagist.org/downloads/",
+            "license": [
+                "MIT"
+            ],
+            "authors": [
+                {
+                    "name": "Florent Morselli",
+                    "homepage": "https://github.com/Spomky"
+                },
+                {
+                    "name": "All contributors",
+                    "homepage": "https://github.com/Spomky-Labs/cbor-php/contributors"
+                }
+            ],
+            "description": "CBOR Encoder/Decoder for PHP",
+            "keywords": [
+                "Concise Binary Object Representation",
+                "RFC7049",
+                "cbor"
+            ],
+            "time": "2019-07-24T15:38:30+00:00"
+        },
         {
             "name": "symfony/console",
             "version": "v4.3.2",
@@ -2440,7 +2764,7 @@
                 },
                 {
                     "name": "Gert de Pagter",
-                    "email": "BackEndTea@gmail.com"
+                    "email": "backendtea@gmail.com"
                 }
             ],
             "description": "Symfony polyfill for ctype functions",
@@ -2891,6 +3215,138 @@
             "homepage": "https://symfony.com",
             "time": "2019-04-06T14:04:46+00:00"
         },
+        {
+            "name": "thecodingmachine/safe",
+            "version": "v0.1.16",
+            "source": {
+                "type": "git",
+                "url": "https://github.com/thecodingmachine/safe.git",
+                "reference": "4e8f840f0a0a2ea167813c3994a7fc527c3c2182"
+            },
+            "dist": {
+                "type": "zip",
+                "url": "https://api.github.com/repos/thecodingmachine/safe/zipball/4e8f840f0a0a2ea167813c3994a7fc527c3c2182",
+                "reference": "4e8f840f0a0a2ea167813c3994a7fc527c3c2182",
+                "shasum": ""
+            },
+            "require": {
+                "php": ">=7.1"
+            },
+            "require-dev": {
+                "phpstan/phpstan": "^0.10.3",
+                "squizlabs/php_codesniffer": "^3.2",
+                "thecodingmachine/phpstan-strict-rules": "^0.10.3"
+            },
+            "type": "library",
+            "extra": {
+                "branch-alias": {
+                    "dev-master": "0.1-dev"
+                }
+            },
+            "autoload": {
+                "psr-4": {
+                    "Safe\\": [
+                        "lib/",
+                        "generated/"
+                    ]
+                },
+                "files": [
+                    "generated/apache.php",
+                    "generated/apc.php",
+                    "generated/apcu.php",
+                    "generated/array.php",
+                    "generated/bzip2.php",
+                    "generated/classobj.php",
+                    "generated/com.php",
+                    "generated/cubrid.php",
+                    "generated/curl.php",
+                    "generated/datetime.php",
+                    "generated/dir.php",
+                    "generated/eio.php",
+                    "generated/errorfunc.php",
+                    "generated/exec.php",
+                    "generated/fileinfo.php",
+                    "generated/filesystem.php",
+                    "generated/filter.php",
+                    "generated/fpm.php",
+                    "generated/ftp.php",
+                    "generated/funchand.php",
+                    "generated/gmp.php",
+                    "generated/gnupg.php",
+                    "generated/hash.php",
+                    "generated/ibase.php",
+                    "generated/ibmDb2.php",
+                    "generated/iconv.php",
+                    "generated/image.php",
+                    "generated/imap.php",
+                    "generated/info.php",
+                    "generated/ingres-ii.php",
+                    "generated/inotify.php",
+                    "generated/json.php",
+                    "generated/ldap.php",
+                    "generated/libevent.php",
+                    "generated/libxml.php",
+                    "generated/lzf.php",
+                    "generated/mailparse.php",
+                    "generated/mbstring.php",
+                    "generated/misc.php",
+                    "generated/msql.php",
+                    "generated/mssql.php",
+                    "generated/mysql.php",
+                    "generated/mysqli.php",
+                    "generated/mysqlndMs.php",
+                    "generated/mysqlndQc.php",
+                    "generated/network.php",
+                    "generated/oci8.php",
+                    "generated/opcache.php",
+                    "generated/openssl.php",
+                    "generated/outcontrol.php",
+                    "generated/password.php",
+                    "generated/pcntl.php",
+                    "generated/pcre.php",
+                    "generated/pdf.php",
+                    "generated/pgsql.php",
+                    "generated/posix.php",
+                    "generated/ps.php",
+                    "generated/pspell.php",
+                    "generated/readline.php",
+                    "generated/rrd.php",
+                    "generated/sem.php",
+                    "generated/session.php",
+                    "generated/shmop.php",
+                    "generated/simplexml.php",
+                    "generated/sockets.php",
+                    "generated/sodium.php",
+                    "generated/solr.php",
+                    "generated/spl.php",
+                    "generated/sqlsrv.php",
+                    "generated/ssdeep.php",
+                    "generated/ssh2.php",
+                    "generated/stats.php",
+                    "generated/stream.php",
+                    "generated/strings.php",
+                    "generated/swoole.php",
+                    "generated/uodbc.php",
+                    "generated/uopz.php",
+                    "generated/url.php",
+                    "generated/var.php",
+                    "generated/xdiff.php",
+                    "generated/xml.php",
+                    "generated/xmlrpc.php",
+                    "generated/yaml.php",
+                    "generated/yaz.php",
+                    "generated/zip.php",
+                    "generated/zlib.php",
+                    "lib/special_cases.php"
+                ]
+            },
+            "notification-url": "https://packagist.org/downloads/",
+            "license": [
+                "MIT"
+            ],
+            "description": "PHP core functions that throw exceptions instead of returning FALSE on error",
+            "time": "2019-06-25T08:45:33+00:00"
+        },
         {
             "name": "tobscure/json-api",
             "version": "v0.4.1",
@@ -3035,6 +3491,133 @@
             ],
             "time": "2017-01-27T17:16:44+00:00"
         },
+        {
+            "name": "web-auth/cose-lib",
+            "version": "v2.0.1",
+            "source": {
+                "type": "git",
+                "url": "https://github.com/web-auth/cose-lib.git",
+                "reference": "5ef35ea258ad2adc28bdd1e063eca34353ebf9d7"
+            },
+            "dist": {
+                "type": "zip",
+                "url": "https://api.github.com/repos/web-auth/cose-lib/zipball/5ef35ea258ad2adc28bdd1e063eca34353ebf9d7",
+                "reference": "5ef35ea258ad2adc28bdd1e063eca34353ebf9d7",
+                "shasum": ""
+            },
+            "require": {
+                "beberlei/assert": "^3.0",
+                "ext-json": "*",
+                "ext-mbstring": "*",
+                "ext-openssl": "*",
+                "fgrosse/phpasn1": "^2.1",
+                "php": "^7.2",
+                "thecodingmachine/safe": "^0.1"
+            },
+            "type": "library",
+            "extra": {
+                "branch-alias": {
+                    "v1.0": "1.0.x-dev",
+                    "v1.1": "1.1.x-dev",
+                    "v1.2": "1.2.x-dev",
+                    "v2.0": "2.0.x-dev"
+                }
+            },
+            "autoload": {
+                "psr-4": {
+                    "Cose\\": "src/"
+                }
+            },
+            "notification-url": "https://packagist.org/downloads/",
+            "license": [
+                "MIT"
+            ],
+            "authors": [
+                {
+                    "name": "Florent Morselli",
+                    "homepage": "https://github.com/Spomky"
+                },
+                {
+                    "name": "All contributors",
+                    "homepage": "https://github.com/web-auth/cose/contributors"
+                }
+            ],
+            "description": "CBOR Object Signing and Encryption (COSE) For PHP",
+            "homepage": "https://github.com/web-auth",
+            "keywords": [
+                "COSE",
+                "RFC8152"
+            ],
+            "time": "2019-05-05T16:15:56+00:00"
+        },
+        {
+            "name": "web-auth/webauthn-lib",
+            "version": "v2.0.1",
+            "source": {
+                "type": "git",
+                "url": "https://github.com/web-auth/webauthn-lib.git",
+                "reference": "2ffbe93428a1c53a26f1251b8f80f69a061975cd"
+            },
+            "dist": {
+                "type": "zip",
+                "url": "https://api.github.com/repos/web-auth/webauthn-lib/zipball/2ffbe93428a1c53a26f1251b8f80f69a061975cd",
+                "reference": "2ffbe93428a1c53a26f1251b8f80f69a061975cd",
+                "shasum": ""
+            },
+            "require": {
+                "beberlei/assert": "^3.0",
+                "ext-json": "*",
+                "ext-mbstring": "*",
+                "ext-openssl": "*",
+                "php": "^7.2",
+                "psr/http-factory": "^1.0",
+                "psr/http-message": "^1.0",
+                "spomky-labs/base64url": "^2.0",
+                "spomky-labs/cbor-php": "^1.0.2",
+                "thecodingmachine/safe": "^0.1",
+                "web-auth/cose-lib": "^2.0"
+            },
+            "suggest": {
+                "php-http/httplug": "For Android SafetyNet support"
+            },
+            "type": "library",
+            "extra": {
+                "branch-alias": {
+                    "v1.0": "1.0.x-dev",
+                    "v1.1": "1.1.x-dev",
+                    "v1.2": "1.2.x-dev",
+                    "v2.0": "2.0.x-dev"
+                }
+            },
+            "autoload": {
+                "psr-4": {
+                    "Webauthn\\": "src/"
+                }
+            },
+            "notification-url": "https://packagist.org/downloads/",
+            "license": [
+                "MIT"
+            ],
+            "authors": [
+                {
+                    "name": "Florent Morselli",
+                    "homepage": "https://github.com/Spomky"
+                },
+                {
+                    "name": "All contributors",
+                    "homepage": "https://github.com/web-auth/webauthn-library/contributors"
+                }
+            ],
+            "description": "FIDO2/Webauthn Support For PHP",
+            "homepage": "https://github.com/web-auth",
+            "keywords": [
+                "FIDO2",
+                "fido",
+                "u2f",
+                "webauthn"
+            ],
+            "time": "2019-07-24T15:49:26+00:00"
+        },
         {
             "name": "willdurand/negotiation",
             "version": "v2.3.1",
@@ -3216,16 +3799,16 @@
         },
         {
             "name": "codeception/codeception",
-            "version": "3.0.2",
+            "version": "3.0.3",
             "source": {
                 "type": "git",
                 "url": "https://github.com/Codeception/Codeception.git",
-                "reference": "aead7eb0a53b040390a927dc84a0e6e37ffa8a2b"
+                "reference": "feb566a9dc26993611602011ae3834d8e3c1dd7f"
             },
             "dist": {
                 "type": "zip",
-                "url": "https://api.github.com/repos/Codeception/Codeception/zipball/aead7eb0a53b040390a927dc84a0e6e37ffa8a2b",
-                "reference": "aead7eb0a53b040390a927dc84a0e6e37ffa8a2b",
+                "url": "https://api.github.com/repos/Codeception/Codeception/zipball/feb566a9dc26993611602011ae3834d8e3c1dd7f",
+                "reference": "feb566a9dc26993611602011ae3834d8e3c1dd7f",
                 "shasum": ""
             },
             "require": {
@@ -3250,6 +3833,8 @@
             },
             "require-dev": {
                 "codeception/specify": "~0.3",
+                "doctrine/annotations": "^1",
+                "doctrine/orm": "^2",
                 "flow/jsonpath": "~0.2",
                 "monolog/monolog": "~1.8",
                 "pda/pheanstalk": "~3.0",
@@ -3304,7 +3889,7 @@
                 "functional testing",
                 "unit testing"
             ],
-            "time": "2019-06-22T19:16:46+00:00"
+            "time": "2019-07-18T16:21:08+00:00"
         },
         {
             "name": "codeception/phpunit-wrapper",
@@ -6036,16 +6621,16 @@
         },
         {
             "name": "phpunit/php-code-coverage",
-            "version": "7.0.6",
+            "version": "7.0.7",
             "source": {
                 "type": "git",
                 "url": "https://github.com/sebastianbergmann/php-code-coverage.git",
-                "reference": "d471d0d2b529a67c6a722dd446c4ec90881ac315"
+                "reference": "7743bbcfff2a907e9ee4a25be13d0f8ec5e73800"
             },
             "dist": {
                 "type": "zip",
-                "url": "https://api.github.com/repos/sebastianbergmann/php-code-coverage/zipball/d471d0d2b529a67c6a722dd446c4ec90881ac315",
-                "reference": "d471d0d2b529a67c6a722dd446c4ec90881ac315",
+                "url": "https://api.github.com/repos/sebastianbergmann/php-code-coverage/zipball/7743bbcfff2a907e9ee4a25be13d0f8ec5e73800",
+                "reference": "7743bbcfff2a907e9ee4a25be13d0f8ec5e73800",
                 "shasum": ""
             },
             "require": {
@@ -6054,7 +6639,7 @@
                 "php": "^7.2",
                 "phpunit/php-file-iterator": "^2.0.2",
                 "phpunit/php-text-template": "^1.2.1",
-                "phpunit/php-token-stream": "^3.0.2",
+                "phpunit/php-token-stream": "^3.1.0",
                 "sebastian/code-unit-reverse-lookup": "^1.0.1",
                 "sebastian/environment": "^4.2.2",
                 "sebastian/version": "^2.0.1",
@@ -6084,8 +6669,8 @@
             "authors": [
                 {
                     "name": "Sebastian Bergmann",
-                    "email": "sebastian@phpunit.de",
-                    "role": "lead"
+                    "role": "lead",
+                    "email": "sebastian@phpunit.de"
                 }
             ],
             "description": "Library that provides collection, processing, and rendering functionality for PHP code coverage information.",
@@ -6095,7 +6680,7 @@
                 "testing",
                 "xunit"
             ],
-            "time": "2019-07-08T05:29:42+00:00"
+            "time": "2019-07-25T05:31:54+00:00"
         },
         {
             "name": "phpunit/php-file-iterator",
@@ -6239,16 +6824,16 @@
         },
         {
             "name": "phpunit/php-token-stream",
-            "version": "3.0.2",
+            "version": "3.1.0",
             "source": {
                 "type": "git",
                 "url": "https://github.com/sebastianbergmann/php-token-stream.git",
-                "reference": "c4a66b97f040e3e20b3aa2a243230a1c3a9f7c8c"
+                "reference": "e899757bb3df5ff6e95089132f32cd59aac2220a"
             },
             "dist": {
                 "type": "zip",
-                "url": "https://api.github.com/repos/sebastianbergmann/php-token-stream/zipball/c4a66b97f040e3e20b3aa2a243230a1c3a9f7c8c",
-                "reference": "c4a66b97f040e3e20b3aa2a243230a1c3a9f7c8c",
+                "url": "https://api.github.com/repos/sebastianbergmann/php-token-stream/zipball/e899757bb3df5ff6e95089132f32cd59aac2220a",
+                "reference": "e899757bb3df5ff6e95089132f32cd59aac2220a",
                 "shasum": ""
             },
             "require": {
@@ -6261,7 +6846,7 @@
             "type": "library",
             "extra": {
                 "branch-alias": {
-                    "dev-master": "3.0-dev"
+                    "dev-master": "3.1-dev"
                 }
             },
             "autoload": {
@@ -6284,7 +6869,7 @@
             "keywords": [
                 "tokenizer"
             ],
-            "time": "2019-07-08T05:24:54+00:00"
+            "time": "2019-07-25T05:29:42+00:00"
         },
         {
             "name": "phpunit/phpunit",
@@ -6356,8 +6941,8 @@
             "authors": [
                 {
                     "name": "Sebastian Bergmann",
-                    "email": "sebastian@phpunit.de",
-                    "role": "lead"
+                    "role": "lead",
+                    "email": "sebastian@phpunit.de"
                 }
             ],
             "description": "The PHP Unit Testing framework.",
diff --git a/installation/sql/mysql/joomla.sql b/installation/sql/mysql/joomla.sql
index 1a19ae8598641..871813594ae45 100644
--- a/installation/sql/mysql/joomla.sql
+++ b/installation/sql/mysql/joomla.sql
@@ -690,7 +690,8 @@ INSERT INTO `#__extensions` (`package_id`, `name`, `type`, `element`, `folder`,
 (0, 'atum', 'template', 'atum', '', 1, 1, 1, 0, '', '', 0, '0000-00-00 00:00:00', 0, 0),
 (0, 'cassiopeia', 'template', 'cassiopeia', '', 0, 1, 1, 0, '', '{"logoFile":"","fluidContainer":"0","sidebarLeftWidth":"3","sidebarRightWidth":"3"}', 0, '0000-00-00 00:00:00', 0, 0),
 (0, 'files_joomla', 'file', 'joomla', '', 0, 1, 1, 1, '', '', 0, '0000-00-00 00:00:00', 0, 0),
-(0, 'English (en-GB) Language Pack', 'package', 'pkg_en-GB', '', 0, 1, 1, 1, '', '', 0, '0000-00-00 00:00:00', 0, 0);
+(0, 'English (en-GB) Language Pack', 'package', 'pkg_en-GB', '', 0, 1, 1, 1, '', '', 0, '0000-00-00 00:00:00', 0, 0),
+(0, 'plg_system_webauthn', 'plugin', 'webauthn', 'system', 0, 1, 1, 0, '', '{}', 0, '0000-00-00 00:00:00', 0, 0);
 
 INSERT INTO `#__extensions` (`package_id`, `name`, `type`, `element`, `folder`, `client_id`, `enabled`, `access`, `protected`, `manifest_cache`, `params`, `checked_out`, `checked_out_time`, `ordering`, `state`)
 SELECT `extension_id`, 'English (en-GB)', 'language', 'en-GB', '', 0, 1, 1, 1, '', '', 0, '0000-00-00 00:00:00', 0, 0 FROM `#__extensions` WHERE `name` = 'English (en-GB) Language Pack';
@@ -2206,6 +2207,24 @@ INSERT INTO `#__viewlevels` (`id`, `title`, `ordering`, `rules`) VALUES
 
 -- --------------------------------------------------------
 
+--
+-- Table structure for table `#__webauthn_credentials#__webauthn_credentials`
+--
+
+CREATE TABLE IF NOT EXISTS `#__webauthn_credentials`
+(
+    `id`         VARCHAR(1000)   NOT NULL COMMENT 'Credential ID',
+    `user_id`    BIGINT UNSIGNED NOT NULL COMMENT 'Joomla User ID',
+    `label`      VARCHAR(190)    NOT NULL COMMENT 'Human readable label',
+    `credential` MEDIUMTEXT      NOT NULL COMMENT 'Credential source data, JSON format',
+    PRIMARY KEY (`id`(100)),
+    INDEX (`user_id`(100))
+) ENGINE = InnoDB
+  DEFAULT CHARSET = utf8mb4
+  DEFAULT COLLATE = utf8mb4_unicode_ci;
+
+-- --------------------------------------------------------
+
 --
 -- Table structure for table `#__workflows`
 --
diff --git a/installation/sql/postgresql/joomla.sql b/installation/sql/postgresql/joomla.sql
index 66fa6571547dc..42d96b2327d56 100644
--- a/installation/sql/postgresql/joomla.sql
+++ b/installation/sql/postgresql/joomla.sql
@@ -703,9 +703,10 @@ INSERT INTO "#__extensions" ("package_id", "name", "type", "element", "folder",
 (0, 'atum', 'template', 'atum', '', 1, 1, 1, 0, '', '', 0, '1970-01-01 00:00:00', 0, 0),
 (0, 'cassiopeia', 'template', 'cassiopeia', '', 0, 1, 1, 0, '', '{"logoFile":"","fluidContainer":"0","sidebarLeftWidth":"3","sidebarRightWidth":"3"}', 0, '1970-01-01 00:00:00', 0, 0),
 (0, 'files_joomla', 'file', 'joomla', '', 0, 1, 1, 1, '', '', 0, '1970-01-01 00:00:00', 0, 0),
-(0, 'English (en-GB) Language Pack', 'package', 'pkg_en-GB', '', 0, 1, 1, 1, '', '', 0, '1970-01-01 00:00:00', 0, 0);
+(0, 'English (en-GB) Language Pack', 'package', 'pkg_en-GB', '', 0, 1, 1, 1, '', '', 0, '1970-01-01 00:00:00', 0, 0),
+(0, 'plg_system_webauthn', 'plugin', 'webauthn', 'system', 0, 1, 1, 0, '', '{}', 0, '1970-01-01 00:00:00', 8, 0);
 
-INSERT INTO "#__extensions" ("package_id", "name", "type", "element", "folder", "client_id", "enabled", "access", "protected", "manifest_cache", "params", "checked_out", "checked_out_time", "ordering", "state")
+    INSERT INTO "#__extensions" ("package_id", "name", "type", "element", "folder", "client_id", "enabled", "access", "protected", "manifest_cache", "params", "checked_out", "checked_out_time", "ordering", "state")
 SELECT "extension_id", 'English (en-GB)', 'language', 'en-GB', '', 0, 1, 1, 1, '', '', 0, '1970-01-01 00:00:00', 0, 0 FROM "#__extensions" WHERE "name" = 'English (en-GB) Language Pack';
 INSERT INTO "#__extensions" ("package_id", "name", "type", "element", "folder", "client_id", "enabled", "access", "protected", "manifest_cache", "params", "checked_out", "checked_out_time", "ordering", "state")
 SELECT "extension_id", 'English (en-GB)', 'language', 'en-GB', '', 1, 1, 1, 1, '', '', 0, '1970-01-01 00:00:00', 0, 0 FROM "#__extensions" WHERE "name" = 'English (en-GB) Language Pack';
@@ -2212,6 +2213,21 @@ INSERT INTO "#__viewlevels" ("id", "title", "ordering", "rules") VALUES
 
 SELECT setval('#__viewlevels_id_seq', 7, false);
 
+--
+-- Table structure for table "#__webauthn_credentials"
+--
+
+CREATE TABLE IF NOT EXISTS "#__webauthn_credentials"
+(
+    "id"         varchar(1000)    NOT NULL,
+	"user_id"    varchar(128)     NOT NULL,
+    "label"      varchar(190)     NOT NULL,
+    "credential" TEXT             NOT NULL,
+    PRIMARY KEY ("id")
+);
+
+CREATE INDEX "#__webauthn_credentials_user_id" ON "#__webauthn_credentials" ("user_id");
+
 --
 -- Table structure for table "#__workflows"
 --
diff --git a/layouts/plugins/system/webauthn/manage.php b/layouts/plugins/system/webauthn/manage.php
new file mode 100644
index 0000000000000..2429ce62cb2ed
--- /dev/null
+++ b/layouts/plugins/system/webauthn/manage.php
@@ -0,0 +1,127 @@
+<?php
+/**
+ * @package     Joomla.Plugin
+ * @subpackage  System.updatenotification
+ *
+ * @copyright   Copyright (C) 2005 - 2019 Open Source Matters, Inc. All rights reserved.
+ * @license     GNU General Public License version 2 or later; see LICENSE.txt
+ */
+
+use Joomla\CMS\Factory;
+use Joomla\CMS\HTML\HTMLHelper;
+use Joomla\CMS\Language\Text;
+use Joomla\CMS\Layout\FileLayout;
+use Joomla\CMS\Uri\Uri;
+use Joomla\CMS\User\User;
+use Joomla\CMS\User\UserHelper;
+use Joomla\Plugin\System\Webauthn\Helper\CredentialsCreation;
+use Joomla\Plugin\System\Webauthn\Helper\Joomla;
+
+/**
+ * Passwordless Login management interface
+ *
+ *
+ * Generic data
+ *
+ * @var   FileLayout $this        The Joomla layout renderer
+ * @var   array      $displayData The data in array format. DO NOT USE.
+ *
+ * Layout specific data
+ *
+ * @var   User       $user        The Joomla user whose passwordless login we are managing
+ * @var   bool       $allow_add   Are we allowed to add passwordless login methods
+ * @var   array      $credentials The already stored credentials for the user
+ * @var   string     $error       Any error messages
+ */
+
+/**
+ * Note about the use of short echo tags.
+ *
+ * Starting with PHP 5.4.0, short echo tags are always recognized and parsed regardless of the short_open_tag setting
+ * in your php.ini. Since we only support *much* newer versions of PHP we can use this construct instead of regular
+ * echos to keep the code easier to read.
+ */
+
+// Extract the data. Do not remove until the unset() line.
+extract(array_merge([
+	'user'        => Factory::getApplication()->getIdentity(),
+	'allow_add'   => false,
+	'credentials' => [],
+	'error'       => '',
+], $displayData));
+
+HTMLHelper::_('stylesheet', 'plg_system_webauthn/backend.css', [
+	'relative' => true,
+]);
+
+/**
+ * Why not push these configuration variables directly to JavaScript?
+ *
+ * We need to reload them every time we return from an attempt to authorize an authenticator. Whenever that
+ * happens we push raw HTML to the page. However, any SCRIPT tags in that HTML do not get parsed, i.e. they
+ * do not replace existing values. This causes any retries to fail. By using a data storage object we circumvent
+ * that problem.
+ */
+$randomId    = 'plg_system_webauthn_' . UserHelper::genRandomPassword(32);
+$publicKey   = $allow_add ? base64_encode(CredentialsCreation::createPublicKey($user)) : '{}';
+$postbackURL = base64_encode(rtrim(Uri::base(), '/') . '/index.php?' . Joomla::getToken() . '=1');
+?>
+<div class="plg_system_webauthn" id="plg_system_webauthn-management-interface">
+    <span id="<?= $randomId ?>"
+          data-public_key="<?= $publicKey ?>"
+          data-postback_url="<?= $postbackURL ?>"
+    ></span>
+
+	<?php if (is_string($error) && !empty($error)): ?>
+        <div class="alert alert-danger">
+			<?= htmlentities($error) ?>
+        </div>
+	<?php endif; ?>
+
+    <table class="table table-striped">
+        <thead class="thead-dark">
+        <tr>
+            <th><?= Text::_('PLG_SYSTEM_WEBAUTHN_MANAGE_FIELD_KEYLABEL_LABEL') ?></th>
+            <th><?= Text::_('PLG_SYSTEM_WEBAUTHN_MANAGE_HEADER_ACTIONS_LABEL') ?></th>
+        </tr>
+        </thead>
+        <tbody>
+		<?php foreach ($credentials as $method): ?>
+            <tr data-credential_id="<?= $method['id'] ?>">
+                <td><?= htmlentities($method['label']) ?></td>
+                <td>
+                    <button onclick="return plgSystemWebauthnEditLabel(this, '<?= $randomId ?>');"
+                       class="btn btn-secondary">
+                        <span class="icon-edit icon-white"></span>
+						<?= Text::_('PLG_SYSTEM_WEBAUTHN_MANAGE_BTN_EDIT_LABEL') ?>
+                    </button>
+                    <button onclick="return plgSystemWebauthnDelete(this, '<?= $randomId ?>');"
+                       class="btn btn-danger">
+                        <span class="icon-minus-sign icon-white"></span>
+						<?= Text::_('PLG_SYSTEM_WEBAUTHN_MANAGE_BTN_DELETE_LABEL') ?>
+                    </button>
+                </td>
+            </tr>
+		<?php endforeach; ?>
+		<?php if (empty($credentials)): ?>
+            <tr>
+                <td colspan="2">
+					<?= Text::_('PLG_SYSTEM_WEBAUTHN_MANAGE_HEADER_NOMETHODS_LABEL') ?>
+                </td>
+            </tr>
+		<?php endif; ?>
+        </tbody>
+    </table>
+
+	<?php if ($allow_add): ?>
+		<p class="plg_system_webauthn-manage-add-container">
+			<button
+				type="button"
+				onclick="plgSystemWebauthnCreateCredentials('<?= $randomId ?>', '#plg_system_webauthn-management-interface'); return false;"
+				class="btn btn-success btn-block">
+				<span class="icon-plus icon-white"></span>
+				<?= Text::_('PLG_SYSTEM_WEBAUTHN_MANAGE_BTN_ADD_LABEL') ?>
+			</button>
+		</p>
+	<?php endif; ?>
+</div>
diff --git a/libraries/src/Application/AdministratorApplication.php b/libraries/src/Application/AdministratorApplication.php
index 5e805fbe6f481..c2f341dafa17b 100644
--- a/libraries/src/Application/AdministratorApplication.php
+++ b/libraries/src/Application/AdministratorApplication.php
@@ -30,6 +30,22 @@
  */
 class AdministratorApplication extends CMSApplication
 {
+	/**
+	 * List of allowed components for guests and users which do not have the core.login.admin privilege.
+	 *
+	 * By default we allow two core components:
+	 *
+	 * - com_login   Absolutely necessary to let users log into the backend of the site. Do NOT remove!
+	 * - com_ajax    Handle AJAX requests or other administrative callbacks without logging in. Required for
+	 *               passwordless authentication using WebAuthn.
+	 *
+	 * @var array
+	 */
+	protected $allowedUnprivilegedOptions = [
+		'com_login',
+		'com_ajax',
+	];
+
 	/**
 	 * Class constructor.
 	 *
@@ -487,20 +503,37 @@ protected function route()
 	 */
 	public function findOption(): string
 	{
-		$app = Factory::getApplication();
+		/** @var self $app */
+		$app    = Factory::getApplication();
 		$option = strtolower($app->input->get('option'));
-		$user = $app->getIdentity();
+		$user   = $app->getIdentity();
 
+		/**
+		 * Special handling for guest users and authenticated users without the Backend Login privilege.
+		 *
+		 * If the component they are trying to access is in the $this->allowedUnprivilegedOptions array we allow the
+		 * request to go through. Otherwise we force com_login to be loaded, letting the user (re)try authenticating
+		 * with a user account that has the Backend Login privilege.
+		 */
 		if ($user->get('guest') || !$user->authorise('core.login.admin'))
 		{
-			$option = 'com_login';
+			$option = in_array($option, $this->allowedUnprivilegedOptions) ? $option : 'com_login';
 		}
 
+		/**
+		 * If no component is defined in the request we will try to load com_cpanel, the administrator Control Panel
+		 * component. This allows the /administrator URL to display something meaningful after logging in instead of an
+		 * error.
+		 */
 		if (empty($option))
 		{
 			$option = 'com_cpanel';
 		}
 
+		/**
+		 * Force the option to the input object. This is necessary because we might have force-changed the component in
+		 * the two if-blocks above.
+		 */
 		$app->input->set('option', $option);
 
 		return $option;
diff --git a/libraries/src/Helper/AuthenticationHelper.php b/libraries/src/Helper/AuthenticationHelper.php
index 7adafb61d7b12..0fabb814854f7 100644
--- a/libraries/src/Helper/AuthenticationHelper.php
+++ b/libraries/src/Helper/AuthenticationHelper.php
@@ -10,6 +10,8 @@
 
 \defined('JPATH_PLATFORM') or die;
 
+use Exception;
+use Joomla\CMS\Application\CMSApplication;
 use Joomla\CMS\Factory;
 use Joomla\CMS\HTML\HTMLHelper;
 use Joomla\CMS\Language\Text;
@@ -57,4 +59,102 @@ public static function getTwoFactorMethods()
 
 		return $options;
 	}
+
+	/**
+	 * Get additional login buttons to add in a login module. These buttons can be used for authentication methods
+	 * external to Joomla such as WebAuthn, login with social media providers, login with third party providers or even
+	 * login with third party Single Sign On (SSO) services.
+	 *
+	 * Button definitions are returned by the onUserLoginButtons event handlers in plugins. By default, only system and
+	 * user plugins are taken into account. The former because they are always loaded. The latter are explicitly loaded
+	 * in this method.
+	 *
+	 * The onUserLoginButtons event handlers must conform to the following method definition:
+	 *
+	 * public function onUserLoginButtons(string $formId): array
+	 *
+	 * The onUserLoginButtons event handlers must return a simple array containing 0 or more button definitions.
+	 *
+	 * Each button definition is a hash array with the following keys:
+	 *
+	 * - label      The translation string used as the label and title of the button
+	 * - onclick    The onclick attribute, used to fire a JavaScript event
+	 * - id         The HTML ID of the button.
+	 * - icon       [optional] A CSS class for an optional icon displayed before the label; has precedence over 'image'
+	 * - image      [optional] An image path for an optional icon displayed before the label
+	 * - class      [optional] CSS class(es) to be added to the button
+	 *
+	 * @param   string  $formId           The HTML ID of the login form container.
+	 *
+	 * @return  array  Button definitions.
+	 *
+	 * @since 4.0.0
+	 */
+	public static function getLoginButtons(string $formId): array
+	{
+		// Get all the User plugins.
+		PluginHelper::importPlugin('user');
+
+		// Trigger the onUserLoginButtons event and return the button definitions.
+		try
+		{
+			/** @var CMSApplication $app */
+			$app = Factory::getApplication();
+		}
+		catch (Exception $e)
+		{
+			return [];
+		}
+
+		$results        = $app->triggerEvent('onUserLoginButtons', [$formId]);
+		$buttons        = [];
+
+		foreach ($results as $result)
+		{
+			// Did we get garbage back from the plugin?
+			if (!is_array($result) || empty($result))
+			{
+				continue;
+			}
+
+			// Did the developer accidentally return a single button definition instead of an array?
+			if (array_key_exists('label', $result))
+			{
+				$result = [$result];
+			}
+
+			// Process each button, making sure it conforms to the required definition
+			foreach ($result as $item)
+			{
+				// Force mandatory fields
+				$button = array_merge([
+					'label'   => '',
+					'icon'    => '',
+					'image'   => '',
+					'class'   => '',
+					'id'      => '',
+					'onclick' => '',
+				], $item);
+
+				// Unset anything that doesn't conform to a button definition
+				foreach (array_keys($button) as $key)
+				{
+					if (!in_array($key, ['label', 'icon', 'image', 'class', 'id', 'onclick']))
+					{
+						unset($button[$key]);
+					}
+				}
+
+				// We need a label and an onclick handler at the bare minimum
+				if (empty($button['label']) || empty($button['onclick']) || empty($button['id']))
+				{
+					continue;
+				}
+
+				$buttons[] = $button;
+			}
+		}
+
+		return $buttons;
+	}
 }
diff --git a/libraries/src/Plugin/CMSPlugin.php b/libraries/src/Plugin/CMSPlugin.php
index 50c86a5cc4513..dd562d9bd28e3 100644
--- a/libraries/src/Plugin/CMSPlugin.php
+++ b/libraries/src/Plugin/CMSPlugin.php
@@ -12,6 +12,7 @@
 
 use Joomla\CMS\Extension\PluginInterface;
 use Joomla\CMS\Factory;
+use Joomla\CMS\Language\Text;
 use Joomla\Event\AbstractEvent;
 use Joomla\Event\DispatcherAwareInterface;
 use Joomla\Event\DispatcherAwareTrait;
diff --git a/modules/mod_login/mod_login.php b/modules/mod_login/mod_login.php
index b51e486dc7f35..489c8c1dc3d16 100644
--- a/modules/mod_login/mod_login.php
+++ b/modules/mod_login/mod_login.php
@@ -9,16 +9,20 @@
 
 defined('_JEXEC') or die;
 
+use Joomla\CMS\Factory;
 use Joomla\CMS\Helper\AuthenticationHelper;
 use Joomla\CMS\Helper\ModuleHelper;
 use Joomla\Module\Login\Site\Helper\LoginHelper;
 
 $params->def('greeting', 1);
 
+// HTML IDs
+$formId           = "login-form-{$module->id}";
 $type             = LoginHelper::getType();
 $return           = LoginHelper::getReturnUrl($params, $type);
 $twofactormethods = AuthenticationHelper::getTwoFactorMethods();
-$user             = $app->getIdentity();
+$extraButtons     = AuthenticationHelper::getLoginButtons($formId);
+$user             = Factory::getUser();
 $layout           = $params->get('layout', 'default');
 
 // Logged users must load the logout sublayout
diff --git a/modules/mod_login/tmpl/default.php b/modules/mod_login/tmpl/default.php
index 26abbf5619400..f48c285b285e6 100644
--- a/modules/mod_login/tmpl/default.php
+++ b/modules/mod_login/tmpl/default.php
@@ -22,11 +22,11 @@
 Text::script('JSHOW');
 Text::script('JHIDE');
 ?>
-<form id="login-form-<?php echo $module->id; ?>" class="mod-login" action="<?php echo Route::_('index.php', true); ?>" method="post">
+<form id="<?= $formId ?>" class="mod-login" action="<?= Route::_('index.php', true); ?>" method="post">
 
 	<?php if ($params->get('pretext')) : ?>
 		<div class="mod-login__pretext pretext">
-			<p><?php echo $params->get('pretext'); ?></p>
+			<p><?= $params->get('pretext'); ?></p>
 		</div>
 	<?php endif; ?>
 
@@ -34,30 +34,30 @@
 		<div class="mod-login__username form-group">
 			<?php if (!$params->get('usetext', 0)) : ?>
 				<div class="input-group">
-					<input id="modlgn-username-<?php echo $module->id; ?>" type="text" name="username" class="form-control" placeholder="<?php echo Text::_('MOD_LOGIN_VALUE_USERNAME'); ?>">
+					<input id="modlgn-username-<?= $module->id ?>" type="text" name="username" class="form-control" placeholder="<?= Text::_('MOD_LOGIN_VALUE_USERNAME'); ?>">
 					<span class="input-group-append">
-						<label for="modlgn-username-<?php echo $module->id; ?>" class="sr-only"><?php echo Text::_('MOD_LOGIN_VALUE_USERNAME'); ?></label>
-						<span class="input-group-text icon-user" title="<?php echo Text::_('MOD_LOGIN_VALUE_USERNAME'); ?>"></span>
+						<label for="modlgn-username-<?= $module->id ?>" class="sr-only"><?= Text::_('MOD_LOGIN_VALUE_USERNAME'); ?></label>
+						<span class="input-group-text icon-user" title="<?= Text::_('MOD_LOGIN_VALUE_USERNAME'); ?>"></span>
 					</span>
 				</div>
 			<?php else : ?>
-				<label for="modlgn-username-<?php echo $module->id; ?>"><?php echo Text::_('MOD_LOGIN_VALUE_USERNAME'); ?></label>
-				<input id="modlgn-username-<?php echo $module->id; ?>" type="text" name="username" class="form-control" placeholder="<?php echo Text::_('MOD_LOGIN_VALUE_USERNAME'); ?>">
+				<label for="modlgn-username-<?= $module->id ?>"><?= Text::_('MOD_LOGIN_VALUE_USERNAME'); ?></label>
+				<input id="modlgn-username-<?= $module->id ?>" type="text" name="username" class="form-control" placeholder="<?= Text::_('MOD_LOGIN_VALUE_USERNAME'); ?>">
 			<?php endif; ?>
 		</div>
 
 		<div class="mod-login__password form-group">
 			<?php if (!$params->get('usetext', 0)) : ?>
 				<div class="input-group">
-					<input id="modlgn-passwd-<?php echo $module->id; ?>" type="password" name="password" class="form-control" placeholder="<?php echo Text::_('JGLOBAL_PASSWORD'); ?>">
+					<input id="modlgn-passwd-<?= $module->id ?>" type="password" name="password" class="form-control" placeholder="<?= Text::_('JGLOBAL_PASSWORD'); ?>">
 					<span class="input-group-append">
-						<span class="sr-only"><?php echo Text::_('JSHOW'); ?></span>
+						<span class="sr-only"><?= Text::_('JSHOW'); ?></span>
 						<span class="input-group-text icon-eye" aria-hidden="true"></span>
 					</span>
 				</div>
 			<?php else : ?>
-				<label for="modlgn-passwd-<?php echo $module->id; ?>"><?php echo Text::_('JGLOBAL_PASSWORD'); ?></label>
-				<input id="modlgn-passwd-<?php echo $module->id; ?>" type="password" name="password" class="form-control" placeholder="<?php echo Text::_('JGLOBAL_PASSWORD'); ?>">
+				<label for="modlgn-passwd-<?= $module->id ?>"><?= Text::_('JGLOBAL_PASSWORD'); ?></label>
+				<input id="modlgn-passwd-<?= $module->id ?>" type="password" name="password" class="form-control" placeholder="<?= Text::_('JGLOBAL_PASSWORD'); ?>">
 			<?php endif; ?>
 		</div>
 
@@ -66,18 +66,18 @@
 				<?php if (!$params->get('usetext', 0)) : ?>
 					<div class="input-group">
 						<span class="input-group-prepend">
-							<span class="input-group-text icon-star" title="<?php echo Text::_('JGLOBAL_SECRETKEY'); ?>"></span>
-							<label for="modlgn-secretkey-<?php echo $module->id; ?>" class="sr-only"><?php echo Text::_('JGLOBAL_SECRETKEY'); ?></label>
+							<span class="input-group-text icon-star" title="<?= Text::_('JGLOBAL_SECRETKEY'); ?>"></span>
+							<label for="modlgn-secretkey-<?= $module->id ?>" class="sr-only"><?= Text::_('JGLOBAL_SECRETKEY'); ?></label>
 						</span>
-						<input id="modlgn-secretkey-<?php echo $module->id; ?>" autocomplete="off" type="text" name="secretkey" class="form-control" placeholder="<?php echo Text::_('JGLOBAL_SECRETKEY'); ?>">
-						<span class="input-group-append" title="<?php echo Text::_('JGLOBAL_SECRETKEY_HELP'); ?>">
+						<input id="modlgn-secretkey-<?= $module->id ?>" autocomplete="off" type="text" name="secretkey" class="form-control" placeholder="<?= Text::_('JGLOBAL_SECRETKEY'); ?>">
+						<span class="input-group-append" title="<?= Text::_('JGLOBAL_SECRETKEY_HELP'); ?>">
 							<span class="input-group-text icon-help"></span>
 						</span>
 					</div>
 				<?php else : ?>
-					<label for="modlgn-secretkey-<?php echo $module->id; ?>"><?php echo Text::_('JGLOBAL_SECRETKEY'); ?></label>
-					<input id="modlgn-secretkey-<?php echo $module->id; ?>" autocomplete="off" type="text" name="secretkey" class="form-control" placeholder="<?php echo Text::_('JGLOBAL_SECRETKEY'); ?>">
-					<span class="btn width-auto" title="<?php echo Text::_('JGLOBAL_SECRETKEY_HELP'); ?>">
+					<label for="modlgn-secretkey-<?= $module->id ?>"><?= Text::_('JGLOBAL_SECRETKEY'); ?></label>
+					<input id="modlgn-secretkey-<?= $module->id ?>" autocomplete="off" type="text" name="secretkey" class="form-control" placeholder="<?= Text::_('JGLOBAL_SECRETKEY'); ?>">
+					<span class="btn width-auto" title="<?= Text::_('JGLOBAL_SECRETKEY_HELP'); ?>">
 						<span class="icon-help"></span>
 					</span>
 				<?php endif; ?>
@@ -86,17 +86,37 @@
 
 		<?php if (PluginHelper::isEnabled('system', 'remember')) : ?>
 			<div class="mod-login__remember form-group">
-				<div id="form-login-remember-<?php echo $module->id; ?>" class="form-check">
+				<div id="form-login-remember-<?= $module->id; ?>" class="form-check">
 					<label class="form-check-label">
 						<input type="checkbox" name="remember" class="form-check-input" value="yes">
-						<?php echo Text::_('MOD_LOGIN_REMEMBER_ME'); ?>
+						<?= Text::_('MOD_LOGIN_REMEMBER_ME'); ?>
 					</label>
 				</div>
 			</div>
 		<?php endif; ?>
 
+		<?php foreach($extraButtons as $button): ?>
+			<div class="mod-login__submit form-group">
+				<button type="button"
+				        class="btn btn-secondary <?= $button['class'] ?? '' ?>"
+				        onclick="<?= $button['onclick'] ?>"
+				        title="<?= Text::_($button['label']) ?>"
+				        id="<?= $button['id'] ?>"
+						>
+					<?php if (!empty($button['icon'])): ?>
+						<span class="<?= $button['icon'] ?>"></span>
+					<?php elseif (!empty($button['image'])): ?>
+						<?= HTMLHelper::_('image', $button['image'], Text::_('PLG_SYSTEM_WEBAUTHN_LOGIN_DESC'), [
+							'class' => 'icon',
+						], true) ?>
+					<?php endif; ?>
+					<?= Text::_($button['label']) ?>
+				</button>
+			</div>
+		<?php endforeach; ?>
+
 		<div class="mod-login__submit form-group">
-			<button type="submit" name="Submit" class="btn btn-primary"><?php echo Text::_('JLOGIN'); ?></button>
+			<button type="submit" name="Submit" class="btn btn-primary"><?= Text::_('JLOGIN'); ?></button>
 		</div>
 
 		<?php
@@ -104,27 +124,27 @@
 			<ul class="mod-login__options list-unstyled">
 			<?php if ($usersConfig->get('allowUserRegistration')) : ?>
 				<li>
-					<a href="<?php echo Route::_('index.php?option=com_users&view=registration'); ?>">
-					<?php echo Text::_('MOD_LOGIN_REGISTER'); ?> <span class="icon-arrow-right"></span></a>
+					<a href="<?= Route::_('index.php?option=com_users&view=registration'); ?>">
+					<?= Text::_('MOD_LOGIN_REGISTER'); ?> <span class="icon-arrow-right"></span></a>
 				</li>
 			<?php endif; ?>
 				<li>
-					<a href="<?php echo Route::_('index.php?option=com_users&view=remind'); ?>">
-					<?php echo Text::_('MOD_LOGIN_FORGOT_YOUR_USERNAME'); ?></a>
+					<a href="<?= Route::_('index.php?option=com_users&view=remind'); ?>">
+					<?= Text::_('MOD_LOGIN_FORGOT_YOUR_USERNAME'); ?></a>
 				</li>
 				<li>
-					<a href="<?php echo Route::_('index.php?option=com_users&view=reset'); ?>">
-					<?php echo Text::_('MOD_LOGIN_FORGOT_YOUR_PASSWORD'); ?></a>
+					<a href="<?= Route::_('index.php?option=com_users&view=reset'); ?>">
+					<?= Text::_('MOD_LOGIN_FORGOT_YOUR_PASSWORD'); ?></a>
 				</li>
 			</ul>
 		<input type="hidden" name="option" value="com_users">
 		<input type="hidden" name="task" value="user.login">
-		<input type="hidden" name="return" value="<?php echo $return; ?>">
-		<?php echo HTMLHelper::_('form.token'); ?>
+		<input type="hidden" name="return" value="<?= $return; ?>">
+		<?= HTMLHelper::_('form.token'); ?>
 	</div>
 	<?php if ($params->get('posttext')) : ?>
 		<div class="mod-login__posttext posttext">
-			<p><?php echo $params->get('posttext'); ?></p>
+			<p><?= $params->get('posttext'); ?></p>
 		</div>
 	<?php endif; ?>
 </form>
diff --git a/plugins/system/webauthn/Webauthn/CredentialRepository.php b/plugins/system/webauthn/Webauthn/CredentialRepository.php
new file mode 100644
index 0000000000000..a999cc042ee5d
--- /dev/null
+++ b/plugins/system/webauthn/Webauthn/CredentialRepository.php
@@ -0,0 +1,452 @@
+<?php
+/**
+ * @package     Joomla.Plugin
+ * @subpackage  System.updatenotification
+ *
+ * @copyright   Copyright (C) 2005 - 2019 Open Source Matters, Inc. All rights reserved.
+ * @license     GNU General Public License version 2 or later; see LICENSE.txt
+ */
+
+namespace Joomla\Plugin\System\Webauthn;
+
+use Exception;
+use InvalidArgumentException;
+use Joomla\CMS\Application\CMSApplication;
+use Joomla\CMS\Encrypt\Aes;
+use Joomla\CMS\Factory;
+use Joomla\CMS\Language\Text;
+use Joomla\CMS\User\UserFactoryInterface;
+use Joomla\Database\DatabaseDriver;
+use Joomla\Plugin\System\Webauthn\Helper\Joomla;
+use JsonException;
+use RuntimeException;
+use Throwable;
+use Webauthn\PublicKeyCredentialSource;
+use Webauthn\PublicKeyCredentialSourceRepository;
+use Webauthn\PublicKeyCredentialUserEntity;
+
+// Protect from unauthorized access
+defined('_JEXEC') or die();
+
+/**
+ * Handles the storage of WebAuthn credentials in the database
+ *
+ * @since   4.0.0
+ */
+class CredentialRepository implements PublicKeyCredentialSourceRepository
+{
+	/**
+	 * Returns a PublicKeyCredentialSource object given the public key credential ID
+	 *
+	 * @param   string   $publicKeyCredentialId
+	 *
+	 * @return  PublicKeyCredentialSource|null
+	 *
+	 * @since   4.0.0
+	 */
+	public function findOneByCredentialId(string $publicKeyCredentialId): ?PublicKeyCredentialSource
+	{
+		/** @var DatabaseDriver $db */
+		$db           = Factory::getContainer()->get('DatabaseDriver');
+		$credentialId = base64_encode($publicKeyCredentialId);
+		$query        = $db->getQuery(true)
+			->select($db->qn('credential'))
+			->from($db->qn('#__webauthn_credentials'))
+			->where($db->qn('id') . ' = :credentialId')
+			->bind(':credentialId', $credentialId);
+
+		$encrypted = $db->setQuery($query)->loadResult();
+
+		if (empty($encrypted))
+		{
+			return null;
+		}
+
+		$json = $this->decryptCredential($encrypted);
+
+		try
+		{
+			return PublicKeyCredentialSource::createFromArray(json_decode($json, true));
+		}
+		catch (Throwable $e)
+		{
+			return null;
+		}
+	}
+
+	/**
+	 * Returns all PublicKeyCredentialSource objects given a user entity. We only use the `id` property of the user
+	 * entity, cast to integer, as the Joomla user ID by which records are keyed in the database table.
+	 *
+	 * @return PublicKeyCredentialSource[]
+	 *
+	 * @since  4.0.0
+	 */
+	public function findAllForUserEntity(PublicKeyCredentialUserEntity $publicKeyCredentialUserEntity): array
+	{
+		/** @var DatabaseDriver $db */
+		$db         = Factory::getContainer()->get('DatabaseDriver');
+		$userHandle = $publicKeyCredentialUserEntity->getId();
+		$query      = $db->getQuery(true)
+			->select('*')
+			->from($db->qn('#__webauthn_credentials'))
+			->where($db->qn('user_id') . ' = :user_id')
+			->bind(':user_id', $userHandle);
+
+		try
+		{
+			$records = $db->setQuery($query)->loadAssocList();
+		}
+		catch (Exception $e)
+		{
+			return [];
+		}
+
+		$records = array_map(function ($record) {
+			try
+			{
+				$json = $this->decryptCredential($record['credential']);
+				$data = json_decode($json, true);
+			}
+			catch (JsonException $e)
+			{
+				return null;
+			}
+
+			if (empty($data))
+			{
+				return null;
+			}
+
+			try
+			{
+				return PublicKeyCredentialSource::createFromArray($data);
+			}
+			catch (InvalidArgumentException $e)
+			{
+				return null;
+			}
+		}, $records);
+
+		return array_filter($records, function ($record) {
+			return !is_null($record) && is_object($record) && ($record instanceof PublicKeyCredentialSource);
+		});
+	}
+
+	/**
+	 * Add or update an attested credential for a given user.
+	 *
+	 * @param   PublicKeyCredentialSource  $publicKeyCredentialSource  The public key credential source to store
+	 *
+	 * @return  void
+	 *
+	 * @since   4.0.0
+	 */
+	public function saveCredentialSource(PublicKeyCredentialSource $publicKeyCredentialSource): void
+	{
+		// Default values for saving a new credential source
+		$credentialId = base64_encode($publicKeyCredentialSource->getPublicKeyCredentialId());
+		$user         = Factory::getApplication()->getIdentity();
+		$o            = (object) [
+			'id'         => $credentialId,
+			'user_id'    => $this->getHandleFromUserId($user->id),
+			'label'      => Text::sprintf('PLG_SYSTEM_WEBAUTHN_LBL_DEFAULT_AUTHENTICATOR_LABEL', Joomla::formatDate('now')),
+			'credential' => json_encode($publicKeyCredentialSource),
+		];
+		$update = false;
+
+		/** @var DatabaseDriver $db */
+		$db     = Factory::getContainer()->get('DatabaseDriver');
+
+		// Try to find an existing record
+		try
+		{
+			$query     = $db->getQuery(true)
+				->select('*')
+				->from($db->qn('#__webauthn_credentials'))
+				->where($db->qn('id') . ' = :credentialId')
+				->bind(':credentialId', $credentialId);
+			$oldRecord = $db->setQuery($query)->loadObject();
+
+			if (is_null($oldRecord))
+			{
+				throw new Exception('This is a new record');
+			}
+
+			/**
+			 * Sanity check. The existing credential source must have the same user handle as the one I am trying to
+			 * save. Otherwise something fishy is going on.
+			 */
+			if ($oldRecord->user_id != $publicKeyCredentialSource->getUserHandle())
+			{
+				throw new RuntimeException(Text::_('PLG_SYSTEM_WEBAUTHN_ERR_CREDENTIAL_ID_ALREADY_IN_USE'));
+			}
+
+			$o->user_id = $oldRecord->user_id;
+			$o->label   = $oldRecord->label;
+			$update     = true;
+		}
+		catch (Exception $e)
+		{
+		}
+
+		$o->credential = $this->encryptCredential($o->credential);
+
+		if ($update)
+		{
+			$db->updateObject('#__webauthn_credentials', $o, ['id']);
+
+			return;
+		}
+
+		/**
+		 * This check is deliberately skipped for updates. When logging in the underlying library will try to save the
+		 * credential source. This is necessary to update the last known authenticator signature counter which prevents
+		 * replay attacks. When we are saving a new record, though, we have to make sure we are not a guest user. Hence
+		 * the check below.
+		 */
+		if ((is_null($user) || $user->guest))
+		{
+			throw new RuntimeException(Text::_('PLG_SYSTEM_WEBAUTHN_ERR_CANT_STORE_FOR_GUEST'));
+		}
+
+		$db->insertObject('#__webauthn_credentials', $o);
+	}
+
+	/**
+	 * Get all credential information for a given user ID. This is meant to only be used for displaying records.
+	 *
+	 * @param   int  $user_id  The user ID
+	 *
+	 * @return  array
+	 *
+	 * @since   4.0.0
+	 */
+	public function getAll(int $user_id): array
+	{
+		/** @var DatabaseDriver $db */
+		$db         = Factory::getContainer()->get('DatabaseDriver');
+		$userHandle = $this->getHandleFromUserId($user_id);
+		$query      = $db->getQuery(true)
+			->select('*')
+			->from($db->qn('#__webauthn_credentials'))
+			->where($db->qn('user_id') . ' = :user_id')
+			->bind(':user_id', $userHandle);
+
+		try
+		{
+			$results = $db->setQuery($query)->loadAssocList();
+		}
+		catch (Exception $e)
+		{
+			return [];
+		}
+
+		if (empty($results))
+		{
+			return [];
+		}
+
+		return $results;
+	}
+
+	/**
+	 * Do we have stored credentials under the specified Credential ID?
+	 *
+	 * @param   string  $credentialId
+	 *
+	 * @return  bool
+	 *
+	 * @since   4.0.0
+	 */
+	public function has(string $credentialId): bool
+	{
+		/** @var DatabaseDriver $db */
+		$db           = Factory::getContainer()->get('DatabaseDriver');
+		$credentialId = base64_encode($credentialId);
+		$query        = $db->getQuery(true)
+			->select('COUNT(*)')
+			->from($db->qn('#__webauthn_credentials'))
+			->where($db->qn('id') . ' = :credentialId')
+			->bind(':credentialId', $credentialId);
+
+		try
+		{
+			$count = $db->setQuery($query)->loadResult();
+
+			return $count > 0;
+		}
+		catch (Exception $e)
+		{
+			return false;
+		}
+	}
+
+	/**
+	 * Update the human readable label of a credential
+	 *
+	 * @param   string  $credentialId  The credential ID
+	 * @param   string  $label         The human readable label to set
+	 *
+	 * @return  void
+	 *
+	 * @since   4.0.0
+	 */
+	public function setLabel(string $credentialId, string $label): void
+	{
+		/** @var DatabaseDriver $db */
+		$db           = Factory::getContainer()->get('DatabaseDriver');
+		$credentialId = base64_encode($credentialId);
+		$o            = (object) [
+			'id'    => $credentialId,
+			'label' => $label,
+		];
+
+		$db->updateObject('#__webauthn_credentials', $o, ['id'], false);
+	}
+
+	/**
+	 * Remove stored credentials
+	 *
+	 * @param   string  $credentialId  The credentials ID to remove
+	 *
+	 * @return  void
+	 *
+	 * @since   4.0.0
+	 */
+	public function remove(string $credentialId): void
+	{
+		if (!$this->has($credentialId))
+		{
+			return;
+		}
+
+		/** @var DatabaseDriver $db */
+		$db           = Factory::getContainer()->get('DatabaseDriver');
+		$credentialId = base64_encode($credentialId);
+		$query        = $db->getQuery(true)
+			->delete($db->qn('#__webauthn_credentials'))
+			->where($db->qn('id') . ' = :credentialId')
+			->bind(':credentialId', $credentialId);
+
+		$db->setQuery($query)->execute();
+	}
+
+	/**
+	 * Return the user handle for the stored credential given its ID.
+	 *
+	 * The user handle must not be personally identifiable. Per https://w3c.github.io/webauthn/#user-handle it is
+	 * acceptable to have a salted hash with a salt private to our server, e.g. Joomla's secret. The only immutable
+	 * information in Joomla is the user ID so that's what we will be using.
+	 *
+	 * @param   string  $credentialId
+	 *
+	 * @return  string
+	 *
+	 * @since   4.0.0
+	 */
+	public function getUserHandleFor(string $credentialId): string
+	{
+		$publicKeyCredentialSource = $this->findOneByCredentialId($credentialId);
+
+		if (empty($publicKeyCredentialSource))
+		{
+			return '';
+		}
+
+		return $publicKeyCredentialSource->getUserHandle();
+	}
+
+	/**
+	 * Return a user handle given an integer Joomla user ID. We use the HMAC-SHA-256 of the user ID with the site's
+	 * secret as the key. Using it instead of SHA-512 is on purpose! WebAuthn only allows user handles up to 64 bytes
+	 * long.
+	 *
+	 * @param   int  $id  The user ID to convert
+	 *
+	 * @return  string  The user handle (HMAC-SHA-256 of the user ID)
+	 *
+	 * @since   4.0.0
+	 */
+	public function getHandleFromUserId(int $id): string
+	{
+		$key  = $this->getEncryptionKey();
+		$data = sprintf('%010u', $id);
+
+		return hash_hmac('sha256', $data, $key, false);
+	}
+
+	/**
+	 * Encrypt the credential source before saving it to the database
+	 *
+	 * @param   string   $credential  The unencrypted, JSON-encoded credential source
+	 *
+	 * @return  string  The encrypted credential source, base64 encoded
+	 *
+	 * @since   4.0.0
+	 */
+	private function encryptCredential(string $credential): string
+	{
+		$key = $this->getEncryptionKey();
+
+		if (empty($key))
+		{
+			return $credential;
+		}
+
+		$aes = new Aes($key, 256);
+
+		return $aes->encryptString($credential);
+	}
+
+	/**
+	 * Decrypt the credential source if it was already encrypted in the database
+	 *
+	 * @param   string  $credential  The encrypted credential source, base64 encoded
+	 *
+	 * @return  string  The decrypted, JSON-encoded credential source
+	 *
+	 * @since   4.0.0
+	 */
+	private function decryptCredential(string $credential): string
+	{
+		$key = $this->getEncryptionKey();
+
+		if (empty($key))
+		{
+			return $credential;
+		}
+
+		// Was the credential stored unencrypted (e.g. the site's secret was empty)?
+		if ((strpos($credential, '{') !== false) && (strpos($credential, '"publicKeyCredentialId"') !== false))
+		{
+			return $credential;
+		}
+
+		$aes = new Aes($key, 256);
+
+		return $aes->decryptString($credential);
+	}
+
+	/**
+	 * Get the site's secret, used as an encryption key
+	 *
+	 * @return  string
+	 *
+	 * @since   4.0.0
+	 */
+	private function getEncryptionKey(): string
+	{
+		try
+		{
+			$app    = Factory::getApplication();
+			$secret = $app->getConfig()->get('secret', '');
+		}
+		catch (Exception $e)
+		{
+			$secret = '';
+		}
+
+		return $secret;
+	}
+}
diff --git a/plugins/system/webauthn/Webauthn/Exception/AjaxNonCmsAppException.php b/plugins/system/webauthn/Webauthn/Exception/AjaxNonCmsAppException.php
new file mode 100644
index 0000000000000..85e3e9c0bb832
--- /dev/null
+++ b/plugins/system/webauthn/Webauthn/Exception/AjaxNonCmsAppException.php
@@ -0,0 +1,22 @@
+<?php
+/**
+ * @package     Joomla.Plugin
+ * @subpackage  System.updatenotification
+ *
+ * @copyright   Copyright (C) 2005 - 2019 Open Source Matters, Inc. All rights reserved.
+ * @license     GNU General Public License version 2 or later; see LICENSE.txt
+ */
+
+namespace Joomla\Plugin\System\Webauthn\Exception;
+
+use RuntimeException;
+
+/**
+ * Exception indicating that the Joomla application object is not a CMSApplication subclass.
+ *
+ * @since   4.0.0
+ */
+class AjaxNonCmsAppException extends RuntimeException
+{
+
+}
diff --git a/plugins/system/webauthn/Webauthn/Helper/CredentialsCreation.php b/plugins/system/webauthn/Webauthn/Helper/CredentialsCreation.php
new file mode 100644
index 0000000000000..07de28f3a26b7
--- /dev/null
+++ b/plugins/system/webauthn/Webauthn/Helper/CredentialsCreation.php
@@ -0,0 +1,365 @@
+<?php
+/**
+ * @package     Joomla.Plugin
+ * @subpackage  System.updatenotification
+ *
+ * @copyright   Copyright (C) 2005 - 2019 Open Source Matters, Inc. All rights reserved.
+ * @license     GNU General Public License version 2 or later; see LICENSE.txt
+ */
+
+namespace Joomla\Plugin\System\Webauthn\Helper;
+
+use CBOR\Decoder;
+use CBOR\OtherObject\OtherObjectManager;
+use CBOR\Tag\TagObjectManager;
+use Cose\Algorithm\Manager;
+use Cose\Algorithm\Signature\ECDSA;
+use Cose\Algorithm\Signature\EdDSA;
+use Cose\Algorithm\Signature\RSA;
+use Cose\Algorithms;
+use Exception;
+use Joomla\CMS\Application\CMSApplication;
+use Joomla\CMS\Crypt\Crypt;
+use Joomla\CMS\Factory;
+use Joomla\CMS\Language\Text;
+use Joomla\CMS\Uri\Uri;
+use Joomla\CMS\User\User;
+use Joomla\CMS\User\UserFactoryInterface;
+use Joomla\Plugin\System\Webauthn\CredentialRepository;
+use RuntimeException;
+use Webauthn\AttestationStatement\AndroidKeyAttestationStatementSupport;
+use Webauthn\AttestationStatement\AttestationObjectLoader;
+use Webauthn\AttestationStatement\AttestationStatementSupportManager;
+use Webauthn\AttestationStatement\FidoU2FAttestationStatementSupport;
+use Webauthn\AttestationStatement\NoneAttestationStatementSupport;
+use Webauthn\AttestationStatement\PackedAttestationStatementSupport;
+use Webauthn\AttestationStatement\TPMAttestationStatementSupport;
+use Webauthn\AuthenticationExtensions\AuthenticationExtensionsClientInputs;
+use Webauthn\AuthenticationExtensions\ExtensionOutputCheckerHandler;
+use Webauthn\AuthenticatorAttestationResponse;
+use Webauthn\AuthenticatorAttestationResponseValidator;
+use Webauthn\AuthenticatorSelectionCriteria;
+use Webauthn\PublicKeyCredentialCreationOptions;
+use Webauthn\PublicKeyCredentialDescriptor;
+use Webauthn\PublicKeyCredentialLoader;
+use Webauthn\PublicKeyCredentialParameters;
+use Webauthn\PublicKeyCredentialRpEntity;
+use Webauthn\PublicKeyCredentialSource;
+use Webauthn\PublicKeyCredentialUserEntity;
+use Webauthn\TokenBinding\TokenBindingNotSupportedHandler;
+use Zend\Diactoros\ServerRequestFactory;
+
+/**
+ * Helper class to aid in credentials creation (link an authenticator to a user account)
+ *
+ * @since   4.0.0
+ */
+abstract class CredentialsCreation
+{
+	/**
+	 * Create a public key for credentials creation. The result is a JSON string which can be used in Javascript code
+	 * with navigator.credentials.create().
+	 *
+	 * @param   User  $user The Joomla user to create the public key for
+	 *
+	 * @return  string
+	 *
+	 * @since   4.0.0
+	 */
+	public static function createPublicKey(User $user): string
+	{
+		/** @var CMSApplication $app */
+		try
+		{
+			$app      = Factory::getApplication();
+			$siteName = $app->getConfig()->get('sitename');
+		}
+		catch (Exception $e)
+		{
+			$siteName = 'Joomla! Site';
+		}
+
+		// Credentials repository
+		$repository = new CredentialRepository();
+
+		// Relaying Party -- Our site
+		$rpEntity = new PublicKeyCredentialRpEntity(
+			$siteName,
+			Uri::getInstance()->toString(['host']),
+			self::getSiteIcon()
+		);
+
+		// User Entity
+		$userEntity = new PublicKeyCredentialUserEntity(
+			$user->username,
+			$repository->getHandleFromUserId($user->id),
+			$user->name,
+			self::getAvatar($user, 64)
+		);
+
+		// Challenge
+		try
+		{
+			$challenge = random_bytes(32);
+		}
+		catch (Exception $e)
+		{
+			$challenge = Crypt::genRandomBytes(32);
+		}
+
+		// Public Key Credential Parameters
+		$publicKeyCredentialParametersList = [
+			new PublicKeyCredentialParameters('public-key', Algorithms::COSE_ALGORITHM_ES256),
+		];
+
+		// Timeout: 60 seconds (given in milliseconds)
+		$timeout = 60000;
+
+		// Devices to exclude (already set up authenticators)
+		$excludedPublicKeyDescriptors = [];
+		$records                      = $repository->findAllForUserEntity($userEntity);
+
+		/** @var PublicKeyCredentialSource $record */
+		foreach ($records as $record)
+		{
+			$excludedPublicKeyDescriptors[] = new PublicKeyCredentialDescriptor($record->getType(), $record->getCredentialPublicKey());
+		}
+
+		// Authenticator Selection Criteria (we used default values)
+		$authenticatorSelectionCriteria = new AuthenticatorSelectionCriteria();
+
+		// Extensions (not yet supported by the library)
+		$extensions = new AuthenticationExtensionsClientInputs();
+
+		// Attestation preference
+		$attestationPreference = PublicKeyCredentialCreationOptions::ATTESTATION_CONVEYANCE_PREFERENCE_NONE;
+
+		// Public key credential creation options
+		$publicKeyCredentialCreationOptions = new PublicKeyCredentialCreationOptions(
+			$rpEntity,
+			$userEntity,
+			$challenge,
+			$publicKeyCredentialParametersList,
+			$timeout,
+			$excludedPublicKeyDescriptors,
+			$authenticatorSelectionCriteria,
+			$attestationPreference,
+			$extensions
+		);
+
+		// Save data in the session
+		Joomla::setSessionVar('publicKeyCredentialCreationOptions', base64_encode(serialize($publicKeyCredentialCreationOptions)), 'plg_system_webauthn');
+		Joomla::setSessionVar('registration_user_id', $user->id, 'plg_system_webauthn');
+
+		return json_encode($publicKeyCredentialCreationOptions, JSON_UNESCAPED_SLASHES | JSON_UNESCAPED_UNICODE);
+	}
+
+	/**
+	 * Validate the authentication data returned by the device and return the public key credential source on success.
+	 *
+	 * An exception will be returned on error. Also, under very rare conditions, you may receive NULL instead of
+	 * a PublicKeyCredentialSource object which means that something was off in the returned data from the browser.
+	 *
+	 * @param   string  $data  The JSON-encoded data returned by the browser during the authentication flow
+	 *
+	 * @return  PublicKeyCredentialSource|null
+	 *
+	 * @since   4.0.0
+	 */
+	public static function validateAuthenticationData(string $data): ?PublicKeyCredentialSource
+	{
+		// Retrieve the PublicKeyCredentialCreationOptions object created earlier and perform sanity checks
+		$encodedOptions = Joomla::getSessionVar('publicKeyCredentialCreationOptions', null, 'plg_system_webauthn');
+
+		if (empty($encodedOptions))
+		{
+			throw new RuntimeException(Text::_('PLG_SYSTEM_WEBAUTHN_ERR_CREATE_NO_PK'));
+		}
+
+		try
+		{
+			$publicKeyCredentialCreationOptions = unserialize(base64_decode($encodedOptions));
+		}
+		catch (Exception $e)
+		{
+			$publicKeyCredentialCreationOptions = null;
+		}
+
+		if (!is_object($publicKeyCredentialCreationOptions) || !($publicKeyCredentialCreationOptions instanceof PublicKeyCredentialCreationOptions))
+		{
+			throw new RuntimeException(Text::_('PLG_SYSTEM_WEBAUTHN_ERR_CREATE_NO_PK'));
+		}
+
+		// Retrieve the stored user ID and make sure it's the same one in the request.
+		$storedUserId = Joomla::getSessionVar('registration_user_id', 0, 'plg_system_webauthn');
+
+		try
+		{
+			$myUser = Factory::getApplication()->getIdentity();
+		}
+		catch (Exception $e)
+		{
+			$dummyUserId = 0;
+			$myUser      = Factory::getContainer()->get(UserFactoryInterface::class)->loadUserById($dummyUserId);
+		}
+
+		$myUserId = $myUser->id;
+
+		if (($myUser->guest) || ($myUserId != $storedUserId))
+		{
+			throw new RuntimeException(Text::_('PLG_SYSTEM_WEBAUTHN_ERR_CREATE_INVALID_USER'));
+		}
+
+		// Cose Algorithm Manager
+		$coseAlgorithmManager               = new Manager();
+		$coseAlgorithmManager->add(new ECDSA\ES256());
+		$coseAlgorithmManager->add(new ECDSA\ES512());
+		$coseAlgorithmManager->add(new EdDSA\EdDSA());
+		$coseAlgorithmManager->add(new RSA\RS1());
+		$coseAlgorithmManager->add(new RSA\RS256());
+		$coseAlgorithmManager->add(new RSA\RS512());
+
+		// Create a CBOR Decoder object
+		$otherObjectManager = new OtherObjectManager();
+		$tagObjectManager   = new TagObjectManager();
+		$decoder            = new Decoder($tagObjectManager, $otherObjectManager);
+
+		// The token binding handler
+		$tokenBindingHandler = new TokenBindingNotSupportedHandler();
+
+		// Attestation Statement Support Manager
+		$attestationStatementSupportManager = new AttestationStatementSupportManager();
+		$attestationStatementSupportManager->add(new NoneAttestationStatementSupport());
+		$attestationStatementSupportManager->add(new FidoU2FAttestationStatementSupport($decoder));
+		//$attestationStatementSupportManager->add(new AndroidSafetyNetAttestationStatementSupport(HttpFactory::getHttp(), 'GOOGLE_SAFETYNET_API_KEY', new RequestFactory()));
+		$attestationStatementSupportManager->add(new AndroidKeyAttestationStatementSupport($decoder));
+		$attestationStatementSupportManager->add(new TPMAttestationStatementSupport());
+		$attestationStatementSupportManager->add(new PackedAttestationStatementSupport($decoder, $coseAlgorithmManager));
+
+		// Attestation Object Loader
+		$attestationObjectLoader = new AttestationObjectLoader($attestationStatementSupportManager, $decoder);
+
+		// Public Key Credential Loader
+		$publicKeyCredentialLoader = new PublicKeyCredentialLoader($attestationObjectLoader, $decoder);
+
+		// Credential Repository
+		$credentialRepository = new CredentialRepository();
+
+		// Extension output checker handler
+		$extensionOutputCheckerHandler = new ExtensionOutputCheckerHandler();
+
+		// Authenticator Attestation Response Validator
+		$authenticatorAttestationResponseValidator = new AuthenticatorAttestationResponseValidator(
+			$attestationStatementSupportManager,
+			$credentialRepository,
+			$tokenBindingHandler,
+			$extensionOutputCheckerHandler
+		);
+
+		// Any Throwable from this point will bubble up to the GUI
+
+		// We init the PSR-7 request object using Diactoros
+		$request = ServerRequestFactory::fromGlobals();
+
+		// Load the data
+		$publicKeyCredential = $publicKeyCredentialLoader->load(base64_decode($data));
+		$response            = $publicKeyCredential->getResponse();
+
+		// Check if the response is an Authenticator Attestation Response
+		if (!$response instanceof AuthenticatorAttestationResponse)
+		{
+			throw new RuntimeException('Not an authenticator attestation response');
+		}
+
+		// Check the response against the request
+		$authenticatorAttestationResponseValidator->check($response, $publicKeyCredentialCreationOptions, $request);
+
+		/**
+		 * Everything is OK here. You can get the Public Key Credential Source. This object should be persisted using
+		 * the Public Key Credential Source repository.
+		 */
+		$publicKeyCredentialSource = PublicKeyCredentialSource::createFromPublicKeyCredential(
+			$publicKeyCredential,
+			$publicKeyCredentialCreationOptions->getUser()->getId()
+		);
+
+		return $publicKeyCredentialSource;
+	}
+
+	/**
+	 * Try to find the site's favicon in the site's root, images, media, templates or current template directory.
+	 *
+	 * @return  string|null
+	 *
+	 * @since   4.0.0
+	 */
+	protected static function getSiteIcon(): ?string
+	{
+		$filenames = [
+			'apple-touch-icon.png',
+			'apple_touch_icon.png',
+			'favicon.ico',
+			'favicon.png',
+			'favicon.gif',
+			'favicon.bmp',
+			'favicon.jpg',
+			'favicon.svg',
+		];
+
+		try
+		{
+			$paths = [
+				'/',
+				'/images/',
+				'/media/',
+				'/templates/',
+				'/templates/' . Factory::getApplication()->getTemplate(),
+			];
+		}
+		catch (Exception $e)
+		{
+			return null;
+		}
+
+		foreach ($paths as $path)
+		{
+			foreach ($filenames as $filename)
+			{
+				$relFile  = $path . $filename;
+				$filePath = JPATH_BASE . $relFile;
+
+				if (is_file($filePath))
+				{
+					break 2;
+				}
+
+				$relFile = null;
+			}
+		}
+
+		if (is_null($relFile))
+		{
+			return null;
+		}
+
+		return rtrim(Uri::base(), '/') . '/' . ltrim($relFile, '/');
+	}
+
+	/**
+	 * Get the user's avatar (through Gravatar)
+	 *
+	 * @param   User  $user  The Joomla user object
+	 * @param   int   $size  The dimensions of the image to fetch (default: 64 pixels)
+	 *
+	 * @return  string  The URL to the user's avatar
+	 *
+	 * @since   4.0.0
+	 */
+	public static function getAvatar(User $user, int $size = 64)
+	{
+		$scheme = Uri::getInstance()->getScheme();
+		$subdomain = ($scheme == 'https') ? 'secure' : 'www';
+
+		return sprintf('%s://%s.gravatar.com/avatar/%s.jpg?s=%u&d=mm', $scheme, $subdomain, md5($user->email), $size);
+	}
+}
diff --git a/plugins/system/webauthn/Webauthn/Helper/Joomla.php b/plugins/system/webauthn/Webauthn/Helper/Joomla.php
new file mode 100644
index 0000000000000..d1b6064a9ab66
--- /dev/null
+++ b/plugins/system/webauthn/Webauthn/Helper/Joomla.php
@@ -0,0 +1,681 @@
+<?php
+/**
+ * @package     Joomla.Plugin
+ * @subpackage  System.updatenotification
+ *
+ * @copyright   Copyright (C) 2005 - 2019 Open Source Matters, Inc. All rights reserved.
+ * @license     GNU General Public License version 2 or later; see LICENSE.txt
+ */
+
+namespace Joomla\Plugin\System\Webauthn\Helper;
+
+// Protect from unauthorized access
+use DateTimeZone;
+use Exception;
+use JLoader;
+use Joomla\CMS\Application\BaseApplication;
+use Joomla\CMS\Application\CliApplication;
+use Joomla\CMS\Application\CMSApplication;
+use Joomla\CMS\Authentication\Authentication;
+use Joomla\CMS\Authentication\AuthenticationResponse;
+use Joomla\CMS\Date\Date;
+use Joomla\CMS\Factory;
+use Joomla\CMS\Language\Text;
+use Joomla\CMS\Layout\FileLayout;
+use Joomla\CMS\Log\Log;
+use Joomla\CMS\Plugin\PluginHelper;
+use Joomla\CMS\User\User;
+use Joomla\CMS\User\UserFactoryInterface;
+use Joomla\CMS\User\UserHelper;
+use Joomla\Registry\Registry;
+use RuntimeException;
+
+defined('_JEXEC') or die();
+
+/**
+ * A helper class for abstracting core features in Joomla! 3.4 and later, including 4.x
+ */
+abstract class Joomla
+{
+	/**
+	 * A fake session storage for CLI apps. Since CLI applications cannot have a session we are using a Registry object
+	 * we manage internally.
+	 *
+	 * @var     Registry
+	 * @since   4.0.0
+	 */
+	protected static $fakeSession = null;
+
+	/**
+	 * Are we inside the administrator application
+	 *
+	 * @var     bool
+	 * @since   4.0.0
+	 */
+	protected static $isAdmin = null;
+
+	/**
+	 * Are we inside a CLI application
+	 *
+	 * @var     bool
+	 * @since   4.0.0
+	 */
+	protected static $isCli = null;
+
+	/**
+	 * Which plugins have already registered a text file logger. Prevents double registration of a log file.
+	 *
+	 * @var     array
+	 * @since   4.0.0
+	 */
+	protected static $registeredLoggers = [];
+
+	/**
+	 * The current Joomla Document type
+	 *
+	 * @var     §string|null
+	 * @since   4.0.0
+	 */
+	protected static $joomlaDocumentType = null;
+
+	/**
+	 * Are we inside an administrator page?
+	 *
+	 * @param   CMSApplication  $app  The current CMS application which tells us if we are inside an admin page
+	 *
+	 * @return  bool
+	 *
+	 * @throws  Exception
+	 *
+	 * @since   4.0.0
+	 */
+	public static function isAdminPage(CMSApplication $app = null): bool
+	{
+		if (is_null(self::$isAdmin))
+		{
+			if (is_null($app))
+			{
+				$app = Factory::getApplication();
+			}
+
+			self::$isAdmin = $app->isClient('administrator');
+		}
+
+		return self::$isAdmin;
+	}
+
+	/**
+	 * Are we inside a CLI application
+	 *
+	 * @param   CMSApplication  $app  The current CMS application which tells us if we are inside an admin page
+	 *
+	 * @return  bool
+	 *
+	 * @since   4.0.0
+	 */
+	public static function isCli(CMSApplication $app = null): bool
+	{
+		if (is_null(self::$isCli))
+		{
+			if (is_null($app))
+			{
+				try
+				{
+					$app = Factory::getApplication();
+				}
+				catch (Exception $e)
+				{
+					$app = null;
+				}
+			}
+
+			if (is_null($app))
+			{
+				self::$isCli = true;
+			}
+
+			if (is_object($app))
+			{
+				self::$isCli = $app instanceof \Exception;
+
+				if (class_exists('Joomla\\CMS\\Application\\CliApplication'))
+				{
+					self::$isCli = self::$isCli || $app instanceof CliApplication;
+				}
+			}
+		}
+
+		return self::$isCli;
+	}
+
+	/**
+	 * Is the current user allowed to edit the social login configuration of $user? To do so I must either be editing my
+	 * own account OR I have to be a Super User.
+	 *
+	 * @param   User  $user  The user you want to know if we're allowed to edit
+	 *
+	 * @return  bool
+	 *
+	 * @since   4.0.0
+	 */
+	public static function canEditUser(User $user = null): bool
+	{
+		// I can edit myself
+		if (empty($user))
+		{
+			return true;
+		}
+
+		// Guests can't have social logins associated
+		if ($user->guest)
+		{
+			return false;
+		}
+
+		// Get the currently logged in used
+		try
+		{
+			$myUser = Factory::getApplication()->getIdentity();
+		}
+		catch (Exception $e)
+		{
+			// Cannot get the application; no user, therefore no edit privileges.
+			return false;
+		}
+
+		// Same user? I can edit myself
+		if ($myUser->id == $user->id)
+		{
+			return true;
+		}
+
+		// To edit a different user I must be a Super User myself. If I'm not, I can't edit another user!
+		if (!$myUser->authorise('core.admin'))
+		{
+			return false;
+		}
+
+		// I am a Super User editing another user. That's allowed.
+		return true;
+	}
+
+	/**
+	 * Helper method to render a JLayout.
+	 *
+	 * @param   string  $layoutFile   Dot separated path to the layout file, relative to base path (plugins/system/webauthn/layout)
+	 * @param   object  $displayData  Object which properties are used inside the layout file to build displayed output
+	 * @param   string  $includePath  Additional path holding layout files
+	 * @param   mixed   $options      Optional custom options to load. Registry or array format. Set 'debug'=>true to output debug information.
+	 *
+	 * @return  string
+	 *
+	 * @since   4.0.0
+	 */
+	public static function renderLayout(string $layoutFile, $displayData = null, string $includePath = '', array $options = []): string
+	{
+		$basePath = JPATH_SITE . '/plugins/system/webauthn/layout';
+		$layout   = new FileLayout($layoutFile, $basePath, $options);
+
+		if (!empty($includePath))
+		{
+			$layout->addIncludePath($includePath);
+		}
+
+		return $layout->render($displayData);
+	}
+
+	/**
+	 * Set a variable in the user session.
+	 *
+	 * This method cannot be replaced with a call to Factory::getSession->set(). This method takes into account running
+	 * under CLI, using a fake session storage. In the end of the day this plugin doesn't work under CLI but being able
+	 * to fake session storage under CLI means that we don't have to add gnarly if-blocks everywhere in the code to make
+	 * sure it doesn't break CLI either!
+	 *
+	 * @param   string  $name       The name of the variable to set
+	 * @param   string  $value      (optional) The value to set it to, default is null
+	 * @param   string  $namespace  (optional) The variable's namespace e.g. the component name. Default: 'default'
+	 *
+	 * @return  void
+	 *
+	 * @since   4.0.0
+	 */
+	public static function setSessionVar(string $name, ?string $value = null, string $namespace = 'default'): void
+	{
+		$qualifiedKey = "$namespace.$name";
+
+		if (self::isCli())
+		{
+			self::getFakeSession()->set($qualifiedKey, $value);
+
+			return;
+		}
+
+		if (version_compare(JVERSION, '3.99999.99999', 'lt'))
+		{
+			Factory::getSession()->set($name, $value, $namespace);
+
+			return;
+		}
+
+		Factory::getSession()->set($qualifiedKey, $value);
+	}
+
+	/**
+	 * Get a variable from the user session
+	 *
+	 * This method cannot be replaced with a call to Factory::getSession->get(). This method takes into account running
+	 * under CLI, using a fake session storage. In the end of the day this plugin doesn't work under CLI but being able
+	 * to fake session storage under CLI means that we don't have to add gnarly if-blocks everywhere in the code to make
+	 * sure it doesn't break CLI either!
+	 *
+	 * @param   string  $name       The name of the variable to set
+	 * @param   string  $default    (optional) The default value to return if the variable does not exit, default: null
+	 * @param   string  $namespace  (optional) The variable's namespace e.g. the component name. Default: 'default'
+	 *
+	 * @return  mixed
+	 *
+	 * @since   4.0.0
+	 */
+	public static function getSessionVar(string $name, ?string $default = null, string $namespace = 'default')
+	{
+		$qualifiedKey = "$namespace.$name";
+
+		if (self::isCli())
+		{
+			return self::getFakeSession()->get("$namespace.$name", $default);
+		}
+
+		if (version_compare(JVERSION, '3.99999.99999', 'lt'))
+		{
+			return Factory::getSession()->get($name, $default, $namespace);
+		}
+
+		return Factory::getSession()->get($qualifiedKey, $default);
+	}
+
+	/**
+	 * Unset a variable from the user session
+	 *
+	 * This method cannot be replaced with a call to Factory::getSession->set(). This method takes into account running
+	 * under CLI, using a fake session storage. In the end of the day this plugin doesn't work under CLI but being able
+	 * to fake session storage under CLI means that we don't have to add gnarly if-blocks everywhere in the code to make
+	 * sure it doesn't break CLI either!
+	 *
+	 * @param   string  $name       The name of the variable to unset
+	 * @param   string  $namespace  (optional) The variable's namespace e.g. the component name. Default: 'default'
+	 *
+	 * @return  void
+	 *
+	 * @since   4.0.0
+	 */
+	public static function unsetSessionVar(string $name, string $namespace = 'default'): void
+	{
+		self::setSessionVar($name, null, $namespace);
+	}
+
+	/**
+	 * Get a fake session registry for CLI applications
+	 *
+	 * @return  Registry
+	 *
+	 * @since   4.0.0
+	 */
+	protected static function getFakeSession(): Registry
+	{
+		if (!is_object(self::$fakeSession))
+		{
+			self::$fakeSession = new Registry();
+		}
+
+		return self::$fakeSession;
+	}
+
+	/**
+	 * Return the session token. This method goes through our session abstraction to prevent a fatal exception if it's
+	 * accidentally called under CLI.
+	 *
+	 * @return  mixed
+	 *
+	 * @since   4.0.0
+	 */
+	public static function getToken(): string
+	{
+		// For CLI apps we implement our own fake token system
+		if (self::isCli())
+		{
+			$token = self::getSessionVar('session.token');
+
+			// Create a token
+			if (is_null($token))
+			{
+				$token = UserHelper::genRandomPassword(32);
+
+				self::setSessionVar('session.token', $token);
+			}
+
+			return (string) $token;
+		}
+
+		// Web application, go through the regular Joomla! API.
+		return Factory::getSession()->getToken();
+	}
+
+	/**
+	 * Writes a log message to the debug log
+	 *
+	 * @param   string       $plugin     The Social Login plugin which generated this log message
+	 * @param   string       $message    The message to write to the log
+	 * @param   int          $priority   Log message priority, default is Log::DEBUG
+	 *
+	 * @return  void
+	 *
+	 * @since   4.0.0
+	 */
+	public static function log(string $plugin, string $message, $priority = Log::DEBUG): void
+	{
+		Log::add($message, $priority, 'webauthn.' . $plugin);
+	}
+
+	/**
+	 * Register a debug log file writer for a Social Login plugin.
+	 *
+	 * @param   string  $plugin  The Social Login plugin for which to register a debug log file writer
+	 *
+	 * @return  void
+	 *
+	 * @since   4.0.0
+	 */
+	public static function addLogger(string $plugin): void
+	{
+		// Make sure this logger is not already registered
+		if (in_array($plugin, self::$registeredLoggers))
+		{
+			return;
+		}
+
+		self::$registeredLoggers[] = $plugin;
+
+		// We only log errors unless Site Debug is enabled
+		$logLevels = Log::ERROR | Log::CRITICAL | Log::ALERT | Log::EMERGENCY;
+
+		if (defined('JDEBUG') && JDEBUG)
+		{
+			$logLevels = Log::ALL;
+		}
+
+		// Add a formatted text logger
+		Log::addLogger([
+			'text_file' => "webauthn_{$plugin}.php",
+			'text_entry_format' => '{DATETIME}	{PRIORITY} {CLIENTIP}	{MESSAGE}'
+		], $logLevels, [
+			"webauthn.{$plugin}"
+		]);
+	}
+
+	/**
+	 * Logs in a user to the site, bypassing the authentication plugins.
+	 *
+	 * @param   int              $userId  The user ID to log in
+	 * @param   BaseApplication  $app     The application we are running in. Skip to auto-detect (recommended).
+	 *
+	 * @throws  Exception
+	 *
+	 * @since   4.0.0
+	 */
+	public static function loginUser(int $userId, BaseApplication $app = null): void
+	{
+		// Trick the class auto-loader into loading the necessary classes
+		JLoader::import('joomla.user.authentication');
+		JLoader::import('joomla.plugin.helper');
+		JLoader::import('joomla.user.helper');
+		class_exists('Joomla\\CMS\\Authentication\\Authentication', true);
+
+		// Fake a successful login message
+		if (!is_object($app))
+		{
+			$app = Factory::getApplication();
+		}
+
+		$isAdmin = $app->isClient('administrator');
+		$user    = Factory::getContainer()->get(UserFactoryInterface::class)->loadUserById($userId);
+
+		// Does the user account have a pending activation?
+		if (!empty($user->activation))
+		{
+			throw new RuntimeException(Text::_('JGLOBAL_AUTH_ACCESS_DENIED'));
+		}
+
+		// Is the user account blocked?
+		if ($user->block)
+		{
+			throw new RuntimeException(Text::_('JGLOBAL_AUTH_ACCESS_DENIED'));
+		}
+
+		$statusSuccess = Authentication::STATUS_SUCCESS;
+
+		$response                = self::getAuthenticationResponseObject();
+		$response->status        = $statusSuccess;
+		$response->username      = $user->username;
+		$response->fullname      = $user->name;
+		$response->error_message = '';
+		$response->language      = $user->getParam('language');
+		$response->type          = 'Passwordless';
+
+		if ($isAdmin)
+		{
+			$response->language = $user->getParam('admin_language');
+		}
+
+		/**
+		 * Set up the login options.
+		 *
+		 * The 'remember' element forces the use of the Remember Me feature when logging in with Webauthn, as the
+		 * users would expect.
+		 *
+		 * The 'action' element is actually required by plg_user_joomla. It is the core ACL action the logged in user
+		 * must be allowed for the login to succeed. Please note that front-end and back-end logins use a different
+		 * action. This allows us to provide the social login button on both front- and back-end and be sure that if a
+		 * used with no backend access tries to use it to log in Joomla! will just slap him with an error message about
+		 * insufficient privileges - the same thing that'd happen if you tried to use your front-end only username and
+		 * password in a back-end login form.
+		 */
+		$options = [
+			'remember' => true,
+			'action'   => 'core.login.site',
+		];
+
+		if (Joomla::isAdminPage())
+		{
+			$options['action'] = 'core.login.admin';
+		}
+
+		// Run the user plugins. They CAN block login by returning boolean false and setting $response->error_message.
+		PluginHelper::importPlugin('user');
+
+		$results = $app->triggerEvent('onUserLogin', [(array) $response, $options]);
+
+		// If there is no boolean FALSE result from any plugin the login is successful.
+		if (in_array(false, $results, true) == false)
+		{
+			// Set the user in the session, letting Joomla! know that we are logged in.
+			Factory::getSession()->set('user', $user);
+
+			// Trigger the onUserAfterLogin event
+			$options['user']         = $user;
+			$options['responseType'] = $response->type;
+
+			// The user is successfully logged in. Run the after login events
+			$app->triggerEvent('onUserAfterLogin', [$options]);
+
+			return;
+		}
+
+		// If we are here the plugins marked a login failure. Trigger the onUserLoginFailure Event.
+		$app->triggerEvent('onUserLoginFailure', [(array) $response]);
+
+		// Log the failure
+		Log::add($response->error_message, Log::WARNING, 'jerror');
+
+		// Throw an exception to let the caller know that the login failed
+		throw new RuntimeException($response->error_message);
+	}
+
+	/**
+	 * Returns a (blank) Joomla! authentication response
+	 *
+	 * @return  AuthenticationResponse
+	 *
+	 * @since   4.0.0
+	 */
+	public static function getAuthenticationResponseObject(): AuthenticationResponse
+	{
+		// Force the class auto-loader to load the JAuthentication class
+		JLoader::import('joomla.user.authentication');
+		class_exists('Joomla\\CMS\\Authentication\\Authentication', true);
+
+		return new AuthenticationResponse();
+	}
+
+	/**
+	 * Have Joomla! process a login failure
+	 *
+	 * @param   AuthenticationResponse  $response    The Joomla! auth response object
+	 * @param   BaseApplication         $app         The application we are running in. Skip to auto-detect (recommended).
+	 * @param   string                  $logContext  Logging context (plugin name). Default: system.
+	 *
+	 * @return  bool
+	 *
+	 * @throws  Exception
+	 *
+	 * @since   4.0.0
+	 */
+	public static function processLoginFailure(AuthenticationResponse $response, BaseApplication $app = null, string $logContext = 'system')
+	{
+		// Import the user plugin group.
+		PluginHelper::importPlugin('user');
+
+		if (!is_object($app))
+		{
+			$app = Factory::getApplication();
+		}
+
+		// Trigger onUserLoginFailure Event.
+		Joomla::log($logContext, "Calling onUserLoginFailure plugin event");
+		$app->triggerEvent('onUserLoginFailure', array((array) $response));
+
+		// If status is success, any error will have been raised by the user plugin
+		$expectedStatus = Authentication::STATUS_SUCCESS;
+
+		if ($response->status !== $expectedStatus)
+		{
+			Joomla::log($logContext, "The login failure has been logged in Joomla's error log");
+
+			// Everything logged in the 'jerror' category ends up being enqueued in the application message queue.
+			Log::add($response->error_message, Log::WARNING, 'jerror');
+		}
+		else
+		{
+			Joomla::log($logContext, "The login failure was caused by a third party user plugin but it did not return any further information. Good luck figuring this one out...", Log::WARNING);
+		}
+
+		return false;
+	}
+
+	/**
+	 * Format a date for display.
+	 *
+	 * The $tzAware parameter defines whether the formatted date will be timezone-aware. If set to false the formatted
+	 * date will be rendered in the UTC timezone. If set to true the code will automatically try to use the logged in
+	 * user's timezone or, if none is set, the site's default timezone (Server Timezone). If set to a positive integer
+	 * the same thing will happen but for the specified user ID instead of the currently logged in user.
+	 *
+	 * @param   string|\DateTime  $date     The date to format
+	 * @param   string            $format   The format string, default is Joomla's DATE_FORMAT_LC6 (usually "Y-m-d H:i:s")
+	 * @param   bool|int          $tzAware  Should the format be timezone aware? See notes above.
+	 *
+	 * @return  string
+	 *
+	 * @since   4.0.0
+	 */
+	public static function formatDate($date, ?string $format = null, bool $tzAware = true): string
+	{
+		$utcTimeZone = new DateTimeZone('UTC');
+		$jDate       = new Date($date, $utcTimeZone);
+
+		// Which timezone should I use?
+		$tz = null;
+
+		if ($tzAware !== false)
+		{
+			$userId = is_bool($tzAware) ? null : (int) $tzAware;
+
+			try
+			{
+				$tzDefault = Factory::getApplication()->get('offset');
+			}
+			catch (\Exception $e)
+			{
+				$tzDefault = 'GMT';
+			}
+
+			$user = Factory::getUser($userId);
+			$tz   = $user->getParam('timezone', $tzDefault);
+		}
+
+		if (!empty($tz))
+		{
+			try
+			{
+				$userTimeZone = new DateTimeZone($tz);
+
+				$jDate->setTimezone($userTimeZone);
+			}
+			catch (\Exception $e)
+			{
+				// Nothing. Fall back to UTC.
+			}
+		}
+
+		if (empty($format))
+		{
+			$format = Text::_('DATE_FORMAT_LC6');
+		}
+
+		return $jDate->format($format, true);
+	}
+
+	/**
+	 * Returns the current Joomla document type.
+	 *
+	 * The error catching is necessary because the application document object or even the application object itself may
+	 * have not yet been initialized. For example, a system plugin running inside a custom application object which does
+	 * not create a document object or which does not go through Joomla's Factory to create the application object. In
+	 * practice these are CLI and custom web applications used for maintenance and third party service callbacks. They
+	 * end up loading the system plugins but either don't go through Factory or at least don't create a document object.
+	 *
+	 * @return  string
+	 *
+	 * @since   4.0.0
+	 */
+	public static function getDocumentType(): string
+	{
+		if (is_null(self::$joomlaDocumentType))
+		{
+			try
+			{
+				/** @var CMSApplication $app */
+				$app      = Factory::getApplication();
+				$document = $app->getDocument();
+			}
+			catch (Exception $e)
+			{
+				$document = null;
+			}
+
+			self::$joomlaDocumentType = (is_null($document)) ? 'error' : $document->getType();
+		}
+
+		return self::$joomlaDocumentType;
+	}
+}
diff --git a/plugins/system/webauthn/Webauthn/PluginTraits/AdditionalLoginButtons.php b/plugins/system/webauthn/Webauthn/PluginTraits/AdditionalLoginButtons.php
new file mode 100644
index 0000000000000..1f05a88bee550
--- /dev/null
+++ b/plugins/system/webauthn/Webauthn/PluginTraits/AdditionalLoginButtons.php
@@ -0,0 +1,198 @@
+<?php
+/**
+ * @package     Joomla.Plugin
+ * @subpackage  System.updatenotification
+ *
+ * @copyright   Copyright (C) 2005 - 2019 Open Source Matters, Inc. All rights reserved.
+ * @license     GNU General Public License version 2 or later; see LICENSE.txt
+ */
+
+namespace Joomla\Plugin\System\Webauthn\PluginTraits;
+
+use Exception;
+use Joomla\CMS\Factory;
+use Joomla\CMS\Helper\AuthenticationHelper;
+use Joomla\CMS\HTML\HTMLHelper;
+use Joomla\CMS\Language\Text;
+use Joomla\CMS\Uri\Uri;
+use Joomla\CMS\User\UserHelper;
+use Joomla\Plugin\System\Webauthn\Helper\Integration;
+use Joomla\Plugin\System\Webauthn\Helper\Joomla;
+
+// Protect from unauthorized access
+defined('_JEXEC') or die();
+
+/**
+ * Inserts Webauthn buttons into login modules
+ *
+ * @since   4.0.0
+ */
+trait AdditionalLoginButtons
+{
+	/**
+	 * Do I need to I inject buttons? Automatically detected (i.e. disabled if I'm already logged in).
+	 *
+	 * @var     bool|null
+	 * @since   4.0.0
+	 */
+	protected $allowButtonDisplay = null;
+
+	/**
+	 * Have I already injected CSS and JavaScript? Prevents double inclusion of the same files.
+	 *
+	 * @var     bool
+	 * @since   4.0.0
+	 */
+	private $injectedCSSandJS = false;
+
+	/**
+	 * Should I allow this plugin to add a WebAuthn login button?
+	 *
+	 * @return  bool
+	 *
+	 * @since   4.0.0
+	 */
+	private function mustDisplayButton(): bool
+	{
+		if (is_null($this->allowButtonDisplay))
+		{
+			$this->allowButtonDisplay = false;
+
+			/**
+			 * Do not add a WebAuthn login button if we are already logged in
+			 */
+			try
+			{
+				if (!Factory::getApplication()->getIdentity()->guest)
+				{
+					return false;
+				}
+			}
+			catch (Exception $e)
+			{
+				return false;
+			}
+
+			/**
+			 * Don't try to show a button if we can't figure out if this is a front- or backend page (it's probably a
+			 * CLI or custom application).
+			 */
+			try
+			{
+				$isAdminPage = Joomla::isAdminPage();
+			}
+			catch (Exception $e)
+			{
+				return false;
+			}
+
+			/**
+			 * Only display a button on HTML output
+			 */
+			if (Joomla::getDocumentType() != 'html')
+			{
+				return false;
+			}
+
+			/**
+			 * WebAuthn only works on HTTPS. This is a security-related limitation of the W3C Web Authentication
+			 * specification, not an issue with this plugin :)
+			 */
+			if (!Uri::getInstance()->isSsl())
+			{
+				return false;
+			}
+
+			// All checks passed; we should allow displaying a WebAuthn login button
+			$this->allowButtonDisplay = true;
+		}
+
+		return $this->allowButtonDisplay;
+	}
+
+	/**
+	 * Creates additional login buttons
+	 *
+	 * @param   string  $form             The HTML ID of the form we are enclosed in
+	 *
+	 * @return  array
+	 *
+	 * @throws  Exception
+	 *
+	 * @see AuthenticationHelper::getLoginButtons()
+	 *
+	 * @since   4.0.0
+	 */
+	public function onUserLoginButtons(string $form): array
+	{
+		// If we determined we should not inject a button return early
+		if (!$this->mustDisplayButton())
+		{
+			return [];
+		}
+
+		// Load the language files
+		$this->loadLanguage();
+
+		// Load necessary CSS and Javascript files
+		$this->addLoginCSSAndJavascript();
+
+		// Return URL
+		$uri = new Uri(Uri::base() . 'index.php');
+		$uri->setVar(Joomla::getToken(), '1');
+
+		// Unique ID for this button (allows display of multiple modules on the page)
+		$randomId = 'plg_system_webauthn-' . UserHelper::genRandomPassword(12) . '-' . UserHelper::genRandomPassword(8);
+
+		// Set up the JavaScript callback
+		$url = $uri->toString();
+		$onClick = "return plgSystemWebauthnLogin('{$form}', '{$url}')";
+
+		return [
+			[
+				'label'   => 'PLG_SYSTEM_WEBAUTHN_LOGIN_LABEL',
+				'onclick' => $onClick,
+				'id'      => $randomId,
+				'image'   => 'plg_system_webauthn/webauthn-black.png',
+				'class'   => 'plg_system_webauthn_login_button',
+			],
+		];
+	}
+
+	/**
+	 * Injects the WebAuthn CSS and Javascript for frontend logins, but only once per page load.
+	 *
+	 * @return  void
+	 *
+	 * @since   4.0.0
+	 */
+	private function addLoginCSSAndJavascript(): void
+	{
+		if ($this->injectedCSSandJS)
+		{
+			return;
+		}
+
+		// Set the "don't load again" flag
+		$this->injectedCSSandJS = true;
+
+		// Load the CSS
+		HTMLHelper::_('stylesheet', 'plg_system_webauthn/button.css', [
+			'relative' => true,
+		]);
+
+		// Load the JavaScript
+		HTMLHelper::_('script', 'plg_system_webauthn/login.js', [
+			'relative'  => true,
+		]);
+
+		// Load language strings client-side
+		Text::script('PLG_SYSTEM_WEBAUTHN_ERR_CANNOT_FIND_USERNAME');
+		Text::script('PLG_SYSTEM_WEBAUTHN_ERR_EMPTY_USERNAME');
+		Text::script('PLG_SYSTEM_WEBAUTHN_ERR_INVALID_USERNAME');
+
+		// Store the current URL as the default return URL after login (or failure)
+		Joomla::setSessionVar('returnUrl', Uri::current(), 'plg_system_webauthn');
+	}
+
+}
diff --git a/plugins/system/webauthn/Webauthn/PluginTraits/AjaxHandler.php b/plugins/system/webauthn/Webauthn/PluginTraits/AjaxHandler.php
new file mode 100644
index 0000000000000..ca70dac4eb21e
--- /dev/null
+++ b/plugins/system/webauthn/Webauthn/PluginTraits/AjaxHandler.php
@@ -0,0 +1,172 @@
+<?php
+/**
+ * @package     Joomla.Plugin
+ * @subpackage  System.updatenotification
+ *
+ * @copyright   Copyright (C) 2005 - 2019 Open Source Matters, Inc. All rights reserved.
+ * @license     GNU General Public License version 2 or later; see LICENSE.txt
+ */
+
+namespace Joomla\Plugin\System\Webauthn\PluginTraits;
+
+use Joomla\Plugin\System\Webauthn\Helper\Joomla;
+use Joomla\Plugin\System\Webauthn\Exception\AjaxNonCmsAppException;
+use Exception;
+use Joomla\CMS\Application\CMSApplication;
+use Joomla\CMS\Factory;
+use Joomla\CMS\Language\Text;
+use Joomla\CMS\Log\Log;
+use Joomla\CMS\Uri\Uri;
+use RuntimeException;
+
+// Protect from unauthorized access
+defined('_JEXEC') or die();
+
+/**
+ * Allows the plugin to handle AJAX requests in the backend of the site, where com_ajax is not available when we are not
+ * logged in.
+ *
+ * @since   4.0.0
+ */
+trait AjaxHandler
+{
+	/**
+	 * Processes the callbacks from the passwordless login views.
+	 *
+	 * Note: this method is called from Joomla's com_ajax or, in the case of backend logins, through the special
+	 * onAfterInitialize handler we have created to work around com_ajax usage limitations in the backend.
+	 *
+	 * @return  void
+	 *
+	 * @throws  Exception
+	 *
+	 * @since   4.0.0
+	 */
+	public function onAjaxWebauthn(): void
+	{
+		// Load the language files
+		$this->loadLanguage();
+
+		/** @var CMSApplication $app */
+		$app   = Factory::getApplication();
+		$input = $app->input;
+
+		// Get the return URL from the session
+		$returnURL = Joomla::getSessionVar('returnUrl', Uri::base(), 'plg_system_webauthn');
+		$result = null;
+
+		try
+		{
+			Joomla::log('system', "Received AJAX callback.");
+
+			if (!($app instanceof CMSApplication))
+			{
+				throw new AjaxNonCmsAppException();
+			}
+
+			$input    = $app->input;
+			$akaction = $input->getCmd('akaction');
+			$token    = Joomla::getToken();
+
+			if ($input->getInt($token, 0) != 1)
+			{
+				throw new RuntimeException(Text::_('JERROR_ALERTNOAUTHOR'));
+			}
+
+			// Empty action? No bueno.
+			if (empty($akaction))
+			{
+				throw new RuntimeException(Text::_('PLG_SYSTEM_WEBAUTHN_ERR_AJAX_INVALIDACTION'));
+			}
+
+			// Call the plugin event onAjaxWebauthnSomething where Something is the akaction param.
+			$eventName = 'onAjaxWebauthn' . ucfirst($akaction);
+
+			$results = $app->triggerEvent($eventName, []);
+			$result = null;
+
+			foreach ($results as $r)
+			{
+				if (is_null($r))
+				{
+					continue;
+				}
+
+				$result = $r;
+
+				break;
+			}
+		}
+		catch (AjaxNonCmsAppException $e)
+		{
+			Joomla::log('system', "This is not a CMS application", Log::NOTICE);
+
+			$result = null;
+		}
+		catch (Exception $e)
+		{
+			Joomla::log('system', "Callback failure, redirecting to $returnURL.");
+			Joomla::setSessionVar('returnUrl', null, 'plg_system_webauthn');
+			$app->enqueueMessage($e->getMessage(), 'error');
+			$app->redirect($returnURL);
+
+			return;
+		}
+
+		if (!is_null($result))
+		{
+			switch ($input->getCmd('encoding', 'json'))
+			{
+				default:
+				case 'json':
+					Joomla::log('system', "Callback complete, returning JSON.");
+					echo json_encode($result);
+
+					break;
+
+				case 'jsonhash':
+					Joomla::log('system', "Callback complete, returning JSON inside ### markers.");
+					echo '###' . json_encode($result) . '###';
+
+					break;
+
+				case 'raw':
+					Joomla::log('system', "Callback complete, returning raw response.");
+					echo $result;
+
+					break;
+
+				case 'redirect':
+					$modifiers = '';
+
+					if (isset($result['message']))
+					{
+						$type = isset($result['type']) ? $result['type'] : 'info';
+						$app->enqueueMessage($result['message'], $type);
+
+						$modifiers = " and setting a system message of type $type";
+					}
+
+					if (isset($result['url']))
+					{
+						Joomla::log('system', "Callback complete, performing redirection to {$result['url']}{$modifiers}.");
+						$app->redirect($result['url']);
+					}
+
+
+					Joomla::log('system', "Callback complete, performing redirection to {$result}{$modifiers}.");
+					$app->redirect($result);
+
+					return;
+					break;
+			}
+
+			$app->close(200);
+		}
+
+		Joomla::log('system', "Null response from AJAX callback, redirecting to $returnURL");
+		Joomla::setSessionVar('returnUrl', null, 'plg_system_webauthn');
+
+		$app->redirect($returnURL);
+	}
+}
diff --git a/plugins/system/webauthn/Webauthn/PluginTraits/AjaxHandlerChallenge.php b/plugins/system/webauthn/Webauthn/PluginTraits/AjaxHandlerChallenge.php
new file mode 100644
index 0000000000000..5b186b46d672c
--- /dev/null
+++ b/plugins/system/webauthn/Webauthn/PluginTraits/AjaxHandlerChallenge.php
@@ -0,0 +1,146 @@
+<?php
+/**
+ * @package     Joomla.Plugin
+ * @subpackage  System.updatenotification
+ *
+ * @copyright   Copyright (C) 2005 - 2019 Open Source Matters, Inc. All rights reserved.
+ * @license     GNU General Public License version 2 or later; see LICENSE.txt
+ */
+
+namespace Joomla\Plugin\System\Webauthn\PluginTraits;
+
+use Joomla\Plugin\System\Webauthn\CredentialRepository;
+use Joomla\Plugin\System\Webauthn\Helper\Joomla;
+use Exception;
+use Joomla\CMS\Factory;
+use Joomla\CMS\Uri\Uri;
+use Joomla\CMS\User\UserHelper;
+use Throwable;
+use Webauthn\AuthenticationExtensions\AuthenticationExtensionsClientInputs;
+use Webauthn\PublicKeyCredentialDescriptor;
+use Webauthn\PublicKeyCredentialRequestOptions;
+use Webauthn\PublicKeyCredentialSource;
+use Webauthn\PublicKeyCredentialUserEntity;
+
+// Protect from unauthorized access
+defined('_JEXEC') or die();
+
+/**
+ * Ajax handler for akaction=challenge
+ *
+ * Generates the public key and challenge which is used by the browser when logging in with Webauthn. This is the bit
+ * which prevents tampering with the login process and replay attacks.
+ *
+ * @since   4.0.0
+ */
+trait AjaxHandlerChallenge
+{
+	/**
+	 * Returns the public key set for the user and a unique challenge in a Public Key Credential Request encoded as
+	 * JSON.
+	 *
+	 * @return  string  A JSON-encoded object or JSON-encoded false if the username is invalid or no credentials stored
+	 *
+	 * @throws  Exception
+	 *
+	 * @since   4.0.0
+	 */
+	public function onAjaxWebauthnChallenge()
+	{
+		// Load the language files
+		$this->loadLanguage();
+
+		// Initialize objects
+		$input      = Factory::getApplication()->input;
+		$repository = new CredentialRepository();
+
+		// Retrieve data from the request
+		$username  = $input->getUsername('username', '');
+		$returnUrl = base64_encode(Joomla::getSessionVar('returnUrl', Uri::current(), 'plg_system_webauthn'));
+		$returnUrl = $input->getBase64('returnUrl', $returnUrl);
+		$returnUrl = base64_decode($returnUrl);
+
+		// For security reasons the post-login redirection URL must be internal to the site.
+		if (!Uri::isInternal($returnUrl))
+		{
+			// If the URL wasn't internal redirect to the site's root.
+			$returnUrl = Uri::base();
+		}
+
+		Joomla::setSessionVar('returnUrl', $returnUrl, 'plg_system_webauthn');
+
+		// Do I have a username?
+		if (empty($username))
+		{
+			return json_encode(false);
+		}
+
+		// Is the username valid?
+		try
+		{
+			$user_id = UserHelper::getUserId($username);
+		}
+		catch (Exception $e)
+		{
+			$user_id = 0;
+		}
+
+		if ($user_id <= 0)
+		{
+			return json_encode(false);
+		}
+
+		// Load the saved credentials into an array of PublicKeyCredentialDescriptor objects
+		try
+		{
+			$userEntity  = new PublicKeyCredentialUserEntity('', $repository->getHandleFromUserId($user_id), '');
+			$credentials = $repository->findAllForUserEntity($userEntity);
+		}
+		catch (Exception $e)
+		{
+			return json_encode(false);
+		}
+
+		// No stored credentials?
+		if (empty($credentials))
+		{
+			return json_encode(false);
+		}
+
+		$registeredPublicKeyCredentialDescriptors = [];
+
+		/** @var PublicKeyCredentialSource $record */
+		foreach ($credentials as $record)
+		{
+			try
+			{
+				$registeredPublicKeyCredentialDescriptors[] = $record->getPublicKeyCredentialDescriptor();
+			}
+			catch (Throwable $e)
+			{
+				continue;
+			}
+		}
+
+		// Extensions
+		$extensions = new AuthenticationExtensionsClientInputs();
+
+		// Public Key Credential Request Options
+		$publicKeyCredentialRequestOptions = new PublicKeyCredentialRequestOptions(
+			random_bytes(32),
+			60000,
+			Uri::getInstance()->toString(['host']),
+			$registeredPublicKeyCredentialDescriptors,
+			PublicKeyCredentialRequestOptions::USER_VERIFICATION_REQUIREMENT_PREFERRED,
+			$extensions
+		);
+
+		// Save in session. This is used during the verification stage to prevent replay attacks.
+		Joomla::setSessionVar('publicKeyCredentialRequestOptions', base64_encode(serialize($publicKeyCredentialRequestOptions)), 'plg_system_webauthn');
+		Joomla::setSessionVar('userHandle', $repository->getHandleFromUserId($user_id), 'plg_system_webauthn');
+		Joomla::setSessionVar('userId', $user_id, 'plg_system_webauthn');
+
+		// Return the JSON encoded data to the caller
+		return json_encode($publicKeyCredentialRequestOptions, JSON_UNESCAPED_SLASHES | JSON_UNESCAPED_UNICODE);
+	}
+}
diff --git a/plugins/system/webauthn/Webauthn/PluginTraits/AjaxHandlerCreate.php b/plugins/system/webauthn/Webauthn/PluginTraits/AjaxHandlerCreate.php
new file mode 100644
index 0000000000000..79cc373a63ade
--- /dev/null
+++ b/plugins/system/webauthn/Webauthn/PluginTraits/AjaxHandlerCreate.php
@@ -0,0 +1,119 @@
+<?php
+/**
+ * @package     Joomla.Plugin
+ * @subpackage  System.updatenotification
+ *
+ * @copyright   Copyright (C) 2005 - 2019 Open Source Matters, Inc. All rights reserved.
+ * @license     GNU General Public License version 2 or later; see LICENSE.txt
+ */
+
+namespace Joomla\Plugin\System\Webauthn\PluginTraits;
+
+use Joomla\CMS\Application\CMSApplication;
+use Joomla\Plugin\System\Webauthn\CredentialRepository;
+use Joomla\Plugin\System\Webauthn\Helper\CredentialsCreation;
+use Joomla\Plugin\System\Webauthn\Helper\Joomla;
+use Exception;
+use Joomla\CMS\Factory;
+use Joomla\CMS\Language\Text;
+use Joomla\CMS\User\UserFactoryInterface;
+use RuntimeException;
+use Webauthn\AttestedCredentialData;
+use Webauthn\PublicKeyCredentialSource;
+
+// Protect from unauthorized access
+defined('_JEXEC') or die();
+
+/**
+ * Ajax handler for akaction=create
+ *
+ * Handles the browser postback for the credentials creation flow
+ *
+ * @since   4.0.0
+ */
+trait AjaxHandlerCreate
+{
+	/**
+	 * Handle the callback to add a new WebAuthn authenticator
+	 *
+	 * @return  string
+	 *
+	 * @throws  Exception
+	 *
+	 * @since   4.0.0
+	 */
+	public function onAjaxWebauthnCreate(): string
+	{
+		// Load the language files
+		$this->loadLanguage();
+
+		/**
+		 * Fundamental sanity check: this callback is only allowed after a Public Key has been created server-side and
+		 * the user it was created for matches the current user.
+		 *
+		 * This is also checked in the validateAuthenticationData() so why check here? In case we have the wrong user
+		 * I need to fail early with a Joomla error page instead of falling through the code and possibly displaying
+		 * someone else's Webauthn configuration thus mitigating a major privacy and security risk. So, please, DO NOT
+		 * remove this sanity check!
+		 */
+		$storedUserId = Joomla::getSessionVar('registration_user_id', 0, 'plg_system_webauthn');
+		$thatUser     = empty($storedUserId) ? Factory::getApplication()->getIdentity() : Factory::getContainer()->get(UserFactoryInterface::class)->loadUserById($storedUserId);
+		$myUser = Factory::getApplication()->getIdentity();
+
+		if ($thatUser->guest || ($thatUser->id != $myUser->id))
+		{
+			// Unset the session variables used for registering authenticators (security precaution).
+			Joomla::unsetSessionVar('registration_user_id', 'plg_system_webauthn');
+			Joomla::unsetSessionVar('publicKeyCredentialCreationOptions', 'plg_system_webauthn');
+
+			// Politely tell the presumed hacker trying to abuse this callback to go away.
+			throw new RuntimeException(Text::_('PLG_SYSTEM_WEBAUTHN_ERR_CREATE_INVALID_USER'));
+		}
+
+		// Get the credentials repository object. It's outside the try-catch because I also need it to display the GUI.
+		$credentialRepository = new CredentialRepository();
+
+		// Try to validate the browser data. If there's an error I won't save anything and pass the message to the GUI.
+		try
+		{
+			/** @var CMSApplication $app */
+			$app   = Factory::getApplication();
+			$input = $app->input;
+
+			// Retrieve the data sent by the device
+			$data = $input->get('data', '', 'raw');
+
+			$publicKeyCredentialSource = CredentialsCreation::validateAuthenticationData($data);
+
+			if (!is_object($publicKeyCredentialSource) || !($publicKeyCredentialSource instanceof PublicKeyCredentialSource))
+			{
+				throw new RuntimeException(Text::_('PLG_SYSTEM_WEBAUTHN_ERR_CREATE_NO_ATTESTED_DATA'));
+			}
+
+			$credentialRepository->saveCredentialSource($publicKeyCredentialSource);
+		}
+		catch (Exception $e)
+		{
+			$error                  = $e->getMessage();
+			$publicKeyCredentialSource = null;
+		}
+
+		// Unset the session variables used for registering authenticators (security precaution).
+		Joomla::unsetSessionVar('registration_user_id', 'plg_system_webauthn');
+		Joomla::unsetSessionVar('publicKeyCredentialCreationOptions', 'plg_system_webauthn');
+
+		// Render the GUI and return it
+		$layoutParameters = [
+			'user'        => $thatUser,
+			'allow_add'   => $thatUser->id == $myUser->id,
+			'credentials' => $credentialRepository->getAll($thatUser->id),
+		];
+
+		if (isset($error) && !empty($error))
+		{
+			$layoutParameters['error'] = $error;
+		}
+
+		return Joomla::renderLayout('plugins.system.webauthn.manage', $layoutParameters);
+	}
+}
diff --git a/plugins/system/webauthn/Webauthn/PluginTraits/AjaxHandlerDelete.php b/plugins/system/webauthn/Webauthn/PluginTraits/AjaxHandlerDelete.php
new file mode 100644
index 0000000000000..9fe9f9f64a07d
--- /dev/null
+++ b/plugins/system/webauthn/Webauthn/PluginTraits/AjaxHandlerDelete.php
@@ -0,0 +1,91 @@
+<?php
+/**
+ * @package     Joomla.Plugin
+ * @subpackage  System.updatenotification
+ *
+ * @copyright   Copyright (C) 2005 - 2019 Open Source Matters, Inc. All rights reserved.
+ * @license     GNU General Public License version 2 or later; see LICENSE.txt
+ */
+
+namespace Joomla\Plugin\System\Webauthn\PluginTraits;
+
+use Joomla\Plugin\System\Webauthn\CredentialRepository;
+use Joomla\Plugin\System\Webauthn\Helper\Joomla;
+use Exception;
+use Joomla\CMS\Application\CMSApplication;
+use Joomla\CMS\Factory;
+
+// Protect from unauthorized access
+defined('_JEXEC') or die();
+
+/**
+ * Ajax handler for akaction=savelabel
+ *
+ * Deletes a security key
+ */
+trait AjaxHandlerDelete
+{
+	/**
+	 * Handle the callback to remove an authenticator
+	 *
+	 * @return  bool
+	 * @throws  Exception
+	 *
+	 * @since   4.0.0
+	 */
+	public function onAjaxWebauthnDelete(): bool
+	{
+		// Load the language files
+		$this->loadLanguage();
+
+		// Initialize objects
+		/** @var CMSApplication $app */
+		$app        = Factory::getApplication();
+		$input      = $app->input;
+		$repository = new CredentialRepository();
+
+		// Retrieve data from the request
+		$credential_id = $input->getBase64('credential_id', '');
+
+		// Is this a valid credential?
+		if (empty($credential_id))
+		{
+			return false;
+		}
+
+		$credential_id = base64_decode($credential_id);
+
+		if (empty($credential_id) || !$repository->has($credential_id))
+		{
+			return false;
+		}
+
+		// Make sure I am editing my own key
+		try
+		{
+			$credential_handle = $repository->getUserHandleFor($credential_id);
+			$my_handle         = $repository->getHandleFromUserId($app->getIdentity()->id);
+		}
+		catch (Exception $e)
+		{
+			return false;
+		}
+
+		if ($credential_handle !== $my_handle)
+		{
+			return false;
+		}
+
+		// Delete the record
+		try
+		{
+			$repository->remove($credential_id);
+		}
+		catch (Exception $e)
+		{
+			return false;
+		}
+
+		return true;
+	}
+}
diff --git a/plugins/system/webauthn/Webauthn/PluginTraits/AjaxHandlerLogin.php b/plugins/system/webauthn/Webauthn/PluginTraits/AjaxHandlerLogin.php
new file mode 100644
index 0000000000000..7d3545f16615a
--- /dev/null
+++ b/plugins/system/webauthn/Webauthn/PluginTraits/AjaxHandlerLogin.php
@@ -0,0 +1,256 @@
+<?php
+/**
+ * @package     Joomla.Plugin
+ * @subpackage  System.updatenotification
+ *
+ * @copyright   Copyright (C) 2005 - 2019 Open Source Matters, Inc. All rights reserved.
+ * @license     GNU General Public License version 2 or later; see LICENSE.txt
+ */
+
+namespace Joomla\Plugin\System\Webauthn\PluginTraits;
+
+use CBOR\Decoder;
+use CBOR\OtherObject\OtherObjectManager;
+use CBOR\Tag\TagObjectManager;
+use Cose\Algorithm\Manager;
+use Cose\Algorithm\Signature\ECDSA;
+use Cose\Algorithm\Signature\EdDSA;
+use Cose\Algorithm\Signature\RSA;
+use Exception;
+use Joomla\CMS\Authentication\Authentication;
+use Joomla\CMS\Factory;
+use Joomla\CMS\Language\Text;
+use Joomla\CMS\Log\Log;
+use Joomla\CMS\Uri\Uri;
+use Joomla\CMS\User\UserFactoryInterface;
+use Joomla\Plugin\System\Webauthn\CredentialRepository;
+use Joomla\Plugin\System\Webauthn\Helper\Joomla;
+use RuntimeException;
+use Webauthn\AttestationStatement\AndroidKeyAttestationStatementSupport;
+use Webauthn\AttestationStatement\AttestationObjectLoader;
+use Webauthn\AttestationStatement\AttestationStatementSupportManager;
+use Webauthn\AttestationStatement\FidoU2FAttestationStatementSupport;
+use Webauthn\AttestationStatement\NoneAttestationStatementSupport;
+use Webauthn\AttestationStatement\PackedAttestationStatementSupport;
+use Webauthn\AttestationStatement\TPMAttestationStatementSupport;
+use Webauthn\AuthenticationExtensions\ExtensionOutputCheckerHandler;
+use Webauthn\AuthenticatorAssertionResponse;
+use Webauthn\AuthenticatorAssertionResponseValidator;
+use Webauthn\PublicKeyCredentialLoader;
+use Webauthn\PublicKeyCredentialRequestOptions;
+use Webauthn\TokenBinding\TokenBindingNotSupportedHandler;
+use Zend\Diactoros\ServerRequestFactory;
+
+// Protect from unauthorized access
+defined('_JEXEC') or die();
+
+/**
+ * Ajax handler for akaction=login
+ *
+ * Verifies the response received from the browser and logs in the user
+ */
+trait AjaxHandlerLogin
+{
+	/**
+	 * Returns the public key set for the user and a unique challenge in a Public Key Credential Request encoded as
+	 * JSON.
+	 *
+	 * @return  string  A JSON-encoded object or JSON-encoded false if the username is invalid or no credentials stored
+	 *
+	 * @throws  Exception
+	 *
+	 * @since   4.0.0
+	 */
+	public function onAjaxWebauthnLogin(): void
+	{
+		// Load the language files
+		$this->loadLanguage();
+
+		$returnUrl = Joomla::getSessionVar('returnUrl', Uri::base(), 'plg_system_webauthn');
+		$userId    = Joomla::getSessionVar('userId', 0, 'plg_system_webauthn');
+
+		try
+		{
+			// Sanity check
+			if (empty($userId))
+			{
+				throw new RuntimeException(Text::_('PLG_SYSTEM_WEBAUTHN_ERR_CREATE_INVALID_LOGIN_REQUEST'));
+			}
+
+			// Make sure the user exists
+			$user = Factory::getContainer()->get(UserFactoryInterface::class)->loadUserById($userId);
+
+			if ($user->id != $userId)
+			{
+				throw new RuntimeException(Text::_('PLG_SYSTEM_WEBAUTHN_ERR_CREATE_INVALID_LOGIN_REQUEST'));
+			}
+
+			// Validate the authenticator response
+			$this->validateResponse();
+
+			// Login the user
+			Joomla::log('system', "Logging in the user", Log::INFO);
+			Joomla::loginUser((int) $userId);
+		}
+		catch (\Throwable $e)
+		{
+			Joomla::setSessionVar('publicKeyCredentialRequestOptions', null, 'plg_system_webauthn');
+			Joomla::setSessionVar('userHandle', null, 'plg_system_webauthn');
+
+			$response                = Joomla::getAuthenticationResponseObject();
+			$response->status        = Authentication::STATUS_UNKNOWN;
+			$response->error_message = $e->getMessage();
+
+			Joomla::log('system', sprintf("Received login failure. Message: %s", $e->getMessage()), Log::ERROR);
+
+			// This also enqueues the login failure message for display after redirection. Look for JLog in that method.
+			Joomla::processLoginFailure($response, null, 'system');
+		}
+		finally
+		{
+			/**
+			 * This code needs to run no matter if the login succeeded or failed. It prevents replay attacks and takes
+			 * the user back to the page they started from.
+			 */
+
+			// Remove temporary information for security reasons
+			Joomla::setSessionVar('publicKeyCredentialRequestOptions', null, 'plg_system_webauthn');
+			Joomla::setSessionVar('userHandle', null, 'plg_system_webauthn');
+			Joomla::setSessionVar('returnUrl', null, 'plg_system_webauthn');
+			Joomla::setSessionVar('userId', null, 'plg_system_webauthn');
+
+			// Redirect back to the page we were before.
+			Factory::getApplication()->redirect($returnUrl);
+		}
+	}
+
+	/**
+	 * Validate the authenticator response sent to us by the browser.
+	 *
+	 * @throws  Exception
+	 *
+	 * @since   4.0.0
+	 */
+	private function validateResponse(): void
+	{
+		// Initialize objects
+		$input                = Factory::getApplication()->input;
+		$credentialRepository = new CredentialRepository();
+
+		// Retrieve data from the request and session
+		$data = $input->getBase64('data', '');
+		$data = base64_decode($data);
+
+		if (empty($data))
+		{
+			throw new RuntimeException(Text::_('PLG_SYSTEM_WEBAUTHN_ERR_CREATE_INVALID_LOGIN_REQUEST'));
+		}
+
+		$publicKeyCredentialRequestOptions = $this->getPKCredentialRequestOptions();
+
+		// Cose Algorithm Manager
+		$coseAlgorithmManager = new Manager();
+		$coseAlgorithmManager->add(new ECDSA\ES256());
+		$coseAlgorithmManager->add(new ECDSA\ES512());
+		$coseAlgorithmManager->add(new EdDSA\EdDSA());
+		$coseAlgorithmManager->add(new RSA\RS1());
+		$coseAlgorithmManager->add(new RSA\RS256());
+		$coseAlgorithmManager->add(new RSA\RS512());
+
+		// Create a CBOR Decoder object
+		$otherObjectManager = new OtherObjectManager();
+		$tagObjectManager   = new TagObjectManager();
+		$decoder            = new Decoder($tagObjectManager, $otherObjectManager);
+
+		// Attestation Statement Support Manager
+		$algorithmManager                   = new Manager();
+		$attestationStatementSupportManager = new AttestationStatementSupportManager();
+		$attestationStatementSupportManager->add(new NoneAttestationStatementSupport());
+		$attestationStatementSupportManager->add(new FidoU2FAttestationStatementSupport($decoder));
+		//$attestationStatementSupportManager->add(new AndroidSafetyNetAttestationStatementSupport(HttpFactory::getHttp(), 'GOOGLE_SAFETYNET_API_KEY', new RequestFactory()));
+		$attestationStatementSupportManager->add(new AndroidKeyAttestationStatementSupport($decoder));
+		$attestationStatementSupportManager->add(new TPMAttestationStatementSupport());
+		$attestationStatementSupportManager->add(new PackedAttestationStatementSupport($decoder, $coseAlgorithmManager));
+
+		// Attestation Object Loader
+		$attestationObjectLoader = new AttestationObjectLoader($attestationStatementSupportManager, $decoder);
+
+		// Public Key Credential Loader
+		$publicKeyCredentialLoader = new PublicKeyCredentialLoader($attestationObjectLoader, $decoder);
+
+		// The token binding handler
+		$tokenBindingHandler = new TokenBindingNotSupportedHandler();
+
+		// Extension Output Checker Handler
+		$extensionOutputCheckerHandler = new ExtensionOutputCheckerHandler();
+
+		// Authenticator Assertion Response Validator
+		$authenticatorAssertionResponseValidator = new AuthenticatorAssertionResponseValidator(
+			$credentialRepository,
+			$decoder,
+			$tokenBindingHandler,
+			$extensionOutputCheckerHandler,
+			$coseAlgorithmManager
+		);
+
+		// We init the Symfony Request object
+		$request = ServerRequestFactory::fromGlobals();
+
+		// Load the data
+		$publicKeyCredential = $publicKeyCredentialLoader->load($data);
+		$response            = $publicKeyCredential->getResponse();
+
+		// Check if the response is an Authenticator Assertion Response
+		if (!$response instanceof AuthenticatorAssertionResponse)
+		{
+			throw new \RuntimeException('Not an authenticator assertion response');
+		}
+
+		// Check the response against the attestation request
+		$userHandle = Joomla::getSessionVar('userHandle', null, 'plg_system_webauthn');
+		/** @var AuthenticatorAssertionResponse $authenticatorAssertionResponse */
+		$authenticatorAssertionResponse = $publicKeyCredential->getResponse();
+		$authenticatorAssertionResponseValidator->check(
+			$publicKeyCredential->getRawId(),
+			$authenticatorAssertionResponse,
+			$publicKeyCredentialRequestOptions,
+			$request,
+			$userHandle
+		);
+	}
+
+	/**
+	 * Retrieve the public key credential request options saved in the session. If they do not exist or are corrupt it
+	 * is a hacking attempt and we politely tell the hacker to go away.
+	 *
+	 * @return  PublicKeyCredentialRequestOptions
+	 *
+	 * @since   4.0.0
+	 */
+	private function getPKCredentialRequestOptions(): PublicKeyCredentialRequestOptions
+	{
+		$encodedOptions = Joomla::getSessionVar('publicKeyCredentialRequestOptions', null, 'plg_system_webauthn');
+
+		if (empty($encodedOptions))
+		{
+			throw new RuntimeException(Text::_('PLG_SYSTEM_WEBAUTHN_ERR_CREATE_INVALID_LOGIN_REQUEST'));
+		}
+
+		try
+		{
+			$publicKeyCredentialCreationOptions = unserialize(base64_decode($encodedOptions));
+		}
+		catch (Exception $e)
+		{
+			throw new RuntimeException(Text::_('PLG_SYSTEM_WEBAUTHN_ERR_CREATE_INVALID_LOGIN_REQUEST'));
+		}
+
+		if (!is_object($publicKeyCredentialCreationOptions) ||
+		!($publicKeyCredentialCreationOptions instanceof PublicKeyCredentialRequestOptions))
+		{
+			throw new RuntimeException(Text::_('PLG_SYSTEM_WEBAUTHN_ERR_CREATE_INVALID_LOGIN_REQUEST'));
+		}
+
+		return $publicKeyCredentialCreationOptions;
+	}
+}
diff --git a/plugins/system/webauthn/Webauthn/PluginTraits/AjaxHandlerSaveLabel.php b/plugins/system/webauthn/Webauthn/PluginTraits/AjaxHandlerSaveLabel.php
new file mode 100644
index 0000000000000..630d074cf231d
--- /dev/null
+++ b/plugins/system/webauthn/Webauthn/PluginTraits/AjaxHandlerSaveLabel.php
@@ -0,0 +1,98 @@
+<?php
+/**
+ * @package     Joomla.Plugin
+ * @subpackage  System.updatenotification
+ *
+ * @copyright   Copyright (C) 2005 - 2019 Open Source Matters, Inc. All rights reserved.
+ * @license     GNU General Public License version 2 or later; see LICENSE.txt
+ */
+
+namespace Joomla\Plugin\System\Webauthn\PluginTraits;
+
+use Joomla\Plugin\System\Webauthn\CredentialRepository;
+use Joomla\Plugin\System\Webauthn\Helper\Joomla;
+use Exception;
+use Joomla\CMS\Application\CMSApplication;
+use Joomla\CMS\Factory;
+
+// Protect from unauthorized access
+defined('_JEXEC') or die();
+
+/**
+ * Ajax handler for akaction=savelabel
+ *
+ * Stores a new label for a security key
+ *
+ * @since   4.0.0
+ */
+trait AjaxHandlerSaveLabel
+{
+	/**
+	 * Handle the callback to rename an authenticator
+	 *
+	 * @return  bool
+	 *
+	 * @throws  Exception
+	 *
+	 * @since   4.0.0
+	 */
+	public function onAjaxWebauthnSavelabel(): bool
+	{
+		// Initialize objects
+		/** @var CMSApplication $app */
+		$app        = Factory::getApplication();
+		$input      = $app->input;
+		$repository = new CredentialRepository();
+
+		// Retrieve data from the request
+		$credential_id = $input->getBase64('credential_id', '');
+		$new_label     = $input->getString('new_label', '');
+
+		// Is this a valid credential?
+		if (empty($credential_id))
+		{
+			return false;
+		}
+
+		$credential_id = base64_decode($credential_id);
+
+		if (empty($credential_id) || !$repository->has($credential_id))
+		{
+			return false;
+		}
+
+		// Make sure I am editing my own key
+		try
+		{
+			$credential_handle = $repository->getUserHandleFor($credential_id);
+			$my_handle         = $repository->getHandleFromUserId($app->getIdentity()->id);
+		}
+		catch (Exception $e)
+		{
+			return false;
+		}
+
+		if ($credential_handle !== $my_handle)
+		{
+			return false;
+		}
+
+		// Make sure the new label is not empty
+		if (empty($new_label))
+		{
+			return false;
+		}
+
+		// Save the new label
+		try
+		{
+			$repository->setLabel($credential_id, $new_label);
+		}
+		catch (Exception $e)
+		{
+			return false;
+		}
+
+		return true;
+	}
+}
diff --git a/plugins/system/webauthn/Webauthn/PluginTraits/UserDeletion.php b/plugins/system/webauthn/Webauthn/PluginTraits/UserDeletion.php
new file mode 100644
index 0000000000000..0aebb37c2a2a4
--- /dev/null
+++ b/plugins/system/webauthn/Webauthn/PluginTraits/UserDeletion.php
@@ -0,0 +1,69 @@
+<?php
+/**
+ * @package     Joomla.Plugin
+ * @subpackage  System.updatenotification
+ *
+ * @copyright   Copyright (C) 2005 - 2019 Open Source Matters, Inc. All rights reserved.
+ * @license     GNU General Public License version 2 or later; see LICENSE.txt
+ */
+
+namespace Joomla\Plugin\System\Webauthn\PluginTraits;
+
+use Joomla\Plugin\System\Webauthn\Helper\Joomla;
+use Exception;
+use Joomla\CMS\Factory;
+use Joomla\Database\DatabaseDriver;
+use Joomla\Utilities\ArrayHelper;
+
+// Protect from unauthorized access
+defined('_JEXEC') or die();
+
+/**
+ * Delete all WebAuthn credentials for a particular user
+ *
+ * @since   4.0.0
+ */
+trait UserDeletion
+{
+	/**
+	 * Remove all passwordless credential information for the given user ID.
+	 *
+	 * This method is called after user data is deleted from the database.
+	 *
+	 * @param   array   $user     Holds the user data
+	 * @param   bool    $success  True if user was successfully stored in the database
+	 * @param   string  $msg      Message
+	 *
+	 * @return  bool
+	 *
+	 * @throws  Exception
+	 *
+	 * @since   4.0.0
+	 */
+	public function onUserAfterDelete(array $user, bool $success, ?string $msg): bool
+	{
+		if (!$success)
+		{
+			return false;
+		}
+
+		$userId = ArrayHelper::getValue($user, 'id', 0, 'int');
+
+		if ($userId)
+		{
+			Joomla::log('system', "Removing WebAuthn Passwordless Login information for deleted user #{$userId}");
+
+			/** @var DatabaseDriver $db */
+			$db = Factory::getContainer()->get('DatabaseDriver');
+
+			$query = $db->getQuery(true)
+				->delete($db->qn('#__webauthn_credentials'))
+				->where($db->qn('user_id') . ' = :userId')
+				->bind(':userId', $userId);
+
+			$db->setQuery($query)->execute();
+		}
+
+		return true;
+	}
+}
diff --git a/plugins/system/webauthn/Webauthn/PluginTraits/UserProfileFields.php b/plugins/system/webauthn/Webauthn/PluginTraits/UserProfileFields.php
new file mode 100644
index 0000000000000..07a4b946b7af8
--- /dev/null
+++ b/plugins/system/webauthn/Webauthn/PluginTraits/UserProfileFields.php
@@ -0,0 +1,99 @@
+<?php
+/**
+ * @package     Joomla.Plugin
+ * @subpackage  System.updatenotification
+ *
+ * @copyright   Copyright (C) 2005 - 2019 Open Source Matters, Inc. All rights reserved.
+ * @license     GNU General Public License version 2 or later; see LICENSE.txt
+ */
+
+namespace Joomla\Plugin\System\Webauthn\PluginTraits;
+
+use Joomla\Plugin\System\Webauthn\Helper\Joomla;
+use Exception;
+use Joomla\CMS\Factory;
+use Joomla\CMS\Form\Form;
+use Joomla\CMS\User\UserFactoryInterface;
+use Joomla\Registry\Registry;
+
+// Protect from unauthorized access
+defined('_JEXEC') or die();
+
+/**
+ * Add extra fields in the User Profile page.
+ *
+ * This class only injects the custom form fields. The actual interface is rendered through JFormFieldWebauthn.
+ *
+ * @see JFormFieldWebauthn::getInput()
+ *
+ * @since   4.0.0
+ */
+trait UserProfileFields
+{
+	/**
+	 * Adds additional fields to the user editing form
+	 *
+	 * @param   Form  $form  The form to be altered.
+	 * @param   mixed  $data  The associated data for the form.
+	 *
+	 * @return  boolean
+	 *
+	 * @throws  Exception
+	 *
+	 * @since   4.0.0
+	 */
+	public function onContentPrepareForm(Form $form, $data)
+	{
+		// Check we are manipulating a valid form.
+		if (!($form instanceof Form))
+		{
+			return true;
+		}
+
+		$name = $form->getName();
+
+		if (!in_array($name, ['com_admin.profile', 'com_users.user', 'com_users.profile', 'com_users.registration']))
+		{
+			return true;
+		}
+
+		// Get the user ID
+		$id = null;
+
+		if (is_array($data))
+		{
+			$id = isset($data['id']) ? $data['id'] : null;
+		}
+		elseif (is_object($data) && is_null($data) && ($data instanceof Registry))
+		{
+			$id = $data->get('id');
+		}
+		elseif (is_object($data) && !is_null($data))
+		{
+			$id = isset($data->id) ? $data->id : null;
+		}
+
+		$user = empty($id) ? Factory::getApplication()->getIdentity() : Factory::getContainer()->get(UserFactoryInterface::class)->loadUserById($id);
+
+		// Make sure the loaded user is the correct one
+		if ($user->id != $id)
+		{
+			return true;
+		}
+
+		// Make sure I am either editing myself OR I am a Super User
+		if (!Joomla::canEditUser($user))
+		{
+			return true;
+		}
+
+		// Add the fields to the form.
+		Joomla::log('system', 'Injecting WebAuthn Passwordless Login fields in user profile edit page');
+		Form::addFormPath(dirname(__FILE__) . '/../../fields');
+		$this->loadLanguage();
+		$form->loadFile('webauthn', false);
+
+		return true;
+	}
+
+}
diff --git a/plugins/system/webauthn/fields/webauthn.php b/plugins/system/webauthn/fields/webauthn.php
new file mode 100644
index 0000000000000..ef89311c9ac83
--- /dev/null
+++ b/plugins/system/webauthn/fields/webauthn.php
@@ -0,0 +1,68 @@
+<?php
+/**
+ * @package     Joomla.Plugin
+ * @subpackage  System.updatenotification
+ *
+ * @copyright   Copyright (C) 2005 - 2019 Open Source Matters, Inc. All rights reserved.
+ * @license     GNU General Public License version 2 or later; see LICENSE.txt
+ */
+
+// Prevent direct access
+use Joomla\Plugin\System\Webauthn\Helper\Joomla;
+use Joomla\CMS\Factory;
+use Joomla\CMS\Form\FormField;
+use Joomla\CMS\HTML\HTMLHelper;
+use Joomla\CMS\Language\Text;
+use Joomla\CMS\User\UserFactoryInterface;
+
+defined('_JEXEC') or die;
+
+class JFormFieldWebauthn extends FormField
+{
+	/**
+	 * Element name
+	 *
+	 * @var    string
+	 *
+	 * @since  4.0.0
+	 */
+	protected $_name = 'Webauthn';
+
+	/**
+	 * Returns the input field's HTML
+	 *
+	 * @return  string
+	 * @throws  Exception
+	 *
+	 * @since   4.0.0
+	 */
+	function getInput()
+	{
+		$user_id = $this->form->getData()->get('id', null);
+
+		if (is_null($user_id))
+		{
+			return Text::_('PLG_SYSTEM_WEBAUTHN_ERR_NOUSER');
+		}
+
+		HTMLHelper::_('script', 'plg_system_webauthn/management.js', [
+			'relative'  => true,
+			'framework' => true,
+		]);
+
+		Text::script('PLG_SYSTEM_WEBAUTHN_ERR_NO_BROWSER_SUPPORT', true);
+		Text::script('PLG_SYSTEM_WEBAUTHN_MANAGE_BTN_SAVE_LABEL', true);
+		Text::script('PLG_SYSTEM_WEBAUTHN_MANAGE_BTN_CANCEL_LABEL', true);
+		Text::script('PLG_SYSTEM_WEBAUTHN_MSG_SAVED_LABEL', true);
+		Text::script('PLG_SYSTEM_WEBAUTHN_ERR_LABEL_NOT_SAVED', true);
+
+		$app                  = Factory::getApplication();
+		$credentialRepository = new \Joomla\Plugin\System\Webauthn\CredentialRepository();
+
+		return Joomla::renderLayout('plugins.system.webauthn.manage', [
+			'user'        => Factory::getContainer()->get(UserFactoryInterface::class)->loadUserById($user_id),
+			'allow_add'   => $user_id == $app->getIdentity()->id,
+			'credentials' => $credentialRepository->getAll($user_id),
+		]);
+	}
+}
diff --git a/plugins/system/webauthn/fields/webauthn.xml b/plugins/system/webauthn/fields/webauthn.xml
new file mode 100644
index 0000000000000..e5d07498248fb
--- /dev/null
+++ b/plugins/system/webauthn/fields/webauthn.xml
@@ -0,0 +1,18 @@
+<?xml version="1.0" encoding="utf-8"?>
+<form>
+	<fields name="webauthn" addfieldpath="plugins/system/webauthn/fields">
+		<fieldset name="webauthn"
+			label="PLG_SYSTEM_WEBAUTHN_HEADER"
+		>
+			<field
+				name="webauthn"
+				type="webauthn"
+				label="PLG_SYSTEM_WEBAUTHN_FIELD_LABEL"
+				description="PLG_SYSTEM_WEBAUTHN_FIELD_DESC"
+				required="false"
+				readonly="false"
+				default=""
+			/>
+		</fieldset>
+	</fields>
+</form>
\ No newline at end of file
diff --git a/plugins/system/webauthn/webauthn.php b/plugins/system/webauthn/webauthn.php
new file mode 100644
index 0000000000000..f498fe76e60a8
--- /dev/null
+++ b/plugins/system/webauthn/webauthn.php
@@ -0,0 +1,83 @@
+<?php
+/**
+ * @package     Joomla.Plugin
+ * @subpackage  System.updatenotification
+ *
+ * @copyright   Copyright (C) 2005 - 2019 Open Source Matters, Inc. All rights reserved.
+ * @license     GNU General Public License version 2 or later; see LICENSE.txt
+ */
+
+use Joomla\CMS\Plugin\CMSPlugin;
+use Joomla\Plugin\System\Webauthn\Helper\Joomla;
+use Joomla\Plugin\System\Webauthn\PluginTraits\AdditionalLoginButtons;
+use Joomla\Plugin\System\Webauthn\PluginTraits\AjaxHandler;
+use Joomla\Plugin\System\Webauthn\PluginTraits\AjaxHandlerChallenge;
+use Joomla\Plugin\System\Webauthn\PluginTraits\AjaxHandlerCreate;
+use Joomla\Plugin\System\Webauthn\PluginTraits\AjaxHandlerDelete;
+use Joomla\Plugin\System\Webauthn\PluginTraits\AjaxHandlerLogin;
+use Joomla\Plugin\System\Webauthn\PluginTraits\AjaxHandlerSaveLabel;
+use Joomla\Plugin\System\Webauthn\PluginTraits\ButtonsInUserPage;
+use Joomla\Plugin\System\Webauthn\PluginTraits\UserDeletion;
+use Joomla\Plugin\System\Webauthn\PluginTraits\UserProfileFields;
+
+// Protect from unauthorized access
+defined('_JEXEC') or die();
+
+// Register a PSR-4 autoloader for this plugin's classes if necessary
+if (!class_exists('Joomla\\Plugin\\System\\Webauthn\\Helper\\Joomla', true))
+{
+	JLoader::registerNamespace('Joomla\\Plugin\\System\\Webauthn', __DIR__ . '/Webauthn', false, false, 'psr4');
+}
+
+/**
+ * WebAuthn Passwordless Login plugin
+ *
+ * The plugin features are broken down into Traits for the sole purpose of making an otherwise supermassive class
+ * somewhat manageable. You can find the Traits inside the Webauthn/PluginTraits folder.
+ *
+ * @since  4.0.0
+ */
+class plgSystemWebauthn extends CMSPlugin
+{
+	// AJAX request handlers
+	use AjaxHandler;
+	use AjaxHandlerCreate;
+	use AjaxHandlerSaveLabel;
+	use AjaxHandlerDelete;
+	use AjaxHandlerChallenge;
+	use AjaxHandlerLogin;
+
+	// Custom user profile fields
+	use UserProfileFields;
+
+	// Handle user profile deletion
+	use UserDeletion;
+
+	// Add WebAuthn buttons
+	use AdditionalLoginButtons;
+
+	/**
+	 * Constructor. Loads the language files as well.
+	 *
+	 * @param   object  &$subject  The object to observe
+	 * @param   array   $config    An optional associative array of configuration settings.
+	 *                             Recognized key values include 'name', 'group', 'params', 'language'
+	 *                             (this list is not meant to be comprehensive).
+	 *
+	 * @since  4.0.0
+	 */
+	public function __construct($subject, array $config = [])
+	{
+		parent::__construct($subject, $config);
+
+		/**
+		 * Note: Do NOT try to load the language in the constructor. This is called before Joomla initializes the
+		 * application language. Therefore the temporary Joomla language object and all loaded strings in it will be
+		 * destroyed on application initialization. As a result we need to call loadLanguage() in each method
+		 * individually, even though all methods make use of language strings.
+		 */
+
+		// Register a debug log file writer
+		Joomla::addLogger('system');
+	}
+}
diff --git a/plugins/system/webauthn/webauthn.xml b/plugins/system/webauthn/webauthn.xml
new file mode 100644
index 0000000000000..50edb206b0ed8
--- /dev/null
+++ b/plugins/system/webauthn/webauthn.xml
@@ -0,0 +1,37 @@
+<?xml version="1.0" encoding="utf-8"?>
+<extension version="4.0.0" type="plugin" group="system" method="upgrade">
+    <name>PLG_SYSTEM_WEBAUTHN</name>
+    <version>4.0.0</version>
+    <creationDate>2019-07-02</creationDate>
+
+    <author>Joomla! Project</author>
+    <authorEmail>admin@joomla.org</authorEmail>
+    <authorUrl>www.joomla.org</authorUrl>
+
+    <copyright>Copyright (C) 2005 - 2019 Open Source Matters. All rights reserved.</copyright>
+    <license>GNU General Public License version 2 or later; see LICENSE.txt</license>
+
+    <description>PLG_SYSTEM_WEBAUTHN_DESCRIPTION</description>
+
+    <files>
+        <filename plugin="webauthn">webauthn.php</filename>
+        <folder>fields</folder>
+        <folder>Webauthn</folder>
+    </files>
+
+    <languages folder="language">
+        <language tag="en-GB">en-GB/en-GB.plg_system_webauthn.ini</language>
+        <language tag="en-GB">en-GB/en-GB.plg_system_webauthn.sys.ini</language>
+    </languages>
+
+    <config>
+        <fields name="params">
+            <fieldset name="basic">
+				<!-- TODO Select a preset image -->
+				<!-- TODO Enter a class name for an icon -->
+				<!-- TODO Custom button class name -->
+            </fieldset>
+        </fields>
+    </config>
+
+</extension>