Add FIDO2/WebAuthn passkey authentication

Phase 14: Full WebAuthn support for passwordless passkey login and hardware security key 2FA. - go-webauthn/webauthn v0.16.1 dependency - WebAuthnConfig with RPID/RPOrigin/DisplayName validation - Migration 000009: webauthn_credentials table - DB CRUD with ownership checks and admin operations - internal/webauthn adapter: encrypt/decrypt at rest with AES-256-GCM - REST: register begin/finish, login begin/finish, list, delete - Web UI: profile enrollment, login passkey button, admin management - gRPC: ListWebAuthnCredentials, RemoveWebAuthnCredential RPCs - mciasdb: webauthn list/delete/reset subcommands - OpenAPI: 6 new endpoints, WebAuthnCredentialInfo schema - Policy: self-service enrollment rule, admin remove via wildcard - Tests: DB CRUD, adapter round-trip, interface compliance - Docs: ARCHITECTURE.md §22, PROJECT_PLAN.md Phase 14 Security: Credential IDs and public keys encrypted at rest with AES-256-GCM via vault master key. Challenge ceremonies use 128-bit nonces with 120s TTL in sync.Map. Sign counter validated on each assertion to detect cloned authenticators. Password re-auth required for registration (SEC-01 pattern). No credential material in API responses or logs. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-03-16 16:12:59 -07:00
parent 19fa0c9a8e
commit 25417b24f4
42 changed files with 4214 additions and 84 deletions
--- a/gen/mcias/v1/account.pb.go
+++ b/gen/mcias/v1/account.pb.go
@@ -4,7 +4,7 @@
 // Code generated by protoc-gen-go. DO NOT EDIT.
 // versions:
 // 	protoc-gen-go v1.36.11
-// 	protoc        v6.33.4
+// 	protoc        v3.20.3
 // source: mcias/v1/account.proto

 package mciasv1
--- a/gen/mcias/v1/account_grpc.pb.go
+++ b/gen/mcias/v1/account_grpc.pb.go
@@ -4,7 +4,7 @@
 // Code generated by protoc-gen-go-grpc. DO NOT EDIT.
 // versions:
 // - protoc-gen-go-grpc v1.6.1
-// - protoc             v6.33.4
+// - protoc             v3.20.3
 // source: mcias/v1/account.proto

 package mciasv1
--- a/gen/mcias/v1/auth.pb.go
+++ b/gen/mcias/v1/auth.pb.go
@@ -569,6 +569,288 @@ func (*RemoveTOTPResponse) Descriptor() ([]byte, []int) {
 	return file_mcias_v1_auth_proto_rawDescGZIP(), []int{11}
 }

+// ListWebAuthnCredentialsRequest lists metadata for an account's WebAuthn credentials.
+type ListWebAuthnCredentialsRequest struct {
+	state         protoimpl.MessageState `protogen:"open.v1"`
+	AccountId     string                 `protobuf:"bytes,1,opt,name=account_id,json=accountId,proto3" json:"account_id,omitempty"` // UUID
+	unknownFields protoimpl.UnknownFields
+	sizeCache     protoimpl.SizeCache
+}
+
+func (x *ListWebAuthnCredentialsRequest) Reset() {
+	*x = ListWebAuthnCredentialsRequest{}
+	mi := &file_mcias_v1_auth_proto_msgTypes[12]
+	ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+	ms.StoreMessageInfo(mi)
+}
+
+func (x *ListWebAuthnCredentialsRequest) String() string {
+	return protoimpl.X.MessageStringOf(x)
+}
+
+func (*ListWebAuthnCredentialsRequest) ProtoMessage() {}
+
+func (x *ListWebAuthnCredentialsRequest) ProtoReflect() protoreflect.Message {
+	mi := &file_mcias_v1_auth_proto_msgTypes[12]
+	if x != nil {
+		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+		if ms.LoadMessageInfo() == nil {
+			ms.StoreMessageInfo(mi)
+		}
+		return ms
+	}
+	return mi.MessageOf(x)
+}
+
+// Deprecated: Use ListWebAuthnCredentialsRequest.ProtoReflect.Descriptor instead.
+func (*ListWebAuthnCredentialsRequest) Descriptor() ([]byte, []int) {
+	return file_mcias_v1_auth_proto_rawDescGZIP(), []int{12}
+}
+
+func (x *ListWebAuthnCredentialsRequest) GetAccountId() string {
+	if x != nil {
+		return x.AccountId
+	}
+	return ""
+}
+
+// WebAuthnCredentialInfo holds metadata about a stored WebAuthn credential.
+// Credential material (IDs, public keys) is never included.
+type WebAuthnCredentialInfo struct {
+	state         protoimpl.MessageState `protogen:"open.v1"`
+	Id            int64                  `protobuf:"varint,1,opt,name=id,proto3" json:"id,omitempty"`
+	Name          string                 `protobuf:"bytes,2,opt,name=name,proto3" json:"name,omitempty"`
+	Aaguid        string                 `protobuf:"bytes,3,opt,name=aaguid,proto3" json:"aaguid,omitempty"`
+	SignCount     uint32                 `protobuf:"varint,4,opt,name=sign_count,json=signCount,proto3" json:"sign_count,omitempty"`
+	Discoverable  bool                   `protobuf:"varint,5,opt,name=discoverable,proto3" json:"discoverable,omitempty"`
+	Transports    string                 `protobuf:"bytes,6,opt,name=transports,proto3" json:"transports,omitempty"`
+	CreatedAt     *timestamppb.Timestamp `protobuf:"bytes,7,opt,name=created_at,json=createdAt,proto3" json:"created_at,omitempty"`
+	LastUsedAt    *timestamppb.Timestamp `protobuf:"bytes,8,opt,name=last_used_at,json=lastUsedAt,proto3" json:"last_used_at,omitempty"`
+	unknownFields protoimpl.UnknownFields
+	sizeCache     protoimpl.SizeCache
+}
+
+func (x *WebAuthnCredentialInfo) Reset() {
+	*x = WebAuthnCredentialInfo{}
+	mi := &file_mcias_v1_auth_proto_msgTypes[13]
+	ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+	ms.StoreMessageInfo(mi)
+}
+
+func (x *WebAuthnCredentialInfo) String() string {
+	return protoimpl.X.MessageStringOf(x)
+}
+
+func (*WebAuthnCredentialInfo) ProtoMessage() {}
+
+func (x *WebAuthnCredentialInfo) ProtoReflect() protoreflect.Message {
+	mi := &file_mcias_v1_auth_proto_msgTypes[13]
+	if x != nil {
+		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+		if ms.LoadMessageInfo() == nil {
+			ms.StoreMessageInfo(mi)
+		}
+		return ms
+	}
+	return mi.MessageOf(x)
+}
+
+// Deprecated: Use WebAuthnCredentialInfo.ProtoReflect.Descriptor instead.
+func (*WebAuthnCredentialInfo) Descriptor() ([]byte, []int) {
+	return file_mcias_v1_auth_proto_rawDescGZIP(), []int{13}
+}
+
+func (x *WebAuthnCredentialInfo) GetId() int64 {
+	if x != nil {
+		return x.Id
+	}
+	return 0
+}
+
+func (x *WebAuthnCredentialInfo) GetName() string {
+	if x != nil {
+		return x.Name
+	}
+	return ""
+}
+
+func (x *WebAuthnCredentialInfo) GetAaguid() string {
+	if x != nil {
+		return x.Aaguid
+	}
+	return ""
+}
+
+func (x *WebAuthnCredentialInfo) GetSignCount() uint32 {
+	if x != nil {
+		return x.SignCount
+	}
+	return 0
+}
+
+func (x *WebAuthnCredentialInfo) GetDiscoverable() bool {
+	if x != nil {
+		return x.Discoverable
+	}
+	return false
+}
+
+func (x *WebAuthnCredentialInfo) GetTransports() string {
+	if x != nil {
+		return x.Transports
+	}
+	return ""
+}
+
+func (x *WebAuthnCredentialInfo) GetCreatedAt() *timestamppb.Timestamp {
+	if x != nil {
+		return x.CreatedAt
+	}
+	return nil
+}
+
+func (x *WebAuthnCredentialInfo) GetLastUsedAt() *timestamppb.Timestamp {
+	if x != nil {
+		return x.LastUsedAt
+	}
+	return nil
+}
+
+// ListWebAuthnCredentialsResponse returns credential metadata.
+type ListWebAuthnCredentialsResponse struct {
+	state         protoimpl.MessageState    `protogen:"open.v1"`
+	Credentials   []*WebAuthnCredentialInfo `protobuf:"bytes,1,rep,name=credentials,proto3" json:"credentials,omitempty"`
+	unknownFields protoimpl.UnknownFields
+	sizeCache     protoimpl.SizeCache
+}
+
+func (x *ListWebAuthnCredentialsResponse) Reset() {
+	*x = ListWebAuthnCredentialsResponse{}
+	mi := &file_mcias_v1_auth_proto_msgTypes[14]
+	ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+	ms.StoreMessageInfo(mi)
+}
+
+func (x *ListWebAuthnCredentialsResponse) String() string {
+	return protoimpl.X.MessageStringOf(x)
+}
+
+func (*ListWebAuthnCredentialsResponse) ProtoMessage() {}
+
+func (x *ListWebAuthnCredentialsResponse) ProtoReflect() protoreflect.Message {
+	mi := &file_mcias_v1_auth_proto_msgTypes[14]
+	if x != nil {
+		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+		if ms.LoadMessageInfo() == nil {
+			ms.StoreMessageInfo(mi)
+		}
+		return ms
+	}
+	return mi.MessageOf(x)
+}
+
+// Deprecated: Use ListWebAuthnCredentialsResponse.ProtoReflect.Descriptor instead.
+func (*ListWebAuthnCredentialsResponse) Descriptor() ([]byte, []int) {
+	return file_mcias_v1_auth_proto_rawDescGZIP(), []int{14}
+}
+
+func (x *ListWebAuthnCredentialsResponse) GetCredentials() []*WebAuthnCredentialInfo {
+	if x != nil {
+		return x.Credentials
+	}
+	return nil
+}
+
+// RemoveWebAuthnCredentialRequest removes a specific WebAuthn credential (admin).
+type RemoveWebAuthnCredentialRequest struct {
+	state         protoimpl.MessageState `protogen:"open.v1"`
+	AccountId     string                 `protobuf:"bytes,1,opt,name=account_id,json=accountId,proto3" json:"account_id,omitempty"` // UUID
+	CredentialId  int64                  `protobuf:"varint,2,opt,name=credential_id,json=credentialId,proto3" json:"credential_id,omitempty"`
+	unknownFields protoimpl.UnknownFields
+	sizeCache     protoimpl.SizeCache
+}
+
+func (x *RemoveWebAuthnCredentialRequest) Reset() {
+	*x = RemoveWebAuthnCredentialRequest{}
+	mi := &file_mcias_v1_auth_proto_msgTypes[15]
+	ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+	ms.StoreMessageInfo(mi)
+}
+
+func (x *RemoveWebAuthnCredentialRequest) String() string {
+	return protoimpl.X.MessageStringOf(x)
+}
+
+func (*RemoveWebAuthnCredentialRequest) ProtoMessage() {}
+
+func (x *RemoveWebAuthnCredentialRequest) ProtoReflect() protoreflect.Message {
+	mi := &file_mcias_v1_auth_proto_msgTypes[15]
+	if x != nil {
+		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+		if ms.LoadMessageInfo() == nil {
+			ms.StoreMessageInfo(mi)
+		}
+		return ms
+	}
+	return mi.MessageOf(x)
+}
+
+// Deprecated: Use RemoveWebAuthnCredentialRequest.ProtoReflect.Descriptor instead.
+func (*RemoveWebAuthnCredentialRequest) Descriptor() ([]byte, []int) {
+	return file_mcias_v1_auth_proto_rawDescGZIP(), []int{15}
+}
+
+func (x *RemoveWebAuthnCredentialRequest) GetAccountId() string {
+	if x != nil {
+		return x.AccountId
+	}
+	return ""
+}
+
+func (x *RemoveWebAuthnCredentialRequest) GetCredentialId() int64 {
+	if x != nil {
+		return x.CredentialId
+	}
+	return 0
+}
+
+// RemoveWebAuthnCredentialResponse confirms removal.
+type RemoveWebAuthnCredentialResponse struct {
+	state         protoimpl.MessageState `protogen:"open.v1"`
+	unknownFields protoimpl.UnknownFields
+	sizeCache     protoimpl.SizeCache
+}
+
+func (x *RemoveWebAuthnCredentialResponse) Reset() {
+	*x = RemoveWebAuthnCredentialResponse{}
+	mi := &file_mcias_v1_auth_proto_msgTypes[16]
+	ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+	ms.StoreMessageInfo(mi)
+}
+
+func (x *RemoveWebAuthnCredentialResponse) String() string {
+	return protoimpl.X.MessageStringOf(x)
+}
+
+func (*RemoveWebAuthnCredentialResponse) ProtoMessage() {}
+
+func (x *RemoveWebAuthnCredentialResponse) ProtoReflect() protoreflect.Message {
+	mi := &file_mcias_v1_auth_proto_msgTypes[16]
+	if x != nil {
+		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+		if ms.LoadMessageInfo() == nil {
+			ms.StoreMessageInfo(mi)
+		}
+		return ms
+	}
+	return mi.MessageOf(x)
+}
+
+// Deprecated: Use RemoveWebAuthnCredentialResponse.ProtoReflect.Descriptor instead.
+func (*RemoveWebAuthnCredentialResponse) Descriptor() ([]byte, []int) {
+	return file_mcias_v1_auth_proto_rawDescGZIP(), []int{16}
+}
+
 var File_mcias_v1_auth_proto protoreflect.FileDescriptor

 const file_mcias_v1_auth_proto_rawDesc = "" +
@@ -601,7 +883,31 @@ const file_mcias_v1_auth_proto_rawDesc = "" +
 	"\x11RemoveTOTPRequest\x12\x1d\n" +
 	"\n" +
 	"account_id\x18\x01 \x01(\tR\taccountId\"\x14\n" +
-	"\x12RemoveTOTPResponse2\xab\x03\n" +
+	"\x12RemoveTOTPResponse\"?\n" +
+	"\x1eListWebAuthnCredentialsRequest\x12\x1d\n" +
+	"\n" +
+	"account_id\x18\x01 \x01(\tR\taccountId\"\xb0\x02\n" +
+	"\x16WebAuthnCredentialInfo\x12\x0e\n" +
+	"\x02id\x18\x01 \x01(\x03R\x02id\x12\x12\n" +
+	"\x04name\x18\x02 \x01(\tR\x04name\x12\x16\n" +
+	"\x06aaguid\x18\x03 \x01(\tR\x06aaguid\x12\x1d\n" +
+	"\n" +
+	"sign_count\x18\x04 \x01(\rR\tsignCount\x12\"\n" +
+	"\fdiscoverable\x18\x05 \x01(\bR\fdiscoverable\x12\x1e\n" +
+	"\n" +
+	"transports\x18\x06 \x01(\tR\n" +
+	"transports\x129\n" +
+	"\n" +
+	"created_at\x18\a \x01(\v2\x1a.google.protobuf.TimestampR\tcreatedAt\x12<\n" +
+	"\flast_used_at\x18\b \x01(\v2\x1a.google.protobuf.TimestampR\n" +
+	"lastUsedAt\"e\n" +
+	"\x1fListWebAuthnCredentialsResponse\x12B\n" +
+	"\vcredentials\x18\x01 \x03(\v2 .mcias.v1.WebAuthnCredentialInfoR\vcredentials\"e\n" +
+	"\x1fRemoveWebAuthnCredentialRequest\x12\x1d\n" +
+	"\n" +
+	"account_id\x18\x01 \x01(\tR\taccountId\x12#\n" +
+	"\rcredential_id\x18\x02 \x01(\x03R\fcredentialId\"\"\n" +
+	" RemoveWebAuthnCredentialResponse2\x8e\x05\n" +
 	"\vAuthService\x128\n" +
 	"\x05Login\x12\x16.mcias.v1.LoginRequest\x1a\x17.mcias.v1.LoginResponse\x12;\n" +
 	"\x06Logout\x12\x17.mcias.v1.LogoutRequest\x1a\x18.mcias.v1.LogoutResponse\x12G\n" +
@@ -611,7 +917,9 @@ const file_mcias_v1_auth_proto_rawDesc = "" +
 	"EnrollTOTP\x12\x1b.mcias.v1.EnrollTOTPRequest\x1a\x1c.mcias.v1.EnrollTOTPResponse\x12J\n" +
 	"\vConfirmTOTP\x12\x1c.mcias.v1.ConfirmTOTPRequest\x1a\x1d.mcias.v1.ConfirmTOTPResponse\x12G\n" +
 	"\n" +
-	"RemoveTOTP\x12\x1b.mcias.v1.RemoveTOTPRequest\x1a\x1c.mcias.v1.RemoveTOTPResponseB2Z0git.wntrmute.dev/kyle/mcias/gen/mcias/v1;mciasv1b\x06proto3"
+	"RemoveTOTP\x12\x1b.mcias.v1.RemoveTOTPRequest\x1a\x1c.mcias.v1.RemoveTOTPResponse\x12n\n" +
+	"\x17ListWebAuthnCredentials\x12(.mcias.v1.ListWebAuthnCredentialsRequest\x1a).mcias.v1.ListWebAuthnCredentialsResponse\x12q\n" +
+	"\x18RemoveWebAuthnCredential\x12).mcias.v1.RemoveWebAuthnCredentialRequest\x1a*.mcias.v1.RemoveWebAuthnCredentialResponseB2Z0git.wntrmute.dev/kyle/mcias/gen/mcias/v1;mciasv1b\x06proto3"

 var (
 	file_mcias_v1_auth_proto_rawDescOnce sync.Once
@@ -625,42 +933,54 @@ func file_mcias_v1_auth_proto_rawDescGZIP() []byte {
 	return file_mcias_v1_auth_proto_rawDescData
 }

-var file_mcias_v1_auth_proto_msgTypes = make([]protoimpl.MessageInfo, 12)
+var file_mcias_v1_auth_proto_msgTypes = make([]protoimpl.MessageInfo, 17)
 var file_mcias_v1_auth_proto_goTypes = []any{
-	(*LoginRequest)(nil),          // 0: mcias.v1.LoginRequest
-	(*LoginResponse)(nil),         // 1: mcias.v1.LoginResponse
-	(*LogoutRequest)(nil),         // 2: mcias.v1.LogoutRequest
-	(*LogoutResponse)(nil),        // 3: mcias.v1.LogoutResponse
-	(*RenewTokenRequest)(nil),     // 4: mcias.v1.RenewTokenRequest
-	(*RenewTokenResponse)(nil),    // 5: mcias.v1.RenewTokenResponse
-	(*EnrollTOTPRequest)(nil),     // 6: mcias.v1.EnrollTOTPRequest
-	(*EnrollTOTPResponse)(nil),    // 7: mcias.v1.EnrollTOTPResponse
-	(*ConfirmTOTPRequest)(nil),    // 8: mcias.v1.ConfirmTOTPRequest
-	(*ConfirmTOTPResponse)(nil),   // 9: mcias.v1.ConfirmTOTPResponse
-	(*RemoveTOTPRequest)(nil),     // 10: mcias.v1.RemoveTOTPRequest
-	(*RemoveTOTPResponse)(nil),    // 11: mcias.v1.RemoveTOTPResponse
-	(*timestamppb.Timestamp)(nil), // 12: google.protobuf.Timestamp
+	(*LoginRequest)(nil),                     // 0: mcias.v1.LoginRequest
+	(*LoginResponse)(nil),                    // 1: mcias.v1.LoginResponse
+	(*LogoutRequest)(nil),                    // 2: mcias.v1.LogoutRequest
+	(*LogoutResponse)(nil),                   // 3: mcias.v1.LogoutResponse
+	(*RenewTokenRequest)(nil),                // 4: mcias.v1.RenewTokenRequest
+	(*RenewTokenResponse)(nil),               // 5: mcias.v1.RenewTokenResponse
+	(*EnrollTOTPRequest)(nil),                // 6: mcias.v1.EnrollTOTPRequest
+	(*EnrollTOTPResponse)(nil),               // 7: mcias.v1.EnrollTOTPResponse
+	(*ConfirmTOTPRequest)(nil),               // 8: mcias.v1.ConfirmTOTPRequest
+	(*ConfirmTOTPResponse)(nil),              // 9: mcias.v1.ConfirmTOTPResponse
+	(*RemoveTOTPRequest)(nil),                // 10: mcias.v1.RemoveTOTPRequest
+	(*RemoveTOTPResponse)(nil),               // 11: mcias.v1.RemoveTOTPResponse
+	(*ListWebAuthnCredentialsRequest)(nil),   // 12: mcias.v1.ListWebAuthnCredentialsRequest
+	(*WebAuthnCredentialInfo)(nil),           // 13: mcias.v1.WebAuthnCredentialInfo
+	(*ListWebAuthnCredentialsResponse)(nil),  // 14: mcias.v1.ListWebAuthnCredentialsResponse
+	(*RemoveWebAuthnCredentialRequest)(nil),  // 15: mcias.v1.RemoveWebAuthnCredentialRequest
+	(*RemoveWebAuthnCredentialResponse)(nil), // 16: mcias.v1.RemoveWebAuthnCredentialResponse
+	(*timestamppb.Timestamp)(nil),            // 17: google.protobuf.Timestamp
 }
 var file_mcias_v1_auth_proto_depIdxs = []int32{
-	12, // 0: mcias.v1.LoginResponse.expires_at:type_name -> google.protobuf.Timestamp
-	12, // 1: mcias.v1.RenewTokenResponse.expires_at:type_name -> google.protobuf.Timestamp
-	0,  // 2: mcias.v1.AuthService.Login:input_type -> mcias.v1.LoginRequest
-	2,  // 3: mcias.v1.AuthService.Logout:input_type -> mcias.v1.LogoutRequest
-	4,  // 4: mcias.v1.AuthService.RenewToken:input_type -> mcias.v1.RenewTokenRequest
-	6,  // 5: mcias.v1.AuthService.EnrollTOTP:input_type -> mcias.v1.EnrollTOTPRequest
-	8,  // 6: mcias.v1.AuthService.ConfirmTOTP:input_type -> mcias.v1.ConfirmTOTPRequest
-	10, // 7: mcias.v1.AuthService.RemoveTOTP:input_type -> mcias.v1.RemoveTOTPRequest
-	1,  // 8: mcias.v1.AuthService.Login:output_type -> mcias.v1.LoginResponse
-	3,  // 9: mcias.v1.AuthService.Logout:output_type -> mcias.v1.LogoutResponse
-	5,  // 10: mcias.v1.AuthService.RenewToken:output_type -> mcias.v1.RenewTokenResponse
-	7,  // 11: mcias.v1.AuthService.EnrollTOTP:output_type -> mcias.v1.EnrollTOTPResponse
-	9,  // 12: mcias.v1.AuthService.ConfirmTOTP:output_type -> mcias.v1.ConfirmTOTPResponse
-	11, // 13: mcias.v1.AuthService.RemoveTOTP:output_type -> mcias.v1.RemoveTOTPResponse
-	8,  // [8:14] is the sub-list for method output_type
-	2,  // [2:8] is the sub-list for method input_type
-	2,  // [2:2] is the sub-list for extension type_name
-	2,  // [2:2] is the sub-list for extension extendee
-	0,  // [0:2] is the sub-list for field type_name
+	17, // 0: mcias.v1.LoginResponse.expires_at:type_name -> google.protobuf.Timestamp
+	17, // 1: mcias.v1.RenewTokenResponse.expires_at:type_name -> google.protobuf.Timestamp
+	17, // 2: mcias.v1.WebAuthnCredentialInfo.created_at:type_name -> google.protobuf.Timestamp
+	17, // 3: mcias.v1.WebAuthnCredentialInfo.last_used_at:type_name -> google.protobuf.Timestamp
+	13, // 4: mcias.v1.ListWebAuthnCredentialsResponse.credentials:type_name -> mcias.v1.WebAuthnCredentialInfo
+	0,  // 5: mcias.v1.AuthService.Login:input_type -> mcias.v1.LoginRequest
+	2,  // 6: mcias.v1.AuthService.Logout:input_type -> mcias.v1.LogoutRequest
+	4,  // 7: mcias.v1.AuthService.RenewToken:input_type -> mcias.v1.RenewTokenRequest
+	6,  // 8: mcias.v1.AuthService.EnrollTOTP:input_type -> mcias.v1.EnrollTOTPRequest
+	8,  // 9: mcias.v1.AuthService.ConfirmTOTP:input_type -> mcias.v1.ConfirmTOTPRequest
+	10, // 10: mcias.v1.AuthService.RemoveTOTP:input_type -> mcias.v1.RemoveTOTPRequest
+	12, // 11: mcias.v1.AuthService.ListWebAuthnCredentials:input_type -> mcias.v1.ListWebAuthnCredentialsRequest
+	15, // 12: mcias.v1.AuthService.RemoveWebAuthnCredential:input_type -> mcias.v1.RemoveWebAuthnCredentialRequest
+	1,  // 13: mcias.v1.AuthService.Login:output_type -> mcias.v1.LoginResponse
+	3,  // 14: mcias.v1.AuthService.Logout:output_type -> mcias.v1.LogoutResponse
+	5,  // 15: mcias.v1.AuthService.RenewToken:output_type -> mcias.v1.RenewTokenResponse
+	7,  // 16: mcias.v1.AuthService.EnrollTOTP:output_type -> mcias.v1.EnrollTOTPResponse
+	9,  // 17: mcias.v1.AuthService.ConfirmTOTP:output_type -> mcias.v1.ConfirmTOTPResponse
+	11, // 18: mcias.v1.AuthService.RemoveTOTP:output_type -> mcias.v1.RemoveTOTPResponse
+	14, // 19: mcias.v1.AuthService.ListWebAuthnCredentials:output_type -> mcias.v1.ListWebAuthnCredentialsResponse
+	16, // 20: mcias.v1.AuthService.RemoveWebAuthnCredential:output_type -> mcias.v1.RemoveWebAuthnCredentialResponse
+	13, // [13:21] is the sub-list for method output_type
+	5,  // [5:13] is the sub-list for method input_type
+	5,  // [5:5] is the sub-list for extension type_name
+	5,  // [5:5] is the sub-list for extension extendee
+	0,  // [0:5] is the sub-list for field type_name
 }

 func init() { file_mcias_v1_auth_proto_init() }
@@ -674,7 +994,7 @@ func file_mcias_v1_auth_proto_init() {
 			GoPackagePath: reflect.TypeOf(x{}).PkgPath(),
 			RawDescriptor: unsafe.Slice(unsafe.StringData(file_mcias_v1_auth_proto_rawDesc), len(file_mcias_v1_auth_proto_rawDesc)),
 			NumEnums:      0,
-			NumMessages:   12,
+			NumMessages:   17,
 			NumExtensions: 0,
 			NumServices:   1,
 		},
--- a/gen/mcias/v1/auth_grpc.pb.go
+++ b/gen/mcias/v1/auth_grpc.pb.go
@@ -21,12 +21,14 @@ import (
 const _ = grpc.SupportPackageIsVersion9

 const (
-	AuthService_Login_FullMethodName       = "/mcias.v1.AuthService/Login"
-	AuthService_Logout_FullMethodName      = "/mcias.v1.AuthService/Logout"
-	AuthService_RenewToken_FullMethodName  = "/mcias.v1.AuthService/RenewToken"
-	AuthService_EnrollTOTP_FullMethodName  = "/mcias.v1.AuthService/EnrollTOTP"
-	AuthService_ConfirmTOTP_FullMethodName = "/mcias.v1.AuthService/ConfirmTOTP"
-	AuthService_RemoveTOTP_FullMethodName  = "/mcias.v1.AuthService/RemoveTOTP"
+	AuthService_Login_FullMethodName                    = "/mcias.v1.AuthService/Login"
+	AuthService_Logout_FullMethodName                   = "/mcias.v1.AuthService/Logout"
+	AuthService_RenewToken_FullMethodName               = "/mcias.v1.AuthService/RenewToken"
+	AuthService_EnrollTOTP_FullMethodName               = "/mcias.v1.AuthService/EnrollTOTP"
+	AuthService_ConfirmTOTP_FullMethodName              = "/mcias.v1.AuthService/ConfirmTOTP"
+	AuthService_RemoveTOTP_FullMethodName               = "/mcias.v1.AuthService/RemoveTOTP"
+	AuthService_ListWebAuthnCredentials_FullMethodName  = "/mcias.v1.AuthService/ListWebAuthnCredentials"
+	AuthService_RemoveWebAuthnCredential_FullMethodName = "/mcias.v1.AuthService/RemoveWebAuthnCredential"
 )

 // AuthServiceClient is the client API for AuthService service.
@@ -53,6 +55,12 @@ type AuthServiceClient interface {
 	// RemoveTOTP removes TOTP from an account (admin only).
 	// Requires: admin JWT in metadata.
 	RemoveTOTP(ctx context.Context, in *RemoveTOTPRequest, opts ...grpc.CallOption) (*RemoveTOTPResponse, error)
+	// ListWebAuthnCredentials returns metadata for an account's WebAuthn credentials.
+	// Requires: admin JWT in metadata.
+	ListWebAuthnCredentials(ctx context.Context, in *ListWebAuthnCredentialsRequest, opts ...grpc.CallOption) (*ListWebAuthnCredentialsResponse, error)
+	// RemoveWebAuthnCredential removes a specific WebAuthn credential.
+	// Requires: admin JWT in metadata.
+	RemoveWebAuthnCredential(ctx context.Context, in *RemoveWebAuthnCredentialRequest, opts ...grpc.CallOption) (*RemoveWebAuthnCredentialResponse, error)
 }

 type authServiceClient struct {
@@ -123,6 +131,26 @@ func (c *authServiceClient) RemoveTOTP(ctx context.Context, in *RemoveTOTPReques
 	return out, nil
 }

+func (c *authServiceClient) ListWebAuthnCredentials(ctx context.Context, in *ListWebAuthnCredentialsRequest, opts ...grpc.CallOption) (*ListWebAuthnCredentialsResponse, error) {
+	cOpts := append([]grpc.CallOption{grpc.StaticMethod()}, opts...)
+	out := new(ListWebAuthnCredentialsResponse)
+	err := c.cc.Invoke(ctx, AuthService_ListWebAuthnCredentials_FullMethodName, in, out, cOpts...)
+	if err != nil {
+		return nil, err
+	}
+	return out, nil
+}
+
+func (c *authServiceClient) RemoveWebAuthnCredential(ctx context.Context, in *RemoveWebAuthnCredentialRequest, opts ...grpc.CallOption) (*RemoveWebAuthnCredentialResponse, error) {
+	cOpts := append([]grpc.CallOption{grpc.StaticMethod()}, opts...)
+	out := new(RemoveWebAuthnCredentialResponse)
+	err := c.cc.Invoke(ctx, AuthService_RemoveWebAuthnCredential_FullMethodName, in, out, cOpts...)
+	if err != nil {
+		return nil, err
+	}
+	return out, nil
+}
+
 // AuthServiceServer is the server API for AuthService service.
 // All implementations must embed UnimplementedAuthServiceServer
 // for forward compatibility.
@@ -147,6 +175,12 @@ type AuthServiceServer interface {
 	// RemoveTOTP removes TOTP from an account (admin only).
 	// Requires: admin JWT in metadata.
 	RemoveTOTP(context.Context, *RemoveTOTPRequest) (*RemoveTOTPResponse, error)
+	// ListWebAuthnCredentials returns metadata for an account's WebAuthn credentials.
+	// Requires: admin JWT in metadata.
+	ListWebAuthnCredentials(context.Context, *ListWebAuthnCredentialsRequest) (*ListWebAuthnCredentialsResponse, error)
+	// RemoveWebAuthnCredential removes a specific WebAuthn credential.
+	// Requires: admin JWT in metadata.
+	RemoveWebAuthnCredential(context.Context, *RemoveWebAuthnCredentialRequest) (*RemoveWebAuthnCredentialResponse, error)
 	mustEmbedUnimplementedAuthServiceServer()
 }

@@ -175,6 +209,12 @@ func (UnimplementedAuthServiceServer) ConfirmTOTP(context.Context, *ConfirmTOTPR
 func (UnimplementedAuthServiceServer) RemoveTOTP(context.Context, *RemoveTOTPRequest) (*RemoveTOTPResponse, error) {
 	return nil, status.Error(codes.Unimplemented, "method RemoveTOTP not implemented")
 }
+func (UnimplementedAuthServiceServer) ListWebAuthnCredentials(context.Context, *ListWebAuthnCredentialsRequest) (*ListWebAuthnCredentialsResponse, error) {
+	return nil, status.Error(codes.Unimplemented, "method ListWebAuthnCredentials not implemented")
+}
+func (UnimplementedAuthServiceServer) RemoveWebAuthnCredential(context.Context, *RemoveWebAuthnCredentialRequest) (*RemoveWebAuthnCredentialResponse, error) {
+	return nil, status.Error(codes.Unimplemented, "method RemoveWebAuthnCredential not implemented")
+}
 func (UnimplementedAuthServiceServer) mustEmbedUnimplementedAuthServiceServer() {}
 func (UnimplementedAuthServiceServer) testEmbeddedByValue()                     {}

@@ -304,6 +344,42 @@ func _AuthService_RemoveTOTP_Handler(srv interface{}, ctx context.Context, dec f
 	return interceptor(ctx, in, info, handler)
 }

+func _AuthService_ListWebAuthnCredentials_Handler(srv interface{}, ctx context.Context, dec func(interface{}) error, interceptor grpc.UnaryServerInterceptor) (interface{}, error) {
+	in := new(ListWebAuthnCredentialsRequest)
+	if err := dec(in); err != nil {
+		return nil, err
+	}
+	if interceptor == nil {
+		return srv.(AuthServiceServer).ListWebAuthnCredentials(ctx, in)
+	}
+	info := &grpc.UnaryServerInfo{
+		Server:     srv,
+		FullMethod: AuthService_ListWebAuthnCredentials_FullMethodName,
+	}
+	handler := func(ctx context.Context, req interface{}) (interface{}, error) {
+		return srv.(AuthServiceServer).ListWebAuthnCredentials(ctx, req.(*ListWebAuthnCredentialsRequest))
+	}
+	return interceptor(ctx, in, info, handler)
+}
+
+func _AuthService_RemoveWebAuthnCredential_Handler(srv interface{}, ctx context.Context, dec func(interface{}) error, interceptor grpc.UnaryServerInterceptor) (interface{}, error) {
+	in := new(RemoveWebAuthnCredentialRequest)
+	if err := dec(in); err != nil {
+		return nil, err
+	}
+	if interceptor == nil {
+		return srv.(AuthServiceServer).RemoveWebAuthnCredential(ctx, in)
+	}
+	info := &grpc.UnaryServerInfo{
+		Server:     srv,
+		FullMethod: AuthService_RemoveWebAuthnCredential_FullMethodName,
+	}
+	handler := func(ctx context.Context, req interface{}) (interface{}, error) {
+		return srv.(AuthServiceServer).RemoveWebAuthnCredential(ctx, req.(*RemoveWebAuthnCredentialRequest))
+	}
+	return interceptor(ctx, in, info, handler)
+}
+
 // AuthService_ServiceDesc is the grpc.ServiceDesc for AuthService service.
 // It's only intended for direct use with grpc.RegisterService,
 // and not to be introspected or modified (even as a copy)
@@ -335,6 +411,14 @@ var AuthService_ServiceDesc = grpc.ServiceDesc{
 			MethodName: "RemoveTOTP",
 			Handler:    _AuthService_RemoveTOTP_Handler,
 		},
+		{
+			MethodName: "ListWebAuthnCredentials",
+			Handler:    _AuthService_ListWebAuthnCredentials_Handler,
+		},
+		{
+			MethodName: "RemoveWebAuthnCredential",
+			Handler:    _AuthService_RemoveWebAuthnCredential_Handler,
+		},
 	},
 	Streams:  []grpc.StreamDesc{},
 	Metadata: "mcias/v1/auth.proto",