diff --git a/hypha/apply/users/forms.py b/hypha/apply/users/forms.py
index 9a5a97031b..8c30835fbc 100644
--- a/hypha/apply/users/forms.py
+++ b/hypha/apply/users/forms.py
@@ -36,6 +36,8 @@ def __init__(self, *args, **kwargs):
         super().__init__(*args, **kwargs)
         self.user_settings = AuthSettings.load(request_or_site=self.request)
         self.extra_text = self.user_settings.extra_text
+        # Enable passkey autofill (conditional mediation) on the username field
+        self.fields["username"].widget.attrs["autocomplete"] = "username webauthn"
         if self.user_settings.consent_show:
             self.fields["consent"] = forms.BooleanField(
                 label=self.user_settings.consent_text,
@@ -55,7 +57,9 @@ class PasswordlessAuthForm(forms.Form):
         label=_("Email address"),
         required=True,
         max_length=254,
-        widget=forms.EmailInput(attrs={"autofocus": True, "autocomplete": "email"}),
+        widget=forms.EmailInput(
+            attrs={"autofocus": True, "autocomplete": "username webauthn"}
+        ),
     )
 
     if settings.SESSION_COOKIE_AGE <= settings.SESSION_COOKIE_AGE_LONG:
diff --git a/hypha/apply/users/middleware.py b/hypha/apply/users/middleware.py
index 07414f48fb..e632226ce4 100644
--- a/hypha/apply/users/middleware.py
+++ b/hypha/apply/users/middleware.py
@@ -103,7 +103,11 @@ def __call__(self, request):
         # code to execute before the view
         user = request.user
         if user.is_authenticated:
-            if user.social_auth.exists() or user.is_verified():
+            if (
+                user.social_auth.exists()
+                or user.is_verified()
+                or request.session.get("passkey_authenticated")
+            ):
                 return self._accept(request)
 
             # Allow rounds and lab detail pages
diff --git a/hypha/apply/users/migrations/0030_passkeys.py b/hypha/apply/users/migrations/0030_passkeys.py
new file mode 100644
index 0000000000..703ff3eff6
--- /dev/null
+++ b/hypha/apply/users/migrations/0030_passkeys.py
@@ -0,0 +1,46 @@
+# Generated by Django 5.2.12 on 2026-03-23 21:24
+
+import django.db.models.deletion
+from django.conf import settings
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+    dependencies = [
+        ("users", "0029_alter_confirmaccesstoken_options_and_more"),
+    ]
+
+    operations = [
+        migrations.CreateModel(
+            name="Passkey",
+            fields=[
+                (
+                    "id",
+                    models.AutoField(
+                        auto_created=True,
+                        primary_key=True,
+                        serialize=False,
+                        verbose_name="ID",
+                    ),
+                ),
+                ("name", models.CharField(blank=True, max_length=255)),
+                ("credential_id", models.CharField(max_length=2048, unique=True)),
+                ("public_key", models.CharField(max_length=2048)),
+                ("sign_count", models.PositiveBigIntegerField(default=0)),
+                ("transports", models.JSONField(blank=True, default=list)),
+                ("created_at", models.DateTimeField(auto_now_add=True)),
+                ("last_used_at", models.DateTimeField(blank=True, null=True)),
+                (
+                    "user",
+                    models.ForeignKey(
+                        on_delete=django.db.models.deletion.CASCADE,
+                        related_name="passkeys",
+                        to=settings.AUTH_USER_MODEL,
+                    ),
+                ),
+            ],
+            options={
+                "ordering": ["-created_at"],
+            },
+        ),
+    ]
diff --git a/hypha/apply/users/models.py b/hypha/apply/users/models.py
index 2653b1ea94..a61ffc3269 100644
--- a/hypha/apply/users/models.py
+++ b/hypha/apply/users/models.py
@@ -470,3 +470,32 @@ class Meta:
         ordering = ("modified",)
         verbose_name = _("Confirm Access Token")
         verbose_name_plural = _("Confirm Access Tokens")
+
+
+class Passkey(models.Model):
+    """Stores a WebAuthn passkey credential for a user.
+
+    credential_id and public_key are stored as base64url-encoded strings,
+    matching the convention used by django-two-factor-auth's WebAuthn plugin.
+    """
+
+    user = models.ForeignKey(
+        settings.AUTH_USER_MODEL,
+        on_delete=models.CASCADE,
+        related_name="passkeys",
+    )
+    name = models.CharField(max_length=255, blank=True)
+    # base64url-encoded credential id (unique per authenticator)
+    credential_id = models.CharField(max_length=2048, unique=True)
+    # base64url-encoded public key
+    public_key = models.CharField(max_length=2048)
+    sign_count = models.PositiveBigIntegerField(default=0)
+    transports = models.JSONField(default=list, blank=True)
+    created_at = models.DateTimeField(auto_now_add=True)
+    last_used_at = models.DateTimeField(null=True, blank=True)
+
+    class Meta:
+        ordering = ["-created_at"]
+
+    def __str__(self):
+        return self.name or f"Passkey {self.pk}"
diff --git a/hypha/apply/users/passkey_views.py b/hypha/apply/users/passkey_views.py
new file mode 100644
index 0000000000..fb6facca73
--- /dev/null
+++ b/hypha/apply/users/passkey_views.py
@@ -0,0 +1,338 @@
+import base64
+import json
+import logging
+
+from django.conf import settings
+from django.contrib.auth import login
+from django.contrib.auth.decorators import login_required
+from django.core.exceptions import PermissionDenied
+from django.db import transaction
+from django.http import JsonResponse
+from django.shortcuts import get_object_or_404, render, resolve_url
+from django.utils import timezone
+from django.utils.http import url_has_allowed_host_and_scheme
+from django.utils.translation import gettext_lazy as _
+from django.views.decorators.http import require_GET, require_POST
+from django_ratelimit.decorators import ratelimit
+from webauthn import (
+    generate_authentication_options,
+    generate_registration_options,
+    options_to_json,
+    verify_authentication_response,
+    verify_registration_response,
+)
+from webauthn.helpers import base64url_to_bytes, bytes_to_base64url
+from webauthn.helpers.exceptions import InvalidAuthenticationResponse
+from webauthn.helpers.structs import (
+    AuthenticationCredential,
+    AuthenticatorAssertionResponse,
+    AuthenticatorAttestationResponse,
+    AuthenticatorSelectionCriteria,
+    PublicKeyCredentialDescriptor,
+    RegistrationCredential,
+    ResidentKeyRequirement,
+    UserVerificationRequirement,
+)
+
+from .models import Passkey
+
+logger = logging.getLogger(__name__)
+
+SESSION_CHALLENGE_KEY_REGISTER = "webauthn_challenge_register"
+SESSION_CHALLENGE_KEY_AUTH = "webauthn_challenge_auth"
+
+
+def _get_rp_id(request):
+    rp_id = getattr(settings, "WEBAUTHN_RP_ID", None)
+    if rp_id:
+        return rp_id
+    return request.get_host().split(":")[0]
+
+
+def _get_rp_name():
+    return getattr(settings, "WEBAUTHN_RP_NAME", None) or settings.ORG_LONG_NAME
+
+
+def _get_origin(request):
+    origin = getattr(settings, "WEBAUTHN_ORIGIN", None)
+    if origin:
+        return origin
+    scheme = "https" if request.is_secure() else "http"
+    return f"{scheme}://{request.get_host()}"
+
+
+def _store_challenge(request, challenge: bytes, key: str):
+    request.session[key] = base64.b64encode(challenge).decode()
+
+
+def _load_challenge(request, key: str) -> bytes:
+    encoded = request.session.pop(key, None)
+    if not encoded:
+        raise PermissionDenied("No active WebAuthn challenge.")
+    return base64.b64decode(encoded)
+
+
+# ---------------------------------------------------------------------------
+# Registration — requires an authenticated user
+# ---------------------------------------------------------------------------
+
+
+MAX_PASSKEYS_PER_USER = 10
+
+
+@login_required
+@require_POST
+@ratelimit(key="user", rate=settings.DEFAULT_RATE_LIMIT, method="POST")
+def passkey_register_begin(request):
+    user = request.user
+    existing_passkeys = list(user.passkeys.all())
+    if len(existing_passkeys) >= MAX_PASSKEYS_PER_USER:
+        return JsonResponse(
+            {
+                "error": _("Maximum of {max} passkeys allowed").format(
+                    max=MAX_PASSKEYS_PER_USER
+                )
+            },
+            status=400,
+        )
+    existing = [
+        PublicKeyCredentialDescriptor(
+            id=base64url_to_bytes(pk.credential_id),
+        )
+        for pk in existing_passkeys
+    ]
+    options = generate_registration_options(
+        rp_id=_get_rp_id(request),
+        rp_name=_get_rp_name(),
+        user_id=str(user.pk).encode(),
+        user_name=user.email,
+        user_display_name=user.get_full_name() or user.email,
+        authenticator_selection=AuthenticatorSelectionCriteria(
+            resident_key=ResidentKeyRequirement.REQUIRED,
+            user_verification=UserVerificationRequirement.REQUIRED,
+        ),
+        exclude_credentials=existing,
+    )
+    _store_challenge(request, options.challenge, SESSION_CHALLENGE_KEY_REGISTER)
+    return JsonResponse(json.loads(options_to_json(options)))
+
+
+@login_required
+@require_POST
+@ratelimit(key="user", rate=settings.DEFAULT_RATE_LIMIT, method="POST")
+def passkey_register_complete(request):
+    try:
+        data = json.loads(request.body)
+    except (json.JSONDecodeError, ValueError):
+        return JsonResponse({"error": _("Invalid JSON")}, status=400)
+
+    try:
+        challenge = _load_challenge(request, SESSION_CHALLENGE_KEY_REGISTER)
+    except PermissionDenied:
+        return JsonResponse({"error": _("No active WebAuthn challenge")}, status=400)
+
+    try:
+        credential = RegistrationCredential(
+            id=data["id"],
+            raw_id=base64url_to_bytes(data["rawId"]),
+            response=AuthenticatorAttestationResponse(
+                client_data_json=base64url_to_bytes(data["response"]["clientDataJSON"]),
+                attestation_object=base64url_to_bytes(
+                    data["response"]["attestationObject"]
+                ),
+                transports=data["response"].get("transports", []),
+            ),
+        )
+        verification = verify_registration_response(
+            credential=credential,
+            expected_challenge=challenge,
+            expected_rp_id=_get_rp_id(request),
+            expected_origin=_get_origin(request),
+            require_user_verification=True,
+        )
+    except Exception:
+        logger.warning(
+            "Passkey registration verification failed for user %s",
+            request.user.pk,
+            exc_info=True,
+        )
+        return JsonResponse({"error": _("Verification failed")}, status=400)
+
+    name = (data.get("name") or "").strip()[:128] or timezone.now().strftime(
+        "Passkey %Y-%m-%d"
+    )
+    try:
+        Passkey.objects.create(
+            user=request.user,
+            name=name,
+            credential_id=bytes_to_base64url(verification.credential_id),
+            public_key=bytes_to_base64url(verification.credential_public_key),
+            sign_count=verification.sign_count,
+            transports=data["response"].get("transports", []),
+        )
+    except Exception:
+        logger.warning(
+            "Failed to save passkey for user %s", request.user.pk, exc_info=True
+        )
+        return JsonResponse({"error": _("Could not save passkey")}, status=500)
+    logger.info("Passkey registered for user %s (name=%r)", request.user.pk, name)
+    return JsonResponse({"status": "ok"})
+
+
+# ---------------------------------------------------------------------------
+# Authentication — public (no session required)
+# ---------------------------------------------------------------------------
+
+
+@require_POST
+@ratelimit(key="ip", rate=settings.DEFAULT_RATE_LIMIT, method="POST")
+def passkey_auth_begin(request):
+    options = generate_authentication_options(
+        rp_id=_get_rp_id(request),
+        user_verification=UserVerificationRequirement.REQUIRED,
+    )
+    _store_challenge(request, options.challenge, SESSION_CHALLENGE_KEY_AUTH)
+    return JsonResponse(json.loads(options_to_json(options)))
+
+
+@require_POST
+@ratelimit(key="ip", rate=settings.DEFAULT_RATE_LIMIT, method="POST")
+def passkey_auth_complete(request):
+    try:
+        data = json.loads(request.body)
+    except (json.JSONDecodeError, ValueError):
+        return JsonResponse({"error": _("Invalid JSON")}, status=400)
+
+    try:
+        challenge = _load_challenge(request, SESSION_CHALLENGE_KEY_AUTH)
+    except PermissionDenied:
+        return JsonResponse({"error": _("No active WebAuthn challenge")}, status=400)
+
+    try:
+        credential_id_b64 = bytes_to_base64url(base64url_to_bytes(data["rawId"]))
+        raw_user_handle = data["response"].get("userHandle")
+        user_handle_bytes = (
+            base64url_to_bytes(raw_user_handle) if raw_user_handle else None
+        )
+    except Exception:
+        return JsonResponse({"error": _("Invalid credential")}, status=400)
+
+    try:
+        with transaction.atomic():
+            passkey = (
+                Passkey.objects.select_related("user")
+                .select_for_update()
+                .get(credential_id=credential_id_b64)
+            )
+
+            if user_handle_bytes is not None:
+                if user_handle_bytes != str(passkey.user.pk).encode():
+                    raise InvalidAuthenticationResponse("User handle mismatch")
+
+            credential = AuthenticationCredential(
+                id=data["id"],
+                raw_id=base64url_to_bytes(data["rawId"]),
+                response=AuthenticatorAssertionResponse(
+                    client_data_json=base64url_to_bytes(
+                        data["response"]["clientDataJSON"]
+                    ),
+                    authenticator_data=base64url_to_bytes(
+                        data["response"]["authenticatorData"]
+                    ),
+                    signature=base64url_to_bytes(data["response"]["signature"]),
+                    user_handle=user_handle_bytes,
+                ),
+            )
+            verification = verify_authentication_response(
+                credential=credential,
+                expected_challenge=challenge,
+                expected_rp_id=_get_rp_id(request),
+                expected_origin=_get_origin(request),
+                credential_public_key=base64url_to_bytes(passkey.public_key),
+                credential_current_sign_count=passkey.sign_count,
+                require_user_verification=True,
+            )
+
+            passkey.sign_count = verification.new_sign_count
+            passkey.last_used_at = timezone.now()
+            passkey.save(update_fields=["sign_count", "last_used_at"])
+
+            user = passkey.user
+    except Passkey.DoesNotExist:
+        return JsonResponse({"error": _("Unknown credential")}, status=400)
+    except InvalidAuthenticationResponse as exc:
+        if "sign count" in str(exc).lower():
+            logger.error(
+                "Passkey sign count regression — possible cloned authenticator"
+                " (credential=%s): %s",
+                credential_id_b64,
+                exc,
+            )
+        else:
+            logger.warning(
+                "Passkey authentication verification failed for credential %s: %s",
+                credential_id_b64,
+                exc,
+            )
+        return JsonResponse({"error": _("Verification failed")}, status=400)
+    except Exception:
+        logger.warning(
+            "Passkey authentication verification failed for credential %s",
+            credential_id_b64,
+            exc_info=True,
+        )
+        return JsonResponse({"error": _("Verification failed")}, status=400)
+    user.backend = settings.CUSTOM_AUTH_BACKEND
+    login(request, user)
+    request.session["passkey_authenticated"] = True
+
+    if data.get("remember_me"):
+        request.session.set_expiry(settings.SESSION_COOKIE_AGE_LONG)
+
+    next_url = data.get("next") or resolve_url(settings.LOGIN_REDIRECT_URL)
+    if not url_has_allowed_host_and_scheme(
+        next_url,
+        allowed_hosts={request.get_host()},
+        require_https=request.is_secure(),
+    ):
+        next_url = resolve_url(settings.LOGIN_REDIRECT_URL)
+    return JsonResponse({"status": "ok", "redirect_url": next_url})
+
+
+# ---------------------------------------------------------------------------
+# Passkey management — account page
+# ---------------------------------------------------------------------------
+
+
+@login_required
+@require_GET
+def passkey_list(request):
+    passkeys = request.user.passkeys.all()
+    return render(request, "users/partials/passkey-list.html", {"passkeys": passkeys})
+
+
+@login_required
+@require_POST
+def passkey_delete(request, pk):
+    passkey = get_object_or_404(Passkey, pk=pk, user=request.user)
+    logger.info(
+        "Passkey deleted by user %s (passkey=%s, name=%r)",
+        request.user.pk,
+        pk,
+        passkey.name,
+    )
+    passkey.delete()
+    passkeys = request.user.passkeys.all()
+    return render(request, "users/partials/passkey-list.html", {"passkeys": passkeys})
+
+
+@login_required
+@require_POST
+def passkey_rename(request, pk):
+    passkey = get_object_or_404(Passkey, pk=pk, user=request.user)
+    name = request.POST.get("name", "").strip()[:128]
+    if name:
+        passkey.name = name
+        passkey.save(update_fields=["name"])
+    passkeys = request.user.passkeys.all()
+    return render(request, "users/partials/passkey-list.html", {"passkeys": passkeys})
diff --git a/hypha/apply/users/templates/users/account.html b/hypha/apply/users/templates/users/account.html
index b3561c7feb..cd7e1e18d6 100644
--- a/hypha/apply/users/templates/users/account.html
+++ b/hypha/apply/users/templates/users/account.html
@@ -1,5 +1,5 @@
 {% extends 'base-apply.html' %}
-{% load i18n users_tags wagtailcore_tags heroicons %}
+{% load i18n users_tags wagtailcore_tags heroicons static %}
 
 {% block title %}{% trans "Account" %}{% endblock %}
 
@@ -86,13 +86,26 @@ <h3 class="mb-2 text-sm font-semibold">
             </h3>
             <p class="card-actions">
                 {% if default_device %}
-                    <a class="btn btn-primary" href="{% url 'users:backup_tokens' %}">{% trans "Backup codes" %}</a>
-                    <a class="btn btn-warning" href="{% url 'two_factor:disable' %}">{% trans "Disable 2FA" %}</a>
+                    <a class="btn btn-secondary btn-outline" href="{% url 'users:backup_tokens' %}">{% trans "Backup codes" %}</a>
+                    <a class="btn btn-warning btn-outline" href="{% url 'two_factor:disable' %}">{% trans "Disable 2FA" %}</a>
                 {% else %}
-                    <a class="btn btn-primary" href="{% url 'two_factor:setup' %}">{% trans "Enable 2FA" %}</a>
+                    <a class="btn btn-secondary btn-outline" href="{% url 'two_factor:setup' %}">{% trans "Enable 2FA" %}</a>
                 {% endif %}
             </p>
 
+            <h3 class="mt-6 mb-2 text-sm font-semibold">{% trans "Passkeys" %}</h3>
+            <p class="mb-2 text-sm text-fg-muted">
+                {% trans "With passkeys you can use your fingerprint, face, or screen lock to login securely without a password." %}
+            </p>
+
+            <div
+                hx-get="{% url 'users:passkey_list' %}"
+                hx-trigger="load"
+                hx-swap="innerHTML"
+            >
+                <div class="w-full h-8 rounded animate-pulse bg-base-300"></div>
+            </div>
+
             {# Remove the comment block tags below when such need arises. e.g. adding new providers #}
             {% comment %}
             {% can_use_oauth as show_oauth_link %}
@@ -108,3 +121,7 @@ <h3 class="mb-2 text-base">{% trans "Manage OAuth" %}</h3>
         </div>
     </div>
 {% endblock %}
+
+{% block extra_js %}
+    <script src="{% static 'js/passkeys.js' %}"></script>
+{% endblock %}
diff --git a/hypha/templates/includes/org_login_button.html b/hypha/apply/users/templates/users/includes/org_login_button.html
similarity index 100%
rename from hypha/templates/includes/org_login_button.html
rename to hypha/apply/users/templates/users/includes/org_login_button.html
diff --git a/hypha/apply/users/templates/users/includes/passkey_login_button.html b/hypha/apply/users/templates/users/includes/passkey_login_button.html
new file mode 100644
index 0000000000..2efeada156
--- /dev/null
+++ b/hypha/apply/users/templates/users/includes/passkey_login_button.html
@@ -0,0 +1,20 @@
+{% load i18n heroicons %}
+<button
+    type="button"
+    id="btn-passkey-login"
+    class="btn btn-secondary btn-outline"
+    data-passkey-ui
+    data-begin-url="{% url 'users:passkey_auth_begin' %}"
+    data-complete-url="{% url 'users:passkey_auth_complete' %}"
+    data-next-url="{{ redirect_url|default:'' }}"
+    hidden
+    onclick="hypha.passkeys.authenticate()"
+>
+    {% heroicon_mini "key" size=18 class="opacity-80" aria_hidden=true %}
+    {% trans "Log in with passkey" %}
+</button>
+<p id="passkey-auth-error"
+   class="mt-2 text-sm text-error"
+   data-error-begin="{% trans "Failed to begin authentication" %}"
+   data-error-auth="{% trans "Authentication failed" %}"
+   hidden></p>
diff --git a/hypha/templates/includes/password_login_button.html b/hypha/apply/users/templates/users/includes/password_login_button.html
similarity index 100%
rename from hypha/templates/includes/password_login_button.html
rename to hypha/apply/users/templates/users/includes/password_login_button.html
diff --git a/hypha/templates/includes/passwordless_login_button.html b/hypha/apply/users/templates/users/includes/passwordless_login_button.html
similarity index 100%
rename from hypha/templates/includes/passwordless_login_button.html
rename to hypha/apply/users/templates/users/includes/passwordless_login_button.html
diff --git a/hypha/templates/includes/user_menu.html b/hypha/apply/users/templates/users/includes/user_menu.html
similarity index 97%
rename from hypha/templates/includes/user_menu.html
rename to hypha/apply/users/templates/users/includes/user_menu.html
index 6e1f049280..462fd66d76 100644
--- a/hypha/templates/includes/user_menu.html
+++ b/hypha/apply/users/templates/users/includes/user_menu.html
@@ -95,7 +95,7 @@
 {% else %}
     <a
         class="btn btn-outline btn-secondary"
-        href="{{ APPLY_SITE.root_url }}{% url 'users:passwordless_login_signup' %}{% if redirect_url %}?next={{ redirect_url }}{% endif %}"
+        href="{% url 'users:passwordless_login_signup' %}{% if redirect_url %}?next={{ redirect_url }}{% endif %}"
     >
         {% heroicon_micro "user" class="inline align-text-bottom size-4 me-1" aria_hidden=true %}
         {% trans "Log in" %} {% if ENABLE_PUBLIC_SIGNUP %} {% trans " or Sign up" %} {% endif %}
diff --git a/hypha/apply/users/templates/users/login.html b/hypha/apply/users/templates/users/login.html
index 0bab347af5..868e983ce6 100644
--- a/hypha/apply/users/templates/users/login.html
+++ b/hypha/apply/users/templates/users/login.html
@@ -1,10 +1,10 @@
 {% extends "base-apply.html" %}
-{% load i18n wagtailcore_tags heroicons %}
+{% load i18n wagtailcore_tags heroicons static %}
 
 {% block title %}{% trans "Log in" %}{% endblock %}
 
 {% block content %}
-    <div class="my-5 max-w-2xl">
+    <div class="my-5 max-w-3xl">
         <div class="px-4 pt-4">
             {% if wizard.steps.current == 'token' %}
                 {% if device.method == 'call' %}
@@ -90,10 +90,11 @@ <h1 class="mb-4 text-h1">
                     <div class="my-8 max-w-xs divider text-fg-muted">{% translate "OR" %}</div>
 
                     <section class="flex-wrap card-actions">
+                        {% include "users/includes/passwordless_login_button.html" %}
+                        {% include "users/includes/passkey_login_button.html" %}
                         {% if GOOGLE_OAUTH2 %}
-                            {% include "includes/org_login_button.html" %}
+                            {% include "users/includes/org_login_button.html" %}
                         {% endif %}
-                        {% include "includes/passwordless_login_button.html" %}
                     </section>
 
                 {% else %}
@@ -142,6 +143,12 @@ <h1 class="mb-4 text-h1">
 
 {% block extra_js %}
     {{ block.super }}
+    <script src="{% static 'js/passkeys.js' %}"></script>
+    <script>
+        document.addEventListener("DOMContentLoaded", function () {
+            hypha.passkeys.initUI();
+        });
+    </script>
     {# Fix copy of dynamic fields label #}
     <script>
         var labelOtpToken = document.querySelector("label[for=id_token-otp_token]");
diff --git a/hypha/apply/users/templates/users/partials/passkey-list.html b/hypha/apply/users/templates/users/partials/passkey-list.html
new file mode 100644
index 0000000000..8c95dcacf8
--- /dev/null
+++ b/hypha/apply/users/templates/users/partials/passkey-list.html
@@ -0,0 +1,79 @@
+{% load i18n heroicons %}
+<div id="passkey-list">
+    {% if passkeys %}
+        <ul class="flex flex-col gap-2">
+            {% for passkey in passkeys %}
+                <li class="flex gap-2 items-center p-2 rounded border bg-base-100">
+                    {% heroicon_micro "key" class="size-4 text-fg-muted" aria_hidden=true %}
+                    <form
+                        x-data="{ pkcurrent: '{{ passkey.name|escapejs }}', pkinput: '{{ passkey.name|escapejs }}' }"
+                        hx-post="{% url 'users:passkey_rename' passkey.pk %}"
+                        hx-target="#passkey-list"
+                        hx-swap="outerHTML"
+                        class="flex flex-1 gap-2 items-center"
+                    >
+                        {% csrf_token %}
+                        <input
+                            type="text"
+                            name="name"
+                            x-model="pkinput"
+                            maxlength="128"
+                            class="flex-1 input input-xs input-ghost"
+                            aria-label="{% trans 'Passkey name' %}"
+                            data-tippy-content="{% trans 'Click to edit name' %}"
+                            required
+                        />
+                        <button type="submit" class="transition-all duration-500 btn btn-ghost btn-xs" :class="pkcurrent == pkinput ? 'text-success cursor-default border-transparent shadow-none hover:bg-transparent' : 'border-primary text-primary'" title="{% trans 'Save name' %}">
+                            {% heroicon_micro "check" class="size-4" aria_hidden=true %}
+                        </button>
+                    </form>
+                    <span class="text-xs text-fg-muted" title="{{ passkey.created_at|date:'Y-m-d' }}">
+                        {% if passkey.last_used_at %}
+                            {% blocktrans with when=passkey.last_used_at|timesince %}Used {{ when }} ago{% endblocktrans %}
+                        {% else %}
+                            {% trans "Never used" %}
+                        {% endif %}
+                    </span>
+                    <form
+                        hx-post="{% url 'users:passkey_delete' passkey.pk %}"
+                        hx-target="#passkey-list"
+                        hx-swap="outerHTML"
+                        hx-confirm="{% trans 'Delete this passkey?' %}"
+                    >
+                        {% csrf_token %}
+                        <button type="submit" class="btn btn-ghost btn-xs text-error" title="{% trans 'Delete passkey' %}">
+                            {% heroicon_micro "trash" class="size-3" aria_hidden=true %}
+                        </button>
+                    </form>
+                </li>
+            {% endfor %}
+        </ul>
+    {% else %}
+        <p class="text-sm text-fg-muted">{% trans "No passkeys registered." %}</p>
+    {% endif %}
+
+    <form
+        class="flex gap-2 mt-3"
+        data-begin-url="{% url 'users:passkey_register_begin' %}"
+        data-complete-url="{% url 'users:passkey_register_complete' %}"
+        data-error-server="{% trans "Server error" %}"
+        data-error-register="{% trans "Registration failed" %}"
+        data-error-duplicate="{% trans "This authenticator already has a passkey registered. Try a different authenticator or device." %}"
+        onsubmit="hypha.passkeys.register(this); return false;"
+    >
+        <input
+            type="text"
+            name="name"
+            maxlength="128"
+            class="flex-1 input input-sm"
+            placeholder="{% trans "e.g. MacBook Touch ID" %}"
+            aria-label="{% trans "Passkey name" %}"
+            required
+        />
+        <button type="submit" class="btn btn-sm btn-secondary btn-outline">
+            {% heroicon_micro "plus" class="size-3" aria_hidden=true %}
+            {% trans "Add passkey" %}
+        </button>
+    </form>
+    <p id="passkey-error" class="mt-2 text-sm text-error" hidden></p>
+</div>
diff --git a/hypha/apply/users/templates/users/passwordless_login_signup.html b/hypha/apply/users/templates/users/passwordless_login_signup.html
index 20c88f8433..6ab1d88846 100644
--- a/hypha/apply/users/templates/users/passwordless_login_signup.html
+++ b/hypha/apply/users/templates/users/passwordless_login_signup.html
@@ -1,12 +1,12 @@
 {% extends base_template %}
-{% load i18n wagtailcore_tags heroicons %}
+{% load i18n wagtailcore_tags heroicons static %}
 
 {% block title %}
     {% trans "Log in" %}{% if ENABLE_PUBLIC_SIGNUP %} {% trans "or" %} {% trans "Sign up" %}{% endif %}
 {% endblock %}
 
 {% block content %}
-    <div class="my-5 max-w-2xl">
+    <div class="my-5 max-w-3xl">
 
         <section class="px-5 pt-4">
             <form class="form form--user-login" method="post" hx-post="./" hx-swap="outerHTML transition:true" hx-target="#main">
@@ -50,13 +50,22 @@ <h1 class="mb-4 text-h1">
                 <div class="my-8 max-w-xs divider text-fg-muted">{% translate "OR" %}</div>
 
                 <section class="flex-wrap card-actions">
+                    {% include "users/includes/password_login_button.html" %}
+                    {% include "users/includes/passkey_login_button.html" %}
                     {% if GOOGLE_OAUTH2 %}
-                        {% include "includes/org_login_button.html" %}
+                        {% include "users/includes/org_login_button.html" %}
                     {% endif %}
-
-                    {% include "includes/password_login_button.html" %}
                 </section>
             </form>
         </section>
     </div>
 {% endblock %}
+
+{% block extra_js %}
+    <script src="{% static 'js/passkeys.js' %}"></script>
+    <script>
+        document.addEventListener("DOMContentLoaded", function () {
+            hypha.passkeys.initUI();
+        });
+    </script>
+{% endblock %}
diff --git a/hypha/apply/users/tests/test_passkey_views.py b/hypha/apply/users/tests/test_passkey_views.py
new file mode 100644
index 0000000000..09901a0e11
--- /dev/null
+++ b/hypha/apply/users/tests/test_passkey_views.py
@@ -0,0 +1,627 @@
+"""Tests for WebAuthn passkey views (passkey_views.py)."""
+
+import base64
+import json
+from unittest.mock import MagicMock, patch
+
+from django.conf import settings
+from django.test import TestCase, override_settings
+from django.urls import reverse
+from webauthn.helpers import bytes_to_base64url
+from webauthn.helpers.exceptions import InvalidAuthenticationResponse
+
+from ..models import Passkey
+from ..passkey_views import (
+    MAX_PASSKEYS_PER_USER,
+    SESSION_CHALLENGE_KEY_AUTH,
+    SESSION_CHALLENGE_KEY_REGISTER,
+)
+from .factories import UserFactory
+
+AUTH_BEGIN_URL = reverse("users:passkey_auth_begin")
+AUTH_COMPLETE_URL = reverse("users:passkey_auth_complete")
+REGISTER_BEGIN_URL = reverse("users:passkey_register_begin")
+REGISTER_COMPLETE_URL = reverse("users:passkey_register_complete")
+PASSKEY_LIST_URL = reverse("users:passkey_list")
+
+
+# ---------------------------------------------------------------------------
+# Helpers
+# ---------------------------------------------------------------------------
+
+
+def make_passkey(
+    user, credential_id=None, public_key=None, name="Test Passkey", **kwargs
+):
+    """Create a Passkey for a user with sensible defaults."""
+    kwargs.setdefault("sign_count", 0)
+    kwargs.setdefault("transports", ["internal"])
+    return Passkey.objects.create(
+        user=user,
+        name=name,
+        # base64url of b"test-cred-id" and b"test-pubkey"
+        credential_id=credential_id or bytes_to_base64url(b"test-cred-id"),
+        public_key=public_key or bytes_to_base64url(b"test-pubkey"),
+        **kwargs,
+    )
+
+
+def set_challenge(client, key, challenge_bytes=b"test-challenge"):
+    """Store a base64-encoded WebAuthn challenge in the test client session."""
+    session = client.session
+    session[key] = base64.b64encode(challenge_bytes).decode()
+    session.save()
+
+
+# ---------------------------------------------------------------------------
+# Registration begin
+# ---------------------------------------------------------------------------
+
+
+@override_settings(RATELIMIT_ENABLE=False)
+class TestPasskeyRegisterBegin(TestCase):
+    def setUp(self):
+        self.user = UserFactory()
+        self.client.force_login(self.user)
+
+    def test_requires_login(self):
+        self.client.logout()
+        response = self.client.post(REGISTER_BEGIN_URL)
+        self.assertEqual(response.status_code, 302)
+
+    def test_requires_post(self):
+        response = self.client.get(REGISTER_BEGIN_URL)
+        self.assertEqual(response.status_code, 405)
+
+    def test_returns_registration_options(self):
+        response = self.client.post(REGISTER_BEGIN_URL)
+        self.assertEqual(response.status_code, 200)
+        data = response.json()
+        self.assertIn("challenge", data)
+        self.assertIn("rp", data)
+        self.assertIn("user", data)
+
+    def test_stores_challenge_in_session(self):
+        self.client.post(REGISTER_BEGIN_URL)
+        self.assertIn(SESSION_CHALLENGE_KEY_REGISTER, self.client.session)
+
+    def test_returns_400_when_max_passkeys_reached(self):
+        for i in range(MAX_PASSKEYS_PER_USER):
+            make_passkey(
+                self.user, credential_id=bytes_to_base64url(f"cred{i}".encode())
+            )
+        response = self.client.post(REGISTER_BEGIN_URL)
+        self.assertEqual(response.status_code, 400)
+        self.assertIn("error", response.json())
+
+
+# ---------------------------------------------------------------------------
+# Registration complete
+# ---------------------------------------------------------------------------
+
+
+@override_settings(RATELIMIT_ENABLE=False)
+class TestPasskeyRegisterComplete(TestCase):
+    CHALLENGE = b"test-challenge-register"
+
+    def setUp(self):
+        self.user = UserFactory()
+        self.client.force_login(self.user)
+
+    def _set_challenge(self):
+        set_challenge(self.client, SESSION_CHALLENGE_KEY_REGISTER, self.CHALLENGE)
+
+    def _payload(self, name="My Key"):
+        return {
+            "id": bytes_to_base64url(b"new-cred"),
+            "rawId": bytes_to_base64url(b"new-cred"),
+            "name": name,
+            "response": {
+                "clientDataJSON": bytes_to_base64url(b"clientdata"),
+                "attestationObject": bytes_to_base64url(b"attestation"),
+                "transports": ["internal"],
+            },
+            "type": "public-key",
+        }
+
+    def test_requires_login(self):
+        self.client.logout()
+        self._set_challenge()
+        response = self.client.post(
+            REGISTER_COMPLETE_URL,
+            data=json.dumps(self._payload()),
+            content_type="application/json",
+        )
+        self.assertEqual(response.status_code, 302)
+
+    def test_invalid_json_returns_400(self):
+        self._set_challenge()
+        response = self.client.post(
+            REGISTER_COMPLETE_URL,
+            data="not-valid-json",
+            content_type="application/json",
+        )
+        self.assertEqual(response.status_code, 400)
+        self.assertIn("error", response.json())
+
+    def test_missing_challenge_returns_400(self):
+        # No challenge placed in session
+        response = self.client.post(
+            REGISTER_COMPLETE_URL,
+            data=json.dumps(self._payload()),
+            content_type="application/json",
+        )
+        self.assertEqual(response.status_code, 400)
+        self.assertIn("error", response.json())
+
+    @patch("hypha.apply.users.passkey_views.verify_registration_response")
+    def test_successful_registration_saves_passkey(self, mock_verify):
+        mock_verify.return_value = MagicMock(
+            credential_id=b"saved-cred-id",
+            credential_public_key=b"saved-pubkey",
+            sign_count=0,
+        )
+        self._set_challenge()
+        response = self.client.post(
+            REGISTER_COMPLETE_URL,
+            data=json.dumps(self._payload(name="My Key")),
+            content_type="application/json",
+        )
+        self.assertEqual(response.status_code, 200)
+        self.assertEqual(response.json()["status"], "ok")
+        self.assertEqual(self.user.passkeys.count(), 1)
+        self.assertEqual(self.user.passkeys.first().name, "My Key")
+
+    @patch("hypha.apply.users.passkey_views.verify_registration_response")
+    def test_name_is_truncated_to_128_chars(self, mock_verify):
+        mock_verify.return_value = MagicMock(
+            credential_id=b"cred",
+            credential_public_key=b"pubkey",
+            sign_count=0,
+        )
+        self._set_challenge()
+        long_name = "x" * 200
+        response = self.client.post(
+            REGISTER_COMPLETE_URL,
+            data=json.dumps(self._payload(name=long_name)),
+            content_type="application/json",
+        )
+        self.assertEqual(response.status_code, 200)
+        self.assertEqual(self.user.passkeys.first().name, "x" * 128)
+
+    @patch("hypha.apply.users.passkey_views.verify_registration_response")
+    def test_empty_name_gets_date_default(self, mock_verify):
+        mock_verify.return_value = MagicMock(
+            credential_id=b"cred",
+            credential_public_key=b"pubkey",
+            sign_count=0,
+        )
+        self._set_challenge()
+        response = self.client.post(
+            REGISTER_COMPLETE_URL,
+            data=json.dumps(self._payload(name="")),
+            content_type="application/json",
+        )
+        self.assertEqual(response.status_code, 200)
+        passkey = self.user.passkeys.first()
+        self.assertTrue(passkey.name.startswith("Passkey "))
+
+    @patch("hypha.apply.users.passkey_views.verify_registration_response")
+    def test_verification_failure_returns_400_and_saves_nothing(self, mock_verify):
+        mock_verify.side_effect = Exception("crypto error")
+        self._set_challenge()
+        response = self.client.post(
+            REGISTER_COMPLETE_URL,
+            data=json.dumps(self._payload()),
+            content_type="application/json",
+        )
+        self.assertEqual(response.status_code, 400)
+        self.assertIn("error", response.json())
+        self.assertEqual(self.user.passkeys.count(), 0)
+
+    def test_challenge_is_consumed_and_cannot_be_replayed(self):
+        """The registration challenge must be single-use."""
+        self._set_challenge()
+        # First call consumes the challenge (will fail verification, that's OK)
+        self.client.post(
+            REGISTER_COMPLETE_URL,
+            data=json.dumps(self._payload()),
+            content_type="application/json",
+        )
+        # Second call with the same payload must fail with "no challenge" error
+        response = self.client.post(
+            REGISTER_COMPLETE_URL,
+            data=json.dumps(self._payload()),
+            content_type="application/json",
+        )
+        self.assertEqual(response.status_code, 400)
+        self.assertIn("challenge", response.json()["error"].lower())
+
+
+# ---------------------------------------------------------------------------
+# Authentication begin
+# ---------------------------------------------------------------------------
+
+
+@override_settings(RATELIMIT_ENABLE=False)
+class TestPasskeyAuthBegin(TestCase):
+    def test_requires_post(self):
+        response = self.client.get(AUTH_BEGIN_URL)
+        self.assertEqual(response.status_code, 405)
+
+    def test_returns_authentication_options(self):
+        response = self.client.post(AUTH_BEGIN_URL)
+        self.assertEqual(response.status_code, 200)
+        data = response.json()
+        self.assertIn("challenge", data)
+        self.assertIn("rpId", data)
+
+    def test_stores_challenge_in_session(self):
+        self.client.post(AUTH_BEGIN_URL)
+        self.assertIn(SESSION_CHALLENGE_KEY_AUTH, self.client.session)
+
+    def test_accessible_without_login(self):
+        response = self.client.post(AUTH_BEGIN_URL)
+        self.assertEqual(response.status_code, 200)
+
+
+# ---------------------------------------------------------------------------
+# Authentication complete
+# ---------------------------------------------------------------------------
+
+CRED_ID = bytes_to_base64url(b"auth-cred-id")
+PUBKEY = bytes_to_base64url(b"auth-pubkey")
+
+
+@override_settings(RATELIMIT_ENABLE=False)
+class TestPasskeyAuthComplete(TestCase):
+    CHALLENGE = b"test-challenge-auth"
+
+    def setUp(self):
+        self.user = UserFactory()
+        self.passkey = make_passkey(
+            self.user,
+            credential_id=CRED_ID,
+            public_key=PUBKEY,
+            sign_count=0,
+        )
+
+    def _set_challenge(self):
+        set_challenge(self.client, SESSION_CHALLENGE_KEY_AUTH, self.CHALLENGE)
+
+    def _payload(self, **overrides):
+        payload = {
+            "id": CRED_ID,
+            "rawId": CRED_ID,
+            "response": {
+                "clientDataJSON": bytes_to_base64url(b"clientdata"),
+                "authenticatorData": bytes_to_base64url(b"authdata"),
+                "signature": bytes_to_base64url(b"sig"),
+            },
+            "type": "public-key",
+        }
+        payload.update(overrides)
+        return payload
+
+    def test_requires_post(self):
+        response = self.client.get(AUTH_COMPLETE_URL)
+        self.assertEqual(response.status_code, 405)
+
+    def test_invalid_json_returns_400(self):
+        self._set_challenge()
+        response = self.client.post(
+            AUTH_COMPLETE_URL,
+            data="not-json",
+            content_type="application/json",
+        )
+        self.assertEqual(response.status_code, 400)
+        self.assertIn("error", response.json())
+
+    def test_missing_challenge_returns_400(self):
+        response = self.client.post(
+            AUTH_COMPLETE_URL,
+            data=json.dumps(self._payload()),
+            content_type="application/json",
+        )
+        self.assertEqual(response.status_code, 400)
+        self.assertIn("error", response.json())
+
+    def test_unknown_credential_returns_400(self):
+        self._set_challenge()
+        unknown_id = bytes_to_base64url(b"no-such-cred")
+        response = self.client.post(
+            AUTH_COMPLETE_URL,
+            data=json.dumps(self._payload(id=unknown_id, rawId=unknown_id)),
+            content_type="application/json",
+        )
+        self.assertEqual(response.status_code, 400)
+        self.assertIn("error", response.json())
+
+    @patch("hypha.apply.users.passkey_views.verify_authentication_response")
+    def test_successful_auth_logs_in_user(self, mock_verify):
+        mock_verify.return_value = MagicMock(new_sign_count=1)
+        self._set_challenge()
+        response = self.client.post(
+            AUTH_COMPLETE_URL,
+            data=json.dumps(self._payload()),
+            content_type="application/json",
+        )
+        self.assertEqual(response.status_code, 200)
+        self.assertEqual(response.json()["status"], "ok")
+        self.assertIn("redirect_url", response.json())
+        self.assertEqual(int(self.client.session["_auth_user_id"]), self.user.pk)
+
+    @patch("hypha.apply.users.passkey_views.verify_authentication_response")
+    def test_successful_auth_sets_passkey_session_flag(self, mock_verify):
+        mock_verify.return_value = MagicMock(new_sign_count=1)
+        self._set_challenge()
+        self.client.post(
+            AUTH_COMPLETE_URL,
+            data=json.dumps(self._payload()),
+            content_type="application/json",
+        )
+        self.assertTrue(self.client.session.get("passkey_authenticated"))
+
+    @patch("hypha.apply.users.passkey_views.verify_authentication_response")
+    def test_successful_auth_updates_sign_count(self, mock_verify):
+        mock_verify.return_value = MagicMock(new_sign_count=42)
+        self._set_challenge()
+        self.client.post(
+            AUTH_COMPLETE_URL,
+            data=json.dumps(self._payload()),
+            content_type="application/json",
+        )
+        self.passkey.refresh_from_db()
+        self.assertEqual(self.passkey.sign_count, 42)
+
+    @patch("hypha.apply.users.passkey_views.verify_authentication_response")
+    def test_successful_auth_updates_last_used_at(self, mock_verify):
+        mock_verify.return_value = MagicMock(new_sign_count=1)
+        self._set_challenge()
+        self.client.post(
+            AUTH_COMPLETE_URL,
+            data=json.dumps(self._payload()),
+            content_type="application/json",
+        )
+        self.passkey.refresh_from_db()
+        self.assertIsNotNone(self.passkey.last_used_at)
+
+    @patch("hypha.apply.users.passkey_views.verify_authentication_response")
+    def test_open_redirect_falls_back_to_login_redirect(self, mock_verify):
+        mock_verify.return_value = MagicMock(new_sign_count=1)
+        self._set_challenge()
+        payload = self._payload()
+        payload["next"] = "https://evil.example.com/steal"
+        response = self.client.post(
+            AUTH_COMPLETE_URL,
+            data=json.dumps(payload),
+            content_type="application/json",
+        )
+        self.assertEqual(response.status_code, 200)
+        redirect_url = response.json()["redirect_url"]
+        self.assertNotIn("evil.example.com", redirect_url)
+
+    @patch("hypha.apply.users.passkey_views.verify_authentication_response")
+    def test_valid_next_url_is_passed_through(self, mock_verify):
+        mock_verify.return_value = MagicMock(new_sign_count=1)
+        self._set_challenge()
+        payload = self._payload()
+        payload["next"] = "/apply/"
+        response = self.client.post(
+            AUTH_COMPLETE_URL,
+            data=json.dumps(payload),
+            content_type="application/json",
+        )
+        self.assertEqual(response.status_code, 200)
+        self.assertEqual(response.json()["redirect_url"], "/apply/")
+
+    def test_user_handle_mismatch_returns_400(self):
+        """A userHandle that doesn't match the passkey owner must be rejected."""
+        other_user = UserFactory()
+        # Encode other_user's pk as the handle — view decodes and compares against
+        # str(passkey.user.pk).encode(), which is this user's pk.
+        wrong_handle = bytes_to_base64url(str(other_user.pk).encode())
+        self._set_challenge()
+        payload = self._payload()
+        payload["response"]["userHandle"] = wrong_handle
+        response = self.client.post(
+            AUTH_COMPLETE_URL,
+            data=json.dumps(payload),
+            content_type="application/json",
+        )
+        self.assertEqual(response.status_code, 400)
+        self.assertIn("error", response.json())
+
+    @patch("hypha.apply.users.passkey_views.verify_authentication_response")
+    def test_verification_failure_returns_400(self, mock_verify):
+        mock_verify.side_effect = InvalidAuthenticationResponse("bad signature")
+        self._set_challenge()
+        response = self.client.post(
+            AUTH_COMPLETE_URL,
+            data=json.dumps(self._payload()),
+            content_type="application/json",
+        )
+        self.assertEqual(response.status_code, 400)
+        self.assertIn("error", response.json())
+
+    def test_challenge_is_consumed_and_cannot_be_replayed(self):
+        """The auth challenge must be single-use (popped from session)."""
+        self._set_challenge()
+        # First call pops the challenge
+        self.client.post(
+            AUTH_COMPLETE_URL,
+            data=json.dumps(self._payload()),
+            content_type="application/json",
+        )
+        # Second call must fail because challenge is gone
+        response = self.client.post(
+            AUTH_COMPLETE_URL,
+            data=json.dumps(self._payload()),
+            content_type="application/json",
+        )
+        self.assertEqual(response.status_code, 400)
+        self.assertIn("challenge", response.json()["error"].lower())
+
+
+# ---------------------------------------------------------------------------
+# Passkey list
+# ---------------------------------------------------------------------------
+
+
+class TestPasskeyList(TestCase):
+    def setUp(self):
+        self.user = UserFactory()
+        self.client.force_login(self.user)
+
+    def test_requires_login(self):
+        self.client.logout()
+        response = self.client.get(PASSKEY_LIST_URL)
+        self.assertEqual(response.status_code, 302)
+
+    def test_requires_get(self):
+        response = self.client.post(PASSKEY_LIST_URL)
+        self.assertEqual(response.status_code, 405)
+
+    def test_returns_200_with_no_passkeys(self):
+        response = self.client.get(PASSKEY_LIST_URL)
+        self.assertEqual(response.status_code, 200)
+
+    def test_shows_own_passkeys(self):
+        make_passkey(self.user, name="My MacBook")
+        response = self.client.get(PASSKEY_LIST_URL)
+        self.assertContains(response, "My MacBook")
+
+    def test_does_not_show_other_users_passkeys(self):
+        other = UserFactory()
+        make_passkey(other, name="Someone Elses Key")
+        response = self.client.get(PASSKEY_LIST_URL)
+        self.assertNotContains(response, "Someone Elses Key")
+
+
+# ---------------------------------------------------------------------------
+# Passkey delete
+# ---------------------------------------------------------------------------
+
+
+class TestPasskeyDelete(TestCase):
+    def setUp(self):
+        self.user = UserFactory()
+        self.client.force_login(self.user)
+
+    def test_requires_login(self):
+        self.client.logout()
+        passkey = make_passkey(self.user)
+        url = reverse("users:passkey_delete", args=[passkey.pk])
+        response = self.client.post(url)
+        self.assertEqual(response.status_code, 302)
+
+    def test_deletes_own_passkey(self):
+        passkey = make_passkey(self.user)
+        url = reverse("users:passkey_delete", args=[passkey.pk])
+        response = self.client.post(url)
+        self.assertEqual(response.status_code, 200)
+        self.assertFalse(Passkey.objects.filter(pk=passkey.pk).exists())
+
+    def test_cannot_delete_other_users_passkey(self):
+        other = UserFactory()
+        passkey = make_passkey(other)
+        url = reverse("users:passkey_delete", args=[passkey.pk])
+        response = self.client.post(url)
+        self.assertEqual(response.status_code, 404)
+        self.assertTrue(Passkey.objects.filter(pk=passkey.pk).exists())
+
+    def test_returns_updated_passkey_list_partial(self):
+        passkey = make_passkey(self.user)
+        url = reverse("users:passkey_delete", args=[passkey.pk])
+        response = self.client.post(url)
+        self.assertTemplateUsed(response, "users/partials/passkey-list.html")
+
+
+# ---------------------------------------------------------------------------
+# Passkey rename
+# ---------------------------------------------------------------------------
+
+
+class TestPasskeyRename(TestCase):
+    def setUp(self):
+        self.user = UserFactory()
+        self.client.force_login(self.user)
+
+    def test_requires_login(self):
+        self.client.logout()
+        passkey = make_passkey(self.user)
+        url = reverse("users:passkey_rename", args=[passkey.pk])
+        response = self.client.post(url, {"name": "New Name"})
+        self.assertEqual(response.status_code, 302)
+
+    def test_renames_own_passkey(self):
+        passkey = make_passkey(self.user, name="Old Name")
+        url = reverse("users:passkey_rename", args=[passkey.pk])
+        response = self.client.post(url, {"name": "New Name"})
+        self.assertEqual(response.status_code, 200)
+        passkey.refresh_from_db()
+        self.assertEqual(passkey.name, "New Name")
+
+    def test_cannot_rename_other_users_passkey(self):
+        other = UserFactory()
+        passkey = make_passkey(other, name="Original")
+        url = reverse("users:passkey_rename", args=[passkey.pk])
+        response = self.client.post(url, {"name": "Hacked Name"})
+        self.assertEqual(response.status_code, 404)
+        passkey.refresh_from_db()
+        self.assertEqual(passkey.name, "Original")
+
+    def test_whitespace_only_name_is_ignored(self):
+        passkey = make_passkey(self.user, name="Original")
+        url = reverse("users:passkey_rename", args=[passkey.pk])
+        response = self.client.post(url, {"name": "   "})
+        self.assertEqual(response.status_code, 200)
+        passkey.refresh_from_db()
+        self.assertEqual(passkey.name, "Original")
+
+    def test_name_is_trimmed(self):
+        passkey = make_passkey(self.user)
+        url = reverse("users:passkey_rename", args=[passkey.pk])
+        self.client.post(url, {"name": "  Trimmed  "})
+        passkey.refresh_from_db()
+        self.assertEqual(passkey.name, "Trimmed")
+
+    def test_name_is_truncated_to_128_chars(self):
+        passkey = make_passkey(self.user)
+        url = reverse("users:passkey_rename", args=[passkey.pk])
+        self.client.post(url, {"name": "x" * 200})
+        passkey.refresh_from_db()
+        self.assertEqual(passkey.name, "x" * 128)
+
+    def test_returns_updated_passkey_list_partial(self):
+        passkey = make_passkey(self.user)
+        url = reverse("users:passkey_rename", args=[passkey.pk])
+        response = self.client.post(url, {"name": "Updated"})
+        self.assertTemplateUsed(response, "users/partials/passkey-list.html")
+
+
+# ---------------------------------------------------------------------------
+# Middleware — passkey_authenticated session flag bypasses ENFORCE_TWO_FACTOR
+# ---------------------------------------------------------------------------
+
+
+@override_settings(ENFORCE_TWO_FACTOR=True)
+class TestPasskeyMiddlewareBypass(TestCase):
+    def test_passkey_session_flag_bypasses_2fa_enforcement(self):
+        user = UserFactory()
+        self.client.force_login(user)
+        session = self.client.session
+        session["passkey_authenticated"] = True
+        session.save()
+
+        # The middleware should let the request through — account page is always accessible.
+        response = self.client.get(reverse("users:account"), follow=True)
+        self.assertNotContains(response, "Permission Denied")
+
+    def test_without_passkey_flag_unverified_user_is_blocked(self):
+        user = UserFactory()
+        self.client.force_login(user)
+        # No passkey_authenticated flag and no OTP device
+
+        response = self.client.get(settings.LOGIN_REDIRECT_URL, follow=True)
+        self.assertContains(response, "Permission Denied")
diff --git a/hypha/apply/users/urls.py b/hypha/apply/users/urls.py
index 23d51f75f2..47c0907a65 100644
--- a/hypha/apply/users/urls.py
+++ b/hypha/apply/users/urls.py
@@ -6,6 +6,15 @@
 
 from hypha.elevate.views import elevate as elevate_view
 
+from .passkey_views import (
+    passkey_auth_begin,
+    passkey_auth_complete,
+    passkey_delete,
+    passkey_list,
+    passkey_register_begin,
+    passkey_register_complete,
+    passkey_rename,
+)
 from .views import (
     AccountView,
     ActivationView,
@@ -39,6 +48,17 @@
     ),
     path("login/", LoginView.as_view(), name="login"),
     path("logout/", auth_views.LogoutView.as_view(next_page="/"), name="logout"),
+    # Passkey authentication — public (no login required)
+    path(
+        "passkeys/auth/begin/",
+        passkey_auth_begin,
+        name="passkey_auth_begin",
+    ),
+    path(
+        "passkeys/auth/complete/",
+        passkey_auth_complete,
+        name="passkey_auth_complete",
+    ),
 ]
 
 account_urls = [
@@ -115,6 +135,28 @@
         name="activate",
     ),
     path("hijack/", hijack_view, name="hijack"),
+    # Passkey management
+    path("passkeys/", passkey_list, name="passkey_list"),
+    path(
+        "passkeys/register/begin/",
+        passkey_register_begin,
+        name="passkey_register_begin",
+    ),
+    path(
+        "passkeys/register/complete/",
+        passkey_register_complete,
+        name="passkey_register_complete",
+    ),
+    path(
+        "passkeys/<int:pk>/delete/",
+        passkey_delete,
+        name="passkey_delete",
+    ),
+    path(
+        "passkeys/<int:pk>/rename/",
+        passkey_rename,
+        name="passkey_rename",
+    ),
     path("activate/", create_password, name="activate_password"),
     path("oauth", oauth, name="oauth"),
     # 2FA
diff --git a/hypha/settings/base.py b/hypha/settings/base.py
index 161a6dfbaa..8eda2bb0ba 100644
--- a/hypha/settings/base.py
+++ b/hypha/settings/base.py
@@ -30,9 +30,21 @@
 # DEFAULT_RATE_LIMIT is used by login, password, 2FA, etc
 DEFAULT_RATE_LIMIT = env.str("DEFAULT_RATE_LIMIT", "5/m")
 
-# IF Hypha should enforce 2FA for all users.
+# If Hypha should enforce 2FA for all users.
+# Users that login with passkeys are excluded since that is even more secure.
 ENFORCE_TWO_FACTOR = env.bool("ENFORCE_TWO_FACTOR", False)
 
+# WebAuthn / Passkey settings.
+# WEBAUTHN_RP_ID: the relying party domain, e.g. "example.com" (no port, no scheme).
+#   Defaults to the request host if not set. OBS! Do not use default in production!
+# WEBAUTHN_ORIGIN: the full origin, e.g. "https://example.com".
+#   Defaults to the request origin if not set.
+# WEBAUTHN_RP_NAME: display name shown in the browser passkey UI.
+#   Defaults to ORG_LONG_NAME.
+WEBAUTHN_RP_ID = env.str("WEBAUTHN_RP_ID", None)
+WEBAUTHN_RP_NAME = env.str("WEBAUTHN_RP_NAME", None)
+WEBAUTHN_ORIGIN = env.str("WEBAUTHN_ORIGIN", None)
+
 # Set the allowed file extension for all uploads fields.
 FILE_ALLOWED_EXTENSIONS = [
     "doc",
diff --git a/hypha/static_src/javascript/passkeys.js b/hypha/static_src/javascript/passkeys.js
new file mode 100644
index 0000000000..be99503a2e
--- /dev/null
+++ b/hypha/static_src/javascript/passkeys.js
@@ -0,0 +1,246 @@
+/**
+ * WebAuthn passkey support using native browser APIs.
+ *
+ * Uses the stable native APIs available in all major browsers since March 2025:
+ *   - PublicKeyCredential.parseCreationOptionsFromJSON()
+ *   - PublicKeyCredential.parseRequestOptionsFromJSON()
+ *   - PublicKeyCredential.prototype.toJSON()
+ *
+ * Availability is checked via window.PublicKeyCredential && navigator.credentials,
+ * which covers platform authenticators (Touch ID, Windows Hello, Face ID) as well
+ * as roaming authenticators (security keys) and cross-device auth (QR code).
+ */
+
+window.hypha = window.hypha || {};
+
+window.hypha.passkeys = (function () {
+  let _conditionalAbortController = null;
+  function getCsrfToken() {
+    const hxheaders = document.body.getAttribute("hx-headers") || "{}";
+    const headers = JSON.parse(hxheaders);
+    return headers["X-CSRFToken"] || "";
+  }
+
+  function getRememberMe() {
+    const el =
+      document.getElementById("id_auth-remember_me") ||
+      document.getElementById("id_remember_me");
+    return el ? el.checked : false;
+  }
+
+  function jsonPost(url, body) {
+    return fetch(url, {
+      method: "POST",
+      headers: {
+        "Content-Type": "application/json",
+        "X-CSRFToken": getCsrfToken(),
+      },
+      body: JSON.stringify(body),
+    });
+  }
+
+  /**
+   * Show passkey-related UI elements only when the platform supports them.
+   * Call this on DOMContentLoaded — elements with data-passkey-ui are hidden
+   * by default and revealed here.
+   */
+  async function initUI() {
+    const webAuthnAvailable = !!(
+      window.PublicKeyCredential && navigator.credentials
+    );
+
+    const conditionalOk = await (
+      window.PublicKeyCredential?.isConditionalMediationAvailable?.() ??
+      Promise.resolve(false)
+    ).catch(() => false);
+
+    if (webAuthnAvailable) {
+      document
+        .querySelectorAll("[data-passkey-ui]")
+        .forEach((el) => el.removeAttribute("hidden"));
+    }
+
+    if (conditionalOk) {
+      _startConditionalMediation();
+    }
+  }
+
+  /**
+   * Register a new passkey for the currently authenticated user.
+   * Called from the account page "Add passkey" form (onsubmit).
+   * @param {HTMLFormElement} formEl  The <form> element containing a [name=name] input.
+   */
+  async function register(formEl) {
+    const beginUrl = formEl?.dataset.beginUrl;
+    const completeUrl = formEl?.dataset.completeUrl;
+    if (!beginUrl || !completeUrl) return;
+
+    const nameInput = formEl?.querySelector("[name=name]");
+    const errorEl = document.getElementById("passkey-error");
+    const submitBtn = formEl?.querySelector("[type=submit]");
+
+    try {
+      if (submitBtn) submitBtn.disabled = true;
+      if (errorEl) errorEl.hidden = true;
+
+      // Step 1: fetch registration options from server
+      const beginResp = await jsonPost(beginUrl, {});
+      if (!beginResp.ok) {
+        const err = await beginResp.json();
+        throw new Error(
+          err.error || formEl?.dataset.errorServer || "Server error"
+        );
+      }
+      const options = await beginResp.json();
+
+      // Step 2: trigger native OS passkey creation UI (Touch ID / Windows Hello / …)
+      const credential = await navigator.credentials.create({
+        publicKey: PublicKeyCredential.parseCreationOptionsFromJSON(options),
+      });
+
+      // Step 3: send the signed response to the server
+      const completeResp = await jsonPost(completeUrl, {
+        ...credential.toJSON(),
+        name: nameInput?.value.trim() || "",
+      });
+      if (!completeResp.ok) {
+        const err = await completeResp.json();
+        throw new Error(
+          err.error || formEl?.dataset.errorRegister || "Registration failed"
+        );
+      }
+
+      // Reload to show the new passkey in the list
+      window.location.reload();
+    } catch (err) {
+      // NotAllowedError means the user dismissed the native OS dialog — not an error.
+      if (err.name === "NotAllowedError") {
+        // user cancelled — do nothing
+      } else if (err.name === "InvalidStateError") {
+        if (errorEl) {
+          errorEl.textContent =
+            formEl?.dataset.errorDuplicate ||
+            "This authenticator already has a passkey registered. Try a different authenticator or device.";
+          errorEl.hidden = false;
+        }
+      } else if (errorEl) {
+        errorEl.textContent = err.message;
+        errorEl.hidden = false;
+      }
+    } finally {
+      if (submitBtn) submitBtn.disabled = false;
+    }
+  }
+
+  /**
+   * Authenticate with a passkey via an explicit button click on the login page.
+   */
+  async function authenticate() {
+    // Abort any in-progress conditional mediation before starting explicit auth.
+    if (_conditionalAbortController) {
+      _conditionalAbortController.abort();
+      _conditionalAbortController = null;
+    }
+
+    const btn = document.getElementById("btn-passkey-login");
+    const beginUrl = btn?.dataset.beginUrl;
+    const completeUrl = btn?.dataset.completeUrl;
+    if (!beginUrl || !completeUrl) return;
+
+    const nextUrl = btn?.dataset.nextUrl || "";
+    const errorEl = document.getElementById("passkey-auth-error");
+
+    try {
+      const beginResp = await jsonPost(beginUrl, {});
+      if (!beginResp.ok)
+        throw new Error(
+          errorEl?.dataset.errorBegin || "Failed to begin authentication"
+        );
+      const authOptions = await beginResp.json();
+
+      // Triggers native OS passkey selection UI
+      const credential = await navigator.credentials.get({
+        publicKey: PublicKeyCredential.parseRequestOptionsFromJSON(authOptions),
+      });
+
+      const completeResp = await jsonPost(completeUrl, {
+        ...credential.toJSON(),
+        next: nextUrl,
+        remember_me: getRememberMe(),
+      });
+      if (!completeResp.ok) {
+        const err = await completeResp.json();
+        throw new Error(
+          err.error || errorEl?.dataset.errorAuth || "Authentication failed"
+        );
+      }
+      const data = await completeResp.json();
+      const redirectUrl = new URL(
+        data.redirect_url || "/",
+        window.location.origin
+      );
+      window.location.href =
+        redirectUrl.origin === window.location.origin
+          ? redirectUrl.pathname + redirectUrl.search + redirectUrl.hash
+          : "/";
+    } catch (err) {
+      // NotAllowedError / AbortError = user dismissed the native UI.
+      if (err.name !== "NotAllowedError" && err.name !== "AbortError") {
+        if (errorEl) {
+          errorEl.textContent = err.message;
+          errorEl.hidden = false;
+        }
+      }
+    }
+  }
+
+  /**
+   * Internal: start conditional mediation (passkey autofill on the login page).
+   * The email input needs autocomplete="username webauthn" for this to work.
+   */
+  async function _startConditionalMediation() {
+    const btn = document.getElementById("btn-passkey-login");
+    const beginUrl = btn?.dataset.beginUrl;
+    const completeUrl = btn?.dataset.completeUrl;
+    if (!beginUrl || !completeUrl) return;
+
+    _conditionalAbortController = new AbortController();
+
+    try {
+      const beginResp = await jsonPost(beginUrl, {});
+      if (!beginResp.ok) return;
+      const authOptions = await beginResp.json();
+
+      // mediation:"conditional" shows registered passkeys in the browser
+      // autofill dropdown next to the email field — no explicit user gesture needed.
+      const credential = await navigator.credentials.get({
+        publicKey: PublicKeyCredential.parseRequestOptionsFromJSON(authOptions),
+        mediation: "conditional",
+        signal: _conditionalAbortController.signal,
+      });
+
+      if (!credential) return;
+
+      const nextUrl = btn?.dataset.nextUrl || "";
+      const completeResp = await jsonPost(completeUrl, {
+        ...credential.toJSON(),
+        next: nextUrl,
+        remember_me: getRememberMe(),
+      });
+      if (!completeResp.ok) return;
+      const data = await completeResp.json();
+      const redirectUrl = new URL(
+        data.redirect_url || "/",
+        window.location.origin
+      );
+      window.location.href =
+        redirectUrl.origin === window.location.origin
+          ? redirectUrl.pathname + redirectUrl.search + redirectUrl.hash
+          : "/";
+    } catch (_err) {
+      // Expected: aborted when user submits the password form normally.
+    }
+  }
+
+  return { initUI, register, authenticate };
+})();
diff --git a/hypha/templates/base-apply.html b/hypha/templates/base-apply.html
index 89b3bd160c..b53581de0e 100644
--- a/hypha/templates/base-apply.html
+++ b/hypha/templates/base-apply.html
@@ -44,7 +44,7 @@
                 {% endif %}
 
                 {% if request.path != '/auth/' and request.path != '/login/' %}
-                    {% include "includes/user_menu.html" %}
+                    {% include "users/includes/user_menu.html" %}
                 {% endif %}
 
                 <button
diff --git a/pyproject.toml b/pyproject.toml
index 84f182542b..5210e84652 100644
--- a/pyproject.toml
+++ b/pyproject.toml
@@ -54,6 +54,7 @@ dependencies = [
     "svgwrite~=1.4.3",
     "wagtail-modeladmin~=2.2.0",
     "wagtail~=7.0.5",
+    "webauthn~=2.2.0",
     "whitenoise~=6.11.0",
     "xhtml2pdf~=0.2.17",
 ]
diff --git a/requirements/dev.txt b/requirements/dev.txt
index ccf27791b6..4f7245ebb3 100644
--- a/requirements/dev.txt
+++ b/requirements/dev.txt
@@ -35,6 +35,7 @@ asn1crypto==1.5.1 \
     #   oscrypto
     #   pyhanko
     #   pyhanko-certvalidator
+    #   webauthn
 async-timeout==5.0.1 ; python_full_version < '3.11.3' \
     --hash=sha256:39e3809566ff85354557ec2398b55e096c8364bacac9405a7a1fa429e77fe76c \
     --hash=sha256:d9321a7a3d5a6a5e187e824d2fa0793ce379a202935782d555d6e9d2735677d3
@@ -108,6 +109,45 @@ bracex==2.6 \
     --hash=sha256:0b0049264e7340b3ec782b5cb99beb325f36c3782a32e36e876452fd49a09952 \
     --hash=sha256:98f1347cd77e22ee8d967a30ad4e310b233f7754dbf31ff3fceb76145ba47dc7
     # via wcmatch
+cbor2==5.9.0 \
+    --hash=sha256:0322296b9d52f55880e300ba8ba09ecf644303b99b51138bbb1c0fb644fa7c3e \
+    --hash=sha256:0485d3372fc832c5e16d4eb45fa1a20fc53e806e6c29a1d2b0d3e176cedd52b9 \
+    --hash=sha256:08388ea54195738602b4c4999966bcaef6f0b17d293c9658658409d9fff96f57 \
+    --hash=sha256:1d02b65f070fd726bdc310d927228975bb655d155bf059b6eb7cacefb3dca86f \
+    --hash=sha256:1f223dffb1bcdd2764665f04c1152943d9daa4bc124a576cd8dee1cad4264313 \
+    --hash=sha256:23606d31ba1368bd1b6602e3020ee88fe9523ca80e8630faf6b2fc904fd84560 \
+    --hash=sha256:2372d357d403e7912f104ff085950ffc82a5854d6d717f1ca1ce16a40a0ef5a7 \
+    --hash=sha256:25bec7beb2089465382b1be72e78667fe9090598800826559c3e3008cf0db743 \
+    --hash=sha256:27695cbd70c90b8de5c4a284642c2836449b14e2c2e07e3ffe0744cb7669a01b \
+    --hash=sha256:2a54fbb32cb828c214f7f333a707e4aec61182e7efdc06ea5d9596d3ecee624a \
+    --hash=sha256:3095dc49e75572841a9534cbfdabc2a17487ea4ee33341436abc4a7ac7245a3a \
+    --hash=sha256:34a6cb15e6ab6a8eae94ad2041731cd3ef786af43a8df99f847969af5b902ee7 \
+    --hash=sha256:380e534482b843e43442b87d8777a7bf9bed20cb7526f89b780c3400f617304b \
+    --hash=sha256:420d2490c7836c81151b4bd591c35cffc55391e33e7e333c50fda391bcea7d31 \
+    --hash=sha256:422817286c1d0ce947fb2f7eca9212b39bddd7231e8b452e2d2cc52f15332dba \
+    --hash=sha256:4753a6d1bc71054d9179557bc65740860f185095ccb401d46637fff028a5b3ec \
+    --hash=sha256:4aa07b392cc3d76fb31c08a46a226b58c320d1c172ff3073e864409ced7bc50f \
+    --hash=sha256:4cd43d8fc374b31643b2830910f28177a606a7bc84975a62675dd3f2e320fc7b \
+    --hash=sha256:5326336f633cc89dfe543c78829c16c3a6449c2c03277d1ddba99086c3323363 \
+    --hash=sha256:55bea0dd9a7d354e35f4e5fe58ceab393e76962713749dc3a0a64a0e5d19545e \
+    --hash=sha256:5e702b02d42a5ace45425b595ffe70fe35aebaf9a3cdfdc2c758b6189c744422 \
+    --hash=sha256:7221483fad0c63afa4244624d552abf89d7dfdbc5f5edfc56fc1ff2b4b818975 \
+    --hash=sha256:7d1ddc4541e7367ac58c2470cc0df847f7137167fe4f5729e2d3cc0b993d7da4 \
+    --hash=sha256:837754ece9052b3f607047e1741e5f852a538aa2b0ee3db11c82a8fa11804aa4 \
+    --hash=sha256:85c7a46279ac8f226e1059275221e6b3d0e370d2bb6bd0500f9780781615bcea \
+    --hash=sha256:86baf870d4c0bfc6f79de3801f3860a84ab76d9c8b0abb7f081f2c14c38d79d3 \
+    --hash=sha256:971d425b3a23b75953d8853d5f9911bdeefa09d759ee3b5e6b07b5ff3cbd9073 \
+    --hash=sha256:9a4907e0c3035bb8836116854ed8e56d8aef23909d601fa59706320897ec2551 \
+    --hash=sha256:a9d6e4e0f988b0e766509a8071975a8ee99f930e14a524620bf38083106158d2 \
+    --hash=sha256:ac684fe195c39821fca70d18afbf748f728aefbfbf88456018d299e559b8cae0 \
+    --hash=sha256:ae6c706ac1d85a0b3cb3395308fd0c4d55e3202b4760773675957e93cdff45fc \
+    --hash=sha256:cc5efec69055c3c470997935d95762be7e4bfd1248d88fb1a33bb7e0f45712e9 \
+    --hash=sha256:d1a21c006760f95acd9509cc5a7d15d6fc82e58f721f94fa9039b4e77189a6e5 \
+    --hash=sha256:dcf0f695873e5c94bd072d6af8698e72b8fb7f7a18f37e0bced1041b7111a6cf \
+    --hash=sha256:f7c9751a9611601ab326d8f5837f01379195bbf06175fb4effeb552140e7c9e8 \
+    --hash=sha256:fb7afe77f8d269e42d7c4b515c6fd14f1ccc0625379fb6829b269f493d16eddd \
+    --hash=sha256:fbb06f34aa645b4deca66643bba3d400d20c15312d1fe88d429be60c1ab50f27
+    # via webauthn
 celery==5.6.3 \
     --hash=sha256:0808f42f80909c4d5833202360ffafb2a4f83f4d8e23e1285d926610e9a7afa6 \
     --hash=sha256:177006bd2054b882e9f01be59abd8529e88879ef50d7918a7050c5a9f4e12912
@@ -499,6 +539,8 @@ cryptography==48.0.0 \
     #   pyhanko
     #   pyhanko-certvalidator
     #   pyjwt
+    #   pyopenssl
+    #   webauthn
 cssselect2==0.9.0 \
     --hash=sha256:6a99e5f91f9a016a304dd929b0966ca464bcfda15177b6fb4a118fc0fb5d9563 \
     --hash=sha256:759aa22c216326356f65e62e791d66160a0f9c91d1424e8d8adc5e74dddfc6fb
@@ -1756,6 +1798,10 @@ pymdown-extensions==10.21.2 \
     # via
     #   mkdocs-material
     #   mkdocstrings
+pyopenssl==26.0.0 \
+    --hash=sha256:df94d28498848b98cc1c0ffb8ef1e71e40210d3b0a8064c9d29571ed2904bf81 \
+    --hash=sha256:f293934e52936f2e3413b89c6ce36df66a0b34ae1ea3a053b8c5020ff2f513fc
+    # via webauthn
 pypdf==6.11.0 \
     --hash=sha256:062b51c81b0910e6d2755e99e1c5547a0a23b7d0a32322af66240d8edcfabe87 \
     --hash=sha256:769394d5756d5b304c9b6bef88b54b1816b328e7e6fc9254e625529a15ed4ab8
@@ -2279,6 +2325,7 @@ typing-extensions==4.15.0 \
     #   pydantic
     #   pydantic-core
     #   pyjwt
+    #   pyopenssl
     #   pypdf
     #   python-docx
     #   rich
@@ -2379,6 +2426,10 @@ wcwidth==0.7.0 \
     --hash=sha256:5d69154c429a82910e241c738cd0e2976fac8a2dd47a1a805f4afed1c0f136f2 \
     --hash=sha256:90e3a7ea092341c44b99562e75d09e4d5160fe7a3974c6fb842a101a95e7eed0
     # via prompt-toolkit
+webauthn==2.2.0 \
+    --hash=sha256:70e4f318d293125e3a8609838be0561119f4f8846bc430d524f8da4052ee18cc \
+    --hash=sha256:e8e2daace85dde8f6fb436c1bca9aa72d5931dac8829ecc1562cc4e7cc169f6c
+    # via hypha
 webencodings==0.5.1 \
     --hash=sha256:a0af1213f3c2226497a97e2b3aa01a7e4bee4f403f95be16fc9acd2947514a78 \
     --hash=sha256:b36a1c245f2d304965eb4e0a82848379241dc04b865afcc4aab16748587e1923
diff --git a/requirements/prod.txt b/requirements/prod.txt
index aee0d54a18..35a6bdd6f5 100644
--- a/requirements/prod.txt
+++ b/requirements/prod.txt
@@ -30,6 +30,7 @@ asn1crypto==1.5.1 \
     #   oscrypto
     #   pyhanko
     #   pyhanko-certvalidator
+    #   webauthn
 async-timeout==5.0.1 ; python_full_version < '3.11.3' \
     --hash=sha256:39e3809566ff85354557ec2398b55e096c8364bacac9405a7a1fa429e77fe76c \
     --hash=sha256:d9321a7a3d5a6a5e187e824d2fa0793ce379a202935782d555d6e9d2735677d3
@@ -88,6 +89,45 @@ botocore==1.42.97 \
     # via
     #   boto3
     #   s3transfer
+cbor2==5.9.0 \
+    --hash=sha256:0322296b9d52f55880e300ba8ba09ecf644303b99b51138bbb1c0fb644fa7c3e \
+    --hash=sha256:0485d3372fc832c5e16d4eb45fa1a20fc53e806e6c29a1d2b0d3e176cedd52b9 \
+    --hash=sha256:08388ea54195738602b4c4999966bcaef6f0b17d293c9658658409d9fff96f57 \
+    --hash=sha256:1d02b65f070fd726bdc310d927228975bb655d155bf059b6eb7cacefb3dca86f \
+    --hash=sha256:1f223dffb1bcdd2764665f04c1152943d9daa4bc124a576cd8dee1cad4264313 \
+    --hash=sha256:23606d31ba1368bd1b6602e3020ee88fe9523ca80e8630faf6b2fc904fd84560 \
+    --hash=sha256:2372d357d403e7912f104ff085950ffc82a5854d6d717f1ca1ce16a40a0ef5a7 \
+    --hash=sha256:25bec7beb2089465382b1be72e78667fe9090598800826559c3e3008cf0db743 \
+    --hash=sha256:27695cbd70c90b8de5c4a284642c2836449b14e2c2e07e3ffe0744cb7669a01b \
+    --hash=sha256:2a54fbb32cb828c214f7f333a707e4aec61182e7efdc06ea5d9596d3ecee624a \
+    --hash=sha256:3095dc49e75572841a9534cbfdabc2a17487ea4ee33341436abc4a7ac7245a3a \
+    --hash=sha256:34a6cb15e6ab6a8eae94ad2041731cd3ef786af43a8df99f847969af5b902ee7 \
+    --hash=sha256:380e534482b843e43442b87d8777a7bf9bed20cb7526f89b780c3400f617304b \
+    --hash=sha256:420d2490c7836c81151b4bd591c35cffc55391e33e7e333c50fda391bcea7d31 \
+    --hash=sha256:422817286c1d0ce947fb2f7eca9212b39bddd7231e8b452e2d2cc52f15332dba \
+    --hash=sha256:4753a6d1bc71054d9179557bc65740860f185095ccb401d46637fff028a5b3ec \
+    --hash=sha256:4aa07b392cc3d76fb31c08a46a226b58c320d1c172ff3073e864409ced7bc50f \
+    --hash=sha256:4cd43d8fc374b31643b2830910f28177a606a7bc84975a62675dd3f2e320fc7b \
+    --hash=sha256:5326336f633cc89dfe543c78829c16c3a6449c2c03277d1ddba99086c3323363 \
+    --hash=sha256:55bea0dd9a7d354e35f4e5fe58ceab393e76962713749dc3a0a64a0e5d19545e \
+    --hash=sha256:5e702b02d42a5ace45425b595ffe70fe35aebaf9a3cdfdc2c758b6189c744422 \
+    --hash=sha256:7221483fad0c63afa4244624d552abf89d7dfdbc5f5edfc56fc1ff2b4b818975 \
+    --hash=sha256:7d1ddc4541e7367ac58c2470cc0df847f7137167fe4f5729e2d3cc0b993d7da4 \
+    --hash=sha256:837754ece9052b3f607047e1741e5f852a538aa2b0ee3db11c82a8fa11804aa4 \
+    --hash=sha256:85c7a46279ac8f226e1059275221e6b3d0e370d2bb6bd0500f9780781615bcea \
+    --hash=sha256:86baf870d4c0bfc6f79de3801f3860a84ab76d9c8b0abb7f081f2c14c38d79d3 \
+    --hash=sha256:971d425b3a23b75953d8853d5f9911bdeefa09d759ee3b5e6b07b5ff3cbd9073 \
+    --hash=sha256:9a4907e0c3035bb8836116854ed8e56d8aef23909d601fa59706320897ec2551 \
+    --hash=sha256:a9d6e4e0f988b0e766509a8071975a8ee99f930e14a524620bf38083106158d2 \
+    --hash=sha256:ac684fe195c39821fca70d18afbf748f728aefbfbf88456018d299e559b8cae0 \
+    --hash=sha256:ae6c706ac1d85a0b3cb3395308fd0c4d55e3202b4760773675957e93cdff45fc \
+    --hash=sha256:cc5efec69055c3c470997935d95762be7e4bfd1248d88fb1a33bb7e0f45712e9 \
+    --hash=sha256:d1a21c006760f95acd9509cc5a7d15d6fc82e58f721f94fa9039b4e77189a6e5 \
+    --hash=sha256:dcf0f695873e5c94bd072d6af8698e72b8fb7f7a18f37e0bced1041b7111a6cf \
+    --hash=sha256:f7c9751a9611601ab326d8f5837f01379195bbf06175fb4effeb552140e7c9e8 \
+    --hash=sha256:fb7afe77f8d269e42d7c4b515c6fd14f1ccc0625379fb6829b269f493d16eddd \
+    --hash=sha256:fbb06f34aa645b4deca66643bba3d400d20c15312d1fe88d429be60c1ab50f27
+    # via webauthn
 celery==5.6.3 \
     --hash=sha256:0808f42f80909c4d5833202360ffafb2a4f83f4d8e23e1285d926610e9a7afa6 \
     --hash=sha256:177006bd2054b882e9f01be59abd8529e88879ef50d7918a7050c5a9f4e12912
@@ -357,6 +397,8 @@ cryptography==48.0.0 \
     #   pyhanko
     #   pyhanko-certvalidator
     #   pyjwt
+    #   pyopenssl
+    #   webauthn
 cssselect2==0.9.0 \
     --hash=sha256:6a99e5f91f9a016a304dd929b0966ca464bcfda15177b6fb4a118fc0fb5d9563 \
     --hash=sha256:759aa22c216326356f65e62e791d66160a0f9c91d1424e8d8adc5e74dddfc6fb
@@ -1028,6 +1070,10 @@ pyjwt==2.12.1 \
     --hash=sha256:28ca37c070cad8ba8cd9790cd940535d40274d22f80ab87f3ac6a713e6e8454c \
     --hash=sha256:c74a7a2adf861c04d002db713dd85f84beb242228e671280bf709d765b03672b
     # via social-auth-core
+pyopenssl==26.0.0 \
+    --hash=sha256:df94d28498848b98cc1c0ffb8ef1e71e40210d3b0a8064c9d29571ed2904bf81 \
+    --hash=sha256:f293934e52936f2e3413b89c6ce36df66a0b34ae1ea3a053b8c5020ff2f513fc
+    # via webauthn
 pypdf==6.11.0 \
     --hash=sha256:062b51c81b0910e6d2755e99e1c5547a0a23b7d0a32322af66240d8edcfabe87 \
     --hash=sha256:769394d5756d5b304c9b6bef88b54b1816b328e7e6fc9254e625529a15ed4ab8
@@ -1321,6 +1367,7 @@ typing-extensions==4.15.0 \
     #   mistune
     #   psycopg
     #   pyjwt
+    #   pyopenssl
     #   pypdf
     #   python-docx
 tzdata==2026.2 \
@@ -1370,6 +1417,10 @@ wcwidth==0.7.0 \
     --hash=sha256:5d69154c429a82910e241c738cd0e2976fac8a2dd47a1a805f4afed1c0f136f2 \
     --hash=sha256:90e3a7ea092341c44b99562e75d09e4d5160fe7a3974c6fb842a101a95e7eed0
     # via prompt-toolkit
+webauthn==2.2.0 \
+    --hash=sha256:70e4f318d293125e3a8609838be0561119f4f8846bc430d524f8da4052ee18cc \
+    --hash=sha256:e8e2daace85dde8f6fb436c1bca9aa72d5931dac8829ecc1562cc4e7cc169f6c
+    # via hypha
 webencodings==0.5.1 \
     --hash=sha256:a0af1213f3c2226497a97e2b3aa01a7e4bee4f403f95be16fc9acd2947514a78 \
     --hash=sha256:b36a1c245f2d304965eb4e0a82848379241dc04b865afcc4aab16748587e1923
diff --git a/uv.lock b/uv.lock
index 128af3b24e..09d05b82d2 100644
--- a/uv.lock
+++ b/uv.lock
@@ -290,6 +290,50 @@ wheels = [
     { url = "https://files.pythonhosted.org/packages/9e/96/d32b941a501ab566a16358d68b6eb4e4acc373fab3c3c4d7d9e649f7b4bb/catalogue-2.0.10-py3-none-any.whl", hash = "sha256:58c2de0020aa90f4a2da7dfad161bf7b3b054c86a5f09fcedc0b2b740c109a9f", size = 17325, upload-time = "2023-09-25T06:29:23.337Z" },
 ]
 
+[[package]]
+name = "cbor2"
+version = "5.9.0"
+source = { registry = "https://pypi.org/simple" }
+sdist = { url = "https://files.pythonhosted.org/packages/bd/cb/09939728be094d155b5d4ac262e39877875f5f7e36eea66beb359f647bd0/cbor2-5.9.0.tar.gz", hash = "sha256:85c7a46279ac8f226e1059275221e6b3d0e370d2bb6bd0500f9780781615bcea", size = 111231, upload-time = "2026-03-22T15:56:50.638Z" }
+wheels = [
+    { url = "https://files.pythonhosted.org/packages/e0/bf/12b337e5354e47f6378da18989480c0c1e2cc5fe9b865e6fab45d6332aa6/cbor2-5.9.0-cp310-cp310-macosx_11_0_arm64.whl", hash = "sha256:55bea0dd9a7d354e35f4e5fe58ceab393e76962713749dc3a0a64a0e5d19545e", size = 70577, upload-time = "2026-03-22T15:55:54.174Z" },
+    { url = "https://files.pythonhosted.org/packages/45/7b/74c524ce81c1ddc6c44b4865028ffb7d3a8e7ae653b1061650375a28cbb1/cbor2-5.9.0-cp310-cp310-manylinux2014_aarch64.manylinux_2_17_aarch64.manylinux_2_28_aarch64.whl", hash = "sha256:3095dc49e75572841a9534cbfdabc2a17487ea4ee33341436abc4a7ac7245a3a", size = 261074, upload-time = "2026-03-22T15:55:55.654Z" },
+    { url = "https://files.pythonhosted.org/packages/4b/97/c496c71422b2ca18ff2acc5f49e8c45cd7294b7df1359eccec78021b428e/cbor2-5.9.0-cp310-cp310-manylinux2014_x86_64.manylinux_2_17_x86_64.manylinux_2_28_x86_64.whl", hash = "sha256:25bec7beb2089465382b1be72e78667fe9090598800826559c3e3008cf0db743", size = 255498, upload-time = "2026-03-22T15:55:57.256Z" },
+    { url = "https://files.pythonhosted.org/packages/c2/40/9bd7e66dba7aea674a440e004faea406de42c49aeac23453954b67768532/cbor2-5.9.0-cp310-cp310-musllinux_1_2_aarch64.whl", hash = "sha256:cc5efec69055c3c470997935d95762be7e4bfd1248d88fb1a33bb7e0f45712e9", size = 255683, upload-time = "2026-03-22T15:55:58.721Z" },
+    { url = "https://files.pythonhosted.org/packages/b3/d1/fa3e158dbe4c08091495b720c604624b285bc272afdbcfac2150725d955b/cbor2-5.9.0-cp310-cp310-musllinux_1_2_x86_64.whl", hash = "sha256:420d2490c7836c81151b4bd591c35cffc55391e33e7e333c50fda391bcea7d31", size = 250798, upload-time = "2026-03-22T15:55:59.953Z" },
+    { url = "https://files.pythonhosted.org/packages/7c/16/3186084b441c4b0caebfaaa2c66a57bde82ceaacd469570c77c8030b6b95/cbor2-5.9.0-cp310-cp310-win_amd64.whl", hash = "sha256:d1a21c006760f95acd9509cc5a7d15d6fc82e58f721f94fa9039b4e77189a6e5", size = 69436, upload-time = "2026-03-22T15:56:01.466Z" },
+    { url = "https://files.pythonhosted.org/packages/36/1f/57d00cd13e0f9391bcd616795aa78409210a7464570fe21e3b9cd42eb5a7/cbor2-5.9.0-cp310-cp310-win_arm64.whl", hash = "sha256:08388ea54195738602b4c4999966bcaef6f0b17d293c9658658409d9fff96f57", size = 65312, upload-time = "2026-03-22T15:56:02.804Z" },
+    { url = "https://files.pythonhosted.org/packages/43/aa/317c7118b8dda4c9563125c1a12c70c5b41e36677964a49c72b1aac061ec/cbor2-5.9.0-cp311-cp311-macosx_11_0_arm64.whl", hash = "sha256:0485d3372fc832c5e16d4eb45fa1a20fc53e806e6c29a1d2b0d3e176cedd52b9", size = 70578, upload-time = "2026-03-22T15:56:03.835Z" },
+    { url = "https://files.pythonhosted.org/packages/31/43/fe29b1f897770011a5e7497f4523c2712282ee4a6cbf775ea6383fb7afb9/cbor2-5.9.0-cp311-cp311-manylinux2014_aarch64.manylinux_2_17_aarch64.manylinux_2_28_aarch64.whl", hash = "sha256:a9d6e4e0f988b0e766509a8071975a8ee99f930e14a524620bf38083106158d2", size = 268738, upload-time = "2026-03-22T15:56:05.222Z" },
+    { url = "https://files.pythonhosted.org/packages/0a/1a/e494568f3d8aafbcdfe361df44c3bcf5cdab5183e25ea08e3d3f9fcf4075/cbor2-5.9.0-cp311-cp311-manylinux2014_x86_64.manylinux_2_17_x86_64.manylinux_2_28_x86_64.whl", hash = "sha256:5326336f633cc89dfe543c78829c16c3a6449c2c03277d1ddba99086c3323363", size = 262571, upload-time = "2026-03-22T15:56:06.411Z" },
+    { url = "https://files.pythonhosted.org/packages/42/2e/92acd6f87382fd44a34d9d7e85cc45372e6ba664040b72d1d9df648b25d0/cbor2-5.9.0-cp311-cp311-musllinux_1_2_aarch64.whl", hash = "sha256:5e702b02d42a5ace45425b595ffe70fe35aebaf9a3cdfdc2c758b6189c744422", size = 262356, upload-time = "2026-03-22T15:56:08.236Z" },
+    { url = "https://files.pythonhosted.org/packages/3f/68/52c039a28688baeeb78b0be7483855e6c66ea05884a937444deede0c87b8/cbor2-5.9.0-cp311-cp311-musllinux_1_2_x86_64.whl", hash = "sha256:2372d357d403e7912f104ff085950ffc82a5854d6d717f1ca1ce16a40a0ef5a7", size = 257604, upload-time = "2026-03-22T15:56:09.835Z" },
+    { url = "https://files.pythonhosted.org/packages/5b/e4/10d96a7f73ed9227090ce6e3df5d73329eb6a267dab7d5b989e6fbf6c504/cbor2-5.9.0-cp311-cp311-win_amd64.whl", hash = "sha256:1d02b65f070fd726bdc310d927228975bb655d155bf059b6eb7cacefb3dca86f", size = 69388, upload-time = "2026-03-22T15:56:11.28Z" },
+    { url = "https://files.pythonhosted.org/packages/d4/c6/eea5829aa5a649db540f47ea35f4bf2313383d28246f0cbc50432cfad6b3/cbor2-5.9.0-cp311-cp311-win_arm64.whl", hash = "sha256:837754ece9052b3f607047e1741e5f852a538aa2b0ee3db11c82a8fa11804aa4", size = 65315, upload-time = "2026-03-22T15:56:12.326Z" },
+    { url = "https://files.pythonhosted.org/packages/ee/39/72d8a5a4b06565561ec28f4fcb41aff7bb77f51705c01f00b8254a2aca4f/cbor2-5.9.0-cp312-cp312-macosx_11_0_arm64.whl", hash = "sha256:1f223dffb1bcdd2764665f04c1152943d9daa4bc124a576cd8dee1cad4264313", size = 71223, upload-time = "2026-03-22T15:56:13.68Z" },
+    { url = "https://files.pythonhosted.org/packages/09/fd/7ddf3d3153b54c69c3be77172b8d9aa3a9d74f62a7fbde614d53eaeed9a4/cbor2-5.9.0-cp312-cp312-manylinux2014_aarch64.manylinux_2_17_aarch64.manylinux_2_28_aarch64.whl", hash = "sha256:ae6c706ac1d85a0b3cb3395308fd0c4d55e3202b4760773675957e93cdff45fc", size = 287865, upload-time = "2026-03-22T15:56:14.813Z" },
+    { url = "https://files.pythonhosted.org/packages/db/9d/7ede2cc42f9bb4260492e7d29d2aab781eacbbcfb09d983de1e695077199/cbor2-5.9.0-cp312-cp312-manylinux2014_x86_64.manylinux_2_17_x86_64.manylinux_2_28_x86_64.whl", hash = "sha256:4cd43d8fc374b31643b2830910f28177a606a7bc84975a62675dd3f2e320fc7b", size = 288246, upload-time = "2026-03-22T15:56:16.113Z" },
+    { url = "https://files.pythonhosted.org/packages/ce/9d/588ebc7c5bc5843f609b05fe07be8575c7dec987735b0bbc908ac9c1264a/cbor2-5.9.0-cp312-cp312-musllinux_1_2_aarch64.whl", hash = "sha256:4aa07b392cc3d76fb31c08a46a226b58c320d1c172ff3073e864409ced7bc50f", size = 280214, upload-time = "2026-03-22T15:56:17.519Z" },
+    { url = "https://files.pythonhosted.org/packages/f7/a1/6fc8f4b15c6a27e7fbb7966c30c2b4b18c274a3221fa2f5e6235502d34bc/cbor2-5.9.0-cp312-cp312-musllinux_1_2_x86_64.whl", hash = "sha256:971d425b3a23b75953d8853d5f9911bdeefa09d759ee3b5e6b07b5ff3cbd9073", size = 282162, upload-time = "2026-03-22T15:56:18.975Z" },
+    { url = "https://files.pythonhosted.org/packages/cf/20/9a22cfe08be16ddfeef2542cf4eeed1b29f3f57ddbba0b42f7e0bb8331fd/cbor2-5.9.0-cp312-cp312-win_amd64.whl", hash = "sha256:34a6cb15e6ab6a8eae94ad2041731cd3ef786af43a8df99f847969af5b902ee7", size = 70049, upload-time = "2026-03-22T15:56:20.502Z" },
+    { url = "https://files.pythonhosted.org/packages/c6/9e/695f92d09006614034e25a9f5b10620f3b219f79c1bec3c37b7c6f27a7a9/cbor2-5.9.0-cp312-cp312-win_arm64.whl", hash = "sha256:7d1ddc4541e7367ac58c2470cc0df847f7137167fe4f5729e2d3cc0b993d7da4", size = 65382, upload-time = "2026-03-22T15:56:21.526Z" },
+    { url = "https://files.pythonhosted.org/packages/81/c5/4901e21a8afe9448fd947b11e8f383903207cd6dd0800e5f5a386838de5b/cbor2-5.9.0-cp313-cp313-macosx_11_0_arm64.whl", hash = "sha256:fbb06f34aa645b4deca66643bba3d400d20c15312d1fe88d429be60c1ab50f27", size = 71284, upload-time = "2026-03-22T15:56:22.836Z" },
+    { url = "https://files.pythonhosted.org/packages/1b/10/df643a381aebc3f05486de4813662bc58accb640fc3275cb276a75e89694/cbor2-5.9.0-cp313-cp313-manylinux2014_aarch64.manylinux_2_17_aarch64.manylinux_2_28_aarch64.whl", hash = "sha256:ac684fe195c39821fca70d18afbf748f728aefbfbf88456018d299e559b8cae0", size = 287682, upload-time = "2026-03-22T15:56:24.024Z" },
+    { url = "https://files.pythonhosted.org/packages/c6/0c/8aa6b766059ae4a0ca1ec3ff96fe3823a69a7be880dba2e249f7fbe2700b/cbor2-5.9.0-cp313-cp313-manylinux2014_x86_64.manylinux_2_17_x86_64.manylinux_2_28_x86_64.whl", hash = "sha256:2a54fbb32cb828c214f7f333a707e4aec61182e7efdc06ea5d9596d3ecee624a", size = 288009, upload-time = "2026-03-22T15:56:25.305Z" },
+    { url = "https://files.pythonhosted.org/packages/74/07/6236bc25c183a9cf7e8062e5dddf9eae9b0b14ebf14a58a69fe5a1e872c6/cbor2-5.9.0-cp313-cp313-musllinux_1_2_aarch64.whl", hash = "sha256:4753a6d1bc71054d9179557bc65740860f185095ccb401d46637fff028a5b3ec", size = 280437, upload-time = "2026-03-22T15:56:26.479Z" },
+    { url = "https://files.pythonhosted.org/packages/4e/0a/84328d23c3c68874ac6497edb9b1900579a1028efa54734df3f1762bbc15/cbor2-5.9.0-cp313-cp313-musllinux_1_2_x86_64.whl", hash = "sha256:380e534482b843e43442b87d8777a7bf9bed20cb7526f89b780c3400f617304b", size = 282247, upload-time = "2026-03-22T15:56:28.644Z" },
+    { url = "https://files.pythonhosted.org/packages/9b/f6/89b4627e09d028c8e5fcaf7cb55f225c33ce6e037ec1844e65d02bcfa945/cbor2-5.9.0-cp313-cp313-win_amd64.whl", hash = "sha256:dcf0f695873e5c94bd072d6af8698e72b8fb7f7a18f37e0bced1041b7111a6cf", size = 70089, upload-time = "2026-03-22T15:56:29.801Z" },
+    { url = "https://files.pythonhosted.org/packages/e2/7c/efadcd5f0102db692490e4e206988a2f98d39a09912090db497a2b800885/cbor2-5.9.0-cp313-cp313-win_arm64.whl", hash = "sha256:f7c9751a9611601ab326d8f5837f01379195bbf06175fb4effeb552140e7c9e8", size = 65466, upload-time = "2026-03-22T15:56:30.823Z" },
+    { url = "https://files.pythonhosted.org/packages/08/7d/9ccc36d10ef96e6038e48046ebe1ce35a1e7814da0e1e204d09e6ef09b8d/cbor2-5.9.0-cp314-cp314-macosx_11_0_arm64.whl", hash = "sha256:23606d31ba1368bd1b6602e3020ee88fe9523ca80e8630faf6b2fc904fd84560", size = 71500, upload-time = "2026-03-22T15:56:31.876Z" },
+    { url = "https://files.pythonhosted.org/packages/70/e1/a6cca2cc72e13f00030c6a649f57ae703eb2c620806ab70c40db8eab33fa/cbor2-5.9.0-cp314-cp314-manylinux2014_aarch64.manylinux_2_17_aarch64.manylinux_2_28_aarch64.whl", hash = "sha256:0322296b9d52f55880e300ba8ba09ecf644303b99b51138bbb1c0fb644fa7c3e", size = 286953, upload-time = "2026-03-22T15:56:33.292Z" },
+    { url = "https://files.pythonhosted.org/packages/08/3c/24cd5ef488a957d90e016f200a3aad820e4c2f85edd61c9fe4523007a1ee/cbor2-5.9.0-cp314-cp314-manylinux2014_x86_64.manylinux_2_17_x86_64.manylinux_2_28_x86_64.whl", hash = "sha256:422817286c1d0ce947fb2f7eca9212b39bddd7231e8b452e2d2cc52f15332dba", size = 285454, upload-time = "2026-03-22T15:56:34.703Z" },
+    { url = "https://files.pythonhosted.org/packages/a4/35/dca96818494c0ba47cdd73e8d809b27fa91f8fa0ce32a068a09237687454/cbor2-5.9.0-cp314-cp314-musllinux_1_2_aarch64.whl", hash = "sha256:9a4907e0c3035bb8836116854ed8e56d8aef23909d601fa59706320897ec2551", size = 279441, upload-time = "2026-03-22T15:56:35.888Z" },
+    { url = "https://files.pythonhosted.org/packages/a4/44/d3362378b16e53cf7e535a3f5aed8476e2109068154e24e31981ef5bde9e/cbor2-5.9.0-cp314-cp314-musllinux_1_2_x86_64.whl", hash = "sha256:fb7afe77f8d269e42d7c4b515c6fd14f1ccc0625379fb6829b269f493d16eddd", size = 279673, upload-time = "2026-03-22T15:56:37.08Z" },
+    { url = "https://files.pythonhosted.org/packages/43/d1/3533a697e5842fff7c2f64912eb251f8dcab3a8b5d88e228d6eebc3b5021/cbor2-5.9.0-cp314-cp314-win_amd64.whl", hash = "sha256:86baf870d4c0bfc6f79de3801f3860a84ab76d9c8b0abb7f081f2c14c38d79d3", size = 71940, upload-time = "2026-03-22T15:56:38.366Z" },
+    { url = "https://files.pythonhosted.org/packages/ff/e2/c6ba75f3fb25dfa15ab6999cc8709c821987e9ed8e375d7f58539261bcb9/cbor2-5.9.0-cp314-cp314-win_arm64.whl", hash = "sha256:7221483fad0c63afa4244624d552abf89d7dfdbc5f5edfc56fc1ff2b4b818975", size = 67639, upload-time = "2026-03-22T15:56:39.39Z" },
+    { url = "https://files.pythonhosted.org/packages/42/ff/b83492b096fbef26e9cb62c1a4bf2d3cef579ea7b33138c6c37c4ae66f67/cbor2-5.9.0-py3-none-any.whl", hash = "sha256:27695cbd70c90b8de5c4a284642c2836449b14e2c2e07e3ffe0744cb7669a01b", size = 24627, upload-time = "2026-03-22T15:56:48.847Z" },
+]
+
 [[package]]
 name = "celery"
 version = "5.6.3"
@@ -1791,6 +1835,7 @@ dependencies = [
     { name = "svgwrite" },
     { name = "wagtail" },
     { name = "wagtail-modeladmin" },
+    { name = "webauthn" },
     { name = "whitenoise" },
     { name = "xhtml2pdf" },
 ]
@@ -1884,6 +1929,7 @@ requires-dist = [
     { name = "svgwrite", specifier = "~=1.4.3" },
     { name = "wagtail", specifier = "~=7.0.5" },
     { name = "wagtail-modeladmin", specifier = "~=2.2.0" },
+    { name = "webauthn", specifier = "~=2.2.0" },
     { name = "whitenoise", specifier = "~=6.11.0" },
     { name = "xhtml2pdf", specifier = "~=0.2.17" },
 ]
@@ -3865,6 +3911,19 @@ wheels = [
     { url = "https://files.pythonhosted.org/packages/f7/27/a2fc51a4a122dfd1015e921ae9d22fee3d20b0b8080d9a704578bf9deece/pymdown_extensions-10.21.2-py3-none-any.whl", hash = "sha256:5c0fd2a2bea14eb39af8ff284f1066d898ab2187d81b889b75d46d4348c01638", size = 268901, upload-time = "2026-03-29T15:01:53.244Z" },
 ]
 
+[[package]]
+name = "pyopenssl"
+version = "26.0.0"
+source = { registry = "https://pypi.org/simple" }
+dependencies = [
+    { name = "cryptography" },
+    { name = "typing-extensions", marker = "python_full_version < '3.13'" },
+]
+sdist = { url = "https://files.pythonhosted.org/packages/8e/11/a62e1d33b373da2b2c2cd9eb508147871c80f12b1cacde3c5d314922afdd/pyopenssl-26.0.0.tar.gz", hash = "sha256:f293934e52936f2e3413b89c6ce36df66a0b34ae1ea3a053b8c5020ff2f513fc", size = 185534, upload-time = "2026-03-15T14:28:26.353Z" }
+wheels = [
+    { url = "https://files.pythonhosted.org/packages/fb/7d/d4f7d908fa8415571771b30669251d57c3cf313b36a856e6d7548ae01619/pyopenssl-26.0.0-py3-none-any.whl", hash = "sha256:df94d28498848b98cc1c0ffb8ef1e71e40210d3b0a8064c9d29571ed2904bf81", size = 57969, upload-time = "2026-03-15T14:28:24.864Z" },
+]
+
 [[package]]
 name = "pypdf"
 version = "6.11.0"
@@ -5426,6 +5485,21 @@ wheels = [
     { url = "https://files.pythonhosted.org/packages/0a/07/57ebf7a6798b016c064bd0ca81b4c6a99daa4dc377b898bc7b41eb6b5af0/weasel-1.0.0-py3-none-any.whl", hash = "sha256:89518acee027f49d743126c3502d35e6dd14f5768be5c37c9af47c171b6005cc", size = 50713, upload-time = "2026-03-20T08:10:23.637Z" },
 ]
 
+[[package]]
+name = "webauthn"
+version = "2.2.0"
+source = { registry = "https://pypi.org/simple" }
+dependencies = [
+    { name = "asn1crypto" },
+    { name = "cbor2" },
+    { name = "cryptography" },
+    { name = "pyopenssl" },
+]
+sdist = { url = "https://files.pythonhosted.org/packages/8b/51/c3262e0a361b4f21b5f562f5705e74352e1c64dd9dc69d0cb3a232a50b5a/webauthn-2.2.0.tar.gz", hash = "sha256:70e4f318d293125e3a8609838be0561119f4f8846bc430d524f8da4052ee18cc", size = 113978, upload-time = "2024-06-25T17:39:59.09Z" }
+wheels = [
+    { url = "https://files.pythonhosted.org/packages/53/97/2d37cdf3f88a81a84340862b94eb9e9f76b07bd1a460fa1ce28485ba6fe5/webauthn-2.2.0-py3-none-any.whl", hash = "sha256:e8e2daace85dde8f6fb436c1bca9aa72d5931dac8829ecc1562cc4e7cc169f6c", size = 67738, upload-time = "2024-06-25T17:39:57.588Z" },
+]
+
 [[package]]
 name = "webencodings"
 version = "0.5.1"