diff --git a/web/packages/shared/components/ButtonSso/ButtonSso.tsx b/web/packages/shared/components/ButtonSso/ButtonSso.tsx
index 83e6943064562..039a4efdc5117 100644
--- a/web/packages/shared/components/ButtonSso/ButtonSso.tsx
+++ b/web/packages/shared/components/ButtonSso/ButtonSso.tsx
@@ -17,7 +17,7 @@ limitations under the License.
 import React from 'react';
 import styled from 'styled-components';
 import Button from 'design/Button';
-import { fade } from 'design/theme/utils/colorManipulator';
+import { darken, lighten } from 'design/theme/utils/colorManipulator';
 import * as Icons from 'design/Icon';
 import { AuthProviderType } from 'shared/services';
 
@@ -101,10 +101,12 @@ const StyledButton = styled(Button)`
   background-color: ${props => props.color};
   display: block;
   width: 100%;
+  border: 1px solid transparent;
 
   &:hover,
   &:focus {
-    background: ${props => fade(props.color, 0.4)};
+    background: ${props => darken(props.color, 0.1)};
+    border: 1px solid ${props => lighten(props.color, 0.4)};
   }
   height: 40px;
   position: relative;
diff --git a/web/packages/teleport/src/components/FormLogin/FormLogin.tsx b/web/packages/teleport/src/components/FormLogin/FormLogin.tsx
index 0139af18ecc1e..a3c0c4396a4fa 100644
--- a/web/packages/teleport/src/components/FormLogin/FormLogin.tsx
+++ b/web/packages/teleport/src/components/FormLogin/FormLogin.tsx
@@ -109,7 +109,12 @@ export default function LoginForm(props: Props) {
   );
 }
 
-const SsoList = ({ attempt, authProviders, onLoginWithSso }: Props) => {
+const SsoList = ({
+  attempt,
+  authProviders,
+  onLoginWithSso,
+  autoFocus = false,
+}: Props) => {
   const { isProcessing } = attempt;
   return (
     <SSOButtonList
@@ -117,11 +122,16 @@ const SsoList = ({ attempt, authProviders, onLoginWithSso }: Props) => {
       isDisabled={isProcessing}
       providers={authProviders}
       onClick={onLoginWithSso}
+      autoFocus={autoFocus}
     />
   );
 };
 
-const Passwordless = ({ onLoginWithWebauthn, attempt }: Props) => {
+const Passwordless = ({
+  onLoginWithWebauthn,
+  attempt,
+  autoFocus = false,
+}: Props) => {
   // Firefox currently does not support passwordless and when
   // logging in, it will return an ambigugous error.
   // We display a soft warning because firefox may provide
@@ -144,6 +154,7 @@ const Passwordless = ({ onLoginWithWebauthn, attempt }: Props) => {
         width="100%"
         onClick={() => onLoginWithWebauthn()}
         disabled={attempt.isProcessing}
+        autoFocus={autoFocus}
       >
         <Flex alignItems="center" justifyContent="space-between">
           <Flex alignItems="center">
@@ -171,6 +182,7 @@ const LocalForm = ({
   onLoginWithWebauthn,
   clearAttempt,
   hasTransitionEnded,
+  autoFocus = false,
 }: Props & { hasTransitionEnded: boolean }) => {
   const { isProcessing } = attempt;
   const [pass, setPass] = useState('');
@@ -183,7 +195,7 @@ const LocalForm = ({
   );
 
   const usernameInputRef = useRefAutoFocus<HTMLInputElement>({
-    shouldFocus: hasTransitionEnded,
+    shouldFocus: hasTransitionEnded && autoFocus,
   });
 
   const [mfaType, setMfaType] = useState(mfaOptions[0]);
@@ -233,8 +245,9 @@ const LocalForm = ({
             value={user}
             onChange={e => setUser(e.target.value)}
             placeholder="Username"
+            mb={3}
           />
-          <Box mb={isRecoveryEnabled ? 2 : 4}>
+          <Box mb={isRecoveryEnabled ? 1 : 3}>
             <FieldInput
               rule={requiredField('Password is required')}
               label="Password"
@@ -257,7 +270,7 @@ const LocalForm = ({
             )}
           </Box>
           {auth2faType !== 'off' && (
-            <Box mb={isRecoveryEnabled ? 3 : 4}>
+            <Box mb={isRecoveryEnabled ? 2 : 3}>
               <Flex alignItems="flex-end">
                 <FieldSelect
                   maxWidth="50%"
@@ -313,6 +326,8 @@ const LocalForm = ({
   );
 };
 
+// Primary determines which authentication type to display
+// on initial render of the login form.
 const Primary = ({
   next,
   refCallback,
@@ -323,19 +338,23 @@ const Primary = ({
   let otherOptionsAvailable = true;
   let $primary;
 
-  if (otherProps.primaryAuthType === 'passwordless') {
-    $primary = <Passwordless {...otherProps} />;
-  }
-
-  if (otherProps.primaryAuthType === 'local') {
-    otherOptionsAvailable = otherProps.isPasswordlessEnabled || ssoEnabled;
-    $primary = (
-      <LocalForm {...otherProps} hasTransitionEnded={hasTransitionEnded} />
-    );
-  }
-
-  if (otherProps.primaryAuthType === 'sso') {
-    $primary = <SsoList {...otherProps} />;
+  switch (otherProps.primaryAuthType) {
+    case 'passwordless':
+      $primary = <Passwordless {...otherProps} autoFocus={true} />;
+      break;
+    case 'sso':
+      $primary = <SsoList {...otherProps} autoFocus={true} />;
+      break;
+    case 'local':
+      otherOptionsAvailable = otherProps.isPasswordlessEnabled || ssoEnabled;
+      $primary = (
+        <LocalForm
+          {...otherProps}
+          hasTransitionEnded={hasTransitionEnded}
+          autoFocus={true}
+        />
+      );
+      break;
   }
 
   return (
@@ -358,6 +377,11 @@ const Primary = ({
   );
 };
 
+// Secondary determines what other forms of authentication
+// is allowed for the user to login with.
+//
+// There can be multiple authn types available, which will
+// be visually separated by a divider.
 const Secondary = ({
   prev,
   refCallback,
@@ -366,50 +390,48 @@ const Secondary = ({
   const ssoEnabled = otherProps.authProviders?.length > 0;
   const { primaryAuthType, isPasswordlessEnabled } = otherProps;
 
-  const $local = <LocalForm {...otherProps} />;
-  const $sso = <SsoList {...otherProps} />;
-  const $passwordless = <Passwordless {...otherProps} />;
-
   let $secondary;
-
-  if (primaryAuthType === 'passwordless') {
-    $secondary = (
-      <>
-        {ssoEnabled && (
+  switch (primaryAuthType) {
+    case 'passwordless':
+      if (ssoEnabled) {
+        $secondary = (
           <>
-            {$sso}
+            <SsoList {...otherProps} autoFocus={true} />
             <Divider />
+            <LocalForm {...otherProps} />
           </>
-        )}
-        {$local}
-      </>
-    );
-  }
-
-  if (primaryAuthType === 'local') {
-    $secondary = (
-      <>
-        {isPasswordlessEnabled && $passwordless}
-        {isPasswordlessEnabled && ssoEnabled && <Divider />}
-        {ssoEnabled && $sso}
-      </>
-    );
-  }
-
-  if (primaryAuthType === 'sso') {
-    $secondary = (
-      <>
-        {isPasswordlessEnabled && (
+        );
+      } else {
+        $secondary = <LocalForm {...otherProps} autoFocus={true} />;
+      }
+      break;
+    case 'sso':
+      if (isPasswordlessEnabled) {
+        $secondary = (
           <>
-            {$passwordless}
+            <Passwordless {...otherProps} autoFocus={true} />
             <Divider />
+            <LocalForm {...otherProps} />
           </>
-        )}
-        {$local}
-      </>
-    );
+        );
+      } else {
+        $secondary = <LocalForm {...otherProps} autoFocus={true} />;
+      }
+      break;
+    case 'local':
+      if (isPasswordlessEnabled) {
+        $secondary = (
+          <>
+            <Passwordless {...otherProps} autoFocus={true} />
+            {otherProps.isPasswordlessEnabled && ssoEnabled && <Divider />}
+            {ssoEnabled && <SsoList {...otherProps} />}
+          </>
+        );
+      } else {
+        $secondary = <SsoList {...otherProps} autoFocus={true} />;
+      }
+      break;
   }
-
   return (
     <Box ref={refCallback}>
       {$secondary}
@@ -490,6 +512,7 @@ export type Props = {
   onLoginWithSso(provider: AuthProvider): void;
   onLoginWithWebauthn(creds?: UserCredentials): void;
   onLogin(username: string, password: string, token: string): void;
+  autoFocus?: boolean;
 };
 
 type AttemptState = ReturnType<typeof useAttempt>[0];
diff --git a/web/packages/teleport/src/components/FormLogin/SsoButtons.tsx b/web/packages/teleport/src/components/FormLogin/SsoButtons.tsx
index df40d168b27a5..8ad61a65307ea 100644
--- a/web/packages/teleport/src/components/FormLogin/SsoButtons.tsx
+++ b/web/packages/teleport/src/components/FormLogin/SsoButtons.tsx
@@ -15,15 +15,22 @@ limitations under the License.
 */
 
 import React from 'react';
-import { Box } from 'design';
+import { Box, Text } from 'design';
 import ButtonSso, { guessProviderType } from 'shared/components/ButtonSso';
 import { AuthProvider } from 'shared/services';
 
-const SSOBtnList = ({ providers, prefixText, isDisabled, onClick }: Props) => {
+const SSOBtnList = ({
+  providers,
+  prefixText,
+  isDisabled,
+  onClick,
+  autoFocus = false,
+}: Props) => {
   const $btns = providers.map((item, index) => {
     let { name, type, displayName } = item;
     const title = displayName || `${prefixText} ${name}`;
     const ssoType = guessProviderType(title, type);
+    const len = providers.length - 1;
     return (
       <ButtonSso
         key={index}
@@ -31,6 +38,8 @@ const SSOBtnList = ({ providers, prefixText, isDisabled, onClick }: Props) => {
         ssoType={ssoType}
         disabled={isDisabled}
         mt={3}
+        mb={index < len ? 3 : 0}
+        autoFocus={index === 0 && autoFocus}
         onClick={e => {
           e.preventDefault();
           onClick(item);
@@ -40,7 +49,11 @@ const SSOBtnList = ({ providers, prefixText, isDisabled, onClick }: Props) => {
   });
 
   if ($btns.length === 0) {
-    return <h4> You have no SSO providers configured </h4>;
+    return (
+      <Text textAlign="center" bold pt={3}>
+        You have no SSO providers configured
+      </Text>
+    );
   }
 
   return (
@@ -55,6 +68,8 @@ type Props = {
   isDisabled: boolean;
   onClick(provider: AuthProvider): void;
   providers: AuthProvider[];
+  // autoFocus focuses on the first button in list.
+  autoFocus?: boolean;
 };
 
 export default SSOBtnList;
diff --git a/web/packages/teleport/src/components/FormLogin/__snapshots__/FormLogin.story.test.tsx.snap b/web/packages/teleport/src/components/FormLogin/__snapshots__/FormLogin.story.test.tsx.snap
index 2cb5099409415..5efd001bbf54d 100644
--- a/web/packages/teleport/src/components/FormLogin/__snapshots__/FormLogin.story.test.tsx.snap
+++ b/web/packages/teleport/src/components/FormLogin/__snapshots__/FormLogin.story.test.tsx.snap
@@ -7,7 +7,7 @@ exports[`auth2faType: off 1`] = `
 
 .c5 {
   box-sizing: border-box;
-  margin-bottom: 24px;
+  margin-bottom: 16px;
 }
 
 .c8 {
@@ -272,7 +272,7 @@ exports[`auth2faType: optional rendering 1`] = `
 
 .c5 {
   box-sizing: border-box;
-  margin-bottom: 24px;
+  margin-bottom: 16px;
 }
 
 .c8 {
@@ -705,7 +705,7 @@ exports[`auth2faType: otp rendering 1`] = `
 
 .c5 {
   box-sizing: border-box;
-  margin-bottom: 24px;
+  margin-bottom: 16px;
 }
 
 .c8 {
@@ -1164,7 +1164,7 @@ exports[`auth2faType: webauthn rendering 1`] = `
 
 .c5 {
   box-sizing: border-box;
-  margin-bottom: 24px;
+  margin-bottom: 16px;
 }
 
 .c8 {
@@ -1597,12 +1597,12 @@ exports[`cloud auth2faType: on rendering 1`] = `
 
 .c5 {
   box-sizing: border-box;
-  margin-bottom: 24px;
+  margin-bottom: 16px;
 }
 
 .c8 {
   box-sizing: border-box;
-  margin-bottom: 8px;
+  margin-bottom: 4px;
 }
 
 .c9 {
@@ -1618,7 +1618,7 @@ exports[`cloud auth2faType: on rendering 1`] = `
 
 .c13 {
   box-sizing: border-box;
-  margin-bottom: 16px;
+  margin-bottom: 8px;
 }
 
 .c15 {
@@ -2230,7 +2230,7 @@ exports[`server error rendering 1`] = `
 
 .c6 {
   box-sizing: border-box;
-  margin-bottom: 24px;
+  margin-bottom: 16px;
 }
 
 .c9 {
@@ -2527,6 +2527,7 @@ exports[`sso list still renders when local auth is disabled 1`] = `
   min-height: 32px;
   font-size: 12px;
   padding: 0px 24px;
+  margin-bottom: 16px;
   margin-top: 16px;
   width: 100%;
 }
@@ -2549,6 +2550,53 @@ exports[`sso list still renders when local auth is disabled 1`] = `
   color: rgba(255,255,255,0.3);
 }
 
+.c8 {
+  line-height: 1.5;
+  margin: 0;
+  display: inline-flex;
+  justify-content: center;
+  align-items: center;
+  box-sizing: border-box;
+  border: none;
+  border-radius: 4px;
+  cursor: pointer;
+  font-family: inherit;
+  font-weight: 600;
+  outline: none;
+  position: relative;
+  text-align: center;
+  text-decoration: none;
+  text-transform: uppercase;
+  transition: all 0.3s;
+  -webkit-font-smoothing: antialiased;
+  background: #512FC9;
+  color: rgba(255,255,255,0.87);
+  min-height: 32px;
+  font-size: 12px;
+  padding: 0px 24px;
+  margin-bottom: 0px;
+  margin-top: 16px;
+  width: 100%;
+}
+
+.c8:active {
+  opacity: 0.56;
+}
+
+.c8:hover,
+.c8:focus {
+  background: #651FFF;
+}
+
+.c8:active {
+  background: #354AA4;
+}
+
+.c8:disabled {
+  background: rgba(255,255,255,0.12);
+  color: rgba(255,255,255,0.3);
+}
+
 .c7 {
   display: inline-block;
   transition: color 0.3s;
@@ -2584,6 +2632,7 @@ exports[`sso list still renders when local auth is disabled 1`] = `
   background-color: #444444;
   display: block;
   width: 100%;
+  border: 1px solid transparent;
   height: 40px;
   position: relative;
   box-sizing: border-box;
@@ -2591,7 +2640,8 @@ exports[`sso list still renders when local auth is disabled 1`] = `
 
 .c4:hover,
 .c4:focus {
-  background: rgba(68,68,68,0.4);
+  background: rgb(61,61,61);
+  border: 1px solid rgb(142,142,142);
 }
 
 .c4 .c6 {
@@ -2599,21 +2649,23 @@ exports[`sso list still renders when local auth is disabled 1`] = `
   opacity: 0.87;
 }
 
-.c8 {
+.c9 {
   background-color: #dd4b39;
   display: block;
   width: 100%;
+  border: 1px solid transparent;
   height: 40px;
   position: relative;
   box-sizing: border-box;
 }
 
-.c8:hover,
-.c8:focus {
-  background: rgba(221,75,57,0.4);
+.c9:hover,
+.c9:focus {
+  background: rgb(198,67,51);
+  border: 1px solid rgb(234,147,136);
 }
 
-.c8 .c6 {
+.c9 .c6 {
   font-size: 20px;
   opacity: 0.87;
 }
@@ -2663,7 +2715,7 @@ exports[`sso list still renders when local auth is disabled 1`] = `
       Login with github
     </button>
     <button
-      class="c3 c8"
+      class="c8 c9"
       color="#dd4b39"
       kind="primary"
     >
@@ -2695,7 +2747,7 @@ exports[`sso providers rendering 1`] = `
   padding-right: 40px;
 }
 
-.c14 {
+.c15 {
   box-sizing: border-box;
   margin-top: -4px;
   padding-top: 16px;
@@ -2726,6 +2778,7 @@ exports[`sso providers rendering 1`] = `
   min-height: 32px;
   font-size: 12px;
   padding: 0px 24px;
+  margin-bottom: 16px;
   margin-top: 16px;
   width: 100%;
 }
@@ -2748,7 +2801,54 @@ exports[`sso providers rendering 1`] = `
   color: rgba(255,255,255,0.3);
 }
 
-.c15 {
+.c13 {
+  line-height: 1.5;
+  margin: 0;
+  display: inline-flex;
+  justify-content: center;
+  align-items: center;
+  box-sizing: border-box;
+  border: none;
+  border-radius: 4px;
+  cursor: pointer;
+  font-family: inherit;
+  font-weight: 600;
+  outline: none;
+  position: relative;
+  text-align: center;
+  text-decoration: none;
+  text-transform: uppercase;
+  transition: all 0.3s;
+  -webkit-font-smoothing: antialiased;
+  background: #512FC9;
+  color: rgba(255,255,255,0.87);
+  min-height: 32px;
+  font-size: 12px;
+  padding: 0px 24px;
+  margin-bottom: 0px;
+  margin-top: 16px;
+  width: 100%;
+}
+
+.c13:active {
+  opacity: 0.56;
+}
+
+.c13:hover,
+.c13:focus {
+  background: #651FFF;
+}
+
+.c13:active {
+  background: #354AA4;
+}
+
+.c13:disabled {
+  background: rgba(255,255,255,0.12);
+  color: rgba(255,255,255,0.3);
+}
+
+.c16 {
   line-height: 1.5;
   margin: 0;
   display: inline-flex;
@@ -2775,17 +2875,17 @@ exports[`sso providers rendering 1`] = `
   padding: 0px 24px;
 }
 
-.c15:active {
+.c16:active {
   opacity: 0.56;
 }
 
-.c15:hover,
-.c15:focus {
+.c16:hover,
+.c16:focus {
   background: none;
   text-decoration: underline;
 }
 
-.c15:disabled {
+.c16:disabled {
   background: none;
   color: rgba(255,255,255,0.3);
 }
@@ -2869,6 +2969,7 @@ exports[`sso providers rendering 1`] = `
   background-color: #444444;
   display: block;
   width: 100%;
+  border: 1px solid transparent;
   height: 40px;
   position: relative;
   box-sizing: border-box;
@@ -2876,7 +2977,8 @@ exports[`sso providers rendering 1`] = `
 
 .c6:hover,
 .c6:focus {
-  background: rgba(68,68,68,0.4);
+  background: rgb(61,61,61);
+  border: 1px solid rgb(142,142,142);
 }
 
 .c6 .c8 {
@@ -2888,6 +2990,7 @@ exports[`sso providers rendering 1`] = `
   background-color: #dd4b39;
   display: block;
   width: 100%;
+  border: 1px solid transparent;
   height: 40px;
   position: relative;
   box-sizing: border-box;
@@ -2895,7 +2998,8 @@ exports[`sso providers rendering 1`] = `
 
 .c10:hover,
 .c10:focus {
-  background: rgba(221,75,57,0.4);
+  background: rgb(198,67,51);
+  border: 1px solid rgb(234,147,136);
 }
 
 .c10 .c8 {
@@ -2907,6 +3011,7 @@ exports[`sso providers rendering 1`] = `
   background-color: #205081;
   display: block;
   width: 100%;
+  border: 1px solid transparent;
   height: 40px;
   position: relative;
   box-sizing: border-box;
@@ -2914,7 +3019,8 @@ exports[`sso providers rendering 1`] = `
 
 .c11:hover,
 .c11:focus {
-  background: rgba(32,80,129,0.4);
+  background: rgb(28,72,116);
+  border: 1px solid rgb(121,150,179);
 }
 
 .c11 .c8 {
@@ -2926,6 +3032,7 @@ exports[`sso providers rendering 1`] = `
   background-color: #f7931e;
   display: block;
   width: 100%;
+  border: 1px solid transparent;
   height: 40px;
   position: relative;
   box-sizing: border-box;
@@ -2933,7 +3040,8 @@ exports[`sso providers rendering 1`] = `
 
 .c12:hover,
 .c12:focus {
-  background: rgba(247,147,30,0.4);
+  background: rgb(222,132,27);
+  border: 1px solid rgb(250,190,120);
 }
 
 .c12 .c8 {
@@ -2941,21 +3049,23 @@ exports[`sso providers rendering 1`] = `
   opacity: 0.87;
 }
 
-.c13 {
+.c14 {
   background-color: #2672ec;
   display: block;
   width: 100%;
+  border: 1px solid transparent;
   height: 40px;
   position: relative;
   box-sizing: border-box;
 }
 
-.c13:hover,
-.c13:focus {
-  background: rgba(38,114,236,0.4);
+.c14:hover,
+.c14:focus {
+  background: rgb(34,102,212);
+  border: 1px solid rgb(124,170,243);
 }
 
-.c13 .c8 {
+.c14 .c8 {
   font-size: 20px;
   opacity: 0.87;
 }
@@ -3063,7 +3173,7 @@ exports[`sso providers rendering 1`] = `
             Login with Mission Control
           </button>
           <button
-            class="c5 c13"
+            class="c13 c14"
             color="#2672ec"
             kind="primary"
           >
@@ -3080,10 +3190,10 @@ exports[`sso providers rendering 1`] = `
           </button>
         </div>
         <div
-          class="c14"
+          class="c15"
         >
           <button
-            class="c15"
+            class="c16"
             kind="text"
           >
             Other sign-in options
diff --git a/web/packages/teleterm/src/services/tshd/createClient.ts b/web/packages/teleterm/src/services/tshd/createClient.ts
index 1fd2788196fe6..d92c686fe73dd 100644
--- a/web/packages/teleterm/src/services/tshd/createClient.ts
+++ b/web/packages/teleterm/src/services/tshd/createClient.ts
@@ -1,4 +1,4 @@
-import { ChannelCredentials } from '@grpc/grpc-js';
+import { ChannelCredentials, ClientDuplexStream } from '@grpc/grpc-js';
 
 import { TerminalServiceClient } from 'teleterm/services/tshd/v1/service_grpc_pb';
 import * as api from 'teleterm/services/tshd/v1/service_pb';
@@ -164,30 +164,42 @@ export default function createClient(
       });
     },
 
-    async login(params: types.LoginParams, abortSignal?: types.TshAbortSignal) {
-      const ssoParams = params.sso
-        ? new api.LoginRequest.SsoParams()
-            .setProviderName(params.sso.providerName)
-            .setProviderType(params.sso.providerType)
-        : null;
-
-      const localParams = params.local
-        ? new api.LoginRequest.LocalParams()
-            .setToken(params.local.token)
-            .setUser(params.local.username)
-            .setPassword(params.local.password)
-        : null;
+    async loginLocal(
+      params: types.LoginLocalParams,
+      abortSignal?: types.TshAbortSignal
+    ) {
+      const localParams = new api.LoginRequest.LocalParams()
+        .setToken(params.token)
+        .setUser(params.username)
+        .setPassword(params.password);
 
       return withAbort(abortSignal, callRef => {
         const req = new api.LoginRequest().setClusterUri(params.clusterUri);
+        req.setLocal(localParams);
 
-        // LoginRequest has oneof on `Local` and `Sso`, which means that setting one of them clears
-        // the other.
-        if (ssoParams) {
-          req.setSso(ssoParams);
-        } else {
-          req.setLocal(localParams);
-        }
+        return new Promise<void>((resolve, reject) => {
+          callRef.current = tshd.login(req, err => {
+            if (err) {
+              reject(err);
+            } else {
+              resolve();
+            }
+          });
+        });
+      });
+    },
+
+    async loginSso(
+      params: types.LoginSsoParams,
+      abortSignal?: types.TshAbortSignal
+    ) {
+      const ssoParams = new api.LoginRequest.SsoParams()
+        .setProviderName(params.providerName)
+        .setProviderType(params.providerType);
+
+      return withAbort(abortSignal, callRef => {
+        const req = new api.LoginRequest().setClusterUri(params.clusterUri);
+        req.setSso(ssoParams);
 
         return new Promise<void>((resolve, reject) => {
           callRef.current = tshd.login(req, err => {
@@ -201,6 +213,105 @@ export default function createClient(
       });
     },
 
+    async loginPasswordless(
+      params: types.LoginPasswordlessParams,
+      abortSignal?: types.TshAbortSignal
+    ) {
+      return withAbort(abortSignal, callRef => {
+        const streamInitReq =
+          new api.LoginPasswordlessRequest.LoginPasswordlessRequestInit().setClusterUri(
+            params.clusterUri
+          );
+        const streamReq = new api.LoginPasswordlessRequest().setInit(
+          streamInitReq
+        );
+
+        return new Promise<void>((resolve, reject) => {
+          callRef.current = tshd.loginPasswordless();
+          const stream = callRef.current as ClientDuplexStream<
+            api.LoginPasswordlessRequest,
+            api.LoginPasswordlessResponse
+          >;
+
+          let hasDeviceBeenTapped = false;
+
+          // Init the stream.
+          stream.write(streamReq);
+
+          stream.on('data', function (response: api.LoginPasswordlessResponse) {
+            const req = response.toObject();
+
+            switch (req.prompt) {
+              case api.PasswordlessPrompt.PASSWORDLESS_PROMPT_PIN:
+                const pinResponse = pin => {
+                  const pinRes =
+                    new api.LoginPasswordlessRequest.LoginPasswordlessPINResponse().setPin(
+                      pin
+                    );
+                  stream.write(
+                    new api.LoginPasswordlessRequest().setPin(pinRes)
+                  );
+                };
+
+                params.onPromptCallback({
+                  type: 'pin',
+                  onUserResponse: pinResponse,
+                });
+                return;
+
+              case api.PasswordlessPrompt.PASSWORDLESS_PROMPT_CREDENTIAL:
+                const credResponse = index => {
+                  const credRes =
+                    new api.LoginPasswordlessRequest.LoginPasswordlessCredentialResponse().setIndex(
+                      index
+                    );
+                  stream.write(
+                    new api.LoginPasswordlessRequest().setCredential(credRes)
+                  );
+                };
+
+                params.onPromptCallback({
+                  type: 'credential',
+                  onUserResponse: credResponse,
+                  data: { credentials: req.credentialsList || [] },
+                });
+                return;
+
+              case api.PasswordlessPrompt.PASSWORDLESS_PROMPT_TAP:
+                if (hasDeviceBeenTapped) {
+                  params.onPromptCallback({ type: 'retap' });
+                } else {
+                  hasDeviceBeenTapped = true;
+                  params.onPromptCallback({ type: 'tap' });
+                }
+                return;
+
+              // Following cases should never happen but just in case?
+              case api.PasswordlessPrompt.PASSWORDLESS_PROMPT_UNSPECIFIED:
+                stream.cancel();
+                return reject(
+                  new Error('no passwordless prompt was specified')
+                );
+
+              default:
+                stream.cancel();
+                return reject(
+                  new Error(`passwordless prompt '${req.prompt}' not supported`)
+                );
+            }
+          });
+
+          stream.on('end', function () {
+            resolve();
+          });
+
+          stream.on('error', function (err: Error) {
+            reject(err);
+          });
+        });
+      });
+    },
+
     async getAuthSettings(clusterUri = '') {
       const req = new api.GetAuthSettingsRequest().setClusterUri(clusterUri);
       return new Promise<types.AuthSettings>((resolve, reject) => {
diff --git a/web/packages/teleterm/src/services/tshd/fixtures/mocks.ts b/web/packages/teleterm/src/services/tshd/fixtures/mocks.ts
index 549943b47dc1a..2bc2281de1dc2 100644
--- a/web/packages/teleterm/src/services/tshd/fixtures/mocks.ts
+++ b/web/packages/teleterm/src/services/tshd/fixtures/mocks.ts
@@ -6,7 +6,9 @@ import {
   Database,
   Gateway,
   Kube,
-  LoginParams,
+  LoginLocalParams,
+  LoginPasswordlessParams,
+  LoginSsoParams,
   Server,
   TshAbortController,
   TshAbortSignal,
@@ -40,8 +42,16 @@ export class MockTshClient implements TshClient {
   getCluster: (clusterUri: string) => Promise<Cluster>;
   getAuthSettings: (clusterUri: string) => Promise<AuthSettings>;
   removeCluster: (clusterUri: string) => Promise<undefined>;
-  login: (
-    params: LoginParams,
+  loginLocal: (
+    params: LoginLocalParams,
+    abortSignal?: TshAbortSignal
+  ) => Promise<undefined>;
+  loginSso: (
+    params: LoginSsoParams,
+    abortSignal?: TshAbortSignal
+  ) => Promise<undefined>;
+  loginPasswordless: (
+    params: LoginPasswordlessParams,
     abortSignal?: TshAbortSignal
   ) => Promise<undefined>;
   logout: (clusterUri: string) => Promise<undefined>;
diff --git a/web/packages/teleterm/src/services/tshd/types.ts b/web/packages/teleterm/src/services/tshd/types.ts
index d92d9c389ec7a..90cbee9549020 100644
--- a/web/packages/teleterm/src/services/tshd/types.ts
+++ b/web/packages/teleterm/src/services/tshd/types.ts
@@ -4,6 +4,7 @@ import apigateway from './v1/gateway_pb';
 import apiServer from './v1/server_pb';
 import apiKube from './v1/kube_pb';
 import apiApp from './v1/app_pb';
+import apiService from './v1/service_pb';
 import apiAuthSettings from './v1/auth_settings_pb';
 
 export type Application = apiApp.App.AsObject;
@@ -27,6 +28,26 @@ export type LoggedInUser = apiCluster.LoggedInUser.AsObject;
 export type AuthProvider = apiAuthSettings.AuthProvider.AsObject;
 export type AuthSettings = apiAuthSettings.AuthSettings.AsObject;
 
+export type WebauthnCredentialInfo = apiService.CredentialInfo.AsObject;
+export type WebauthnLoginPrompt =
+  | WebauthnLoginTapPrompt
+  | WebauthnLoginRetapPrompt
+  | WebauthnLoginPinPrompt
+  | WebauthnLoginCredentialPrompt;
+export type WebauthnLoginTapPrompt = { type: 'tap' };
+export type WebauthnLoginRetapPrompt = { type: 'retap' };
+export type WebauthnLoginPinPrompt = {
+  type: 'pin';
+  onUserResponse(pin: string): void;
+};
+export type WebauthnLoginCredentialPrompt = {
+  type: 'credential';
+  data: { credentials: WebauthnCredentialInfo[] };
+  onUserResponse(index: number): void;
+};
+export type LoginPasswordlessRequest =
+  Partial<apiService.LoginPasswordlessRequest.AsObject>;
+
 export type TshClient = {
   listRootClusters: () => Promise<Cluster[]>;
   listLeafClusters: (clusterUri: string) => Promise<Cluster[]>;
@@ -54,7 +75,18 @@ export type TshClient = {
   getCluster: (clusterUri: string) => Promise<Cluster>;
   getAuthSettings: (clusterUri: string) => Promise<AuthSettings>;
   removeCluster: (clusterUri: string) => Promise<void>;
-  login: (params: LoginParams, abortSignal?: TshAbortSignal) => Promise<void>;
+  loginLocal: (
+    params: LoginLocalParams,
+    abortSignal?: TshAbortSignal
+  ) => Promise<void>;
+  loginSso: (
+    params: LoginSsoParams,
+    abortSignal?: TshAbortSignal
+  ) => Promise<void>;
+  loginPasswordless: (
+    params: LoginPasswordlessParams,
+    abortSignal?: TshAbortSignal
+  ) => Promise<void>;
   logout: (clusterUri: string) => Promise<void>;
 };
 
@@ -68,18 +100,24 @@ export type TshAbortSignal = {
   removeEventListener(cb: (...args: any[]) => void): void;
 };
 
-export type LoginParams = {
+interface LoginParamsBase {
   clusterUri: string;
-  sso?: {
-    providerType: string;
-    providerName: string;
-  };
-  local?: {
-    username: string;
-    password: string;
-    token?: string;
-  };
-};
+}
+
+export interface LoginLocalParams extends LoginParamsBase {
+  username: string;
+  password: string;
+  token?: string;
+}
+
+export interface LoginSsoParams extends LoginParamsBase {
+  providerType: string;
+  providerName: string;
+}
+
+export interface LoginPasswordlessParams extends LoginParamsBase {
+  onPromptCallback(res: WebauthnLoginPrompt): void;
+}
 
 export type CreateGatewayParams = {
   targetUri: string;
diff --git a/web/packages/teleterm/src/services/tshd/v1/auth_settings_pb.d.ts b/web/packages/teleterm/src/services/tshd/v1/auth_settings_pb.d.ts
index c31496ca3aae3..1ff6576a2acb6 100644
--- a/web/packages/teleterm/src/services/tshd/v1/auth_settings_pb.d.ts
+++ b/web/packages/teleterm/src/services/tshd/v1/auth_settings_pb.d.ts
@@ -24,6 +24,15 @@ export class AuthSettings extends jspb.Message {
     getHasMessageOfTheDay(): boolean;
     setHasMessageOfTheDay(value: boolean): AuthSettings;
 
+    getAuthType(): string;
+    setAuthType(value: string): AuthSettings;
+
+    getAllowPasswordless(): boolean;
+    setAllowPasswordless(value: boolean): AuthSettings;
+
+    getLocalConnectorName(): string;
+    setLocalConnectorName(value: string): AuthSettings;
+
 
     serializeBinary(): Uint8Array;
     toObject(includeInstance?: boolean): AuthSettings.AsObject;
@@ -42,6 +51,9 @@ export namespace AuthSettings {
         preferredMfa: string,
         authProvidersList: Array<AuthProvider.AsObject>,
         hasMessageOfTheDay: boolean,
+        authType: string,
+        allowPasswordless: boolean,
+        localConnectorName: string,
     }
 }
 
diff --git a/web/packages/teleterm/src/services/tshd/v1/auth_settings_pb.js b/web/packages/teleterm/src/services/tshd/v1/auth_settings_pb.js
index 159bf20a95dfa..39cacaf9b83f4 100644
--- a/web/packages/teleterm/src/services/tshd/v1/auth_settings_pb.js
+++ b/web/packages/teleterm/src/services/tshd/v1/auth_settings_pb.js
@@ -100,7 +100,10 @@ proto.teleport.terminal.v1.AuthSettings.toObject = function(includeInstance, msg
     preferredMfa: jspb.Message.getFieldWithDefault(msg, 3, ""),
     authProvidersList: jspb.Message.toObjectList(msg.getAuthProvidersList(),
     proto.teleport.terminal.v1.AuthProvider.toObject, includeInstance),
-    hasMessageOfTheDay: jspb.Message.getBooleanFieldWithDefault(msg, 5, false)
+    hasMessageOfTheDay: jspb.Message.getBooleanFieldWithDefault(msg, 5, false),
+    authType: jspb.Message.getFieldWithDefault(msg, 6, ""),
+    allowPasswordless: jspb.Message.getBooleanFieldWithDefault(msg, 7, false),
+    localConnectorName: jspb.Message.getFieldWithDefault(msg, 8, "")
   };
 
   if (includeInstance) {
@@ -158,6 +161,18 @@ proto.teleport.terminal.v1.AuthSettings.deserializeBinaryFromReader = function(m
       var value = /** @type {boolean} */ (reader.readBool());
       msg.setHasMessageOfTheDay(value);
       break;
+    case 6:
+      var value = /** @type {string} */ (reader.readString());
+      msg.setAuthType(value);
+      break;
+    case 7:
+      var value = /** @type {boolean} */ (reader.readBool());
+      msg.setAllowPasswordless(value);
+      break;
+    case 8:
+      var value = /** @type {string} */ (reader.readString());
+      msg.setLocalConnectorName(value);
+      break;
     default:
       reader.skipField();
       break;
@@ -223,6 +238,27 @@ proto.teleport.terminal.v1.AuthSettings.serializeBinaryToWriter = function(messa
       f
     );
   }
+  f = message.getAuthType();
+  if (f.length > 0) {
+    writer.writeString(
+      6,
+      f
+    );
+  }
+  f = message.getAllowPasswordless();
+  if (f) {
+    writer.writeBool(
+      7,
+      f
+    );
+  }
+  f = message.getLocalConnectorName();
+  if (f.length > 0) {
+    writer.writeString(
+      8,
+      f
+    );
+  }
 };
 
 
@@ -336,6 +372,60 @@ proto.teleport.terminal.v1.AuthSettings.prototype.setHasMessageOfTheDay = functi
 };
 
 
+/**
+ * optional string auth_type = 6;
+ * @return {string}
+ */
+proto.teleport.terminal.v1.AuthSettings.prototype.getAuthType = function() {
+  return /** @type {string} */ (jspb.Message.getFieldWithDefault(this, 6, ""));
+};
+
+
+/**
+ * @param {string} value
+ * @return {!proto.teleport.terminal.v1.AuthSettings} returns this
+ */
+proto.teleport.terminal.v1.AuthSettings.prototype.setAuthType = function(value) {
+  return jspb.Message.setProto3StringField(this, 6, value);
+};
+
+
+/**
+ * optional bool allow_passwordless = 7;
+ * @return {boolean}
+ */
+proto.teleport.terminal.v1.AuthSettings.prototype.getAllowPasswordless = function() {
+  return /** @type {boolean} */ (jspb.Message.getBooleanFieldWithDefault(this, 7, false));
+};
+
+
+/**
+ * @param {boolean} value
+ * @return {!proto.teleport.terminal.v1.AuthSettings} returns this
+ */
+proto.teleport.terminal.v1.AuthSettings.prototype.setAllowPasswordless = function(value) {
+  return jspb.Message.setProto3BooleanField(this, 7, value);
+};
+
+
+/**
+ * optional string local_connector_name = 8;
+ * @return {string}
+ */
+proto.teleport.terminal.v1.AuthSettings.prototype.getLocalConnectorName = function() {
+  return /** @type {string} */ (jspb.Message.getFieldWithDefault(this, 8, ""));
+};
+
+
+/**
+ * @param {string} value
+ * @return {!proto.teleport.terminal.v1.AuthSettings} returns this
+ */
+proto.teleport.terminal.v1.AuthSettings.prototype.setLocalConnectorName = function(value) {
+  return jspb.Message.setProto3StringField(this, 8, value);
+};
+
+
 
 
 
diff --git a/web/packages/teleterm/src/services/tshd/v1/service_grpc_pb.d.ts b/web/packages/teleterm/src/services/tshd/v1/service_grpc_pb.d.ts
index 4722a24f5630c..727542d803267 100644
--- a/web/packages/teleterm/src/services/tshd/v1/service_grpc_pb.d.ts
+++ b/web/packages/teleterm/src/services/tshd/v1/service_grpc_pb.d.ts
@@ -34,6 +34,7 @@ interface ITerminalServiceService extends grpc.ServiceDefinition<grpc.UntypedSer
     getAuthSettings: ITerminalServiceService_IGetAuthSettings;
     getCluster: ITerminalServiceService_IGetCluster;
     login: ITerminalServiceService_ILogin;
+    loginPasswordless: ITerminalServiceService_ILoginPasswordless;
     logout: ITerminalServiceService_ILogout;
 }
 
@@ -199,6 +200,15 @@ interface ITerminalServiceService_ILogin extends grpc.MethodDefinition<v1_servic
     responseSerialize: grpc.serialize<v1_service_pb.EmptyResponse>;
     responseDeserialize: grpc.deserialize<v1_service_pb.EmptyResponse>;
 }
+interface ITerminalServiceService_ILoginPasswordless extends grpc.MethodDefinition<v1_service_pb.LoginPasswordlessRequest, v1_service_pb.LoginPasswordlessResponse> {
+    path: "/teleport.terminal.v1.TerminalService/LoginPasswordless";
+    requestStream: true;
+    responseStream: true;
+    requestSerialize: grpc.serialize<v1_service_pb.LoginPasswordlessRequest>;
+    requestDeserialize: grpc.deserialize<v1_service_pb.LoginPasswordlessRequest>;
+    responseSerialize: grpc.serialize<v1_service_pb.LoginPasswordlessResponse>;
+    responseDeserialize: grpc.deserialize<v1_service_pb.LoginPasswordlessResponse>;
+}
 interface ITerminalServiceService_ILogout extends grpc.MethodDefinition<v1_service_pb.LogoutRequest, v1_service_pb.EmptyResponse> {
     path: "/teleport.terminal.v1.TerminalService/Logout";
     requestStream: false;
@@ -230,6 +240,7 @@ export interface ITerminalServiceServer {
     getAuthSettings: grpc.handleUnaryCall<v1_service_pb.GetAuthSettingsRequest, v1_auth_settings_pb.AuthSettings>;
     getCluster: grpc.handleUnaryCall<v1_service_pb.GetClusterRequest, v1_cluster_pb.Cluster>;
     login: grpc.handleUnaryCall<v1_service_pb.LoginRequest, v1_service_pb.EmptyResponse>;
+    loginPasswordless: grpc.handleBidiStreamingCall<v1_service_pb.LoginPasswordlessRequest, v1_service_pb.LoginPasswordlessResponse>;
     logout: grpc.handleUnaryCall<v1_service_pb.LogoutRequest, v1_service_pb.EmptyResponse>;
 }
 
@@ -288,6 +299,9 @@ export interface ITerminalServiceClient {
     login(request: v1_service_pb.LoginRequest, callback: (error: grpc.ServiceError | null, response: v1_service_pb.EmptyResponse) => void): grpc.ClientUnaryCall;
     login(request: v1_service_pb.LoginRequest, metadata: grpc.Metadata, callback: (error: grpc.ServiceError | null, response: v1_service_pb.EmptyResponse) => void): grpc.ClientUnaryCall;
     login(request: v1_service_pb.LoginRequest, metadata: grpc.Metadata, options: Partial<grpc.CallOptions>, callback: (error: grpc.ServiceError | null, response: v1_service_pb.EmptyResponse) => void): grpc.ClientUnaryCall;
+    loginPasswordless(): grpc.ClientDuplexStream<v1_service_pb.LoginPasswordlessRequest, v1_service_pb.LoginPasswordlessResponse>;
+    loginPasswordless(options: Partial<grpc.CallOptions>): grpc.ClientDuplexStream<v1_service_pb.LoginPasswordlessRequest, v1_service_pb.LoginPasswordlessResponse>;
+    loginPasswordless(metadata: grpc.Metadata, options?: Partial<grpc.CallOptions>): grpc.ClientDuplexStream<v1_service_pb.LoginPasswordlessRequest, v1_service_pb.LoginPasswordlessResponse>;
     logout(request: v1_service_pb.LogoutRequest, callback: (error: grpc.ServiceError | null, response: v1_service_pb.EmptyResponse) => void): grpc.ClientUnaryCall;
     logout(request: v1_service_pb.LogoutRequest, metadata: grpc.Metadata, callback: (error: grpc.ServiceError | null, response: v1_service_pb.EmptyResponse) => void): grpc.ClientUnaryCall;
     logout(request: v1_service_pb.LogoutRequest, metadata: grpc.Metadata, options: Partial<grpc.CallOptions>, callback: (error: grpc.ServiceError | null, response: v1_service_pb.EmptyResponse) => void): grpc.ClientUnaryCall;
@@ -349,6 +363,8 @@ export class TerminalServiceClient extends grpc.Client implements ITerminalServi
     public login(request: v1_service_pb.LoginRequest, callback: (error: grpc.ServiceError | null, response: v1_service_pb.EmptyResponse) => void): grpc.ClientUnaryCall;
     public login(request: v1_service_pb.LoginRequest, metadata: grpc.Metadata, callback: (error: grpc.ServiceError | null, response: v1_service_pb.EmptyResponse) => void): grpc.ClientUnaryCall;
     public login(request: v1_service_pb.LoginRequest, metadata: grpc.Metadata, options: Partial<grpc.CallOptions>, callback: (error: grpc.ServiceError | null, response: v1_service_pb.EmptyResponse) => void): grpc.ClientUnaryCall;
+    public loginPasswordless(options?: Partial<grpc.CallOptions>): grpc.ClientDuplexStream<v1_service_pb.LoginPasswordlessRequest, v1_service_pb.LoginPasswordlessResponse>;
+    public loginPasswordless(metadata?: grpc.Metadata, options?: Partial<grpc.CallOptions>): grpc.ClientDuplexStream<v1_service_pb.LoginPasswordlessRequest, v1_service_pb.LoginPasswordlessResponse>;
     public logout(request: v1_service_pb.LogoutRequest, callback: (error: grpc.ServiceError | null, response: v1_service_pb.EmptyResponse) => void): grpc.ClientUnaryCall;
     public logout(request: v1_service_pb.LogoutRequest, metadata: grpc.Metadata, callback: (error: grpc.ServiceError | null, response: v1_service_pb.EmptyResponse) => void): grpc.ClientUnaryCall;
     public logout(request: v1_service_pb.LogoutRequest, metadata: grpc.Metadata, options: Partial<grpc.CallOptions>, callback: (error: grpc.ServiceError | null, response: v1_service_pb.EmptyResponse) => void): grpc.ClientUnaryCall;
diff --git a/web/packages/teleterm/src/services/tshd/v1/service_grpc_pb.js b/web/packages/teleterm/src/services/tshd/v1/service_grpc_pb.js
index 6761c84dcbe40..b2a0d8b2dced4 100644
--- a/web/packages/teleterm/src/services/tshd/v1/service_grpc_pb.js
+++ b/web/packages/teleterm/src/services/tshd/v1/service_grpc_pb.js
@@ -280,6 +280,28 @@ function deserialize_teleport_terminal_v1_ListServersResponse(buffer_arg) {
   return v1_service_pb.ListServersResponse.deserializeBinary(new Uint8Array(buffer_arg));
 }
 
+function serialize_teleport_terminal_v1_LoginPasswordlessRequest(arg) {
+  if (!(arg instanceof v1_service_pb.LoginPasswordlessRequest)) {
+    throw new Error('Expected argument of type teleport.terminal.v1.LoginPasswordlessRequest');
+  }
+  return Buffer.from(arg.serializeBinary());
+}
+
+function deserialize_teleport_terminal_v1_LoginPasswordlessRequest(buffer_arg) {
+  return v1_service_pb.LoginPasswordlessRequest.deserializeBinary(new Uint8Array(buffer_arg));
+}
+
+function serialize_teleport_terminal_v1_LoginPasswordlessResponse(arg) {
+  if (!(arg instanceof v1_service_pb.LoginPasswordlessResponse)) {
+    throw new Error('Expected argument of type teleport.terminal.v1.LoginPasswordlessResponse');
+  }
+  return Buffer.from(arg.serializeBinary());
+}
+
+function deserialize_teleport_terminal_v1_LoginPasswordlessResponse(buffer_arg) {
+  return v1_service_pb.LoginPasswordlessResponse.deserializeBinary(new Uint8Array(buffer_arg));
+}
+
 function serialize_teleport_terminal_v1_LoginRequest(arg) {
   if (!(arg instanceof v1_service_pb.LoginRequest)) {
     throw new Error('Expected argument of type teleport.terminal.v1.LoginRequest');
@@ -582,6 +604,33 @@ login: {
     responseSerialize: serialize_teleport_terminal_v1_EmptyResponse,
     responseDeserialize: deserialize_teleport_terminal_v1_EmptyResponse,
   },
+  // LoginPasswordless logs in a user to a cluster passwordlessly.
+//
+// The RPC is streaming both ways and the message sequence example for hardware keys are:
+// (-> means client-to-server, <- means server-to-client)
+//
+// Hardware keys:
+// -> Init
+// <- Send PasswordlessPrompt enum TAP to choose a device
+// -> Receive TAP device response
+// <- Send PasswordlessPrompt enum PIN
+// -> Receive PIN response
+// <- Send PasswordlessPrompt enum RETAP to confirm
+// -> Receive RETAP device response
+// <- Send list of credentials (e.g. usernames) associated with device
+// -> Receive the index number associated with the selected credential in list
+// <- End
+loginPasswordless: {
+    path: '/teleport.terminal.v1.TerminalService/LoginPasswordless',
+    requestStream: true,
+    responseStream: true,
+    requestType: v1_service_pb.LoginPasswordlessRequest,
+    responseType: v1_service_pb.LoginPasswordlessResponse,
+    requestSerialize: serialize_teleport_terminal_v1_LoginPasswordlessRequest,
+    requestDeserialize: deserialize_teleport_terminal_v1_LoginPasswordlessRequest,
+    responseSerialize: serialize_teleport_terminal_v1_LoginPasswordlessResponse,
+    responseDeserialize: deserialize_teleport_terminal_v1_LoginPasswordlessResponse,
+  },
   // ClusterLogin logs out a user from cluster
 logout: {
     path: '/teleport.terminal.v1.TerminalService/Logout',
diff --git a/web/packages/teleterm/src/services/tshd/v1/service_pb.d.ts b/web/packages/teleterm/src/services/tshd/v1/service_pb.d.ts
index 51762d2356451..2b5fa0c48f3df 100644
--- a/web/packages/teleterm/src/services/tshd/v1/service_pb.d.ts
+++ b/web/packages/teleterm/src/services/tshd/v1/service_pb.d.ts
@@ -77,6 +77,171 @@ export namespace LogoutRequest {
     }
 }
 
+export class CredentialInfo extends jspb.Message { 
+    getUsername(): string;
+    setUsername(value: string): CredentialInfo;
+
+
+    serializeBinary(): Uint8Array;
+    toObject(includeInstance?: boolean): CredentialInfo.AsObject;
+    static toObject(includeInstance: boolean, msg: CredentialInfo): CredentialInfo.AsObject;
+    static extensions: {[key: number]: jspb.ExtensionFieldInfo<jspb.Message>};
+    static extensionsBinary: {[key: number]: jspb.ExtensionFieldBinaryInfo<jspb.Message>};
+    static serializeBinaryToWriter(message: CredentialInfo, writer: jspb.BinaryWriter): void;
+    static deserializeBinary(bytes: Uint8Array): CredentialInfo;
+    static deserializeBinaryFromReader(message: CredentialInfo, reader: jspb.BinaryReader): CredentialInfo;
+}
+
+export namespace CredentialInfo {
+    export type AsObject = {
+        username: string,
+    }
+}
+
+export class LoginPasswordlessResponse extends jspb.Message { 
+    getPrompt(): PasswordlessPrompt;
+    setPrompt(value: PasswordlessPrompt): LoginPasswordlessResponse;
+
+    clearCredentialsList(): void;
+    getCredentialsList(): Array<CredentialInfo>;
+    setCredentialsList(value: Array<CredentialInfo>): LoginPasswordlessResponse;
+    addCredentials(value?: CredentialInfo, index?: number): CredentialInfo;
+
+
+    serializeBinary(): Uint8Array;
+    toObject(includeInstance?: boolean): LoginPasswordlessResponse.AsObject;
+    static toObject(includeInstance: boolean, msg: LoginPasswordlessResponse): LoginPasswordlessResponse.AsObject;
+    static extensions: {[key: number]: jspb.ExtensionFieldInfo<jspb.Message>};
+    static extensionsBinary: {[key: number]: jspb.ExtensionFieldBinaryInfo<jspb.Message>};
+    static serializeBinaryToWriter(message: LoginPasswordlessResponse, writer: jspb.BinaryWriter): void;
+    static deserializeBinary(bytes: Uint8Array): LoginPasswordlessResponse;
+    static deserializeBinaryFromReader(message: LoginPasswordlessResponse, reader: jspb.BinaryReader): LoginPasswordlessResponse;
+}
+
+export namespace LoginPasswordlessResponse {
+    export type AsObject = {
+        prompt: PasswordlessPrompt,
+        credentialsList: Array<CredentialInfo.AsObject>,
+    }
+}
+
+export class LoginPasswordlessRequest extends jspb.Message { 
+
+    hasInit(): boolean;
+    clearInit(): void;
+    getInit(): LoginPasswordlessRequest.LoginPasswordlessRequestInit | undefined;
+    setInit(value?: LoginPasswordlessRequest.LoginPasswordlessRequestInit): LoginPasswordlessRequest;
+
+
+    hasPin(): boolean;
+    clearPin(): void;
+    getPin(): LoginPasswordlessRequest.LoginPasswordlessPINResponse | undefined;
+    setPin(value?: LoginPasswordlessRequest.LoginPasswordlessPINResponse): LoginPasswordlessRequest;
+
+
+    hasCredential(): boolean;
+    clearCredential(): void;
+    getCredential(): LoginPasswordlessRequest.LoginPasswordlessCredentialResponse | undefined;
+    setCredential(value?: LoginPasswordlessRequest.LoginPasswordlessCredentialResponse): LoginPasswordlessRequest;
+
+
+    getRequestCase(): LoginPasswordlessRequest.RequestCase;
+
+    serializeBinary(): Uint8Array;
+    toObject(includeInstance?: boolean): LoginPasswordlessRequest.AsObject;
+    static toObject(includeInstance: boolean, msg: LoginPasswordlessRequest): LoginPasswordlessRequest.AsObject;
+    static extensions: {[key: number]: jspb.ExtensionFieldInfo<jspb.Message>};
+    static extensionsBinary: {[key: number]: jspb.ExtensionFieldBinaryInfo<jspb.Message>};
+    static serializeBinaryToWriter(message: LoginPasswordlessRequest, writer: jspb.BinaryWriter): void;
+    static deserializeBinary(bytes: Uint8Array): LoginPasswordlessRequest;
+    static deserializeBinaryFromReader(message: LoginPasswordlessRequest, reader: jspb.BinaryReader): LoginPasswordlessRequest;
+}
+
+export namespace LoginPasswordlessRequest {
+    export type AsObject = {
+        init?: LoginPasswordlessRequest.LoginPasswordlessRequestInit.AsObject,
+        pin?: LoginPasswordlessRequest.LoginPasswordlessPINResponse.AsObject,
+        credential?: LoginPasswordlessRequest.LoginPasswordlessCredentialResponse.AsObject,
+    }
+
+
+    export class LoginPasswordlessRequestInit extends jspb.Message { 
+        getClusterUri(): string;
+        setClusterUri(value: string): LoginPasswordlessRequestInit;
+
+
+        serializeBinary(): Uint8Array;
+        toObject(includeInstance?: boolean): LoginPasswordlessRequestInit.AsObject;
+        static toObject(includeInstance: boolean, msg: LoginPasswordlessRequestInit): LoginPasswordlessRequestInit.AsObject;
+        static extensions: {[key: number]: jspb.ExtensionFieldInfo<jspb.Message>};
+        static extensionsBinary: {[key: number]: jspb.ExtensionFieldBinaryInfo<jspb.Message>};
+        static serializeBinaryToWriter(message: LoginPasswordlessRequestInit, writer: jspb.BinaryWriter): void;
+        static deserializeBinary(bytes: Uint8Array): LoginPasswordlessRequestInit;
+        static deserializeBinaryFromReader(message: LoginPasswordlessRequestInit, reader: jspb.BinaryReader): LoginPasswordlessRequestInit;
+    }
+
+    export namespace LoginPasswordlessRequestInit {
+        export type AsObject = {
+            clusterUri: string,
+        }
+    }
+
+    export class LoginPasswordlessPINResponse extends jspb.Message { 
+        getPin(): string;
+        setPin(value: string): LoginPasswordlessPINResponse;
+
+
+        serializeBinary(): Uint8Array;
+        toObject(includeInstance?: boolean): LoginPasswordlessPINResponse.AsObject;
+        static toObject(includeInstance: boolean, msg: LoginPasswordlessPINResponse): LoginPasswordlessPINResponse.AsObject;
+        static extensions: {[key: number]: jspb.ExtensionFieldInfo<jspb.Message>};
+        static extensionsBinary: {[key: number]: jspb.ExtensionFieldBinaryInfo<jspb.Message>};
+        static serializeBinaryToWriter(message: LoginPasswordlessPINResponse, writer: jspb.BinaryWriter): void;
+        static deserializeBinary(bytes: Uint8Array): LoginPasswordlessPINResponse;
+        static deserializeBinaryFromReader(message: LoginPasswordlessPINResponse, reader: jspb.BinaryReader): LoginPasswordlessPINResponse;
+    }
+
+    export namespace LoginPasswordlessPINResponse {
+        export type AsObject = {
+            pin: string,
+        }
+    }
+
+    export class LoginPasswordlessCredentialResponse extends jspb.Message { 
+        getIndex(): number;
+        setIndex(value: number): LoginPasswordlessCredentialResponse;
+
+
+        serializeBinary(): Uint8Array;
+        toObject(includeInstance?: boolean): LoginPasswordlessCredentialResponse.AsObject;
+        static toObject(includeInstance: boolean, msg: LoginPasswordlessCredentialResponse): LoginPasswordlessCredentialResponse.AsObject;
+        static extensions: {[key: number]: jspb.ExtensionFieldInfo<jspb.Message>};
+        static extensionsBinary: {[key: number]: jspb.ExtensionFieldBinaryInfo<jspb.Message>};
+        static serializeBinaryToWriter(message: LoginPasswordlessCredentialResponse, writer: jspb.BinaryWriter): void;
+        static deserializeBinary(bytes: Uint8Array): LoginPasswordlessCredentialResponse;
+        static deserializeBinaryFromReader(message: LoginPasswordlessCredentialResponse, reader: jspb.BinaryReader): LoginPasswordlessCredentialResponse;
+    }
+
+    export namespace LoginPasswordlessCredentialResponse {
+        export type AsObject = {
+            index: number,
+        }
+    }
+
+
+    export enum RequestCase {
+        REQUEST_NOT_SET = 0,
+    
+    INIT = 1,
+
+    PIN = 2,
+
+    CREDENTIAL = 3,
+
+    }
+
+}
+
 export class LoginRequest extends jspb.Message { 
     getClusterUri(): string;
     setClusterUri(value: string): LoginRequest;
@@ -690,3 +855,10 @@ export namespace EmptyResponse {
     export type AsObject = {
     }
 }
+
+export enum PasswordlessPrompt {
+    PASSWORDLESS_PROMPT_UNSPECIFIED = 0,
+    PASSWORDLESS_PROMPT_PIN = 1,
+    PASSWORDLESS_PROMPT_TAP = 2,
+    PASSWORDLESS_PROMPT_CREDENTIAL = 3,
+}
diff --git a/web/packages/teleterm/src/services/tshd/v1/service_pb.js b/web/packages/teleterm/src/services/tshd/v1/service_pb.js
index b352f05915607..b0e6b8eadd073 100644
--- a/web/packages/teleterm/src/services/tshd/v1/service_pb.js
+++ b/web/packages/teleterm/src/services/tshd/v1/service_pb.js
@@ -30,6 +30,7 @@ var v1_auth_settings_pb = require('../v1/auth_settings_pb.js');
 goog.object.extend(proto, v1_auth_settings_pb);
 goog.exportSymbol('proto.teleport.terminal.v1.AddClusterRequest', null, global);
 goog.exportSymbol('proto.teleport.terminal.v1.CreateGatewayRequest', null, global);
+goog.exportSymbol('proto.teleport.terminal.v1.CredentialInfo', null, global);
 goog.exportSymbol('proto.teleport.terminal.v1.EmptyResponse', null, global);
 goog.exportSymbol('proto.teleport.terminal.v1.GetAuthSettingsRequest', null, global);
 goog.exportSymbol('proto.teleport.terminal.v1.GetClusterRequest', null, global);
@@ -48,11 +49,18 @@ goog.exportSymbol('proto.teleport.terminal.v1.ListKubesResponse', null, global);
 goog.exportSymbol('proto.teleport.terminal.v1.ListLeafClustersRequest', null, global);
 goog.exportSymbol('proto.teleport.terminal.v1.ListServersRequest', null, global);
 goog.exportSymbol('proto.teleport.terminal.v1.ListServersResponse', null, global);
+goog.exportSymbol('proto.teleport.terminal.v1.LoginPasswordlessRequest', null, global);
+goog.exportSymbol('proto.teleport.terminal.v1.LoginPasswordlessRequest.LoginPasswordlessCredentialResponse', null, global);
+goog.exportSymbol('proto.teleport.terminal.v1.LoginPasswordlessRequest.LoginPasswordlessPINResponse', null, global);
+goog.exportSymbol('proto.teleport.terminal.v1.LoginPasswordlessRequest.LoginPasswordlessRequestInit', null, global);
+goog.exportSymbol('proto.teleport.terminal.v1.LoginPasswordlessRequest.RequestCase', null, global);
+goog.exportSymbol('proto.teleport.terminal.v1.LoginPasswordlessResponse', null, global);
 goog.exportSymbol('proto.teleport.terminal.v1.LoginRequest', null, global);
 goog.exportSymbol('proto.teleport.terminal.v1.LoginRequest.LocalParams', null, global);
 goog.exportSymbol('proto.teleport.terminal.v1.LoginRequest.ParamsCase', null, global);
 goog.exportSymbol('proto.teleport.terminal.v1.LoginRequest.SsoParams', null, global);
 goog.exportSymbol('proto.teleport.terminal.v1.LogoutRequest', null, global);
+goog.exportSymbol('proto.teleport.terminal.v1.PasswordlessPrompt', null, global);
 goog.exportSymbol('proto.teleport.terminal.v1.RemoveClusterRequest', null, global);
 goog.exportSymbol('proto.teleport.terminal.v1.RemoveGatewayRequest', null, global);
 goog.exportSymbol('proto.teleport.terminal.v1.RestartGatewayRequest', null, global);
@@ -121,6 +129,132 @@ if (goog.DEBUG && !COMPILED) {
    */
   proto.teleport.terminal.v1.LogoutRequest.displayName = 'proto.teleport.terminal.v1.LogoutRequest';
 }
+/**
+ * Generated by JsPbCodeGenerator.
+ * @param {Array=} opt_data Optional initial data array, typically from a
+ * server response, or constructed directly in Javascript. The array is used
+ * in place and becomes part of the constructed object. It is not cloned.
+ * If no data is provided, the constructed object will be empty, but still
+ * valid.
+ * @extends {jspb.Message}
+ * @constructor
+ */
+proto.teleport.terminal.v1.CredentialInfo = function(opt_data) {
+  jspb.Message.initialize(this, opt_data, 0, -1, null, null);
+};
+goog.inherits(proto.teleport.terminal.v1.CredentialInfo, jspb.Message);
+if (goog.DEBUG && !COMPILED) {
+  /**
+   * @public
+   * @override
+   */
+  proto.teleport.terminal.v1.CredentialInfo.displayName = 'proto.teleport.terminal.v1.CredentialInfo';
+}
+/**
+ * Generated by JsPbCodeGenerator.
+ * @param {Array=} opt_data Optional initial data array, typically from a
+ * server response, or constructed directly in Javascript. The array is used
+ * in place and becomes part of the constructed object. It is not cloned.
+ * If no data is provided, the constructed object will be empty, but still
+ * valid.
+ * @extends {jspb.Message}
+ * @constructor
+ */
+proto.teleport.terminal.v1.LoginPasswordlessResponse = function(opt_data) {
+  jspb.Message.initialize(this, opt_data, 0, -1, proto.teleport.terminal.v1.LoginPasswordlessResponse.repeatedFields_, null);
+};
+goog.inherits(proto.teleport.terminal.v1.LoginPasswordlessResponse, jspb.Message);
+if (goog.DEBUG && !COMPILED) {
+  /**
+   * @public
+   * @override
+   */
+  proto.teleport.terminal.v1.LoginPasswordlessResponse.displayName = 'proto.teleport.terminal.v1.LoginPasswordlessResponse';
+}
+/**
+ * Generated by JsPbCodeGenerator.
+ * @param {Array=} opt_data Optional initial data array, typically from a
+ * server response, or constructed directly in Javascript. The array is used
+ * in place and becomes part of the constructed object. It is not cloned.
+ * If no data is provided, the constructed object will be empty, but still
+ * valid.
+ * @extends {jspb.Message}
+ * @constructor
+ */
+proto.teleport.terminal.v1.LoginPasswordlessRequest = function(opt_data) {
+  jspb.Message.initialize(this, opt_data, 0, -1, null, proto.teleport.terminal.v1.LoginPasswordlessRequest.oneofGroups_);
+};
+goog.inherits(proto.teleport.terminal.v1.LoginPasswordlessRequest, jspb.Message);
+if (goog.DEBUG && !COMPILED) {
+  /**
+   * @public
+   * @override
+   */
+  proto.teleport.terminal.v1.LoginPasswordlessRequest.displayName = 'proto.teleport.terminal.v1.LoginPasswordlessRequest';
+}
+/**
+ * Generated by JsPbCodeGenerator.
+ * @param {Array=} opt_data Optional initial data array, typically from a
+ * server response, or constructed directly in Javascript. The array is used
+ * in place and becomes part of the constructed object. It is not cloned.
+ * If no data is provided, the constructed object will be empty, but still
+ * valid.
+ * @extends {jspb.Message}
+ * @constructor
+ */
+proto.teleport.terminal.v1.LoginPasswordlessRequest.LoginPasswordlessRequestInit = function(opt_data) {
+  jspb.Message.initialize(this, opt_data, 0, -1, null, null);
+};
+goog.inherits(proto.teleport.terminal.v1.LoginPasswordlessRequest.LoginPasswordlessRequestInit, jspb.Message);
+if (goog.DEBUG && !COMPILED) {
+  /**
+   * @public
+   * @override
+   */
+  proto.teleport.terminal.v1.LoginPasswordlessRequest.LoginPasswordlessRequestInit.displayName = 'proto.teleport.terminal.v1.LoginPasswordlessRequest.LoginPasswordlessRequestInit';
+}
+/**
+ * Generated by JsPbCodeGenerator.
+ * @param {Array=} opt_data Optional initial data array, typically from a
+ * server response, or constructed directly in Javascript. The array is used
+ * in place and becomes part of the constructed object. It is not cloned.
+ * If no data is provided, the constructed object will be empty, but still
+ * valid.
+ * @extends {jspb.Message}
+ * @constructor
+ */
+proto.teleport.terminal.v1.LoginPasswordlessRequest.LoginPasswordlessPINResponse = function(opt_data) {
+  jspb.Message.initialize(this, opt_data, 0, -1, null, null);
+};
+goog.inherits(proto.teleport.terminal.v1.LoginPasswordlessRequest.LoginPasswordlessPINResponse, jspb.Message);
+if (goog.DEBUG && !COMPILED) {
+  /**
+   * @public
+   * @override
+   */
+  proto.teleport.terminal.v1.LoginPasswordlessRequest.LoginPasswordlessPINResponse.displayName = 'proto.teleport.terminal.v1.LoginPasswordlessRequest.LoginPasswordlessPINResponse';
+}
+/**
+ * Generated by JsPbCodeGenerator.
+ * @param {Array=} opt_data Optional initial data array, typically from a
+ * server response, or constructed directly in Javascript. The array is used
+ * in place and becomes part of the constructed object. It is not cloned.
+ * If no data is provided, the constructed object will be empty, but still
+ * valid.
+ * @extends {jspb.Message}
+ * @constructor
+ */
+proto.teleport.terminal.v1.LoginPasswordlessRequest.LoginPasswordlessCredentialResponse = function(opt_data) {
+  jspb.Message.initialize(this, opt_data, 0, -1, null, null);
+};
+goog.inherits(proto.teleport.terminal.v1.LoginPasswordlessRequest.LoginPasswordlessCredentialResponse, jspb.Message);
+if (goog.DEBUG && !COMPILED) {
+  /**
+   * @public
+   * @override
+   */
+  proto.teleport.terminal.v1.LoginPasswordlessRequest.LoginPasswordlessCredentialResponse.displayName = 'proto.teleport.terminal.v1.LoginPasswordlessRequest.LoginPasswordlessCredentialResponse';
+}
 /**
  * Generated by JsPbCodeGenerator.
  * @param {Array=} opt_data Optional initial data array, typically from a
@@ -605,68 +739,947 @@ if (goog.DEBUG && !COMPILED) {
   proto.teleport.terminal.v1.ListKubesResponse.displayName = 'proto.teleport.terminal.v1.ListKubesResponse';
 }
 /**
- * Generated by JsPbCodeGenerator.
- * @param {Array=} opt_data Optional initial data array, typically from a
- * server response, or constructed directly in Javascript. The array is used
- * in place and becomes part of the constructed object. It is not cloned.
- * If no data is provided, the constructed object will be empty, but still
- * valid.
- * @extends {jspb.Message}
- * @constructor
+ * Generated by JsPbCodeGenerator.
+ * @param {Array=} opt_data Optional initial data array, typically from a
+ * server response, or constructed directly in Javascript. The array is used
+ * in place and becomes part of the constructed object. It is not cloned.
+ * If no data is provided, the constructed object will be empty, but still
+ * valid.
+ * @extends {jspb.Message}
+ * @constructor
+ */
+proto.teleport.terminal.v1.ListAppsResponse = function(opt_data) {
+  jspb.Message.initialize(this, opt_data, 0, -1, proto.teleport.terminal.v1.ListAppsResponse.repeatedFields_, null);
+};
+goog.inherits(proto.teleport.terminal.v1.ListAppsResponse, jspb.Message);
+if (goog.DEBUG && !COMPILED) {
+  /**
+   * @public
+   * @override
+   */
+  proto.teleport.terminal.v1.ListAppsResponse.displayName = 'proto.teleport.terminal.v1.ListAppsResponse';
+}
+/**
+ * Generated by JsPbCodeGenerator.
+ * @param {Array=} opt_data Optional initial data array, typically from a
+ * server response, or constructed directly in Javascript. The array is used
+ * in place and becomes part of the constructed object. It is not cloned.
+ * If no data is provided, the constructed object will be empty, but still
+ * valid.
+ * @extends {jspb.Message}
+ * @constructor
+ */
+proto.teleport.terminal.v1.GetAuthSettingsRequest = function(opt_data) {
+  jspb.Message.initialize(this, opt_data, 0, -1, null, null);
+};
+goog.inherits(proto.teleport.terminal.v1.GetAuthSettingsRequest, jspb.Message);
+if (goog.DEBUG && !COMPILED) {
+  /**
+   * @public
+   * @override
+   */
+  proto.teleport.terminal.v1.GetAuthSettingsRequest.displayName = 'proto.teleport.terminal.v1.GetAuthSettingsRequest';
+}
+/**
+ * Generated by JsPbCodeGenerator.
+ * @param {Array=} opt_data Optional initial data array, typically from a
+ * server response, or constructed directly in Javascript. The array is used
+ * in place and becomes part of the constructed object. It is not cloned.
+ * If no data is provided, the constructed object will be empty, but still
+ * valid.
+ * @extends {jspb.Message}
+ * @constructor
+ */
+proto.teleport.terminal.v1.EmptyResponse = function(opt_data) {
+  jspb.Message.initialize(this, opt_data, 0, -1, null, null);
+};
+goog.inherits(proto.teleport.terminal.v1.EmptyResponse, jspb.Message);
+if (goog.DEBUG && !COMPILED) {
+  /**
+   * @public
+   * @override
+   */
+  proto.teleport.terminal.v1.EmptyResponse.displayName = 'proto.teleport.terminal.v1.EmptyResponse';
+}
+
+
+
+if (jspb.Message.GENERATE_TO_OBJECT) {
+/**
+ * Creates an object representation of this proto.
+ * Field names that are reserved in JavaScript and will be renamed to pb_name.
+ * Optional fields that are not set will be set to undefined.
+ * To access a reserved field use, foo.pb_<name>, eg, foo.pb_default.
+ * For the list of reserved names please see:
+ *     net/proto2/compiler/js/internal/generator.cc#kKeyword.
+ * @param {boolean=} opt_includeInstance Deprecated. whether to include the
+ *     JSPB instance for transitional soy proto support:
+ *     http://goto/soy-param-migration
+ * @return {!Object}
+ */
+proto.teleport.terminal.v1.RemoveClusterRequest.prototype.toObject = function(opt_includeInstance) {
+  return proto.teleport.terminal.v1.RemoveClusterRequest.toObject(opt_includeInstance, this);
+};
+
+
+/**
+ * Static version of the {@see toObject} method.
+ * @param {boolean|undefined} includeInstance Deprecated. Whether to include
+ *     the JSPB instance for transitional soy proto support:
+ *     http://goto/soy-param-migration
+ * @param {!proto.teleport.terminal.v1.RemoveClusterRequest} msg The msg instance to transform.
+ * @return {!Object}
+ * @suppress {unusedLocalVariables} f is only used for nested messages
+ */
+proto.teleport.terminal.v1.RemoveClusterRequest.toObject = function(includeInstance, msg) {
+  var f, obj = {
+    clusterUri: jspb.Message.getFieldWithDefault(msg, 1, "")
+  };
+
+  if (includeInstance) {
+    obj.$jspbMessageInstance = msg;
+  }
+  return obj;
+};
+}
+
+
+/**
+ * Deserializes binary data (in protobuf wire format).
+ * @param {jspb.ByteSource} bytes The bytes to deserialize.
+ * @return {!proto.teleport.terminal.v1.RemoveClusterRequest}
+ */
+proto.teleport.terminal.v1.RemoveClusterRequest.deserializeBinary = function(bytes) {
+  var reader = new jspb.BinaryReader(bytes);
+  var msg = new proto.teleport.terminal.v1.RemoveClusterRequest;
+  return proto.teleport.terminal.v1.RemoveClusterRequest.deserializeBinaryFromReader(msg, reader);
+};
+
+
+/**
+ * Deserializes binary data (in protobuf wire format) from the
+ * given reader into the given message object.
+ * @param {!proto.teleport.terminal.v1.RemoveClusterRequest} msg The message object to deserialize into.
+ * @param {!jspb.BinaryReader} reader The BinaryReader to use.
+ * @return {!proto.teleport.terminal.v1.RemoveClusterRequest}
+ */
+proto.teleport.terminal.v1.RemoveClusterRequest.deserializeBinaryFromReader = function(msg, reader) {
+  while (reader.nextField()) {
+    if (reader.isEndGroup()) {
+      break;
+    }
+    var field = reader.getFieldNumber();
+    switch (field) {
+    case 1:
+      var value = /** @type {string} */ (reader.readString());
+      msg.setClusterUri(value);
+      break;
+    default:
+      reader.skipField();
+      break;
+    }
+  }
+  return msg;
+};
+
+
+/**
+ * Serializes the message to binary data (in protobuf wire format).
+ * @return {!Uint8Array}
+ */
+proto.teleport.terminal.v1.RemoveClusterRequest.prototype.serializeBinary = function() {
+  var writer = new jspb.BinaryWriter();
+  proto.teleport.terminal.v1.RemoveClusterRequest.serializeBinaryToWriter(this, writer);
+  return writer.getResultBuffer();
+};
+
+
+/**
+ * Serializes the given message to binary data (in protobuf wire
+ * format), writing to the given BinaryWriter.
+ * @param {!proto.teleport.terminal.v1.RemoveClusterRequest} message
+ * @param {!jspb.BinaryWriter} writer
+ * @suppress {unusedLocalVariables} f is only used for nested messages
+ */
+proto.teleport.terminal.v1.RemoveClusterRequest.serializeBinaryToWriter = function(message, writer) {
+  var f = undefined;
+  f = message.getClusterUri();
+  if (f.length > 0) {
+    writer.writeString(
+      1,
+      f
+    );
+  }
+};
+
+
+/**
+ * optional string cluster_uri = 1;
+ * @return {string}
+ */
+proto.teleport.terminal.v1.RemoveClusterRequest.prototype.getClusterUri = function() {
+  return /** @type {string} */ (jspb.Message.getFieldWithDefault(this, 1, ""));
+};
+
+
+/**
+ * @param {string} value
+ * @return {!proto.teleport.terminal.v1.RemoveClusterRequest} returns this
+ */
+proto.teleport.terminal.v1.RemoveClusterRequest.prototype.setClusterUri = function(value) {
+  return jspb.Message.setProto3StringField(this, 1, value);
+};
+
+
+
+
+
+if (jspb.Message.GENERATE_TO_OBJECT) {
+/**
+ * Creates an object representation of this proto.
+ * Field names that are reserved in JavaScript and will be renamed to pb_name.
+ * Optional fields that are not set will be set to undefined.
+ * To access a reserved field use, foo.pb_<name>, eg, foo.pb_default.
+ * For the list of reserved names please see:
+ *     net/proto2/compiler/js/internal/generator.cc#kKeyword.
+ * @param {boolean=} opt_includeInstance Deprecated. whether to include the
+ *     JSPB instance for transitional soy proto support:
+ *     http://goto/soy-param-migration
+ * @return {!Object}
+ */
+proto.teleport.terminal.v1.GetClusterRequest.prototype.toObject = function(opt_includeInstance) {
+  return proto.teleport.terminal.v1.GetClusterRequest.toObject(opt_includeInstance, this);
+};
+
+
+/**
+ * Static version of the {@see toObject} method.
+ * @param {boolean|undefined} includeInstance Deprecated. Whether to include
+ *     the JSPB instance for transitional soy proto support:
+ *     http://goto/soy-param-migration
+ * @param {!proto.teleport.terminal.v1.GetClusterRequest} msg The msg instance to transform.
+ * @return {!Object}
+ * @suppress {unusedLocalVariables} f is only used for nested messages
+ */
+proto.teleport.terminal.v1.GetClusterRequest.toObject = function(includeInstance, msg) {
+  var f, obj = {
+    clusterUri: jspb.Message.getFieldWithDefault(msg, 1, "")
+  };
+
+  if (includeInstance) {
+    obj.$jspbMessageInstance = msg;
+  }
+  return obj;
+};
+}
+
+
+/**
+ * Deserializes binary data (in protobuf wire format).
+ * @param {jspb.ByteSource} bytes The bytes to deserialize.
+ * @return {!proto.teleport.terminal.v1.GetClusterRequest}
+ */
+proto.teleport.terminal.v1.GetClusterRequest.deserializeBinary = function(bytes) {
+  var reader = new jspb.BinaryReader(bytes);
+  var msg = new proto.teleport.terminal.v1.GetClusterRequest;
+  return proto.teleport.terminal.v1.GetClusterRequest.deserializeBinaryFromReader(msg, reader);
+};
+
+
+/**
+ * Deserializes binary data (in protobuf wire format) from the
+ * given reader into the given message object.
+ * @param {!proto.teleport.terminal.v1.GetClusterRequest} msg The message object to deserialize into.
+ * @param {!jspb.BinaryReader} reader The BinaryReader to use.
+ * @return {!proto.teleport.terminal.v1.GetClusterRequest}
+ */
+proto.teleport.terminal.v1.GetClusterRequest.deserializeBinaryFromReader = function(msg, reader) {
+  while (reader.nextField()) {
+    if (reader.isEndGroup()) {
+      break;
+    }
+    var field = reader.getFieldNumber();
+    switch (field) {
+    case 1:
+      var value = /** @type {string} */ (reader.readString());
+      msg.setClusterUri(value);
+      break;
+    default:
+      reader.skipField();
+      break;
+    }
+  }
+  return msg;
+};
+
+
+/**
+ * Serializes the message to binary data (in protobuf wire format).
+ * @return {!Uint8Array}
+ */
+proto.teleport.terminal.v1.GetClusterRequest.prototype.serializeBinary = function() {
+  var writer = new jspb.BinaryWriter();
+  proto.teleport.terminal.v1.GetClusterRequest.serializeBinaryToWriter(this, writer);
+  return writer.getResultBuffer();
+};
+
+
+/**
+ * Serializes the given message to binary data (in protobuf wire
+ * format), writing to the given BinaryWriter.
+ * @param {!proto.teleport.terminal.v1.GetClusterRequest} message
+ * @param {!jspb.BinaryWriter} writer
+ * @suppress {unusedLocalVariables} f is only used for nested messages
+ */
+proto.teleport.terminal.v1.GetClusterRequest.serializeBinaryToWriter = function(message, writer) {
+  var f = undefined;
+  f = message.getClusterUri();
+  if (f.length > 0) {
+    writer.writeString(
+      1,
+      f
+    );
+  }
+};
+
+
+/**
+ * optional string cluster_uri = 1;
+ * @return {string}
+ */
+proto.teleport.terminal.v1.GetClusterRequest.prototype.getClusterUri = function() {
+  return /** @type {string} */ (jspb.Message.getFieldWithDefault(this, 1, ""));
+};
+
+
+/**
+ * @param {string} value
+ * @return {!proto.teleport.terminal.v1.GetClusterRequest} returns this
+ */
+proto.teleport.terminal.v1.GetClusterRequest.prototype.setClusterUri = function(value) {
+  return jspb.Message.setProto3StringField(this, 1, value);
+};
+
+
+
+
+
+if (jspb.Message.GENERATE_TO_OBJECT) {
+/**
+ * Creates an object representation of this proto.
+ * Field names that are reserved in JavaScript and will be renamed to pb_name.
+ * Optional fields that are not set will be set to undefined.
+ * To access a reserved field use, foo.pb_<name>, eg, foo.pb_default.
+ * For the list of reserved names please see:
+ *     net/proto2/compiler/js/internal/generator.cc#kKeyword.
+ * @param {boolean=} opt_includeInstance Deprecated. whether to include the
+ *     JSPB instance for transitional soy proto support:
+ *     http://goto/soy-param-migration
+ * @return {!Object}
+ */
+proto.teleport.terminal.v1.LogoutRequest.prototype.toObject = function(opt_includeInstance) {
+  return proto.teleport.terminal.v1.LogoutRequest.toObject(opt_includeInstance, this);
+};
+
+
+/**
+ * Static version of the {@see toObject} method.
+ * @param {boolean|undefined} includeInstance Deprecated. Whether to include
+ *     the JSPB instance for transitional soy proto support:
+ *     http://goto/soy-param-migration
+ * @param {!proto.teleport.terminal.v1.LogoutRequest} msg The msg instance to transform.
+ * @return {!Object}
+ * @suppress {unusedLocalVariables} f is only used for nested messages
+ */
+proto.teleport.terminal.v1.LogoutRequest.toObject = function(includeInstance, msg) {
+  var f, obj = {
+    clusterUri: jspb.Message.getFieldWithDefault(msg, 1, "")
+  };
+
+  if (includeInstance) {
+    obj.$jspbMessageInstance = msg;
+  }
+  return obj;
+};
+}
+
+
+/**
+ * Deserializes binary data (in protobuf wire format).
+ * @param {jspb.ByteSource} bytes The bytes to deserialize.
+ * @return {!proto.teleport.terminal.v1.LogoutRequest}
+ */
+proto.teleport.terminal.v1.LogoutRequest.deserializeBinary = function(bytes) {
+  var reader = new jspb.BinaryReader(bytes);
+  var msg = new proto.teleport.terminal.v1.LogoutRequest;
+  return proto.teleport.terminal.v1.LogoutRequest.deserializeBinaryFromReader(msg, reader);
+};
+
+
+/**
+ * Deserializes binary data (in protobuf wire format) from the
+ * given reader into the given message object.
+ * @param {!proto.teleport.terminal.v1.LogoutRequest} msg The message object to deserialize into.
+ * @param {!jspb.BinaryReader} reader The BinaryReader to use.
+ * @return {!proto.teleport.terminal.v1.LogoutRequest}
+ */
+proto.teleport.terminal.v1.LogoutRequest.deserializeBinaryFromReader = function(msg, reader) {
+  while (reader.nextField()) {
+    if (reader.isEndGroup()) {
+      break;
+    }
+    var field = reader.getFieldNumber();
+    switch (field) {
+    case 1:
+      var value = /** @type {string} */ (reader.readString());
+      msg.setClusterUri(value);
+      break;
+    default:
+      reader.skipField();
+      break;
+    }
+  }
+  return msg;
+};
+
+
+/**
+ * Serializes the message to binary data (in protobuf wire format).
+ * @return {!Uint8Array}
+ */
+proto.teleport.terminal.v1.LogoutRequest.prototype.serializeBinary = function() {
+  var writer = new jspb.BinaryWriter();
+  proto.teleport.terminal.v1.LogoutRequest.serializeBinaryToWriter(this, writer);
+  return writer.getResultBuffer();
+};
+
+
+/**
+ * Serializes the given message to binary data (in protobuf wire
+ * format), writing to the given BinaryWriter.
+ * @param {!proto.teleport.terminal.v1.LogoutRequest} message
+ * @param {!jspb.BinaryWriter} writer
+ * @suppress {unusedLocalVariables} f is only used for nested messages
+ */
+proto.teleport.terminal.v1.LogoutRequest.serializeBinaryToWriter = function(message, writer) {
+  var f = undefined;
+  f = message.getClusterUri();
+  if (f.length > 0) {
+    writer.writeString(
+      1,
+      f
+    );
+  }
+};
+
+
+/**
+ * optional string cluster_uri = 1;
+ * @return {string}
+ */
+proto.teleport.terminal.v1.LogoutRequest.prototype.getClusterUri = function() {
+  return /** @type {string} */ (jspb.Message.getFieldWithDefault(this, 1, ""));
+};
+
+
+/**
+ * @param {string} value
+ * @return {!proto.teleport.terminal.v1.LogoutRequest} returns this
+ */
+proto.teleport.terminal.v1.LogoutRequest.prototype.setClusterUri = function(value) {
+  return jspb.Message.setProto3StringField(this, 1, value);
+};
+
+
+
+
+
+if (jspb.Message.GENERATE_TO_OBJECT) {
+/**
+ * Creates an object representation of this proto.
+ * Field names that are reserved in JavaScript and will be renamed to pb_name.
+ * Optional fields that are not set will be set to undefined.
+ * To access a reserved field use, foo.pb_<name>, eg, foo.pb_default.
+ * For the list of reserved names please see:
+ *     net/proto2/compiler/js/internal/generator.cc#kKeyword.
+ * @param {boolean=} opt_includeInstance Deprecated. whether to include the
+ *     JSPB instance for transitional soy proto support:
+ *     http://goto/soy-param-migration
+ * @return {!Object}
+ */
+proto.teleport.terminal.v1.CredentialInfo.prototype.toObject = function(opt_includeInstance) {
+  return proto.teleport.terminal.v1.CredentialInfo.toObject(opt_includeInstance, this);
+};
+
+
+/**
+ * Static version of the {@see toObject} method.
+ * @param {boolean|undefined} includeInstance Deprecated. Whether to include
+ *     the JSPB instance for transitional soy proto support:
+ *     http://goto/soy-param-migration
+ * @param {!proto.teleport.terminal.v1.CredentialInfo} msg The msg instance to transform.
+ * @return {!Object}
+ * @suppress {unusedLocalVariables} f is only used for nested messages
+ */
+proto.teleport.terminal.v1.CredentialInfo.toObject = function(includeInstance, msg) {
+  var f, obj = {
+    username: jspb.Message.getFieldWithDefault(msg, 1, "")
+  };
+
+  if (includeInstance) {
+    obj.$jspbMessageInstance = msg;
+  }
+  return obj;
+};
+}
+
+
+/**
+ * Deserializes binary data (in protobuf wire format).
+ * @param {jspb.ByteSource} bytes The bytes to deserialize.
+ * @return {!proto.teleport.terminal.v1.CredentialInfo}
+ */
+proto.teleport.terminal.v1.CredentialInfo.deserializeBinary = function(bytes) {
+  var reader = new jspb.BinaryReader(bytes);
+  var msg = new proto.teleport.terminal.v1.CredentialInfo;
+  return proto.teleport.terminal.v1.CredentialInfo.deserializeBinaryFromReader(msg, reader);
+};
+
+
+/**
+ * Deserializes binary data (in protobuf wire format) from the
+ * given reader into the given message object.
+ * @param {!proto.teleport.terminal.v1.CredentialInfo} msg The message object to deserialize into.
+ * @param {!jspb.BinaryReader} reader The BinaryReader to use.
+ * @return {!proto.teleport.terminal.v1.CredentialInfo}
+ */
+proto.teleport.terminal.v1.CredentialInfo.deserializeBinaryFromReader = function(msg, reader) {
+  while (reader.nextField()) {
+    if (reader.isEndGroup()) {
+      break;
+    }
+    var field = reader.getFieldNumber();
+    switch (field) {
+    case 1:
+      var value = /** @type {string} */ (reader.readString());
+      msg.setUsername(value);
+      break;
+    default:
+      reader.skipField();
+      break;
+    }
+  }
+  return msg;
+};
+
+
+/**
+ * Serializes the message to binary data (in protobuf wire format).
+ * @return {!Uint8Array}
+ */
+proto.teleport.terminal.v1.CredentialInfo.prototype.serializeBinary = function() {
+  var writer = new jspb.BinaryWriter();
+  proto.teleport.terminal.v1.CredentialInfo.serializeBinaryToWriter(this, writer);
+  return writer.getResultBuffer();
+};
+
+
+/**
+ * Serializes the given message to binary data (in protobuf wire
+ * format), writing to the given BinaryWriter.
+ * @param {!proto.teleport.terminal.v1.CredentialInfo} message
+ * @param {!jspb.BinaryWriter} writer
+ * @suppress {unusedLocalVariables} f is only used for nested messages
+ */
+proto.teleport.terminal.v1.CredentialInfo.serializeBinaryToWriter = function(message, writer) {
+  var f = undefined;
+  f = message.getUsername();
+  if (f.length > 0) {
+    writer.writeString(
+      1,
+      f
+    );
+  }
+};
+
+
+/**
+ * optional string Username = 1;
+ * @return {string}
+ */
+proto.teleport.terminal.v1.CredentialInfo.prototype.getUsername = function() {
+  return /** @type {string} */ (jspb.Message.getFieldWithDefault(this, 1, ""));
+};
+
+
+/**
+ * @param {string} value
+ * @return {!proto.teleport.terminal.v1.CredentialInfo} returns this
+ */
+proto.teleport.terminal.v1.CredentialInfo.prototype.setUsername = function(value) {
+  return jspb.Message.setProto3StringField(this, 1, value);
+};
+
+
+
+/**
+ * List of repeated fields within this message type.
+ * @private {!Array<number>}
+ * @const
+ */
+proto.teleport.terminal.v1.LoginPasswordlessResponse.repeatedFields_ = [2];
+
+
+
+if (jspb.Message.GENERATE_TO_OBJECT) {
+/**
+ * Creates an object representation of this proto.
+ * Field names that are reserved in JavaScript and will be renamed to pb_name.
+ * Optional fields that are not set will be set to undefined.
+ * To access a reserved field use, foo.pb_<name>, eg, foo.pb_default.
+ * For the list of reserved names please see:
+ *     net/proto2/compiler/js/internal/generator.cc#kKeyword.
+ * @param {boolean=} opt_includeInstance Deprecated. whether to include the
+ *     JSPB instance for transitional soy proto support:
+ *     http://goto/soy-param-migration
+ * @return {!Object}
+ */
+proto.teleport.terminal.v1.LoginPasswordlessResponse.prototype.toObject = function(opt_includeInstance) {
+  return proto.teleport.terminal.v1.LoginPasswordlessResponse.toObject(opt_includeInstance, this);
+};
+
+
+/**
+ * Static version of the {@see toObject} method.
+ * @param {boolean|undefined} includeInstance Deprecated. Whether to include
+ *     the JSPB instance for transitional soy proto support:
+ *     http://goto/soy-param-migration
+ * @param {!proto.teleport.terminal.v1.LoginPasswordlessResponse} msg The msg instance to transform.
+ * @return {!Object}
+ * @suppress {unusedLocalVariables} f is only used for nested messages
+ */
+proto.teleport.terminal.v1.LoginPasswordlessResponse.toObject = function(includeInstance, msg) {
+  var f, obj = {
+    prompt: jspb.Message.getFieldWithDefault(msg, 1, 0),
+    credentialsList: jspb.Message.toObjectList(msg.getCredentialsList(),
+    proto.teleport.terminal.v1.CredentialInfo.toObject, includeInstance)
+  };
+
+  if (includeInstance) {
+    obj.$jspbMessageInstance = msg;
+  }
+  return obj;
+};
+}
+
+
+/**
+ * Deserializes binary data (in protobuf wire format).
+ * @param {jspb.ByteSource} bytes The bytes to deserialize.
+ * @return {!proto.teleport.terminal.v1.LoginPasswordlessResponse}
+ */
+proto.teleport.terminal.v1.LoginPasswordlessResponse.deserializeBinary = function(bytes) {
+  var reader = new jspb.BinaryReader(bytes);
+  var msg = new proto.teleport.terminal.v1.LoginPasswordlessResponse;
+  return proto.teleport.terminal.v1.LoginPasswordlessResponse.deserializeBinaryFromReader(msg, reader);
+};
+
+
+/**
+ * Deserializes binary data (in protobuf wire format) from the
+ * given reader into the given message object.
+ * @param {!proto.teleport.terminal.v1.LoginPasswordlessResponse} msg The message object to deserialize into.
+ * @param {!jspb.BinaryReader} reader The BinaryReader to use.
+ * @return {!proto.teleport.terminal.v1.LoginPasswordlessResponse}
+ */
+proto.teleport.terminal.v1.LoginPasswordlessResponse.deserializeBinaryFromReader = function(msg, reader) {
+  while (reader.nextField()) {
+    if (reader.isEndGroup()) {
+      break;
+    }
+    var field = reader.getFieldNumber();
+    switch (field) {
+    case 1:
+      var value = /** @type {!proto.teleport.terminal.v1.PasswordlessPrompt} */ (reader.readEnum());
+      msg.setPrompt(value);
+      break;
+    case 2:
+      var value = new proto.teleport.terminal.v1.CredentialInfo;
+      reader.readMessage(value,proto.teleport.terminal.v1.CredentialInfo.deserializeBinaryFromReader);
+      msg.addCredentials(value);
+      break;
+    default:
+      reader.skipField();
+      break;
+    }
+  }
+  return msg;
+};
+
+
+/**
+ * Serializes the message to binary data (in protobuf wire format).
+ * @return {!Uint8Array}
+ */
+proto.teleport.terminal.v1.LoginPasswordlessResponse.prototype.serializeBinary = function() {
+  var writer = new jspb.BinaryWriter();
+  proto.teleport.terminal.v1.LoginPasswordlessResponse.serializeBinaryToWriter(this, writer);
+  return writer.getResultBuffer();
+};
+
+
+/**
+ * Serializes the given message to binary data (in protobuf wire
+ * format), writing to the given BinaryWriter.
+ * @param {!proto.teleport.terminal.v1.LoginPasswordlessResponse} message
+ * @param {!jspb.BinaryWriter} writer
+ * @suppress {unusedLocalVariables} f is only used for nested messages
+ */
+proto.teleport.terminal.v1.LoginPasswordlessResponse.serializeBinaryToWriter = function(message, writer) {
+  var f = undefined;
+  f = message.getPrompt();
+  if (f !== 0.0) {
+    writer.writeEnum(
+      1,
+      f
+    );
+  }
+  f = message.getCredentialsList();
+  if (f.length > 0) {
+    writer.writeRepeatedMessage(
+      2,
+      f,
+      proto.teleport.terminal.v1.CredentialInfo.serializeBinaryToWriter
+    );
+  }
+};
+
+
+/**
+ * optional PasswordlessPrompt prompt = 1;
+ * @return {!proto.teleport.terminal.v1.PasswordlessPrompt}
+ */
+proto.teleport.terminal.v1.LoginPasswordlessResponse.prototype.getPrompt = function() {
+  return /** @type {!proto.teleport.terminal.v1.PasswordlessPrompt} */ (jspb.Message.getFieldWithDefault(this, 1, 0));
+};
+
+
+/**
+ * @param {!proto.teleport.terminal.v1.PasswordlessPrompt} value
+ * @return {!proto.teleport.terminal.v1.LoginPasswordlessResponse} returns this
+ */
+proto.teleport.terminal.v1.LoginPasswordlessResponse.prototype.setPrompt = function(value) {
+  return jspb.Message.setProto3EnumField(this, 1, value);
+};
+
+
+/**
+ * repeated CredentialInfo credentials = 2;
+ * @return {!Array<!proto.teleport.terminal.v1.CredentialInfo>}
+ */
+proto.teleport.terminal.v1.LoginPasswordlessResponse.prototype.getCredentialsList = function() {
+  return /** @type{!Array<!proto.teleport.terminal.v1.CredentialInfo>} */ (
+    jspb.Message.getRepeatedWrapperField(this, proto.teleport.terminal.v1.CredentialInfo, 2));
+};
+
+
+/**
+ * @param {!Array<!proto.teleport.terminal.v1.CredentialInfo>} value
+ * @return {!proto.teleport.terminal.v1.LoginPasswordlessResponse} returns this
+*/
+proto.teleport.terminal.v1.LoginPasswordlessResponse.prototype.setCredentialsList = function(value) {
+  return jspb.Message.setRepeatedWrapperField(this, 2, value);
+};
+
+
+/**
+ * @param {!proto.teleport.terminal.v1.CredentialInfo=} opt_value
+ * @param {number=} opt_index
+ * @return {!proto.teleport.terminal.v1.CredentialInfo}
+ */
+proto.teleport.terminal.v1.LoginPasswordlessResponse.prototype.addCredentials = function(opt_value, opt_index) {
+  return jspb.Message.addToRepeatedWrapperField(this, 2, opt_value, proto.teleport.terminal.v1.CredentialInfo, opt_index);
+};
+
+
+/**
+ * Clears the list making it empty but non-null.
+ * @return {!proto.teleport.terminal.v1.LoginPasswordlessResponse} returns this
+ */
+proto.teleport.terminal.v1.LoginPasswordlessResponse.prototype.clearCredentialsList = function() {
+  return this.setCredentialsList([]);
+};
+
+
+
+/**
+ * Oneof group definitions for this message. Each group defines the field
+ * numbers belonging to that group. When of these fields' value is set, all
+ * other fields in the group are cleared. During deserialization, if multiple
+ * fields are encountered for a group, only the last value seen will be kept.
+ * @private {!Array<!Array<number>>}
+ * @const
+ */
+proto.teleport.terminal.v1.LoginPasswordlessRequest.oneofGroups_ = [[1,2,3]];
+
+/**
+ * @enum {number}
+ */
+proto.teleport.terminal.v1.LoginPasswordlessRequest.RequestCase = {
+  REQUEST_NOT_SET: 0,
+  INIT: 1,
+  PIN: 2,
+  CREDENTIAL: 3
+};
+
+/**
+ * @return {proto.teleport.terminal.v1.LoginPasswordlessRequest.RequestCase}
+ */
+proto.teleport.terminal.v1.LoginPasswordlessRequest.prototype.getRequestCase = function() {
+  return /** @type {proto.teleport.terminal.v1.LoginPasswordlessRequest.RequestCase} */(jspb.Message.computeOneofCase(this, proto.teleport.terminal.v1.LoginPasswordlessRequest.oneofGroups_[0]));
+};
+
+
+
+if (jspb.Message.GENERATE_TO_OBJECT) {
+/**
+ * Creates an object representation of this proto.
+ * Field names that are reserved in JavaScript and will be renamed to pb_name.
+ * Optional fields that are not set will be set to undefined.
+ * To access a reserved field use, foo.pb_<name>, eg, foo.pb_default.
+ * For the list of reserved names please see:
+ *     net/proto2/compiler/js/internal/generator.cc#kKeyword.
+ * @param {boolean=} opt_includeInstance Deprecated. whether to include the
+ *     JSPB instance for transitional soy proto support:
+ *     http://goto/soy-param-migration
+ * @return {!Object}
+ */
+proto.teleport.terminal.v1.LoginPasswordlessRequest.prototype.toObject = function(opt_includeInstance) {
+  return proto.teleport.terminal.v1.LoginPasswordlessRequest.toObject(opt_includeInstance, this);
+};
+
+
+/**
+ * Static version of the {@see toObject} method.
+ * @param {boolean|undefined} includeInstance Deprecated. Whether to include
+ *     the JSPB instance for transitional soy proto support:
+ *     http://goto/soy-param-migration
+ * @param {!proto.teleport.terminal.v1.LoginPasswordlessRequest} msg The msg instance to transform.
+ * @return {!Object}
+ * @suppress {unusedLocalVariables} f is only used for nested messages
+ */
+proto.teleport.terminal.v1.LoginPasswordlessRequest.toObject = function(includeInstance, msg) {
+  var f, obj = {
+    init: (f = msg.getInit()) && proto.teleport.terminal.v1.LoginPasswordlessRequest.LoginPasswordlessRequestInit.toObject(includeInstance, f),
+    pin: (f = msg.getPin()) && proto.teleport.terminal.v1.LoginPasswordlessRequest.LoginPasswordlessPINResponse.toObject(includeInstance, f),
+    credential: (f = msg.getCredential()) && proto.teleport.terminal.v1.LoginPasswordlessRequest.LoginPasswordlessCredentialResponse.toObject(includeInstance, f)
+  };
+
+  if (includeInstance) {
+    obj.$jspbMessageInstance = msg;
+  }
+  return obj;
+};
+}
+
+
+/**
+ * Deserializes binary data (in protobuf wire format).
+ * @param {jspb.ByteSource} bytes The bytes to deserialize.
+ * @return {!proto.teleport.terminal.v1.LoginPasswordlessRequest}
+ */
+proto.teleport.terminal.v1.LoginPasswordlessRequest.deserializeBinary = function(bytes) {
+  var reader = new jspb.BinaryReader(bytes);
+  var msg = new proto.teleport.terminal.v1.LoginPasswordlessRequest;
+  return proto.teleport.terminal.v1.LoginPasswordlessRequest.deserializeBinaryFromReader(msg, reader);
+};
+
+
+/**
+ * Deserializes binary data (in protobuf wire format) from the
+ * given reader into the given message object.
+ * @param {!proto.teleport.terminal.v1.LoginPasswordlessRequest} msg The message object to deserialize into.
+ * @param {!jspb.BinaryReader} reader The BinaryReader to use.
+ * @return {!proto.teleport.terminal.v1.LoginPasswordlessRequest}
  */
-proto.teleport.terminal.v1.ListAppsResponse = function(opt_data) {
-  jspb.Message.initialize(this, opt_data, 0, -1, proto.teleport.terminal.v1.ListAppsResponse.repeatedFields_, null);
+proto.teleport.terminal.v1.LoginPasswordlessRequest.deserializeBinaryFromReader = function(msg, reader) {
+  while (reader.nextField()) {
+    if (reader.isEndGroup()) {
+      break;
+    }
+    var field = reader.getFieldNumber();
+    switch (field) {
+    case 1:
+      var value = new proto.teleport.terminal.v1.LoginPasswordlessRequest.LoginPasswordlessRequestInit;
+      reader.readMessage(value,proto.teleport.terminal.v1.LoginPasswordlessRequest.LoginPasswordlessRequestInit.deserializeBinaryFromReader);
+      msg.setInit(value);
+      break;
+    case 2:
+      var value = new proto.teleport.terminal.v1.LoginPasswordlessRequest.LoginPasswordlessPINResponse;
+      reader.readMessage(value,proto.teleport.terminal.v1.LoginPasswordlessRequest.LoginPasswordlessPINResponse.deserializeBinaryFromReader);
+      msg.setPin(value);
+      break;
+    case 3:
+      var value = new proto.teleport.terminal.v1.LoginPasswordlessRequest.LoginPasswordlessCredentialResponse;
+      reader.readMessage(value,proto.teleport.terminal.v1.LoginPasswordlessRequest.LoginPasswordlessCredentialResponse.deserializeBinaryFromReader);
+      msg.setCredential(value);
+      break;
+    default:
+      reader.skipField();
+      break;
+    }
+  }
+  return msg;
 };
-goog.inherits(proto.teleport.terminal.v1.ListAppsResponse, jspb.Message);
-if (goog.DEBUG && !COMPILED) {
-  /**
-   * @public
-   * @override
-   */
-  proto.teleport.terminal.v1.ListAppsResponse.displayName = 'proto.teleport.terminal.v1.ListAppsResponse';
-}
+
+
 /**
- * Generated by JsPbCodeGenerator.
- * @param {Array=} opt_data Optional initial data array, typically from a
- * server response, or constructed directly in Javascript. The array is used
- * in place and becomes part of the constructed object. It is not cloned.
- * If no data is provided, the constructed object will be empty, but still
- * valid.
- * @extends {jspb.Message}
- * @constructor
+ * Serializes the message to binary data (in protobuf wire format).
+ * @return {!Uint8Array}
  */
-proto.teleport.terminal.v1.GetAuthSettingsRequest = function(opt_data) {
-  jspb.Message.initialize(this, opt_data, 0, -1, null, null);
+proto.teleport.terminal.v1.LoginPasswordlessRequest.prototype.serializeBinary = function() {
+  var writer = new jspb.BinaryWriter();
+  proto.teleport.terminal.v1.LoginPasswordlessRequest.serializeBinaryToWriter(this, writer);
+  return writer.getResultBuffer();
 };
-goog.inherits(proto.teleport.terminal.v1.GetAuthSettingsRequest, jspb.Message);
-if (goog.DEBUG && !COMPILED) {
-  /**
-   * @public
-   * @override
-   */
-  proto.teleport.terminal.v1.GetAuthSettingsRequest.displayName = 'proto.teleport.terminal.v1.GetAuthSettingsRequest';
-}
+
+
 /**
- * Generated by JsPbCodeGenerator.
- * @param {Array=} opt_data Optional initial data array, typically from a
- * server response, or constructed directly in Javascript. The array is used
- * in place and becomes part of the constructed object. It is not cloned.
- * If no data is provided, the constructed object will be empty, but still
- * valid.
- * @extends {jspb.Message}
- * @constructor
+ * Serializes the given message to binary data (in protobuf wire
+ * format), writing to the given BinaryWriter.
+ * @param {!proto.teleport.terminal.v1.LoginPasswordlessRequest} message
+ * @param {!jspb.BinaryWriter} writer
+ * @suppress {unusedLocalVariables} f is only used for nested messages
  */
-proto.teleport.terminal.v1.EmptyResponse = function(opt_data) {
-  jspb.Message.initialize(this, opt_data, 0, -1, null, null);
+proto.teleport.terminal.v1.LoginPasswordlessRequest.serializeBinaryToWriter = function(message, writer) {
+  var f = undefined;
+  f = message.getInit();
+  if (f != null) {
+    writer.writeMessage(
+      1,
+      f,
+      proto.teleport.terminal.v1.LoginPasswordlessRequest.LoginPasswordlessRequestInit.serializeBinaryToWriter
+    );
+  }
+  f = message.getPin();
+  if (f != null) {
+    writer.writeMessage(
+      2,
+      f,
+      proto.teleport.terminal.v1.LoginPasswordlessRequest.LoginPasswordlessPINResponse.serializeBinaryToWriter
+    );
+  }
+  f = message.getCredential();
+  if (f != null) {
+    writer.writeMessage(
+      3,
+      f,
+      proto.teleport.terminal.v1.LoginPasswordlessRequest.LoginPasswordlessCredentialResponse.serializeBinaryToWriter
+    );
+  }
 };
-goog.inherits(proto.teleport.terminal.v1.EmptyResponse, jspb.Message);
-if (goog.DEBUG && !COMPILED) {
-  /**
-   * @public
-   * @override
-   */
-  proto.teleport.terminal.v1.EmptyResponse.displayName = 'proto.teleport.terminal.v1.EmptyResponse';
-}
+
+
 
 
 
@@ -683,8 +1696,8 @@ if (jspb.Message.GENERATE_TO_OBJECT) {
  *     http://goto/soy-param-migration
  * @return {!Object}
  */
-proto.teleport.terminal.v1.RemoveClusterRequest.prototype.toObject = function(opt_includeInstance) {
-  return proto.teleport.terminal.v1.RemoveClusterRequest.toObject(opt_includeInstance, this);
+proto.teleport.terminal.v1.LoginPasswordlessRequest.LoginPasswordlessRequestInit.prototype.toObject = function(opt_includeInstance) {
+  return proto.teleport.terminal.v1.LoginPasswordlessRequest.LoginPasswordlessRequestInit.toObject(opt_includeInstance, this);
 };
 
 
@@ -693,11 +1706,11 @@ proto.teleport.terminal.v1.RemoveClusterRequest.prototype.toObject = function(op
  * @param {boolean|undefined} includeInstance Deprecated. Whether to include
  *     the JSPB instance for transitional soy proto support:
  *     http://goto/soy-param-migration
- * @param {!proto.teleport.terminal.v1.RemoveClusterRequest} msg The msg instance to transform.
+ * @param {!proto.teleport.terminal.v1.LoginPasswordlessRequest.LoginPasswordlessRequestInit} msg The msg instance to transform.
  * @return {!Object}
  * @suppress {unusedLocalVariables} f is only used for nested messages
  */
-proto.teleport.terminal.v1.RemoveClusterRequest.toObject = function(includeInstance, msg) {
+proto.teleport.terminal.v1.LoginPasswordlessRequest.LoginPasswordlessRequestInit.toObject = function(includeInstance, msg) {
   var f, obj = {
     clusterUri: jspb.Message.getFieldWithDefault(msg, 1, "")
   };
@@ -713,23 +1726,23 @@ proto.teleport.terminal.v1.RemoveClusterRequest.toObject = function(includeInsta
 /**
  * Deserializes binary data (in protobuf wire format).
  * @param {jspb.ByteSource} bytes The bytes to deserialize.
- * @return {!proto.teleport.terminal.v1.RemoveClusterRequest}
+ * @return {!proto.teleport.terminal.v1.LoginPasswordlessRequest.LoginPasswordlessRequestInit}
  */
-proto.teleport.terminal.v1.RemoveClusterRequest.deserializeBinary = function(bytes) {
+proto.teleport.terminal.v1.LoginPasswordlessRequest.LoginPasswordlessRequestInit.deserializeBinary = function(bytes) {
   var reader = new jspb.BinaryReader(bytes);
-  var msg = new proto.teleport.terminal.v1.RemoveClusterRequest;
-  return proto.teleport.terminal.v1.RemoveClusterRequest.deserializeBinaryFromReader(msg, reader);
+  var msg = new proto.teleport.terminal.v1.LoginPasswordlessRequest.LoginPasswordlessRequestInit;
+  return proto.teleport.terminal.v1.LoginPasswordlessRequest.LoginPasswordlessRequestInit.deserializeBinaryFromReader(msg, reader);
 };
 
 
 /**
  * Deserializes binary data (in protobuf wire format) from the
  * given reader into the given message object.
- * @param {!proto.teleport.terminal.v1.RemoveClusterRequest} msg The message object to deserialize into.
+ * @param {!proto.teleport.terminal.v1.LoginPasswordlessRequest.LoginPasswordlessRequestInit} msg The message object to deserialize into.
  * @param {!jspb.BinaryReader} reader The BinaryReader to use.
- * @return {!proto.teleport.terminal.v1.RemoveClusterRequest}
+ * @return {!proto.teleport.terminal.v1.LoginPasswordlessRequest.LoginPasswordlessRequestInit}
  */
-proto.teleport.terminal.v1.RemoveClusterRequest.deserializeBinaryFromReader = function(msg, reader) {
+proto.teleport.terminal.v1.LoginPasswordlessRequest.LoginPasswordlessRequestInit.deserializeBinaryFromReader = function(msg, reader) {
   while (reader.nextField()) {
     if (reader.isEndGroup()) {
       break;
@@ -753,9 +1766,9 @@ proto.teleport.terminal.v1.RemoveClusterRequest.deserializeBinaryFromReader = fu
  * Serializes the message to binary data (in protobuf wire format).
  * @return {!Uint8Array}
  */
-proto.teleport.terminal.v1.RemoveClusterRequest.prototype.serializeBinary = function() {
+proto.teleport.terminal.v1.LoginPasswordlessRequest.LoginPasswordlessRequestInit.prototype.serializeBinary = function() {
   var writer = new jspb.BinaryWriter();
-  proto.teleport.terminal.v1.RemoveClusterRequest.serializeBinaryToWriter(this, writer);
+  proto.teleport.terminal.v1.LoginPasswordlessRequest.LoginPasswordlessRequestInit.serializeBinaryToWriter(this, writer);
   return writer.getResultBuffer();
 };
 
@@ -763,11 +1776,11 @@ proto.teleport.terminal.v1.RemoveClusterRequest.prototype.serializeBinary = func
 /**
  * Serializes the given message to binary data (in protobuf wire
  * format), writing to the given BinaryWriter.
- * @param {!proto.teleport.terminal.v1.RemoveClusterRequest} message
+ * @param {!proto.teleport.terminal.v1.LoginPasswordlessRequest.LoginPasswordlessRequestInit} message
  * @param {!jspb.BinaryWriter} writer
  * @suppress {unusedLocalVariables} f is only used for nested messages
  */
-proto.teleport.terminal.v1.RemoveClusterRequest.serializeBinaryToWriter = function(message, writer) {
+proto.teleport.terminal.v1.LoginPasswordlessRequest.LoginPasswordlessRequestInit.serializeBinaryToWriter = function(message, writer) {
   var f = undefined;
   f = message.getClusterUri();
   if (f.length > 0) {
@@ -783,16 +1796,16 @@ proto.teleport.terminal.v1.RemoveClusterRequest.serializeBinaryToWriter = functi
  * optional string cluster_uri = 1;
  * @return {string}
  */
-proto.teleport.terminal.v1.RemoveClusterRequest.prototype.getClusterUri = function() {
+proto.teleport.terminal.v1.LoginPasswordlessRequest.LoginPasswordlessRequestInit.prototype.getClusterUri = function() {
   return /** @type {string} */ (jspb.Message.getFieldWithDefault(this, 1, ""));
 };
 
 
 /**
  * @param {string} value
- * @return {!proto.teleport.terminal.v1.RemoveClusterRequest} returns this
+ * @return {!proto.teleport.terminal.v1.LoginPasswordlessRequest.LoginPasswordlessRequestInit} returns this
  */
-proto.teleport.terminal.v1.RemoveClusterRequest.prototype.setClusterUri = function(value) {
+proto.teleport.terminal.v1.LoginPasswordlessRequest.LoginPasswordlessRequestInit.prototype.setClusterUri = function(value) {
   return jspb.Message.setProto3StringField(this, 1, value);
 };
 
@@ -813,8 +1826,8 @@ if (jspb.Message.GENERATE_TO_OBJECT) {
  *     http://goto/soy-param-migration
  * @return {!Object}
  */
-proto.teleport.terminal.v1.GetClusterRequest.prototype.toObject = function(opt_includeInstance) {
-  return proto.teleport.terminal.v1.GetClusterRequest.toObject(opt_includeInstance, this);
+proto.teleport.terminal.v1.LoginPasswordlessRequest.LoginPasswordlessPINResponse.prototype.toObject = function(opt_includeInstance) {
+  return proto.teleport.terminal.v1.LoginPasswordlessRequest.LoginPasswordlessPINResponse.toObject(opt_includeInstance, this);
 };
 
 
@@ -823,13 +1836,13 @@ proto.teleport.terminal.v1.GetClusterRequest.prototype.toObject = function(opt_i
  * @param {boolean|undefined} includeInstance Deprecated. Whether to include
  *     the JSPB instance for transitional soy proto support:
  *     http://goto/soy-param-migration
- * @param {!proto.teleport.terminal.v1.GetClusterRequest} msg The msg instance to transform.
+ * @param {!proto.teleport.terminal.v1.LoginPasswordlessRequest.LoginPasswordlessPINResponse} msg The msg instance to transform.
  * @return {!Object}
  * @suppress {unusedLocalVariables} f is only used for nested messages
  */
-proto.teleport.terminal.v1.GetClusterRequest.toObject = function(includeInstance, msg) {
+proto.teleport.terminal.v1.LoginPasswordlessRequest.LoginPasswordlessPINResponse.toObject = function(includeInstance, msg) {
   var f, obj = {
-    clusterUri: jspb.Message.getFieldWithDefault(msg, 1, "")
+    pin: jspb.Message.getFieldWithDefault(msg, 1, "")
   };
 
   if (includeInstance) {
@@ -843,23 +1856,23 @@ proto.teleport.terminal.v1.GetClusterRequest.toObject = function(includeInstance
 /**
  * Deserializes binary data (in protobuf wire format).
  * @param {jspb.ByteSource} bytes The bytes to deserialize.
- * @return {!proto.teleport.terminal.v1.GetClusterRequest}
+ * @return {!proto.teleport.terminal.v1.LoginPasswordlessRequest.LoginPasswordlessPINResponse}
  */
-proto.teleport.terminal.v1.GetClusterRequest.deserializeBinary = function(bytes) {
+proto.teleport.terminal.v1.LoginPasswordlessRequest.LoginPasswordlessPINResponse.deserializeBinary = function(bytes) {
   var reader = new jspb.BinaryReader(bytes);
-  var msg = new proto.teleport.terminal.v1.GetClusterRequest;
-  return proto.teleport.terminal.v1.GetClusterRequest.deserializeBinaryFromReader(msg, reader);
+  var msg = new proto.teleport.terminal.v1.LoginPasswordlessRequest.LoginPasswordlessPINResponse;
+  return proto.teleport.terminal.v1.LoginPasswordlessRequest.LoginPasswordlessPINResponse.deserializeBinaryFromReader(msg, reader);
 };
 
 
 /**
  * Deserializes binary data (in protobuf wire format) from the
  * given reader into the given message object.
- * @param {!proto.teleport.terminal.v1.GetClusterRequest} msg The message object to deserialize into.
+ * @param {!proto.teleport.terminal.v1.LoginPasswordlessRequest.LoginPasswordlessPINResponse} msg The message object to deserialize into.
  * @param {!jspb.BinaryReader} reader The BinaryReader to use.
- * @return {!proto.teleport.terminal.v1.GetClusterRequest}
+ * @return {!proto.teleport.terminal.v1.LoginPasswordlessRequest.LoginPasswordlessPINResponse}
  */
-proto.teleport.terminal.v1.GetClusterRequest.deserializeBinaryFromReader = function(msg, reader) {
+proto.teleport.terminal.v1.LoginPasswordlessRequest.LoginPasswordlessPINResponse.deserializeBinaryFromReader = function(msg, reader) {
   while (reader.nextField()) {
     if (reader.isEndGroup()) {
       break;
@@ -868,7 +1881,7 @@ proto.teleport.terminal.v1.GetClusterRequest.deserializeBinaryFromReader = funct
     switch (field) {
     case 1:
       var value = /** @type {string} */ (reader.readString());
-      msg.setClusterUri(value);
+      msg.setPin(value);
       break;
     default:
       reader.skipField();
@@ -883,9 +1896,9 @@ proto.teleport.terminal.v1.GetClusterRequest.deserializeBinaryFromReader = funct
  * Serializes the message to binary data (in protobuf wire format).
  * @return {!Uint8Array}
  */
-proto.teleport.terminal.v1.GetClusterRequest.prototype.serializeBinary = function() {
+proto.teleport.terminal.v1.LoginPasswordlessRequest.LoginPasswordlessPINResponse.prototype.serializeBinary = function() {
   var writer = new jspb.BinaryWriter();
-  proto.teleport.terminal.v1.GetClusterRequest.serializeBinaryToWriter(this, writer);
+  proto.teleport.terminal.v1.LoginPasswordlessRequest.LoginPasswordlessPINResponse.serializeBinaryToWriter(this, writer);
   return writer.getResultBuffer();
 };
 
@@ -893,13 +1906,13 @@ proto.teleport.terminal.v1.GetClusterRequest.prototype.serializeBinary = functio
 /**
  * Serializes the given message to binary data (in protobuf wire
  * format), writing to the given BinaryWriter.
- * @param {!proto.teleport.terminal.v1.GetClusterRequest} message
+ * @param {!proto.teleport.terminal.v1.LoginPasswordlessRequest.LoginPasswordlessPINResponse} message
  * @param {!jspb.BinaryWriter} writer
  * @suppress {unusedLocalVariables} f is only used for nested messages
  */
-proto.teleport.terminal.v1.GetClusterRequest.serializeBinaryToWriter = function(message, writer) {
+proto.teleport.terminal.v1.LoginPasswordlessRequest.LoginPasswordlessPINResponse.serializeBinaryToWriter = function(message, writer) {
   var f = undefined;
-  f = message.getClusterUri();
+  f = message.getPin();
   if (f.length > 0) {
     writer.writeString(
       1,
@@ -910,19 +1923,19 @@ proto.teleport.terminal.v1.GetClusterRequest.serializeBinaryToWriter = function(
 
 
 /**
- * optional string cluster_uri = 1;
+ * optional string pin = 1;
  * @return {string}
  */
-proto.teleport.terminal.v1.GetClusterRequest.prototype.getClusterUri = function() {
+proto.teleport.terminal.v1.LoginPasswordlessRequest.LoginPasswordlessPINResponse.prototype.getPin = function() {
   return /** @type {string} */ (jspb.Message.getFieldWithDefault(this, 1, ""));
 };
 
 
 /**
  * @param {string} value
- * @return {!proto.teleport.terminal.v1.GetClusterRequest} returns this
+ * @return {!proto.teleport.terminal.v1.LoginPasswordlessRequest.LoginPasswordlessPINResponse} returns this
  */
-proto.teleport.terminal.v1.GetClusterRequest.prototype.setClusterUri = function(value) {
+proto.teleport.terminal.v1.LoginPasswordlessRequest.LoginPasswordlessPINResponse.prototype.setPin = function(value) {
   return jspb.Message.setProto3StringField(this, 1, value);
 };
 
@@ -943,8 +1956,8 @@ if (jspb.Message.GENERATE_TO_OBJECT) {
  *     http://goto/soy-param-migration
  * @return {!Object}
  */
-proto.teleport.terminal.v1.LogoutRequest.prototype.toObject = function(opt_includeInstance) {
-  return proto.teleport.terminal.v1.LogoutRequest.toObject(opt_includeInstance, this);
+proto.teleport.terminal.v1.LoginPasswordlessRequest.LoginPasswordlessCredentialResponse.prototype.toObject = function(opt_includeInstance) {
+  return proto.teleport.terminal.v1.LoginPasswordlessRequest.LoginPasswordlessCredentialResponse.toObject(opt_includeInstance, this);
 };
 
 
@@ -953,13 +1966,13 @@ proto.teleport.terminal.v1.LogoutRequest.prototype.toObject = function(opt_inclu
  * @param {boolean|undefined} includeInstance Deprecated. Whether to include
  *     the JSPB instance for transitional soy proto support:
  *     http://goto/soy-param-migration
- * @param {!proto.teleport.terminal.v1.LogoutRequest} msg The msg instance to transform.
+ * @param {!proto.teleport.terminal.v1.LoginPasswordlessRequest.LoginPasswordlessCredentialResponse} msg The msg instance to transform.
  * @return {!Object}
  * @suppress {unusedLocalVariables} f is only used for nested messages
  */
-proto.teleport.terminal.v1.LogoutRequest.toObject = function(includeInstance, msg) {
+proto.teleport.terminal.v1.LoginPasswordlessRequest.LoginPasswordlessCredentialResponse.toObject = function(includeInstance, msg) {
   var f, obj = {
-    clusterUri: jspb.Message.getFieldWithDefault(msg, 1, "")
+    index: jspb.Message.getFieldWithDefault(msg, 1, 0)
   };
 
   if (includeInstance) {
@@ -973,23 +1986,23 @@ proto.teleport.terminal.v1.LogoutRequest.toObject = function(includeInstance, ms
 /**
  * Deserializes binary data (in protobuf wire format).
  * @param {jspb.ByteSource} bytes The bytes to deserialize.
- * @return {!proto.teleport.terminal.v1.LogoutRequest}
+ * @return {!proto.teleport.terminal.v1.LoginPasswordlessRequest.LoginPasswordlessCredentialResponse}
  */
-proto.teleport.terminal.v1.LogoutRequest.deserializeBinary = function(bytes) {
+proto.teleport.terminal.v1.LoginPasswordlessRequest.LoginPasswordlessCredentialResponse.deserializeBinary = function(bytes) {
   var reader = new jspb.BinaryReader(bytes);
-  var msg = new proto.teleport.terminal.v1.LogoutRequest;
-  return proto.teleport.terminal.v1.LogoutRequest.deserializeBinaryFromReader(msg, reader);
+  var msg = new proto.teleport.terminal.v1.LoginPasswordlessRequest.LoginPasswordlessCredentialResponse;
+  return proto.teleport.terminal.v1.LoginPasswordlessRequest.LoginPasswordlessCredentialResponse.deserializeBinaryFromReader(msg, reader);
 };
 
 
 /**
  * Deserializes binary data (in protobuf wire format) from the
  * given reader into the given message object.
- * @param {!proto.teleport.terminal.v1.LogoutRequest} msg The message object to deserialize into.
+ * @param {!proto.teleport.terminal.v1.LoginPasswordlessRequest.LoginPasswordlessCredentialResponse} msg The message object to deserialize into.
  * @param {!jspb.BinaryReader} reader The BinaryReader to use.
- * @return {!proto.teleport.terminal.v1.LogoutRequest}
+ * @return {!proto.teleport.terminal.v1.LoginPasswordlessRequest.LoginPasswordlessCredentialResponse}
  */
-proto.teleport.terminal.v1.LogoutRequest.deserializeBinaryFromReader = function(msg, reader) {
+proto.teleport.terminal.v1.LoginPasswordlessRequest.LoginPasswordlessCredentialResponse.deserializeBinaryFromReader = function(msg, reader) {
   while (reader.nextField()) {
     if (reader.isEndGroup()) {
       break;
@@ -997,8 +2010,8 @@ proto.teleport.terminal.v1.LogoutRequest.deserializeBinaryFromReader = function(
     var field = reader.getFieldNumber();
     switch (field) {
     case 1:
-      var value = /** @type {string} */ (reader.readString());
-      msg.setClusterUri(value);
+      var value = /** @type {number} */ (reader.readInt64());
+      msg.setIndex(value);
       break;
     default:
       reader.skipField();
@@ -1013,9 +2026,9 @@ proto.teleport.terminal.v1.LogoutRequest.deserializeBinaryFromReader = function(
  * Serializes the message to binary data (in protobuf wire format).
  * @return {!Uint8Array}
  */
-proto.teleport.terminal.v1.LogoutRequest.prototype.serializeBinary = function() {
+proto.teleport.terminal.v1.LoginPasswordlessRequest.LoginPasswordlessCredentialResponse.prototype.serializeBinary = function() {
   var writer = new jspb.BinaryWriter();
-  proto.teleport.terminal.v1.LogoutRequest.serializeBinaryToWriter(this, writer);
+  proto.teleport.terminal.v1.LoginPasswordlessRequest.LoginPasswordlessCredentialResponse.serializeBinaryToWriter(this, writer);
   return writer.getResultBuffer();
 };
 
@@ -1023,15 +2036,15 @@ proto.teleport.terminal.v1.LogoutRequest.prototype.serializeBinary = function()
 /**
  * Serializes the given message to binary data (in protobuf wire
  * format), writing to the given BinaryWriter.
- * @param {!proto.teleport.terminal.v1.LogoutRequest} message
+ * @param {!proto.teleport.terminal.v1.LoginPasswordlessRequest.LoginPasswordlessCredentialResponse} message
  * @param {!jspb.BinaryWriter} writer
  * @suppress {unusedLocalVariables} f is only used for nested messages
  */
-proto.teleport.terminal.v1.LogoutRequest.serializeBinaryToWriter = function(message, writer) {
+proto.teleport.terminal.v1.LoginPasswordlessRequest.LoginPasswordlessCredentialResponse.serializeBinaryToWriter = function(message, writer) {
   var f = undefined;
-  f = message.getClusterUri();
-  if (f.length > 0) {
-    writer.writeString(
+  f = message.getIndex();
+  if (f !== 0) {
+    writer.writeInt64(
       1,
       f
     );
@@ -1040,20 +2053,131 @@ proto.teleport.terminal.v1.LogoutRequest.serializeBinaryToWriter = function(mess
 
 
 /**
- * optional string cluster_uri = 1;
- * @return {string}
+ * optional int64 index = 1;
+ * @return {number}
  */
-proto.teleport.terminal.v1.LogoutRequest.prototype.getClusterUri = function() {
-  return /** @type {string} */ (jspb.Message.getFieldWithDefault(this, 1, ""));
+proto.teleport.terminal.v1.LoginPasswordlessRequest.LoginPasswordlessCredentialResponse.prototype.getIndex = function() {
+  return /** @type {number} */ (jspb.Message.getFieldWithDefault(this, 1, 0));
 };
 
 
 /**
- * @param {string} value
- * @return {!proto.teleport.terminal.v1.LogoutRequest} returns this
+ * @param {number} value
+ * @return {!proto.teleport.terminal.v1.LoginPasswordlessRequest.LoginPasswordlessCredentialResponse} returns this
  */
-proto.teleport.terminal.v1.LogoutRequest.prototype.setClusterUri = function(value) {
-  return jspb.Message.setProto3StringField(this, 1, value);
+proto.teleport.terminal.v1.LoginPasswordlessRequest.LoginPasswordlessCredentialResponse.prototype.setIndex = function(value) {
+  return jspb.Message.setProto3IntField(this, 1, value);
+};
+
+
+/**
+ * optional LoginPasswordlessRequestInit init = 1;
+ * @return {?proto.teleport.terminal.v1.LoginPasswordlessRequest.LoginPasswordlessRequestInit}
+ */
+proto.teleport.terminal.v1.LoginPasswordlessRequest.prototype.getInit = function() {
+  return /** @type{?proto.teleport.terminal.v1.LoginPasswordlessRequest.LoginPasswordlessRequestInit} */ (
+    jspb.Message.getWrapperField(this, proto.teleport.terminal.v1.LoginPasswordlessRequest.LoginPasswordlessRequestInit, 1));
+};
+
+
+/**
+ * @param {?proto.teleport.terminal.v1.LoginPasswordlessRequest.LoginPasswordlessRequestInit|undefined} value
+ * @return {!proto.teleport.terminal.v1.LoginPasswordlessRequest} returns this
+*/
+proto.teleport.terminal.v1.LoginPasswordlessRequest.prototype.setInit = function(value) {
+  return jspb.Message.setOneofWrapperField(this, 1, proto.teleport.terminal.v1.LoginPasswordlessRequest.oneofGroups_[0], value);
+};
+
+
+/**
+ * Clears the message field making it undefined.
+ * @return {!proto.teleport.terminal.v1.LoginPasswordlessRequest} returns this
+ */
+proto.teleport.terminal.v1.LoginPasswordlessRequest.prototype.clearInit = function() {
+  return this.setInit(undefined);
+};
+
+
+/**
+ * Returns whether this field is set.
+ * @return {boolean}
+ */
+proto.teleport.terminal.v1.LoginPasswordlessRequest.prototype.hasInit = function() {
+  return jspb.Message.getField(this, 1) != null;
+};
+
+
+/**
+ * optional LoginPasswordlessPINResponse pin = 2;
+ * @return {?proto.teleport.terminal.v1.LoginPasswordlessRequest.LoginPasswordlessPINResponse}
+ */
+proto.teleport.terminal.v1.LoginPasswordlessRequest.prototype.getPin = function() {
+  return /** @type{?proto.teleport.terminal.v1.LoginPasswordlessRequest.LoginPasswordlessPINResponse} */ (
+    jspb.Message.getWrapperField(this, proto.teleport.terminal.v1.LoginPasswordlessRequest.LoginPasswordlessPINResponse, 2));
+};
+
+
+/**
+ * @param {?proto.teleport.terminal.v1.LoginPasswordlessRequest.LoginPasswordlessPINResponse|undefined} value
+ * @return {!proto.teleport.terminal.v1.LoginPasswordlessRequest} returns this
+*/
+proto.teleport.terminal.v1.LoginPasswordlessRequest.prototype.setPin = function(value) {
+  return jspb.Message.setOneofWrapperField(this, 2, proto.teleport.terminal.v1.LoginPasswordlessRequest.oneofGroups_[0], value);
+};
+
+
+/**
+ * Clears the message field making it undefined.
+ * @return {!proto.teleport.terminal.v1.LoginPasswordlessRequest} returns this
+ */
+proto.teleport.terminal.v1.LoginPasswordlessRequest.prototype.clearPin = function() {
+  return this.setPin(undefined);
+};
+
+
+/**
+ * Returns whether this field is set.
+ * @return {boolean}
+ */
+proto.teleport.terminal.v1.LoginPasswordlessRequest.prototype.hasPin = function() {
+  return jspb.Message.getField(this, 2) != null;
+};
+
+
+/**
+ * optional LoginPasswordlessCredentialResponse credential = 3;
+ * @return {?proto.teleport.terminal.v1.LoginPasswordlessRequest.LoginPasswordlessCredentialResponse}
+ */
+proto.teleport.terminal.v1.LoginPasswordlessRequest.prototype.getCredential = function() {
+  return /** @type{?proto.teleport.terminal.v1.LoginPasswordlessRequest.LoginPasswordlessCredentialResponse} */ (
+    jspb.Message.getWrapperField(this, proto.teleport.terminal.v1.LoginPasswordlessRequest.LoginPasswordlessCredentialResponse, 3));
+};
+
+
+/**
+ * @param {?proto.teleport.terminal.v1.LoginPasswordlessRequest.LoginPasswordlessCredentialResponse|undefined} value
+ * @return {!proto.teleport.terminal.v1.LoginPasswordlessRequest} returns this
+*/
+proto.teleport.terminal.v1.LoginPasswordlessRequest.prototype.setCredential = function(value) {
+  return jspb.Message.setOneofWrapperField(this, 3, proto.teleport.terminal.v1.LoginPasswordlessRequest.oneofGroups_[0], value);
+};
+
+
+/**
+ * Clears the message field making it undefined.
+ * @return {!proto.teleport.terminal.v1.LoginPasswordlessRequest} returns this
+ */
+proto.teleport.terminal.v1.LoginPasswordlessRequest.prototype.clearCredential = function() {
+  return this.setCredential(undefined);
+};
+
+
+/**
+ * Returns whether this field is set.
+ * @return {boolean}
+ */
+proto.teleport.terminal.v1.LoginPasswordlessRequest.prototype.hasCredential = function() {
+  return jspb.Message.getField(this, 3) != null;
 };
 
 
@@ -4979,4 +6103,14 @@ proto.teleport.terminal.v1.EmptyResponse.serializeBinaryToWriter = function(mess
 };
 
 
+/**
+ * @enum {number}
+ */
+proto.teleport.terminal.v1.PasswordlessPrompt = {
+  PASSWORDLESS_PROMPT_UNSPECIFIED: 0,
+  PASSWORDLESS_PROMPT_PIN: 1,
+  PASSWORDLESS_PROMPT_TAP: 2,
+  PASSWORDLESS_PROMPT_CREDENTIAL: 3
+};
+
 goog.object.extend(exports, proto.teleport.terminal.v1);
diff --git a/web/packages/teleterm/src/ui/ClusterConnect/ClusterAdd/ClusterAdd.tsx b/web/packages/teleterm/src/ui/ClusterConnect/ClusterAdd/ClusterAdd.tsx
index 2c7d0508ea323..259305a03188a 100644
--- a/web/packages/teleterm/src/ui/ClusterConnect/ClusterAdd/ClusterAdd.tsx
+++ b/web/packages/teleterm/src/ui/ClusterConnect/ClusterAdd/ClusterAdd.tsx
@@ -38,51 +38,53 @@ export function ClusterAddPresentation({
   const [addr, setAddr] = useState('');
 
   return (
-    <Validation>
-      {({ validator }) => (
-        <form
-          onSubmit={e => {
-            e.preventDefault();
-            validator.validate() && addCluster(addr);
-          }}
-        >
-          <DialogHeader>
-            <Text typography="h4">Enter cluster address</Text>
-          </DialogHeader>
-          <DialogContent mb={2}>
-            {status === 'error' && (
-              <Alerts.Danger mb={5} children={statusText} />
-            )}
-            <FieldInput
-              rule={requiredField('Cluster address is required')}
-              value={addr}
-              autoFocus
-              onChange={e => setAddr(e.target.value)}
-              placeholder="teleport.example.com"
-            />
-            <Box mt="5">
-              <ButtonPrimary
-                disabled={status === 'processing'}
-                mr="3"
-                type="submit"
-              >
-                Next
-              </ButtonPrimary>
-              <ButtonSecondary
-                disabled={status === 'processing'}
-                type="button"
-                onClick={e => {
-                  e.preventDefault();
-                  onCancel();
-                }}
-              >
-                CANCEL
-              </ButtonSecondary>
-            </Box>
-          </DialogContent>
-        </form>
-      )}
-    </Validation>
+    <Box p={4}>
+      <Validation>
+        {({ validator }) => (
+          <form
+            onSubmit={e => {
+              e.preventDefault();
+              validator.validate() && addCluster(addr);
+            }}
+          >
+            <DialogHeader>
+              <Text typography="h4">Enter cluster address</Text>
+            </DialogHeader>
+            <DialogContent mb={2}>
+              {status === 'error' && (
+                <Alerts.Danger mb={5} children={statusText} />
+              )}
+              <FieldInput
+                rule={requiredField('Cluster address is required')}
+                value={addr}
+                autoFocus
+                onChange={e => setAddr(e.target.value)}
+                placeholder="teleport.example.com"
+              />
+              <Box mt="5">
+                <ButtonPrimary
+                  disabled={status === 'processing'}
+                  mr="3"
+                  type="submit"
+                >
+                  Next
+                </ButtonPrimary>
+                <ButtonSecondary
+                  disabled={status === 'processing'}
+                  type="button"
+                  onClick={e => {
+                    e.preventDefault();
+                    onCancel();
+                  }}
+                >
+                  CANCEL
+                </ButtonSecondary>
+              </Box>
+            </DialogContent>
+          </form>
+        )}
+      </Validation>
+    </Box>
   );
 }
 
diff --git a/web/packages/teleterm/src/ui/ClusterConnect/ClusterConnect.tsx b/web/packages/teleterm/src/ui/ClusterConnect/ClusterConnect.tsx
index 8119c15a5f95d..d4e93bcdf2c1c 100644
--- a/web/packages/teleterm/src/ui/ClusterConnect/ClusterConnect.tsx
+++ b/web/packages/teleterm/src/ui/ClusterConnect/ClusterConnect.tsx
@@ -25,7 +25,7 @@ export function ClusterConnect(props: ClusterConnectProps) {
       dialogCss={() => ({
         maxWidth: '480px',
         width: '100%',
-        padding: '20px',
+        padding: '0',
       })}
       disableEscapeKeyDown={false}
       onClose={props.onCancel}
diff --git a/web/packages/teleterm/src/ui/ClusterConnect/ClusterLogin/ClusterLogin.story.tsx b/web/packages/teleterm/src/ui/ClusterConnect/ClusterLogin/ClusterLogin.story.tsx
index bb67897a0e274..c0771e34fb826 100644
--- a/web/packages/teleterm/src/ui/ClusterConnect/ClusterLogin/ClusterLogin.story.tsx
+++ b/web/packages/teleterm/src/ui/ClusterConnect/ClusterLogin/ClusterLogin.story.tsx
@@ -15,18 +15,22 @@ limitations under the License.
 */
 
 import React from 'react';
-import * as types from 'teleterm/ui/services/clusters/types';
+
+import { Box } from 'design';
 import { Attempt } from 'shared/hooks/useAsync';
+
+import * as types from 'teleterm/ui/services/clusters/types';
+
 import { ClusterLoginPresentation } from './ClusterLogin';
+import { State } from './useClusterLogin';
 
 export default {
   title: 'Teleterm/ClusterLogin',
 };
 
-function makeProps() {
+function makeProps(): State {
   return {
     shouldPromptSsoStatus: false,
-    shouldPromptHardwareKey: false,
     title: 'localhost',
     loginAttempt: {
       status: '',
@@ -42,6 +46,9 @@ function makeProps() {
         type: '',
         secondFactor: 'optional',
         hasMessageOfTheDay: false,
+        allowPasswordless: true,
+        localConnectorName: '',
+        authType: 'local',
       } as types.AuthSettings,
     } as const,
 
@@ -49,24 +56,231 @@ function makeProps() {
     onCloseDialog: () => null,
     onAbort: () => null,
     onLoginWithLocal: () => Promise.resolve<[void, Error]>([null, null]),
+    onLoginWithPasswordless: () => Promise.resolve<[void, Error]>([null, null]),
     onLoginWithSso: () => null,
+    clearLoginAttempt: () => null,
+    webauthnLogin: null,
   };
 }
 
-export const Basic = () => {
-  return <ClusterLoginPresentation {...makeProps()} />;
+export const Error = () => {
+  const props = makeProps();
+  props.initAttempt = {
+    status: 'error',
+    statusText: 'some error message',
+  };
+
+  return (
+    <TestContainer>
+      <ClusterLoginPresentation {...props} />
+    </TestContainer>
+  );
+};
+
+export const Processing = () => {
+  const props = makeProps();
+  props.initAttempt.status = 'processing';
+
+  return (
+    <TestContainer>
+      <ClusterLoginPresentation {...props} />
+    </TestContainer>
+  );
+};
+
+export const LocalDisabled = () => {
+  const props = makeProps();
+  props.initAttempt.data.localAuthEnabled = false;
+
+  return (
+    <TestContainer>
+      <ClusterLoginPresentation {...props} />
+    </TestContainer>
+  );
 };
 
-export const HardwareKeyPrompt = () => {
+export const LocalOnly = () => {
+  const props = makeProps();
+  props.initAttempt.data.secondFactor = 'off';
+  props.initAttempt.data.allowPasswordless = false;
+
+  return (
+    <TestContainer>
+      <ClusterLoginPresentation {...props} />
+    </TestContainer>
+  );
+};
+
+export const SsoOnly = () => {
+  const props = makeProps();
+  props.initAttempt.data.localAuthEnabled = false;
+  props.initAttempt.data.authType = 'github';
+  props.initAttempt.data.authProvidersList = [
+    { type: 'github', name: 'github', displayName: 'github' },
+    { type: 'saml', name: 'microsoft', displayName: 'microsoft' },
+  ];
+
+  return (
+    <TestContainer>
+      <ClusterLoginPresentation {...props} />
+    </TestContainer>
+  );
+};
+
+export const LocalWithPasswordless = () => {
+  return (
+    <TestContainer>
+      <ClusterLoginPresentation {...makeProps()} />
+    </TestContainer>
+  );
+};
+
+export const LocalLoggedInUserWithPasswordless = () => {
+  const props = makeProps();
+  props.loggedInUserName = 'llama';
+
+  return (
+    <TestContainer>
+      <ClusterLoginPresentation {...props} />
+    </TestContainer>
+  );
+};
+
+export const LocalWithSso = () => {
+  const props = makeProps();
+  props.initAttempt.data.authProvidersList = [
+    { type: 'github', name: 'github', displayName: 'github' },
+    { type: 'saml', name: 'microsoft', displayName: 'microsoft' },
+  ];
+
+  return (
+    <TestContainer>
+      <ClusterLoginPresentation {...props} />
+    </TestContainer>
+  );
+};
+
+export const PasswordlessWithLocal = () => {
+  const props = makeProps();
+  props.initAttempt.data.localConnectorName = 'passwordless';
+
+  return (
+    <TestContainer>
+      <ClusterLoginPresentation {...props} />
+    </TestContainer>
+  );
+};
+
+export const PasswordlessWithLocalLoggedInUser = () => {
+  const props = makeProps();
+  props.initAttempt.data.localConnectorName = 'passwordless';
+  props.loggedInUserName = 'llama';
+
+  return (
+    <TestContainer>
+      <ClusterLoginPresentation {...props} />
+    </TestContainer>
+  );
+};
+
+export const SsoWithLocalAndPasswordless = () => {
+  const props = makeProps();
+  props.initAttempt.data.authType = 'github';
+  props.initAttempt.data.authProvidersList = [
+    { type: 'github', name: 'github', displayName: 'github' },
+    { type: 'saml', name: 'microsoft', displayName: 'microsoft' },
+  ];
+
+  return (
+    <TestContainer>
+      <ClusterLoginPresentation {...props} />
+    </TestContainer>
+  );
+};
+
+export const HardwareTapPrompt = () => {
   const props = makeProps();
   props.loginAttempt.status = 'processing';
-  props.shouldPromptHardwareKey = true;
-  return <ClusterLoginPresentation {...props} />;
+  props.webauthnLogin = {
+    prompt: 'tap',
+  };
+  return (
+    <TestContainer>
+      <ClusterLoginPresentation {...props} />
+    </TestContainer>
+  );
+};
+
+export const HardwarePinPrompt = () => {
+  const props = makeProps();
+  props.loginAttempt.status = 'processing';
+  props.webauthnLogin = {
+    prompt: 'pin',
+  };
+  return (
+    <TestContainer>
+      <ClusterLoginPresentation {...props} />
+    </TestContainer>
+  );
+};
+
+export const HardwareRetapPrompt = () => {
+  const props = makeProps();
+  props.loginAttempt.status = 'processing';
+  props.webauthnLogin = {
+    prompt: 'retap',
+  };
+  return (
+    <TestContainer>
+      <ClusterLoginPresentation {...props} />
+    </TestContainer>
+  );
+};
+
+export const HardwareCredentialPrompt = () => {
+  const props = makeProps();
+  props.loginAttempt.status = 'processing';
+  props.webauthnLogin = {
+    prompt: 'credential',
+    loginUsernames: [
+      'apple',
+      'banana',
+      'blueberry',
+      'carrot',
+      'durian',
+      'pumpkin',
+      'strawberry',
+    ],
+  };
+  return (
+    <TestContainer>
+      <ClusterLoginPresentation {...props} />
+    </TestContainer>
+  );
 };
 
 export const SsoPrompt = () => {
   const props = makeProps();
   props.loginAttempt.status = 'processing';
   props.shouldPromptSsoStatus = true;
-  return <ClusterLoginPresentation {...props} />;
+  return (
+    <TestContainer>
+      <ClusterLoginPresentation {...props} />
+    </TestContainer>
+  );
 };
+
+const TestContainer: React.FC = ({ children }) => (
+  <>
+    <span>Bordered box is not part of the component</span>
+    <Box
+      css={`
+        width: 450px;
+        border: 1px solid ${props => props.theme.colors.primary.lighter};
+        background: ${props => props.theme.colors.primary.main};
+      `}
+    >
+      {children}
+    </Box>
+  </>
+);
diff --git a/web/packages/teleterm/src/ui/ClusterConnect/ClusterLogin/ClusterLogin.tsx b/web/packages/teleterm/src/ui/ClusterConnect/ClusterLogin/ClusterLogin.tsx
index 6a7f4d47330ee..7e428fe899664 100644
--- a/web/packages/teleterm/src/ui/ClusterConnect/ClusterLogin/ClusterLogin.tsx
+++ b/web/packages/teleterm/src/ui/ClusterConnect/ClusterLogin/ClusterLogin.tsx
@@ -1,5 +1,5 @@
 /*
-Copyright 2019-2021 Gravitational, Inc.
+Copyright 2019-2022 Gravitational, Inc.
 
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
@@ -16,11 +16,17 @@ limitations under the License.
 
 import React from 'react';
 import * as Alerts from 'design/Alert';
-import { ButtonIcon, Text } from 'design';
+import { ButtonIcon, Text, Indicator, Box } from 'design';
 import * as Icons from 'design/Icon';
+
+import { DialogHeader, DialogContent } from 'design/Dialog';
+
+import { PrimaryAuthType } from 'shared/services';
+
+import { AuthSettings } from 'teleterm/ui/services/clusters/types';
+
 import LoginForm from './FormLogin';
 import useClusterLogin, { State, Props } from './useClusterLogin';
-import { DialogHeader, DialogContent } from 'design/Dialog';
 
 export function ClusterLogin(props: Props) {
   const state = useClusterLogin(props);
@@ -31,17 +37,19 @@ export function ClusterLoginPresentation({
   title,
   initAttempt,
   loginAttempt,
+  clearLoginAttempt,
   onLoginWithLocal,
+  onLoginWithPasswordless,
   onLoginWithSso,
   onCloseDialog,
   onAbort,
   loggedInUserName,
   shouldPromptSsoStatus,
-  shouldPromptHardwareKey,
+  webauthnLogin,
 }: State) {
   return (
     <>
-      <DialogHeader>
+      <DialogHeader px={4} pt={4} mb={0}>
         <Text typography="h4">
           Login to <b>{title}</b>
         </Text>
@@ -49,30 +57,47 @@ export function ClusterLoginPresentation({
           <Icons.Close fontSize="20px" />
         </ButtonIcon>
       </DialogHeader>
-      <DialogContent mb={2}>
+      <DialogContent mb={0}>
         {initAttempt.status === 'error' && (
-          <Alerts.Danger>
+          <Alerts.Danger m={4}>
             Unable to retrieve cluster auth preferences,{' '}
             {initAttempt.statusText}
           </Alerts.Danger>
         )}
+        {initAttempt.status === 'processing' && (
+          <Box textAlign="center" m={4}>
+            <Indicator delay="none" />
+          </Box>
+        )}
         {initAttempt.status === 'success' && (
           <LoginForm
-            title={'Sign into Teleport'}
-            authProviders={initAttempt.data.authProvidersList}
-            auth2faType={initAttempt.data.secondFactor}
-            isLocalAuthEnabled={initAttempt.data.localAuthEnabled}
-            preferredMfa={initAttempt.data.preferredMfa}
+            {...initAttempt.data}
+            primaryAuthType={getPrimaryAuthType(initAttempt.data)}
             loggedInUserName={loggedInUserName}
             onLoginWithSso={onLoginWithSso}
+            onLoginWithPasswordless={onLoginWithPasswordless}
             onLogin={onLoginWithLocal}
             onAbort={onAbort}
             loginAttempt={loginAttempt}
+            clearLoginAttempt={clearLoginAttempt}
             shouldPromptSsoStatus={shouldPromptSsoStatus}
-            shouldPromptHardwareKey={shouldPromptHardwareKey}
+            webauthnLogin={webauthnLogin}
           />
         )}
       </DialogContent>
     </>
   );
 }
+
+function getPrimaryAuthType(auth: AuthSettings): PrimaryAuthType {
+  if (auth.localConnectorName === 'passwordless') {
+    return 'passwordless';
+  }
+
+  const { authType } = auth;
+  if (authType === 'github' || authType === 'oidc' || authType === 'saml') {
+    return 'sso';
+  }
+
+  return 'local';
+}
diff --git a/web/packages/teleterm/src/ui/ClusterConnect/ClusterLogin/FormLogin/FormLocal/FormLocal.tsx b/web/packages/teleterm/src/ui/ClusterConnect/ClusterLogin/FormLogin/FormLocal/FormLocal.tsx
new file mode 100644
index 0000000000000..372897e903748
--- /dev/null
+++ b/web/packages/teleterm/src/ui/ClusterConnect/ClusterLogin/FormLogin/FormLocal/FormLocal.tsx
@@ -0,0 +1,145 @@
+/**
+ * Copyright 2022 Gravitational, Inc.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+import React, { useState, useMemo } from 'react';
+import { Flex, ButtonPrimary, Box } from 'design';
+
+import Validation, { Validator } from 'shared/components/Validation';
+import FieldInput from 'shared/components/FieldInput';
+import FieldSelect from 'shared/components/FieldSelect';
+import {
+  requiredToken,
+  requiredField,
+} from 'shared/components/Validation/rules';
+import { useRefAutoFocus } from 'shared/hooks';
+import createMfaOptions, { MfaOption } from 'shared/utils/createMfaOptions';
+
+import type { Props } from '../FormLogin';
+
+export const FormLocal = ({
+  secondFactor,
+  loginAttempt,
+  onLogin,
+  clearLoginAttempt,
+  hasTransitionEnded,
+  loggedInUserName,
+  autoFocus = false,
+}: Props & { hasTransitionEnded?: boolean }) => {
+  const [pass, setPass] = useState('');
+  const [user, setUser] = useState(loggedInUserName || '');
+  const [token, setToken] = useState('');
+
+  const mfaOptions = useMemo(
+    () => createMfaOptions({ auth2faType: secondFactor }),
+    []
+  );
+
+  const [mfaType, setMfaType] = useState(mfaOptions[0]);
+  const usernameInputRef = useRefAutoFocus<HTMLInputElement>({
+    shouldFocus: hasTransitionEnded && autoFocus && !loggedInUserName,
+  });
+  const passwordInputRef = useRefAutoFocus<HTMLInputElement>({
+    shouldFocus: hasTransitionEnded && autoFocus && !!loggedInUserName,
+  });
+
+  function onSetMfaOption(option: MfaOption, validator: Validator) {
+    setToken('');
+    clearLoginAttempt();
+    validator.reset();
+    setMfaType(option);
+  }
+
+  function onLoginClick(
+    e: React.MouseEvent<HTMLButtonElement>,
+    validator: Validator
+  ) {
+    e.preventDefault();
+    if (!validator.validate()) {
+      return;
+    }
+
+    onLogin(user, pass, token, mfaType?.value);
+  }
+
+  return (
+    <Validation>
+      {({ validator }) => (
+        <Box as="form" height={secondFactor !== 'off' ? '310px' : 'auto'}>
+          <FieldInput
+            ref={usernameInputRef}
+            rule={requiredField('Username is required')}
+            label="Username"
+            value={user}
+            onChange={e => setUser(e.target.value)}
+            placeholder="Username"
+            mb={3}
+          />
+          <FieldInput
+            ref={passwordInputRef}
+            rule={requiredField('Password is required')}
+            label="Password"
+            value={pass}
+            onChange={e => setPass(e.target.value)}
+            type="password"
+            placeholder="Password"
+            mb={3}
+            width="100%"
+          />
+          {secondFactor !== 'off' && (
+            <Flex alignItems="flex-end" mb={4}>
+              <FieldSelect
+                maxWidth="50%"
+                width="100%"
+                data-testid="mfa-select"
+                label="Two-factor type"
+                value={mfaType}
+                options={mfaOptions}
+                onChange={opt => onSetMfaOption(opt as MfaOption, validator)}
+                mr={3}
+                mb={0}
+                isDisabled={loginAttempt.status === 'processing'}
+                menuIsOpen={true}
+              />
+              {mfaType.value === 'otp' && (
+                <FieldInput
+                  width="50%"
+                  label="Authenticator code"
+                  rule={requiredToken}
+                  autoComplete="one-time-code"
+                  inputMode="numeric"
+                  value={token}
+                  onChange={e => setToken(e.target.value)}
+                  placeholder="123 456"
+                  mb={0}
+                />
+              )}
+            </Flex>
+          )}
+          <ButtonPrimary
+            width="100%"
+            mt={2}
+            mb={1}
+            type="submit"
+            size="large"
+            onClick={e => onLoginClick(e, validator)}
+            disabled={loginAttempt.status === 'processing'}
+          >
+            Sign In
+          </ButtonPrimary>
+        </Box>
+      )}
+    </Validation>
+  );
+};
diff --git a/web/packages/teleterm/src/ui/ClusterConnect/ClusterLogin/FormLogin/FormLocal/index.ts b/web/packages/teleterm/src/ui/ClusterConnect/ClusterLogin/FormLogin/FormLocal/index.ts
new file mode 100644
index 0000000000000..b57bf74092d3a
--- /dev/null
+++ b/web/packages/teleterm/src/ui/ClusterConnect/ClusterLogin/FormLogin/FormLocal/index.ts
@@ -0,0 +1,17 @@
+/**
+ * Copyright 2022 Gravitational, Inc.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+export { FormLocal } from './FormLocal';
diff --git a/web/packages/teleterm/src/ui/ClusterConnect/ClusterLogin/FormLogin/FormLogin.tsx b/web/packages/teleterm/src/ui/ClusterConnect/ClusterLogin/FormLogin/FormLogin.tsx
index 439efa20ba406..306f18e69d884 100644
--- a/web/packages/teleterm/src/ui/ClusterConnect/ClusterLogin/FormLogin/FormLogin.tsx
+++ b/web/packages/teleterm/src/ui/ClusterConnect/ClusterLogin/FormLogin/FormLogin.tsx
@@ -14,233 +14,265 @@ See the License for the specific language governing permissions and
 limitations under the License.
 */
 
-import React, { useState } from 'react';
+import React from 'react';
 import styled from 'styled-components';
-import { Text, Flex, ButtonLink, ButtonPrimary, Box } from 'design';
+import { Text, Flex, ButtonText, Box } from 'design';
 import * as Alerts from 'design/Alert';
-import Validation, { Validator } from 'shared/components/Validation';
-import FieldInput from 'shared/components/FieldInput';
-import FieldSelect from 'shared/components/FieldSelect';
-import {
-  requiredToken,
-  requiredField,
-} from 'shared/components/Validation/rules';
+import { StepSlider } from 'design/StepSlider';
 import { Attempt } from 'shared/hooks/useAsync';
-import createMfaOptions, { MfaOption } from 'shared/utils/createMfaOptions';
+
 import * as types from 'teleterm/ui/services/clusters/types';
-import SSOButtonList from './SsoButtons';
-import PromptHardwareKey from './PromptHardwareKey';
+
+import { PromptWebauthn } from './PromptWebauthn';
 import PromptSsoStatus from './PromptSsoStatus';
+import { FormPasswordless } from './FormPasswordless';
+import { FormSso } from './FormSso';
+import { FormLocal } from './FormLocal';
+
+import type { WebauthnLogin } from '../useClusterLogin';
+import type { PrimaryAuthType } from 'shared/services';
+import type { StepComponentProps } from 'design/StepSlider';
 
 export default function LoginForm(props: Props) {
   const {
-    title,
-    loggedInUserName,
     loginAttempt,
-    preferredMfa,
     onAbort,
-    onLogin,
-    onLoginWithSso,
-    authProviders,
-    auth2faType,
-    isLocalAuthEnabled = true,
+    authProvidersList,
+    localAuthEnabled = true,
     shouldPromptSsoStatus,
-    shouldPromptHardwareKey,
+    webauthnLogin,
   } = props;
 
-  const isProcessing = loginAttempt.status === 'processing';
-  const ssoEnabled = authProviders && authProviders.length > 0;
-  const mfaOptions = createMfaOptions({
-    auth2faType,
-    preferredType: preferredMfa,
-  });
-  const [mfaType, setMfaType] = useState<MfaOption>(mfaOptions[0]);
-  const [pass, setPass] = useState('');
-  const [user, setUser] = useState(loggedInUserName || '');
-  const [token, setToken] = useState('');
-
-  const [isExpanded, toggleExpander] = useState(
-    !(isLocalAuthEnabled && ssoEnabled)
-  );
-
-  function handleLocalLoginClick() {
-    onLogin(user, pass, token, mfaType?.value);
+  if (webauthnLogin) {
+    return <PromptWebauthn onCancel={onAbort} {...webauthnLogin} />;
   }
 
-  function handleChangeMfaOption(option: MfaOption, validator: Validator) {
-    setToken('');
-    validator.reset();
-    setMfaType(option);
+  if (shouldPromptSsoStatus) {
+    return <PromptSsoStatus onCancel={onAbort} />;
   }
 
-  if (!ssoEnabled && !isLocalAuthEnabled) {
-    return <LoginDisabled title={title} />;
-  }
+  const ssoEnabled = authProvidersList?.length > 0;
 
-  if (shouldPromptHardwareKey) {
-    return <PromptHardwareKey onCancel={onAbort} />;
+  // If local auth was not enabled, disregard any primary auth type config
+  // and display sso providers if any.
+  if (!localAuthEnabled && ssoEnabled) {
+    return (
+      <FlexBordered p={4} pb={5}>
+        {loginAttempt.status === 'error' && (
+          <Alerts.Danger m={5} mb={0}>
+            {loginAttempt.statusText}
+          </Alerts.Danger>
+        )}
+        <FormSso {...props} />
+      </FlexBordered>
+    );
   }
 
-  if (shouldPromptSsoStatus) {
-    return <PromptSsoStatus onCancel={onAbort} />;
+  if (!localAuthEnabled) {
+    return (
+      <FlexBordered p={4}>
+        <Alerts.Danger>Login has not been enabled</Alerts.Danger>
+        <Text mb={2} typography="paragraph2" width="100%">
+          The ability to login has not been enabled. Please contact your system
+          administrator for more information.
+        </Text>
+      </FlexBordered>
+    );
   }
 
+  // Everything below requires local auth to be enabled.
   return (
-    <Validation>
-      {({ validator }) => (
-        <>
-          {loginAttempt.status === 'error' && (
-            <Alerts.Danger>{loginAttempt.statusText}</Alerts.Danger>
-          )}
-          {ssoEnabled && (
-            <SSOButtonList
-              prefixText="Login with"
-              isDisabled={loginAttempt.status === 'processing'}
-              providers={authProviders}
-              onClick={onLoginWithSso}
-            />
-          )}
-          {ssoEnabled && isLocalAuthEnabled && (
-            <Flex
-              alignItems="center"
-              justifyContent="center"
-              style={{ position: 'relative' }}
-              flexDirection="column"
-              mb={1}
-            >
-              <StyledOr>Or</StyledOr>
-            </Flex>
-          )}
-          {ssoEnabled && isLocalAuthEnabled && !isExpanded && (
-            <FlexBordered flexDirection="row">
-              <ButtonLink autoFocus onClick={() => toggleExpander(!isExpanded)}>
-                Sign in with your Username and Password
-              </ButtonLink>
-            </FlexBordered>
-          )}
-          {isLocalAuthEnabled && isExpanded && (
-            <FlexBordered
-              as="form"
-              onSubmit={e => {
-                e.preventDefault();
-                validator.validate() && handleLocalLoginClick();
-              }}
-            >
-              <FieldInput
-                rule={requiredField('Username is required')}
-                label="Username"
-                autoFocus={!loggedInUserName}
-                value={user}
-                onChange={e => setUser(e.target.value)}
-                placeholder="Username"
-              />
-              <Box mb={4}>
-                <FieldInput
-                  rule={requiredField('Password is required')}
-                  label="Password"
-                  value={pass}
-                  autoFocus={!!loggedInUserName}
-                  onChange={e => setPass(e.target.value)}
-                  type="password"
-                  placeholder="Password"
-                  mb={0}
-                  width="100%"
-                />
-              </Box>
-              {auth2faType !== 'off' && (
-                <Box mb={4}>
-                  <Flex alignItems="flex-end">
-                    <FieldSelect
-                      menuPosition="fixed"
-                      maxWidth="50%"
-                      width="100%"
-                      data-testid="mfa-select"
-                      label="Two-factor type"
-                      value={mfaType}
-                      options={mfaOptions}
-                      onChange={opt =>
-                        handleChangeMfaOption(opt as MfaOption, validator)
-                      }
-                      mr={3}
-                      mb={0}
-                      isDisabled={isProcessing}
-                    />
-                    {mfaType.value === 'otp' && (
-                      <FieldInput
-                        width="50%"
-                        label="Authenticator code"
-                        rule={requiredToken}
-                        inputMode="numeric"
-                        autoComplete="one-time-code"
-                        value={token}
-                        onChange={e => setToken(e.target.value)}
-                        placeholder="123 456"
-                        mb={0}
-                      />
-                    )}
-                  </Flex>
-                </Box>
-              )}
-              <ButtonPrimary
-                width="100%"
-                mt={3}
-                type="submit"
-                size="large"
-                disabled={isProcessing}
-              >
-                LOGIN
-              </ButtonPrimary>
-            </FlexBordered>
-          )}
-        </>
+    <FlexBordered>
+      {loginAttempt.status === 'error' && (
+        <Alerts.Danger m={4} mb={0}>
+          {loginAttempt.statusText}
+        </Alerts.Danger>
       )}
-    </Validation>
+      <StepSlider<typeof loginViews>
+        flows={loginViews}
+        currFlow={'default'}
+        {...props}
+      />
+    </FlexBordered>
   );
 }
 
-const FlexBordered = props => (
-  <Flex justifyContent="center" flexDirection="column" {...props} />
+// Primary determines which authentication type to display
+// on initial render of the login form.
+const Primary = ({
+  next,
+  refCallback,
+  hasTransitionEnded,
+  ...otherProps
+}: Props & StepComponentProps) => {
+  const ssoEnabled = otherProps.authProvidersList?.length > 0;
+  let otherOptionsAvailable = true;
+  let $primary;
+
+  switch (otherProps.primaryAuthType) {
+    case 'passwordless':
+      $primary = <FormPasswordless {...otherProps} autoFocus={true} />;
+      break;
+    case 'sso':
+      $primary = <FormSso {...otherProps} autoFocus={true} />;
+      break;
+    case 'local':
+      otherOptionsAvailable = otherProps.allowPasswordless || ssoEnabled;
+      $primary = (
+        <FormLocal
+          {...otherProps}
+          hasTransitionEnded={hasTransitionEnded}
+          autoFocus={true}
+        />
+      );
+      break;
+  }
+
+  return (
+    <Box ref={refCallback} px={4} py={3}>
+      <Box mb={3}>{$primary}</Box>
+      {otherOptionsAvailable && (
+        <Box textAlign="center">
+          <ButtonText
+            disabled={otherProps.loginAttempt.status === 'processing'}
+            onClick={e => {
+              e.preventDefault();
+              otherProps.clearLoginAttempt();
+              next();
+            }}
+          >
+            Other sign-in options
+          </ButtonText>
+        </Box>
+      )}
+    </Box>
+  );
+};
+
+// Secondary determines what other forms of authentication
+// is allowed for the user to login with.
+//
+// There can be multiple authn types available, which will
+// be visually separated by a divider.
+const Secondary = ({
+  prev,
+  refCallback,
+  ...otherProps
+}: Props & StepComponentProps) => {
+  const ssoEnabled = otherProps.authProvidersList?.length > 0;
+  const { primaryAuthType, allowPasswordless } = otherProps;
+
+  let $secondary;
+  switch (primaryAuthType) {
+    case 'passwordless':
+      if (ssoEnabled) {
+        $secondary = (
+          <>
+            <FormSso {...otherProps} autoFocus={true} />
+            <Divider />
+            <FormLocal {...otherProps} />
+          </>
+        );
+      } else {
+        $secondary = <FormLocal {...otherProps} autoFocus={true} />;
+      }
+      break;
+    case 'sso':
+      if (allowPasswordless) {
+        $secondary = (
+          <>
+            <FormPasswordless {...otherProps} autoFocus={true} />
+            <Divider />
+            <FormLocal {...otherProps} />
+          </>
+        );
+      } else {
+        $secondary = <FormLocal {...otherProps} autoFocus={true} />;
+      }
+      break;
+    case 'local':
+      if (allowPasswordless) {
+        $secondary = (
+          <>
+            <FormPasswordless {...otherProps} autoFocus={true} />
+            {otherProps.allowPasswordless && ssoEnabled && <Divider />}
+            {ssoEnabled && <FormSso {...otherProps} />}
+          </>
+        );
+      } else {
+        $secondary = <FormSso {...otherProps} autoFocus={true} />;
+      }
+      break;
+  }
+
+  return (
+    <Box ref={refCallback} px={4} py={3}>
+      {$secondary}
+      <Box pt={3} textAlign="center">
+        <ButtonText
+          disabled={otherProps.loginAttempt.status === 'processing'}
+          onClick={() => {
+            otherProps.clearLoginAttempt();
+            prev();
+          }}
+        >
+          Back
+        </ButtonText>
+      </Box>
+    </Box>
+  );
+};
+
+const Divider = () => (
+  <Flex
+    alignItems="center"
+    justifyContent="center"
+    flexDirection="column"
+    borderBottom={1}
+    borderColor="text.placeholder"
+    mx={4}
+    mt={4}
+    mb={4}
+  >
+    <StyledOr>Or</StyledOr>
+  </Flex>
 );
 
-const LoginDisabled = ({ title = '' }) => (
-  <>
-    <Alerts.Danger my={5}>Login has not been enabled for {title}</Alerts.Danger>
-    <Text mb={2} typography="paragraph2" width="100%">
-      The ability to login has not been enabled. Please contact your system
-      administrator for more information.
-    </Text>
-  </>
+const FlexBordered = props => (
+  <Flex justifyContent="center" flexDirection="column" {...props} />
 );
 
 const StyledOr = styled.div`
-  background: ${props => props.theme.colors.primary.light};
+  background: ${props => props.theme.colors.primary.main};
   display: flex;
   align-items: center;
   font-size: 10px;
   height: 32px;
   width: 32px;
   justify-content: center;
-  border-radius: 50%;
+  position: absolute;
+  z-index: 1;
 `;
 
+const loginViews = { default: [Primary, Secondary] };
+
 type LoginAttempt = Attempt<void>;
 
-type Props = {
+export type Props = types.AuthSettings & {
   shouldPromptSsoStatus: boolean;
-  shouldPromptHardwareKey: boolean;
+  webauthnLogin: WebauthnLogin;
   loginAttempt: LoginAttempt;
-  title?: string;
-  isLocalAuthEnabled?: boolean;
-  preferredMfa: types.PreferredMfaType;
-  auth2faType?: types.Auth2faType;
-  authProviders: types.AuthProvider[];
+  clearLoginAttempt(): void;
+  primaryAuthType: PrimaryAuthType;
   loggedInUserName?: string;
   onAbort(): void;
   onLoginWithSso(provider: types.AuthProvider): void;
+  onLoginWithPasswordless(): void;
   onLogin(
     username: string,
     password: string,
     token: string,
     auth2fa: types.Auth2faType
   ): void;
+  autoFocus?: boolean;
 };
diff --git a/web/packages/teleterm/src/ui/ClusterConnect/ClusterLogin/FormLogin/FormPasswordless/FormPasswordless.tsx b/web/packages/teleterm/src/ui/ClusterConnect/ClusterLogin/FormLogin/FormPasswordless/FormPasswordless.tsx
new file mode 100644
index 0000000000000..2489e11c48be9
--- /dev/null
+++ b/web/packages/teleterm/src/ui/ClusterConnect/ClusterLogin/FormLogin/FormPasswordless/FormPasswordless.tsx
@@ -0,0 +1,72 @@
+/**
+ * Copyright 2022 Gravitational, Inc.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+import React from 'react';
+import styled from 'styled-components';
+import { Text, Flex, ButtonText, Box } from 'design';
+import { Key, ArrowForward } from 'design/Icon';
+
+import type { Props } from '../FormLogin';
+
+export const FormPasswordless = ({
+  loginAttempt,
+  onLoginWithPasswordless,
+  autoFocus = false,
+}: Props) => (
+  <Box data-testid="passwordless">
+    <StyledPaswordlessBtn
+      py={2}
+      px={3}
+      border={1}
+      borderRadius={2}
+      borderColor="text.placeholder"
+      width="100%"
+      onClick={onLoginWithPasswordless}
+      disabled={loginAttempt.status === 'processing'}
+      autoFocus={autoFocus}
+    >
+      <Flex alignItems="center" justifyContent="space-between">
+        <Flex alignItems="center">
+          <Key mr={3} fontSize={16} />
+          <Box>
+            <Text typography="h6">Passwordless</Text>
+            <Text fontSize={1} color="text.secondary">
+              Follow the prompts
+            </Text>
+          </Box>
+        </Flex>
+        <ArrowForward fontSize={16} />
+      </Flex>
+    </StyledPaswordlessBtn>
+  </Box>
+);
+
+const StyledPaswordlessBtn = styled(ButtonText)`
+  display: block;
+  text-align: left;
+  border: 1px solid ${({ theme }) => theme.colors.text.placeholder};
+
+  &:hover,
+  &:active,
+  &:focus {
+    border-color: ${({ theme }) => theme.colors.action.active};
+    text-decoration: none;
+  }
+
+  &[disabled] {
+    pointer-events: none;
+    opacity: 0.7;
+  }
+`;
diff --git a/web/packages/teleterm/src/ui/ClusterConnect/ClusterLogin/FormLogin/FormPasswordless/index.ts b/web/packages/teleterm/src/ui/ClusterConnect/ClusterLogin/FormLogin/FormPasswordless/index.ts
new file mode 100644
index 0000000000000..b21162ae81a3d
--- /dev/null
+++ b/web/packages/teleterm/src/ui/ClusterConnect/ClusterLogin/FormLogin/FormPasswordless/index.ts
@@ -0,0 +1,17 @@
+/**
+ * Copyright 2022 Gravitational, Inc.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+export { FormPasswordless } from './FormPasswordless';
diff --git a/web/packages/teleterm/src/ui/ClusterConnect/ClusterLogin/FormLogin/FormSso/FormSso.tsx b/web/packages/teleterm/src/ui/ClusterConnect/ClusterLogin/FormLogin/FormSso/FormSso.tsx
new file mode 100644
index 0000000000000..1391795956976
--- /dev/null
+++ b/web/packages/teleterm/src/ui/ClusterConnect/ClusterLogin/FormLogin/FormSso/FormSso.tsx
@@ -0,0 +1,41 @@
+/**
+ * Copyright 2022 Gravitational, Inc.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+import React from 'react';
+import { Box } from 'design';
+
+import SSOButtonList from './SsoButtons';
+
+import type { Props } from '../FormLogin';
+
+export const FormSso = ({
+  loginAttempt,
+  authProvidersList,
+  onLoginWithSso,
+  autoFocus = false,
+}: Props) => {
+  return (
+    <Box textAlign="center">
+      <SSOButtonList
+        prefixText="Login with"
+        isDisabled={loginAttempt.status === 'processing'}
+        providers={authProvidersList}
+        onClick={onLoginWithSso}
+        autoFocus={autoFocus}
+      />
+    </Box>
+  );
+};
diff --git a/web/packages/teleterm/src/ui/ClusterConnect/ClusterLogin/FormLogin/SsoButtons.tsx b/web/packages/teleterm/src/ui/ClusterConnect/ClusterLogin/FormLogin/FormSso/SsoButtons.tsx
similarity index 81%
rename from web/packages/teleterm/src/ui/ClusterConnect/ClusterLogin/FormLogin/SsoButtons.tsx
rename to web/packages/teleterm/src/ui/ClusterConnect/ClusterLogin/FormLogin/FormSso/SsoButtons.tsx
index 2b5cbdcd80b0c..bc6367be069f7 100644
--- a/web/packages/teleterm/src/ui/ClusterConnect/ClusterLogin/FormLogin/SsoButtons.tsx
+++ b/web/packages/teleterm/src/ui/ClusterConnect/ClusterLogin/FormLogin/FormSso/SsoButtons.tsx
@@ -19,18 +19,26 @@ import { Box } from 'design';
 import ButtonSso, { guessProviderType } from 'shared/components/ButtonSso';
 import * as types from 'teleterm/ui/services/clusters/types';
 
-const SSOBtnList = ({ providers, prefixText, isDisabled, onClick }: Props) => {
+const SSOBtnList = ({
+  providers,
+  prefixText,
+  isDisabled,
+  onClick,
+  autoFocus = false,
+}: Props) => {
   const $btns = providers.map((item, index) => {
     let { name, type, displayName } = item;
     const title = displayName || `${prefixText} ${name}`;
     const ssoType = guessProviderType(title, type as types.AuthProviderType);
+    const isLastItem = providers.length - 1 === index;
     return (
       <ButtonSso
         key={index}
         title={title}
         ssoType={ssoType}
         disabled={isDisabled}
-        mt={3}
+        mb={isLastItem ? 0 : 3}
+        autoFocus={index === 0 && autoFocus}
         onClick={e => {
           e.preventDefault();
           onClick(item);
@@ -43,11 +51,7 @@ const SSOBtnList = ({ providers, prefixText, isDisabled, onClick }: Props) => {
     return <h4> You have no SSO providers configured </h4>;
   }
 
-  return (
-    <Box pt={2} mb={3}>
-      {$btns}
-    </Box>
-  );
+  return <Box>{$btns}</Box>;
 };
 
 type Props = {
@@ -55,6 +59,8 @@ type Props = {
   isDisabled: boolean;
   onClick(provider: types.AuthProvider): void;
   providers: types.AuthProvider[];
+  // autoFocus focuses on the first button in list.
+  autoFocus?: boolean;
 };
 
 export default SSOBtnList;
diff --git a/web/packages/teleterm/src/ui/ClusterConnect/ClusterLogin/FormLogin/FormSso/index.ts b/web/packages/teleterm/src/ui/ClusterConnect/ClusterLogin/FormLogin/FormSso/index.ts
new file mode 100644
index 0000000000000..f5c3e6212c70e
--- /dev/null
+++ b/web/packages/teleterm/src/ui/ClusterConnect/ClusterLogin/FormLogin/FormSso/index.ts
@@ -0,0 +1,17 @@
+/**
+ * Copyright 2022 Gravitational, Inc.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+export { FormSso } from './FormSso';
diff --git a/web/packages/teleterm/src/ui/ClusterConnect/ClusterLogin/FormLogin/PromptHardwareKey/PromptHardwareKey.tsx b/web/packages/teleterm/src/ui/ClusterConnect/ClusterLogin/FormLogin/PromptHardwareKey/PromptHardwareKey.tsx
deleted file mode 100644
index c768545df505f..0000000000000
--- a/web/packages/teleterm/src/ui/ClusterConnect/ClusterLogin/FormLogin/PromptHardwareKey/PromptHardwareKey.tsx
+++ /dev/null
@@ -1,48 +0,0 @@
-/**
- * Copyright 2021 Gravitational, Inc.
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- *     http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-import React from 'react';
-import { Box, ButtonSecondary, Text, Image, Flex } from 'design';
-import LinearProgress from 'teleterm/ui/components/LinearProgress';
-
-const svg = require('./hardware.svg');
-
-export default function PromptHardwareKey(props: Props) {
-  return (
-    <Flex
-      flex="1"
-      minHeight="40px"
-      px={3}
-      py={3}
-      flexDirection="column"
-      justifyContent="space-between"
-      alignItems="center"
-    >
-      <Image mb={4} width="200px" src={svg} />
-      <Box mb={4} style={{ position: 'relative' }}>
-        <Text bold>Insert your security key and touch it</Text>
-        <LinearProgress />
-      </Box>
-      <ButtonSecondary width={120} size="small" onClick={props.onCancel}>
-        Cancel
-      </ButtonSecondary>
-    </Flex>
-  );
-}
-
-export type Props = {
-  onCancel(): void;
-};
diff --git a/web/packages/teleterm/src/ui/ClusterConnect/ClusterLogin/FormLogin/PromptSsoStatus/PromptSsoStatus.tsx b/web/packages/teleterm/src/ui/ClusterConnect/ClusterLogin/FormLogin/PromptSsoStatus/PromptSsoStatus.tsx
index 2a10083148b17..30eb35a1363a5 100644
--- a/web/packages/teleterm/src/ui/ClusterConnect/ClusterLogin/FormLogin/PromptSsoStatus/PromptSsoStatus.tsx
+++ b/web/packages/teleterm/src/ui/ClusterConnect/ClusterLogin/FormLogin/PromptSsoStatus/PromptSsoStatus.tsx
@@ -26,9 +26,10 @@ export default function PromptSsoStatus(props: Props) {
       flexDirection="column"
       justifyContent="space-between"
       alignItems="center"
+      p={5}
     >
       <Box mb={4} style={{ position: 'relative' }}>
-        <Text bold mb={2}>
+        <Text bold mb={2} textAlign="center">
           Please follow the steps in the new browser window to authenticate.
         </Text>
         <LinearProgress />
diff --git a/web/packages/teleterm/src/ui/ClusterConnect/ClusterLogin/FormLogin/PromptWebauthn/PromptWebauthn.tsx b/web/packages/teleterm/src/ui/ClusterConnect/ClusterLogin/FormLogin/PromptWebauthn/PromptWebauthn.tsx
new file mode 100644
index 0000000000000..8e6441ebd32c4
--- /dev/null
+++ b/web/packages/teleterm/src/ui/ClusterConnect/ClusterLogin/FormLogin/PromptWebauthn/PromptWebauthn.tsx
@@ -0,0 +1,205 @@
+/**
+ * Copyright 2021-2022 Gravitational, Inc.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+import React from 'react';
+import { Box, ButtonSecondary, ButtonPrimary, Text, Image, Flex } from 'design';
+import FieldInput from 'shared/components/FieldInput';
+import Validation from 'shared/components/Validation';
+
+import LinearProgress from 'teleterm/ui/components/LinearProgress';
+
+import svgHardwareKey from './hardware.svg';
+
+import type { WebauthnLogin } from '../../useClusterLogin';
+
+export function PromptWebauthn(props: Props) {
+  const { prompt } = props;
+  return (
+    <Box minHeight="40px" p={4}>
+      {prompt === 'credential' && <PromptCredential {...props} />}
+      {(prompt === 'tap' || prompt === 'retap') && <PromptTouch {...props} />}
+      {prompt === 'pin' && <PromptPin {...props} />}
+    </Box>
+  );
+}
+
+function PromptTouch({ onCancel, prompt }: Props) {
+  return (
+    <>
+      <Image mb={4} width="200px" src={svgHardwareKey} mx="auto" />
+      <Box textAlign="center" style={{ position: 'relative' }}>
+        {prompt === 'retap' ? (
+          <Text bold>Tap your security key again to complete the request</Text>
+        ) : (
+          <Text bold>Insert your security key and tap it</Text>
+        )}
+        <LinearProgress />
+      </Box>
+      <ActionButtons onCancel={onCancel} />
+    </>
+  );
+}
+
+function PromptCredential({
+  loginUsernames,
+  onUserResponse,
+  processing,
+  onCancel,
+}: Props) {
+  return (
+    <Box height="330px" width="100%">
+      <Text mb={2} bold>
+        Select the user for login:
+      </Text>
+      <Box
+        disabled={processing}
+        css={`
+          overflow: auto;
+          height: 240px;
+          width: 100%;
+          padding: 8px;
+          border: 1px solid #252c52;
+          border-radius: 4px;
+          &[disabled] {
+            pointer-events: none;
+            opacity: 0.5;
+          }
+        `}
+      >
+        {loginUsernames.map((username, index) => {
+          return (
+            <button
+              key={index}
+              autoFocus={index === 0}
+              css={`
+                background: inherit;
+                color: inherit;
+                font-size: inherit;
+                font-family: inherit;
+                line-height: inherit;
+                display: block;
+                border: none;
+                padding: 8px;
+                width: 100%;
+                text-align: left;
+                &:hover,
+                &:focus {
+                  cursor: pointer;
+                  background: ${props => props.theme.colors.action.hover};
+                }
+              `}
+              onClick={() => onUserResponse(index)}
+            >
+              {username}
+            </button>
+          );
+        })}
+      </Box>
+      <ActionButtons onCancel={onCancel} />
+    </Box>
+  );
+}
+
+function PromptPin({ onCancel, onUserResponse, processing }: Props) {
+  const [pin, setPin] = React.useState('');
+
+  return (
+    <Validation>
+      {({ validator }) => (
+        <form
+          onSubmit={e => {
+            e.preventDefault();
+            validator.validate() && onUserResponse(pin);
+          }}
+        >
+          <Box>
+            <FieldInput
+              width="240px"
+              label="Enter the PIN for your security key"
+              rule={requiredLength}
+              type="password"
+              value={pin}
+              onChange={e => setPin(e.target.value.trim())}
+              placeholder="1234"
+              autoFocus
+            />
+          </Box>
+          <ActionButtons
+            onCancel={onCancel}
+            nextButton={{
+              isVisible: true,
+              isDisabled: processing || pin.length === 0,
+            }}
+          />
+        </form>
+      )}
+    </Validation>
+  );
+}
+
+function ActionButtons({
+  onCancel,
+  nextButton = { isVisible: false, isDisabled: false },
+}: {
+  onCancel(): void;
+  nextButton?: {
+    isVisible: boolean;
+    isDisabled: boolean;
+  };
+}) {
+  return (
+    <Flex justifyContent="flex-end" mt={4}>
+      <ButtonSecondary
+        type="button"
+        width={80}
+        size="small"
+        onClick={onCancel}
+        mr={nextButton.isVisible ? 3 : 0}
+      >
+        Cancel
+      </ButtonSecondary>
+      {/* The caller of this component needs to handle wrapping
+      this in a <form> element to handle `onSubmit` event on enter key*/}
+      {nextButton.isVisible && (
+        <ButtonPrimary
+          type="submit"
+          width={80}
+          size="small"
+          disabled={nextButton.isDisabled}
+        >
+          Next
+        </ButtonPrimary>
+      )}
+    </Flex>
+  );
+}
+
+const requiredLength = value => () => {
+  if (!value || value.length < 4) {
+    return {
+      valid: false,
+      message: 'pin must be at least 4 characters',
+    };
+  }
+
+  return {
+    valid: true,
+  };
+};
+
+export type Props = WebauthnLogin & {
+  onCancel(): void;
+};
diff --git a/web/packages/teleterm/src/ui/ClusterConnect/ClusterLogin/FormLogin/PromptHardwareKey/hardware.svg b/web/packages/teleterm/src/ui/ClusterConnect/ClusterLogin/FormLogin/PromptWebauthn/hardware.svg
similarity index 100%
rename from web/packages/teleterm/src/ui/ClusterConnect/ClusterLogin/FormLogin/PromptHardwareKey/hardware.svg
rename to web/packages/teleterm/src/ui/ClusterConnect/ClusterLogin/FormLogin/PromptWebauthn/hardware.svg
diff --git a/web/packages/teleterm/src/ui/ClusterConnect/ClusterLogin/FormLogin/PromptHardwareKey/index.ts b/web/packages/teleterm/src/ui/ClusterConnect/ClusterLogin/FormLogin/PromptWebauthn/index.ts
similarity index 86%
rename from web/packages/teleterm/src/ui/ClusterConnect/ClusterLogin/FormLogin/PromptHardwareKey/index.ts
rename to web/packages/teleterm/src/ui/ClusterConnect/ClusterLogin/FormLogin/PromptWebauthn/index.ts
index 6dd0745e33377..71ecb48beead2 100644
--- a/web/packages/teleterm/src/ui/ClusterConnect/ClusterLogin/FormLogin/PromptHardwareKey/index.ts
+++ b/web/packages/teleterm/src/ui/ClusterConnect/ClusterLogin/FormLogin/PromptWebauthn/index.ts
@@ -14,5 +14,4 @@ See the License for the specific language governing permissions and
 limitations under the License.
 */
 
-import PromptHardwareKey from './PromptHardwareKey';
-export default PromptHardwareKey;
+export { PromptWebauthn } from './PromptWebauthn';
diff --git a/web/packages/teleterm/src/ui/ClusterConnect/ClusterLogin/useClusterLogin.ts b/web/packages/teleterm/src/ui/ClusterConnect/ClusterLogin/useClusterLogin.ts
index 42b4b6ea9f01a..35238ca9c9828 100644
--- a/web/packages/teleterm/src/ui/ClusterConnect/ClusterLogin/useClusterLogin.ts
+++ b/web/packages/teleterm/src/ui/ClusterConnect/ClusterLogin/useClusterLogin.ts
@@ -15,18 +15,21 @@
  */
 
 import { useState, useEffect, useRef } from 'react';
+
+import { useAsync } from 'shared/hooks/useAsync';
+
 import * as types from 'teleterm/ui/services/clusters/types';
 import { useAppContext } from 'teleterm/ui/appContextProvider';
-import { useAsync } from 'shared/hooks/useAsync';
+import { assertUnreachable } from 'teleterm/ui/utils';
 
 export default function useClusterLogin(props: Props) {
   const { onSuccess, clusterUri } = props;
   const { clustersService } = useAppContext();
   const cluster = clustersService.findCluster(clusterUri);
   const refAbortCtrl = useRef<types.tsh.TshAbortController>(null);
-  const [shouldPromptSsoStatus, promptSsoStatus] = useState(false);
-  const [shouldPromptHardwareKey, promptHardwareKey] = useState(false);
   const loggedInUserName = cluster.loggedInUser?.name || null;
+  const [shouldPromptSsoStatus, promptSsoStatus] = useState(false);
+  const [webauthnLogin, setWebauthnLogin] = useState<WebauthnLogin>();
 
   const [initAttempt, init] = useAsync(async () => {
     const authSettings = await clustersService.getAuthSettings(clusterUri);
@@ -40,24 +43,83 @@ export default function useClusterLogin(props: Props) {
     return authSettings;
   });
 
-  const [loginAttempt, login] = useAsync((opts: types.LoginParams) => {
-    refAbortCtrl.current = clustersService.client.createAbortController();
-    return clustersService.login(opts, refAbortCtrl.current.signal);
-  });
+  const [loginAttempt, login, setAttempt] = useAsync(
+    (params: types.LoginParams) => {
+      refAbortCtrl.current = clustersService.client.createAbortController();
+      switch (params.kind) {
+        case 'local':
+          return clustersService.loginLocal(
+            params,
+            refAbortCtrl.current.signal
+          );
+        case 'passwordless':
+          return clustersService.loginPasswordless(
+            params,
+            refAbortCtrl.current.signal
+          );
+        case 'sso':
+          return clustersService.loginSso(params, refAbortCtrl.current.signal);
+        default:
+          assertUnreachable(params);
+      }
+    }
+  );
 
   const onLoginWithLocal = (
-    username: '',
-    password: '',
-    token: '',
-    authType?: types.Auth2faType
+    username: string,
+    password: string,
+    token: string,
+    secondFactor?: types.Auth2faType
   ) => {
-    promptHardwareKey(authType === 'webauthn');
+    if (secondFactor === 'webauthn') {
+      setWebauthnLogin({ prompt: 'tap' });
+    }
+
     login({
+      kind: 'local',
       clusterUri,
-      local: {
-        username,
-        password,
-        token,
+      username,
+      password,
+      token,
+    });
+  };
+
+  const onLoginWithPasswordless = () => {
+    login({
+      kind: 'passwordless',
+      clusterUri,
+      onPromptCallback: (prompt: types.WebauthnLoginPrompt) => {
+        const newLogin: WebauthnLogin = {
+          prompt: prompt.type,
+          processing: false,
+        };
+
+        if (prompt.type === 'pin') {
+          newLogin.onUserResponse = (pin: string) => {
+            setWebauthnLogin({
+              ...newLogin,
+              // prevent user from clicking on submit buttons more than once
+              processing: true,
+            });
+            prompt.onUserResponse(pin);
+          };
+        }
+
+        if (prompt.type === 'credential') {
+          newLogin.loginUsernames = prompt.data.credentials.map(
+            c => c.username
+          );
+          newLogin.onUserResponse = (index: number) => {
+            setWebauthnLogin({
+              ...newLogin,
+              // prevent user from clicking on multiple usernames
+              processing: true,
+            });
+            prompt.onUserResponse(index);
+          };
+        }
+
+        setWebauthnLogin(newLogin);
       },
     });
   };
@@ -65,11 +127,10 @@ export default function useClusterLogin(props: Props) {
   const onLoginWithSso = (provider: types.AuthProvider) => {
     promptSsoStatus(true);
     login({
+      kind: 'sso',
       clusterUri,
-      sso: {
-        providerName: provider.name,
-        providerType: provider.type,
-      },
+      providerName: provider.name,
+      providerType: provider.type,
     });
   };
 
@@ -82,13 +143,19 @@ export default function useClusterLogin(props: Props) {
     props.onCancel();
   };
 
+  // Since the login form can have two views (primary and secondary)
+  // we need to clear any rendered error dialogs before switching.
+  const clearLoginAttempt = () => {
+    setAttempt({ status: '', statusText: '', data: null });
+  };
+
   useEffect(() => {
     init();
   }, []);
 
   useEffect(() => {
     if (loginAttempt.status !== 'processing') {
-      promptHardwareKey(false);
+      setWebauthnLogin(null);
       promptSsoStatus(false);
     }
 
@@ -99,15 +166,17 @@ export default function useClusterLogin(props: Props) {
 
   return {
     shouldPromptSsoStatus,
-    shouldPromptHardwareKey,
+    webauthnLogin,
     title: cluster?.name,
     loggedInUserName,
     onLoginWithLocal,
+    onLoginWithPasswordless,
     onLoginWithSso,
     onCloseDialog,
     onAbort,
     loginAttempt,
     initAttempt,
+    clearLoginAttempt,
   };
 }
 
@@ -118,3 +187,11 @@ export type Props = {
   onCancel(): void;
   onSuccess?(): void;
 };
+
+export type WebauthnLogin = {
+  prompt: types.WebauthnLoginPrompt['type'];
+  // The below fields are only ever used for passwordless login flow.
+  processing?: boolean;
+  loginUsernames?: string[];
+  onUserResponse?(val: number | string): void;
+};
diff --git a/web/packages/teleterm/src/ui/TopBar/Connections/ConnectionsFilterableList/ConnectionItem.tsx b/web/packages/teleterm/src/ui/TopBar/Connections/ConnectionsFilterableList/ConnectionItem.tsx
index 97e3e9c031fe9..b02f8258889ac 100644
--- a/web/packages/teleterm/src/ui/TopBar/Connections/ConnectionsFilterableList/ConnectionItem.tsx
+++ b/web/packages/teleterm/src/ui/TopBar/Connections/ConnectionsFilterableList/ConnectionItem.tsx
@@ -1,11 +1,15 @@
 import React from 'react';
 import { ButtonIcon, Flex, Text } from 'design';
 import { Trash, Unlink } from 'design/Icon';
+
 import { ExtendedTrackedConnection } from 'teleterm/ui/services/connectionTracker';
 import { ListItem } from 'teleterm/ui/components/ListItem';
-import { ConnectionStatusIndicator } from './ConnectionStatusIndicator';
+import { assertUnreachable } from 'teleterm/ui/utils';
+
 import { useKeyboardArrowsNavigation } from 'teleterm/ui/components/KeyboardArrowsNavigation';
 
+import { ConnectionStatusIndicator } from './ConnectionStatusIndicator';
+
 interface ConnectionItemProps {
   index: number;
   item: ExtendedTrackedConnection;
@@ -128,7 +132,3 @@ function getKindName(kind: ExtendedTrackedConnection['kind']): string {
       assertUnreachable(kind);
   }
 }
-
-function assertUnreachable(x: never): never {
-  throw new Error(`Unhandled case: ${x}`);
-}
diff --git a/web/packages/teleterm/src/ui/services/clusters/clustersService.test.ts b/web/packages/teleterm/src/ui/services/clusters/clustersService.test.ts
index 7fdf45e85dad3..82c5213aa0a92 100644
--- a/web/packages/teleterm/src/ui/services/clusters/clustersService.test.ts
+++ b/web/packages/teleterm/src/ui/services/clusters/clustersService.test.ts
@@ -96,7 +96,9 @@ function createService(
 
 function getClientMocks(): Partial<tsh.TshClient> {
   return {
-    login: jest.fn().mockResolvedValueOnce(undefined),
+    loginLocal: jest.fn().mockResolvedValueOnce(undefined),
+    loginSso: jest.fn().mockResolvedValueOnce(undefined),
+    loginPasswordless: jest.fn().mockResolvedValueOnce(undefined),
     logout: jest.fn().mockResolvedValueOnce(undefined),
     addRootCluster: jest.fn().mockResolvedValueOnce(clusterMock),
     removeCluster: jest.fn().mockResolvedValueOnce(undefined),
@@ -177,16 +179,19 @@ test('login into cluster and sync resources', async () => {
   const client = getClientMocks();
   const service = createService(client, new NotificationsServiceMock());
   const loginParams = {
+    kind: 'local' as const,
     clusterUri,
-    local: { username: 'admin', password: 'admin', token: '1234' },
+    username: 'admin',
+    password: 'admin',
+    token: '1234',
   };
 
   // Add mocked gateway to service state.
   await service.syncGateways();
 
-  await service.login(loginParams, undefined);
+  await service.loginLocal(loginParams, undefined);
 
-  expect(client.login).toHaveBeenCalledWith(loginParams, undefined);
+  expect(client.loginLocal).toHaveBeenCalledWith(loginParams, undefined);
   expect(client.listGateways).toHaveBeenCalledWith();
   expect(client.listDatabases).toHaveBeenCalledWith(clusterUri);
   expect(client.listServers).toHaveBeenCalledWith(clusterUri);
diff --git a/web/packages/teleterm/src/ui/services/clusters/clustersService.ts b/web/packages/teleterm/src/ui/services/clusters/clustersService.ts
index 216f5dfb6225c..68d0770057eca 100644
--- a/web/packages/teleterm/src/ui/services/clusters/clustersService.ts
+++ b/web/packages/teleterm/src/ui/services/clusters/clustersService.ts
@@ -14,7 +14,9 @@ import {
   AuthSettings,
   ClustersServiceState,
   CreateGatewayParams,
-  LoginParams,
+  LoginLocalParams,
+  LoginSsoParams,
+  LoginPasswordlessParams,
   SyncStatus,
   tsh,
 } from './types';
@@ -62,16 +64,41 @@ export class ClustersService extends ImmutableStore<ClustersServiceState> {
     this.removeResources(clusterUri);
   }
 
-  async login(params: LoginParams, abortSignal: tsh.TshAbortSignal) {
-    await this.client.login(params, abortSignal);
+  async loginLocal(params: LoginLocalParams, abortSignal: tsh.TshAbortSignal) {
+    await this.client.loginLocal(params, abortSignal);
+    await this.syncRootClusterAndRestartClusterGatewaysAndCatchErrors(
+      params.clusterUri
+    );
+  }
+
+  async loginSso(params: LoginSsoParams, abortSignal: tsh.TshAbortSignal) {
+    await this.client.loginSso(params, abortSignal);
+    await this.syncRootClusterAndRestartClusterGatewaysAndCatchErrors(
+      params.clusterUri
+    );
+  }
+
+  async loginPasswordless(
+    params: LoginPasswordlessParams,
+    abortSignal: tsh.TshAbortSignal
+  ) {
+    await this.client.loginPasswordless(params, abortSignal);
+    await this.syncRootClusterAndRestartClusterGatewaysAndCatchErrors(
+      params.clusterUri
+    );
+  }
+
+  private async syncRootClusterAndRestartClusterGatewaysAndCatchErrors(
+    clusterUri: string
+  ) {
     await Promise.allSettled([
-      this.syncRootClusterAndCatchErrors(params.clusterUri),
+      this.syncRootClusterAndCatchErrors(clusterUri),
       // A temporary workaround until the gateways are able to refresh their own certs on incoming
       // connections.
       //
       // After logging in and obtaining fresh certs for the cluster, we need to make the gateways
       // obtain fresh certs as well. Currently, the only way to achieve that is to restart them.
-      this.restartClusterGatewaysAndCatchErrors(params.clusterUri).then(() =>
+      this.restartClusterGatewaysAndCatchErrors(clusterUri).then(() =>
         // Sync gateways to update their status, in case one of them failed to start back up.
         // In that case, that gateway won't be included in the gateway list in the tsh daemon.
         this.syncGateways()
diff --git a/web/packages/teleterm/src/ui/services/clusters/types.ts b/web/packages/teleterm/src/ui/services/clusters/types.ts
index c584128b06a41..6751bbd913b0f 100644
--- a/web/packages/teleterm/src/ui/services/clusters/types.ts
+++ b/web/packages/teleterm/src/ui/services/clusters/types.ts
@@ -30,9 +30,24 @@ export type Auth2faType = shared.Auth2faType;
 
 export type AuthProviderType = shared.AuthProviderType;
 
+export type PrimaryAuthType = shared.PrimaryAuthType;
+
+export type AuthType = shared.AuthType;
+
 export type AuthProvider = tsh.AuthProvider;
 
-export type LoginParams = tsh.LoginParams;
+export type LoginLocalParams = { kind: 'local' } & tsh.LoginLocalParams;
+
+export type LoginPasswordlessParams = {
+  kind: 'passwordless';
+} & tsh.LoginPasswordlessParams;
+
+export type LoginSsoParams = { kind: 'sso' } & tsh.LoginSsoParams;
+
+export type LoginParams =
+  | LoginLocalParams
+  | LoginPasswordlessParams
+  | LoginSsoParams;
 
 export type Application = tsh.Application;
 
@@ -48,9 +63,16 @@ export type Kube = tsh.Kube;
 
 export type Database = tsh.Database;
 
+export type LoginPasswordlessRequest = tsh.LoginPasswordlessRequest;
+
+export type WebauthnLoginPrompt = tsh.WebauthnLoginPrompt;
+
 export interface AuthSettings extends tsh.AuthSettings {
   secondFactor: Auth2faType;
   preferredMfa: PreferredMfaType;
+  authType: AuthType;
+  allowPasswordless: boolean;
+  localConnectorName: string;
 }
 
 export { tsh };
diff --git a/web/packages/teleterm/src/ui/services/workspacesService/documentsService/documentsUtils.ts b/web/packages/teleterm/src/ui/services/workspacesService/documentsService/documentsUtils.ts
index 4693b0fda97b5..93012de426ed9 100644
--- a/web/packages/teleterm/src/ui/services/workspacesService/documentsService/documentsUtils.ts
+++ b/web/packages/teleterm/src/ui/services/workspacesService/documentsService/documentsUtils.ts
@@ -1,4 +1,6 @@
 import { routing } from 'teleterm/ui/uri';
+import { assertUnreachable } from 'teleterm/ui/utils';
+
 import { Document } from './types';
 
 export function getResourceUri(document: Document): string {
@@ -22,7 +24,3 @@ export function getResourceUri(document: Document): string {
       assertUnreachable(document);
   }
 }
-
-function assertUnreachable(x: never): never {
-  throw new Error(`Unhandled case: ${x}`);
-}
diff --git a/web/packages/teleterm/src/ui/utils/assertUnreachable.ts b/web/packages/teleterm/src/ui/utils/assertUnreachable.ts
new file mode 100644
index 0000000000000..0b9aed7fc3b88
--- /dev/null
+++ b/web/packages/teleterm/src/ui/utils/assertUnreachable.ts
@@ -0,0 +1,19 @@
+/**
+ * Copyright 2022 Gravitational, Inc.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+export function assertUnreachable(x: never): never {
+  throw new Error(`Unhandled case: ${x}`);
+}
diff --git a/web/packages/teleterm/src/ui/utils/index.ts b/web/packages/teleterm/src/ui/utils/index.ts
index 54c2d03271aa5..b1bd20f808e26 100644
--- a/web/packages/teleterm/src/ui/utils/index.ts
+++ b/web/packages/teleterm/src/ui/utils/index.ts
@@ -1,3 +1,4 @@
 export * from './uid';
 export * from './retryWithRelogin';
 export * from './getUserWithClusterName';
+export * from './assertUnreachable';