diff --git a/.rubocop.yml b/.rubocop.yml
index 17a03dc423b..5c3589b13c5 100644
--- a/.rubocop.yml
+++ b/.rubocop.yml
@@ -932,6 +932,7 @@ Style/AndOr:
     - conditionals
 
 Style/ArgumentsForwarding:
+  UseAnonymousForwarding: false
   Enabled: true
 
 Style/ArrayJoin:
diff --git a/Gemfile b/Gemfile
index de1eac11a26..51638653227 100644
--- a/Gemfile
+++ b/Gemfile
@@ -110,7 +110,7 @@ group :development, :test do
   gem 'pry-rails'
   gem 'psych'
   gem 'rspec-rails', '~> 6.0'
-  gem 'rubocop', '~> 1.43.0', require: false
+  gem 'rubocop', '~> 1.55.1', require: false
   gem 'rubocop-performance', '~> 1.15.0', require: false
   gem 'rubocop-rails', '>= 2.5.2', require: false
 end
diff --git a/Gemfile.lock b/Gemfile.lock
index a35df8cc77e..efeae68cf6e 100644
--- a/Gemfile.lock
+++ b/Gemfile.lock
@@ -366,6 +366,7 @@ GEM
     jwt (2.7.1)
     knapsack (4.0.0)
       rake
+    language_server-protocol (3.17.0.3)
     launchy (2.5.0)
       addressable (~> 2.7)
     letter_opener (1.8.1)
@@ -439,13 +440,14 @@ GEM
     openssl-signature_algorithm (1.2.1)
       openssl (> 2.0, < 3.1)
     orm_adapter (0.5.0)
-    parallel (1.22.1)
-    parser (3.2.2.0)
+    parallel (1.23.0)
+    parser (3.2.2.3)
       ast (~> 2.4.1)
+      racc
     pg (1.4.5)
     pg_query (2.2.0)
       google-protobuf (>= 3.19.2)
-    phonelib (0.6.54)
+    phonelib (0.8.2)
     pkcs11 (0.3.4)
     premailer (1.21.0)
       addressable
@@ -589,18 +591,19 @@ GEM
     rspec-support (3.12.0)
     rspec_junit_formatter (0.6.0)
       rspec-core (>= 2, < 4, != 2.12.0)
-    rubocop (1.43.0)
+    rubocop (1.55.1)
       json (~> 2.3)
+      language_server-protocol (>= 3.17.0)
       parallel (~> 1.10)
-      parser (>= 3.2.0.0)
+      parser (>= 3.2.2.3)
       rainbow (>= 2.2.2, < 4.0)
       regexp_parser (>= 1.8, < 3.0)
       rexml (>= 3.2.5, < 4.0)
-      rubocop-ast (>= 1.24.1, < 2.0)
+      rubocop-ast (>= 1.28.1, < 2.0)
       ruby-progressbar (~> 1.7)
       unicode-display_width (>= 2.4.0, < 3.0)
-    rubocop-ast (1.24.1)
-      parser (>= 3.1.1.0)
+    rubocop-ast (1.29.0)
+      parser (>= 3.2.1.0)
     rubocop-performance (1.15.2)
       rubocop (>= 1.7.0, < 2.0)
       rubocop-ast (>= 0.4.0)
@@ -819,7 +822,7 @@ DEPENDENCIES
   rspec-rails (~> 6.0)
   rspec-retry
   rspec_junit_formatter
-  rubocop (~> 1.43.0)
+  rubocop (~> 1.55.1)
   rubocop-performance (~> 1.15.0)
   rubocop-rails (>= 2.5.2)
   ruby-progressbar
diff --git a/app/assets/images/loading-badge.gif b/app/assets/images/loading-badge.gif
new file mode 100644
index 00000000000..729b9ad7f1c
Binary files /dev/null and b/app/assets/images/loading-badge.gif differ
diff --git a/app/assets/images/spinner.gif b/app/assets/images/spinner.gif
deleted file mode 100644
index 8646d68e705..00000000000
Binary files a/app/assets/images/spinner.gif and /dev/null differ
diff --git a/app/assets/images/spinner@2x.gif b/app/assets/images/spinner@2x.gif
deleted file mode 100644
index 0cd600cca68..00000000000
Binary files a/app/assets/images/spinner@2x.gif and /dev/null differ
diff --git a/app/assets/stylesheets/utilities/_util.scss b/app/assets/stylesheets/utilities/_util.scss
index 804be19afaa..7b9cf34e837 100644
--- a/app/assets/stylesheets/utilities/_util.scss
+++ b/app/assets/stylesheets/utilities/_util.scss
@@ -13,15 +13,3 @@ html.js .no-js {
   backface-visibility: hidden;
   transform: scale(0.7);
 }
-
-@include at-media('tablet') {
-  .sm-left-align {
-    text-align: left;
-  }
-}
-
-.half-center {
-  margin: 0 auto;
-  text-align: center;
-  width: 300px;
-}
diff --git a/app/components/block_link_component.rb b/app/components/block_link_component.rb
index fad065041b1..9878ee58641 100644
--- a/app/components/block_link_component.rb
+++ b/app/components/block_link_component.rb
@@ -1,6 +1,8 @@
 class BlockLinkComponent < BaseComponent
   attr_reader :url, :action, :new_tab, :tag_options
 
+  alias_method :new_tab?, :new_tab
+
   def initialize(url:, action: tag.method(:a), new_tab: false, **tag_options)
     @action = action
     @url = url
@@ -10,12 +12,12 @@ def initialize(url:, action: tag.method(:a), new_tab: false, **tag_options)
 
   def css_class
     classes = ['usa-link', 'block-link', *tag_options[:class]]
-    classes << 'usa-link--external' if new_tab
+    classes << 'usa-link--external' if new_tab?
     classes
   end
 
   def target
-    '_blank' if new_tab
+    '_blank' if new_tab?
   end
 
   def wrapper(&block)
diff --git a/app/components/password_confirmation_component.html.erb b/app/components/password_confirmation_component.html.erb
index 683da5ccd90..49014e370ad 100644
--- a/app/components/password_confirmation_component.html.erb
+++ b/app/components/password_confirmation_component.html.erb
@@ -3,7 +3,7 @@
         form: form,
         name: :password,
         type: :password,
-        label: t('forms.password'),
+        label: password_label,
         required: true,
         **field_options,
         input_html: field_options[:input_html].to_h.merge(
@@ -16,7 +16,7 @@
         form: form,
         name: :password_confirmation,
         type: :password_confirmation,
-        label: t('components.password_confirmation.confirm_label'),
+        label: confirmation_label,
         required: true,
         **field_options,
         input_html: field_options[:input_html].to_h.merge(
diff --git a/app/components/password_confirmation_component.rb b/app/components/password_confirmation_component.rb
index 752d8ccf91a..508188f5649 100644
--- a/app/components/password_confirmation_component.rb
+++ b/app/components/password_confirmation_component.rb
@@ -3,14 +3,26 @@ class PasswordConfirmationComponent < BaseComponent
 
   def initialize(
     form:,
+    password_label: nil,
+    confirmation_label: nil,
     field_options: {},
     **tag_options
   )
     @form = form
+    @password_label = password_label
+    @confirmation_label = confirmation_label
     @field_options = field_options
     @tag_options = tag_options
   end
 
+  def password_label
+    @password_label || t('forms.password')
+  end
+
+  def confirmation_label
+    @confirmation_label || t('components.password_confirmation.confirm_label')
+  end
+
   def toggle_id
     "password-confirmation-toggle-#{unique_id}"
   end
diff --git a/app/components/troubleshooting_options_component.rb b/app/components/troubleshooting_options_component.rb
index efa7d693b1d..e15e6c25ea8 100644
--- a/app/components/troubleshooting_options_component.rb
+++ b/app/components/troubleshooting_options_component.rb
@@ -4,10 +4,19 @@ class TroubleshootingOptionsComponent < BaseComponent
 
   attr_reader :tag_options
 
-  def initialize(**tag_options)
+  def initialize(options: [], **tag_options)
+    @options_from_constructor = options
     @tag_options = tag_options.dup
   end
 
+  def options
+    @options_from_constructor.map(&method(:render)) + get_slot(:options)
+  end
+
+  def options?
+    options.present?
+  end
+
   def render?
     options?
   end
diff --git a/app/components/webauthn_verify_button_component.html.erb b/app/components/webauthn_verify_button_component.html.erb
index 3fd6f911410..2aaa4e3da84 100644
--- a/app/components/webauthn_verify_button_component.html.erb
+++ b/app/components/webauthn_verify_button_component.html.erb
@@ -9,8 +9,7 @@
     ) do %>
   <div class="webauthn-verify-button__spinner text-center" hidden>
     <%= image_tag(
-          asset_url('spinner.gif'),
-          srcset: asset_url('spinner@2x.gif'),
+          asset_url('loading-badge.gif'),
           height: 144,
           width: 144,
           alt: '',
diff --git a/app/controllers/concerns/idv_step_concern.rb b/app/controllers/concerns/idv_step_concern.rb
index 09154a7d5b5..1c94cd9e51f 100644
--- a/app/controllers/concerns/idv_step_concern.rb
+++ b/app/controllers/concerns/idv_step_concern.rb
@@ -41,6 +41,10 @@ def flow_path
   private
 
   def confirm_ssn_step_complete
+    if IdentityConfig.store.in_person_ssn_info_controller_enabled
+      # mark ssn step as complete for FSM
+      flow_session['Idv::Steps::InPerson::SsnStep'] = true if flow_session.dig(:pii_from_user, :ssn)
+    end
     return if pii.present? && pii[:ssn].present?
     redirect_to prev_url
   end
diff --git a/app/controllers/concerns/rate_limit_concern.rb b/app/controllers/concerns/rate_limit_concern.rb
index a95f6d98be4..2d5bb2bc916 100644
--- a/app/controllers/concerns/rate_limit_concern.rb
+++ b/app/controllers/concerns/rate_limit_concern.rb
@@ -40,7 +40,7 @@ def rate_limited_redirect(rate_limit_type)
     when :idv_resolution
       redirect_to idv_session_errors_failure_url
     when :idv_doc_auth
-      redirect_to idv_session_errors_throttled_url
+      redirect_to idv_session_errors_rate_limited_url
     when :proof_address
       redirect_to idv_phone_errors_failure_url
     when :proof_ssn
diff --git a/app/controllers/idv/agreement_controller.rb b/app/controllers/idv/agreement_controller.rb
index 1fa50364e50..6c987be057f 100644
--- a/app/controllers/idv/agreement_controller.rb
+++ b/app/controllers/idv/agreement_controller.rb
@@ -18,7 +18,7 @@ def show
     end
 
     def update
-      skip_to_capture if params[:skip_hybrid_handoff] || params[:skip_upload]
+      skip_to_capture if params[:skip_hybrid_handoff]
 
       result = Idv::ConsentForm.new.submit(consent_form_params)
 
diff --git a/app/controllers/idv/capture_doc_status_controller.rb b/app/controllers/idv/capture_doc_status_controller.rb
index 9e461329405..c24d6829aa2 100644
--- a/app/controllers/idv/capture_doc_status_controller.rb
+++ b/app/controllers/idv/capture_doc_status_controller.rb
@@ -34,7 +34,7 @@ def redirect_url
       return unless flow_session && document_capture_session
 
       if rate_limiter.limited?
-        idv_session_errors_throttled_url
+        idv_session_errors_rate_limited_url
       elsif user_has_establishing_in_person_enrollment?
         idv_in_person_url
       end
@@ -85,7 +85,7 @@ def had_barcode_attention_result?
         idv_session.had_barcode_attention_error = session_result.attention_with_barcode?
       end
 
-      flow_session[:had_barcode_attention_error]
+      idv_session.had_barcode_attention_error
     end
 
     def idv_session
diff --git a/app/controllers/idv/getting_started_controller.rb b/app/controllers/idv/getting_started_controller.rb
index 06fca795d29..22250a6473d 100644
--- a/app/controllers/idv/getting_started_controller.rb
+++ b/app/controllers/idv/getting_started_controller.rb
@@ -20,7 +20,7 @@ def show
     end
 
     def update
-      skip_to_capture if params[:skip_hybrid_handoff] || params[:skip_upload]
+      skip_to_capture if params[:skip_hybrid_handoff]
 
       result = Idv::ConsentForm.new.submit(consent_form_params)
 
diff --git a/app/controllers/idv/phone_errors_controller.rb b/app/controllers/idv/phone_errors_controller.rb
index 13e2d7d3322..5f4a60aa0ec 100644
--- a/app/controllers/idv/phone_errors_controller.rb
+++ b/app/controllers/idv/phone_errors_controller.rb
@@ -5,6 +5,7 @@ class PhoneErrorsController < ApplicationController
 
     before_action :confirm_two_factor_authenticated
     before_action :confirm_idv_phone_step_needed
+    before_action :confirm_idv_phone_step_submitted
     before_action :set_gpo_letter_available
     before_action :ignore_form_step_wait_requests
 
@@ -45,6 +46,10 @@ def confirm_idv_phone_step_needed
       redirect_to idv_review_url if idv_session.user_phone_confirmation == true
     end
 
+    def confirm_idv_phone_step_submitted
+      redirect_to idv_phone_url if idv_session.previous_phone_step_params.nil?
+    end
+
     def ignore_form_step_wait_requests
       head(:no_content) if request.headers['HTTP_X_FORM_STEPS_WAIT']
     end
diff --git a/app/controllers/idv/verify_info_controller.rb b/app/controllers/idv/verify_info_controller.rb
index 9918d141c09..cb39e4948a1 100644
--- a/app/controllers/idv/verify_info_controller.rb
+++ b/app/controllers/idv/verify_info_controller.rb
@@ -16,7 +16,7 @@ def show
       Funnel::DocAuth::RegisterStep.new(current_user.id, sp_session[:issuer]).
         call('verify', :view, true)
 
-      @had_barcode_read_failure = flow_session[:had_barcode_read_failure]
+      @had_barcode_read_failure = idv_session.had_barcode_read_failure
       process_async_state(load_async_state)
     end
 
diff --git a/app/controllers/sign_up/passwords_controller.rb b/app/controllers/sign_up/passwords_controller.rb
index 2d980dc263f..268de4b34da 100644
--- a/app/controllers/sign_up/passwords_controller.rb
+++ b/app/controllers/sign_up/passwords_controller.rb
@@ -67,7 +67,7 @@ def process_successful_password_creation
     end
 
     def password_form
-      @password_form ||= PasswordForm.new(@user, validate_confirmation: true)
+      @password_form ||= PasswordForm.new(@user)
     end
 
     def process_unsuccessful_password_creation
diff --git a/app/controllers/two_factor_authentication/piv_cac_verification_controller.rb b/app/controllers/two_factor_authentication/piv_cac_verification_controller.rb
index 4080fdb2e11..c17654e382f 100644
--- a/app/controllers/two_factor_authentication/piv_cac_verification_controller.rb
+++ b/app/controllers/two_factor_authentication/piv_cac_verification_controller.rb
@@ -71,10 +71,7 @@ def render_show_after_invalid
     end
 
     def piv_cac_view_data
-      {
-        two_factor_authentication_method: 'piv_cac',
-        hide_fallback_question: service_provider_mfa_policy.piv_cac_required?,
-      }.merge(generic_data)
+      { two_factor_authentication_method: 'piv_cac' }.merge(generic_data)
     end
 
     def piv_cac_verification_form
diff --git a/app/controllers/users/passwords_controller.rb b/app/controllers/users/passwords_controller.rb
index f86299f3e41..db135964483 100644
--- a/app/controllers/users/passwords_controller.rb
+++ b/app/controllers/users/passwords_controller.rb
@@ -41,7 +41,7 @@ def capture_password_if_pii_requested_but_locked
     end
 
     def user_params
-      params.require(:update_user_password_form).permit(:password)
+      params.require(:update_user_password_form).permit(:password, :password_confirmation)
     end
 
     def handle_valid_password
diff --git a/app/controllers/users/reset_passwords_controller.rb b/app/controllers/users/reset_passwords_controller.rb
index e90faf912ff..1738b3e00d2 100644
--- a/app/controllers/users/reset_passwords_controller.rb
+++ b/app/controllers/users/reset_passwords_controller.rb
@@ -180,7 +180,7 @@ def create_reset_event_and_send_notification
 
     def user_params
       params.require(:reset_password_form).
-        permit(:password, :reset_password_token)
+        permit(:password, :password_confirmation, :reset_password_token)
     end
 
     def assert_reset_token_passed
diff --git a/app/forms/openid_connect_authorize_form.rb b/app/forms/openid_connect_authorize_form.rb
index 989cef6d5dc..a3e65e9ab3d 100644
--- a/app/forms/openid_connect_authorize_form.rb
+++ b/app/forms/openid_connect_authorize_form.rb
@@ -234,6 +234,7 @@ def extra_analytics_attributes
       unauthorized_scope: @unauthorized_scope,
       code_digest: code ? Digest::SHA256.hexdigest(code) : nil,
       code_challenge_present: code_challenge.present?,
+      service_provider_pkce: service_provider&.pkce,
     }
   end
 
diff --git a/app/forms/openid_connect_token_form.rb b/app/forms/openid_connect_token_form.rb
index f8dca5f8490..97fd3424092 100644
--- a/app/forms/openid_connect_token_form.rb
+++ b/app/forms/openid_connect_token_form.rb
@@ -199,6 +199,7 @@ def extra_analytics_attributes
       user_id: identity&.user&.uuid,
       code_digest: code ? Digest::SHA256.hexdigest(code) : nil,
       code_verifier_present: code_verifier.present?,
+      service_provider_pkce: service_provider&.pkce,
     }
   end
 
diff --git a/app/forms/password_form.rb b/app/forms/password_form.rb
index d0820c8d52d..413bb3e0aad 100644
--- a/app/forms/password_form.rb
+++ b/app/forms/password_form.rb
@@ -2,9 +2,9 @@ class PasswordForm
   include ActiveModel::Model
   include FormPasswordValidator
 
-  def initialize(user, options = {})
+  def initialize(user)
     @user = user
-    @validate_confirmation = options.fetch(:validate_confirmation, false)
+    @validate_confirmation = true
   end
 
   def submit(params)
diff --git a/app/forms/reset_password_form.rb b/app/forms/reset_password_form.rb
index f9ed09dc00e..96c8f7fb051 100644
--- a/app/forms/reset_password_form.rb
+++ b/app/forms/reset_password_form.rb
@@ -8,14 +8,15 @@ class ResetPasswordForm
 
   def initialize(user)
     @user = user
+    @reset_password_token = @user.reset_password_token
+    @validate_confirmation = true
     @active_profile = user.active_profile
     @pending_profile = user.pending_profile
-
-    self.reset_password_token = @user.reset_password_token
   end
 
   def submit(params)
-    self.password = params[:password]
+    @password = params[:password]
+    @password_confirmation = params[:password_confirmation]
 
     @success = valid?
 
diff --git a/app/forms/two_factor_options_form.rb b/app/forms/two_factor_options_form.rb
index 57166649c50..491c2344ade 100644
--- a/app/forms/two_factor_options_form.rb
+++ b/app/forms/two_factor_options_form.rb
@@ -60,7 +60,13 @@ def has_no_configured_mfa?
     mfa_user.enabled_mfa_methods_count == 0
   end
 
+  def platform_auth_only_option?
+    mfa_user.enabled_mfa_methods_count == 1 &&
+      mfa_user.webauthn_platform_configurations.count == 1
+  end
+
   def has_no_mfa_or_in_required_flow?
-    has_no_configured_mfa? || in_phishing_resistant_or_piv_cac_required_flow?
+    has_no_configured_mfa? || in_phishing_resistant_or_piv_cac_required_flow? ||
+      platform_auth_only_option?
   end
 end
diff --git a/app/forms/update_user_password_form.rb b/app/forms/update_user_password_form.rb
index d2e9ec11cbc..8c2032577fa 100644
--- a/app/forms/update_user_password_form.rb
+++ b/app/forms/update_user_password_form.rb
@@ -7,10 +7,12 @@ class UpdateUserPasswordForm
   def initialize(user, user_session = nil)
     @user = user
     @user_session = user_session
+    @validate_confirmation = true
   end
 
   def submit(params)
-    self.password = params[:password]
+    @password = params[:password]
+    @password_confirmation = params[:password_confirmation]
     success = valid?
     process_valid_submission if success
     FormResponse.new(success: success, errors: errors)
diff --git a/app/javascript/packages/document-capture/components/acuant-capture-canvas.jsx b/app/javascript/packages/document-capture/components/acuant-capture-canvas.jsx
index 9e9dc448bcb..88361795a83 100644
--- a/app/javascript/packages/document-capture/components/acuant-capture-canvas.jsx
+++ b/app/javascript/packages/document-capture/components/acuant-capture-canvas.jsx
@@ -59,11 +59,7 @@ function AcuantCaptureCanvas() {
     <>
       {!isReady && (
         <img
-          src={getAssetPath('spinner.gif')}
-          srcSet={`
-            ${getAssetPath('spinner.gif')},
-            ${getAssetPath('spinner@2x.gif')} 2x
-          `}
+          src={getAssetPath('loading-badge.gif')}
           alt=""
           width="144"
           height="144"
diff --git a/app/javascript/packages/phone-input/package.json b/app/javascript/packages/phone-input/package.json
index 538375d3bd3..c8f0d8a0018 100644
--- a/app/javascript/packages/phone-input/package.json
+++ b/app/javascript/packages/phone-input/package.json
@@ -4,6 +4,6 @@
   "version": "1.0.0",
   "dependencies": {
     "intl-tel-input": "^17.0.19",
-    "libphonenumber-js": "^1.10.11"
+    "libphonenumber-js": "^1.10.39"
   }
 }
diff --git a/app/javascript/packs/document-capture-welcome.ts b/app/javascript/packs/document-capture-welcome.ts
index 1d07dc59ed2..57d5d85e1f9 100644
--- a/app/javascript/packs/document-capture-welcome.ts
+++ b/app/javascript/packs/document-capture-welcome.ts
@@ -9,10 +9,4 @@ if (isCameraCapableMobile()) {
   input.type = 'hidden';
   input.name = 'skip_hybrid_handoff';
   form.appendChild(input);
-
-  // TEMP: Send skip_upload as well to account for 50/50 state during deploy
-  const compatibilityInput = document.createElement('input');
-  compatibilityInput.type = 'hidden';
-  compatibilityInput.name = 'skip_upload';
-  form.appendChild(compatibilityInput);
 }
diff --git a/app/javascript/packs/webauthn-setup.ts b/app/javascript/packs/webauthn-setup.ts
index 582d3d28e46..4ca696f7da9 100644
--- a/app/javascript/packs/webauthn-setup.ts
+++ b/app/javascript/packs/webauthn-setup.ts
@@ -36,8 +36,7 @@ function webauthn() {
   const form = document.getElementById('webauthn_form') as HTMLFormElement;
   form.addEventListener('submit', (event) => {
     event.preventDefault();
-    document.getElementById('spinner')!.classList.remove('display-none');
-    document.getElementById('continue-button')!.className = 'display-none';
+    document.getElementById('spinner')!.hidden = false;
 
     const platformAuthenticator =
       (document.getElementById('platform_authenticator') as HTMLInputElement).value === 'true';
diff --git a/app/models/profile.rb b/app/models/profile.rb
index 46a3e655bc1..ee755bfdfd2 100644
--- a/app/models/profile.rb
+++ b/app/models/profile.rb
@@ -17,6 +17,11 @@ class Profile < ApplicationRecord
   scope(:active, -> { where(active: true) })
   scope(:verified, -> { where.not(verified_at: nil) })
 
+  has_one :establishing_in_person_enrollment,
+          -> { where(status: :establishing).order(created_at: :desc) },
+          class_name: 'InPersonEnrollment', foreign_key: :profile_id, inverse_of: :profile,
+          dependent: :destroy
+
   enum deactivation_reason: {
     password_reset: 1,
     encryption_error: 2,
diff --git a/app/policies/service_provider_mfa_policy.rb b/app/policies/service_provider_mfa_policy.rb
index 156bc9882a5..fdf62e5a694 100644
--- a/app/policies/service_provider_mfa_policy.rb
+++ b/app/policies/service_provider_mfa_policy.rb
@@ -50,12 +50,6 @@ def piv_cac_required?
     piv_cac_requested?
   end
 
-  def allow_user_to_switch_method?
-    return false if piv_cac_required?
-    return true unless phishing_resistant_required?
-    piv_cac_enabled? && webauthn_enabled?
-  end
-
   def multiple_factors_enabled?
     mfa_context.enabled_mfa_methods_count > 1
   end
diff --git a/app/presenters/image_upload_response_presenter.rb b/app/presenters/image_upload_response_presenter.rb
index 27aab0ca155..bec72692816 100644
--- a/app/presenters/image_upload_response_presenter.rb
+++ b/app/presenters/image_upload_response_presenter.rb
@@ -37,7 +37,7 @@ def as_json(*)
       json = { success: false, errors: errors, remaining_attempts: remaining_attempts }
       if remaining_attempts&.zero?
         if @form_response.extra[:flow_path] == 'standard'
-          json[:redirect] = idv_session_errors_throttled_url
+          json[:redirect] = idv_session_errors_rate_limited_url
         else # hybrid flow on mobile
           json[:redirect] = idv_hybrid_mobile_capture_complete_url
         end
diff --git a/app/presenters/two_factor_auth_code/authenticator_delivery_presenter.rb b/app/presenters/two_factor_auth_code/authenticator_delivery_presenter.rb
index c85fc9e4071..5ff7bc822d3 100644
--- a/app/presenters/two_factor_auth_code/authenticator_delivery_presenter.rb
+++ b/app/presenters/two_factor_auth_code/authenticator_delivery_presenter.rb
@@ -4,10 +4,6 @@ def header
       t('two_factor_authentication.totp_header_text')
     end
 
-    def fallback_question
-      t('two_factor_authentication.totp_fallback.question')
-    end
-
     def cancel_link
       if reauthn
         account_path
@@ -15,5 +11,9 @@ def cancel_link
         sign_out_path
       end
     end
+
+    def redirect_location_step
+      :totp_verification
+    end
   end
 end
diff --git a/app/presenters/two_factor_auth_code/backup_code_presenter.rb b/app/presenters/two_factor_auth_code/backup_code_presenter.rb
index 9ff4e35abb7..4dd6a264147 100644
--- a/app/presenters/two_factor_auth_code/backup_code_presenter.rb
+++ b/app/presenters/two_factor_auth_code/backup_code_presenter.rb
@@ -10,8 +10,8 @@ def cancel_link
       end
     end
 
-    def fallback_question
-      t('two_factor_authentication.backup_code_fallback.question')
+    def redirect_location_step
+      :backup_code_verification
     end
   end
 end
diff --git a/app/presenters/two_factor_auth_code/generic_delivery_presenter.rb b/app/presenters/two_factor_auth_code/generic_delivery_presenter.rb
index 28d6d6fc4a6..5bb04e1b33c 100644
--- a/app/presenters/two_factor_auth_code/generic_delivery_presenter.rb
+++ b/app/presenters/two_factor_auth_code/generic_delivery_presenter.rb
@@ -4,7 +4,7 @@ class GenericDeliveryPresenter
     include ActionView::Helpers::TranslationHelper
     include Rails.application.routes.url_helpers
 
-    attr_reader :code_value, :reauthn
+    attr_reader :code_value, :reauthn, :service_provider
 
     def initialize(data:, view:, service_provider:, remember_device_default: true)
       data.each do |key, value|
@@ -19,16 +19,30 @@ def header
       raise NotImplementedError
     end
 
-    def link_text
-      t('two_factor_authentication.login_options_link_text')
+    def redirect_location_step; end
+
+    def troubleshooting_options
+      [
+        choose_another_method_troubleshooting_option,
+        learn_more_about_authentication_options_troubleshooting_option,
+      ]
     end
 
-    def link_path
-      login_two_factor_options_path
+    def choose_another_method_troubleshooting_option
+      BlockLinkComponent.new(url: login_two_factor_options_path).
+        with_content(t('two_factor_authentication.login_options_link_text'))
     end
 
-    def fallback_links
-      raise NotImplementedError
+    def learn_more_about_authentication_options_troubleshooting_option
+      BlockLinkComponent.new(
+        url: help_center_redirect_path(
+          category: 'get-started',
+          article: 'authentication-options',
+          flow: :two_factor_authentication,
+          step: redirect_location_step,
+        ),
+        new_tab: true,
+      ).with_content(t('two_factor_authentication.learn_more'))
     end
 
     def remember_device_box_checked?
diff --git a/app/presenters/two_factor_auth_code/personal_key_presenter.rb b/app/presenters/two_factor_auth_code/personal_key_presenter.rb
index 5a1aeee1e06..b9820962987 100644
--- a/app/presenters/two_factor_auth_code/personal_key_presenter.rb
+++ b/app/presenters/two_factor_auth_code/personal_key_presenter.rb
@@ -2,8 +2,8 @@ module TwoFactorAuthCode
   class PersonalKeyPresenter < TwoFactorAuthCode::GenericDeliveryPresenter
     def initialize; end
 
-    def fallback_question
-      t('two_factor_authentication.personal_key_fallback.question')
+    def redirect_location_step
+      :personal_key_verification
     end
   end
 end
diff --git a/app/presenters/two_factor_auth_code/phone_delivery_presenter.rb b/app/presenters/two_factor_auth_code/phone_delivery_presenter.rb
index 21e4663fd80..1fc5f0ba08d 100644
--- a/app/presenters/two_factor_auth_code/phone_delivery_presenter.rb
+++ b/app/presenters/two_factor_auth_code/phone_delivery_presenter.rb
@@ -37,18 +37,10 @@ def phone_call_text
       t('two_factor_authentication.otp_delivery_preference.phone_call')
     end
 
-    def fallback_question
-      t('two_factor_authentication.phone_fallback.question')
-    end
-
-    def troubleshooting_header
-      t('components.troubleshooting_options.default_heading')
-    end
-
     def troubleshooting_options
       [
         troubleshoot_change_phone_or_method_option,
-        {
+        BlockLinkComponent.new(
           url: help_center_redirect_path(
             category: 'get-started',
             article: 'authentication-options',
@@ -56,19 +48,11 @@ def troubleshooting_options
             flow: :two_factor_authentication,
             step: :otp_confirmation,
           ),
-          text: t('two_factor_authentication.phone_verification.troubleshooting.code_not_received'),
-          new_tab: true,
-        },
-        {
-          url: help_center_redirect_path(
-            category: 'get-started',
-            article: 'authentication-options',
-            flow: :two_factor_authentication,
-            step: :otp_confirmation,
-          ),
-          text: t('two_factor_authentication.learn_more'),
           new_tab: true,
-        },
+        ).with_content(
+          t('two_factor_authentication.phone_verification.troubleshooting.code_not_received'),
+        ),
+        learn_more_about_authentication_options_troubleshooting_option,
       ]
     end
 
@@ -81,19 +65,21 @@ def cancel_link
       end
     end
 
+    def redirect_location_step
+      :otp_confirmation
+    end
+
     private
 
     def troubleshoot_change_phone_or_method_option
       if unconfirmed_phone
-        {
-          url: add_phone_path,
-          text: t('two_factor_authentication.phone_verification.troubleshooting.change_number'),
-        }
+        BlockLinkComponent.new(url: add_phone_path).with_content(
+          t('two_factor_authentication.phone_verification.troubleshooting.change_number'),
+        )
       else
-        {
-          url: login_two_factor_options_path,
-          text: t('two_factor_authentication.login_options_link_text'),
-        }
+        BlockLinkComponent.new(url: login_two_factor_options_path).with_content(
+          t('two_factor_authentication.login_options_link_text'),
+        )
       end
     end
 
diff --git a/app/presenters/two_factor_auth_code/piv_cac_authentication_presenter.rb b/app/presenters/two_factor_auth_code/piv_cac_authentication_presenter.rb
index ab67d0327f3..4e77b7851ad 100644
--- a/app/presenters/two_factor_auth_code/piv_cac_authentication_presenter.rb
+++ b/app/presenters/two_factor_auth_code/piv_cac_authentication_presenter.rb
@@ -6,46 +6,10 @@ def header
       t('two_factor_authentication.piv_cac_header_text')
     end
 
-    def piv_cac_help
-      if service_provider_mfa_policy.phishing_resistant_required? &&
-         service_provider_mfa_policy.allow_user_to_switch_method?
-        t('instructions.mfa.piv_cac.confirm_piv_cac_or_aal3')
-      elsif service_provider_mfa_policy.phishing_resistant_required? ||
-            service_provider_mfa_policy.piv_cac_required?
-        t('instructions.mfa.piv_cac.confirm_piv_cac_only')
-      else
-        t('instructions.mfa.piv_cac.confirm_piv_cac')
-      end
-    end
-
     def piv_cac_capture_text
       t('forms.piv_cac_mfa.submit')
     end
 
-    def link_text
-      if service_provider_mfa_policy.phishing_resistant_required?
-        if service_provider_mfa_policy.allow_user_to_switch_method?
-          t('two_factor_authentication.piv_cac_webauthn_available')
-        else
-          ''
-        end
-      else
-        super
-      end
-    end
-
-    def link_path
-      if service_provider_mfa_policy.phishing_resistant_required?
-        if service_provider_mfa_policy.allow_user_to_switch_method?
-          login_two_factor_webauthn_url
-        else
-          ''
-        end
-      else
-        super
-      end
-    end
-
     def cancel_link
       if reauthn
         account_path
@@ -54,17 +18,12 @@ def cancel_link
       end
     end
 
-    def piv_cac_service_link
-      login_two_factor_piv_cac_present_piv_cac_url
+    def redirect_location_step
+      :piv_cac_verification
     end
 
-    def fallback_question
-      return if @hide_fallback_question
-      if service_provider_mfa_policy.allow_user_to_switch_method?
-        t('two_factor_authentication.piv_cac_fallback.question')
-      else
-        ''
-      end
+    def piv_cac_service_link
+      login_two_factor_piv_cac_present_piv_cac_url
     end
   end
 end
diff --git a/app/presenters/two_factor_auth_code/webauthn_authentication_presenter.rb b/app/presenters/two_factor_auth_code/webauthn_authentication_presenter.rb
index 7b143474850..392f2a06d91 100644
--- a/app/presenters/two_factor_auth_code/webauthn_authentication_presenter.rb
+++ b/app/presenters/two_factor_auth_code/webauthn_authentication_presenter.rb
@@ -17,12 +17,7 @@ def initialize(data:, view:, service_provider:, remember_device_default: true,
     end
 
     def webauthn_help
-      if service_provider_mfa_policy.phishing_resistant_required? &&
-         service_provider_mfa_policy.allow_user_to_switch_method?
-        t('instructions.mfa.webauthn.confirm_webauthn_or_aal3')
-      elsif service_provider_mfa_policy.phishing_resistant_required?
-        t('instructions.mfa.webauthn.confirm_webauthn_only')
-      elsif platform_authenticator?
+      if platform_authenticator?
         t('instructions.mfa.webauthn.confirm_webauthn_platform', app_name: APP_NAME)
       else
         t('instructions.mfa.webauthn.confirm_webauthn')
@@ -45,28 +40,21 @@ def header
       end
     end
 
-    def link_text
-      if service_provider_mfa_policy.phishing_resistant_required?
-        if service_provider_mfa_policy.allow_user_to_switch_method?
-          t('two_factor_authentication.webauthn_piv_available')
-        else
-          ''
-        end
-      else
-        super
-      end
-    end
-
-    def link_path
-      if service_provider_mfa_policy.phishing_resistant_required?
-        if service_provider_mfa_policy.allow_user_to_switch_method?
-          login_two_factor_piv_cac_url
-        else
-          ''
-        end
-      else
-        super
+    def troubleshooting_options
+      options = [choose_another_method_troubleshooting_option]
+      if platform_authenticator?
+        options << BlockLinkComponent.new(
+          url: help_center_redirect_path(
+            category: 'trouble-signing-in',
+            article: 'face-or-touch-unlock',
+            flow: :two_factor_authentication,
+            step: redirect_location_step,
+          ),
+          new_tab: true,
+        ).with_content(t('instructions.mfa.webauthn_platform.learn_more_help'))
       end
+      options << learn_more_about_authentication_options_troubleshooting_option
+      options
     end
 
     def cancel_link
@@ -77,6 +65,10 @@ def cancel_link
       end
     end
 
+    def redirect_location_step
+      :webauthn_verification
+    end
+
     def multiple_factors_enabled?
       service_provider_mfa_policy.multiple_factors_enabled?
     end
diff --git a/app/presenters/two_factor_login_options_presenter.rb b/app/presenters/two_factor_login_options_presenter.rb
index fca7e808f19..355e06fc5ad 100644
--- a/app/presenters/two_factor_login_options_presenter.rb
+++ b/app/presenters/two_factor_login_options_presenter.rb
@@ -1,7 +1,10 @@
 class TwoFactorLoginOptionsPresenter < TwoFactorAuthCode::GenericDeliveryPresenter
   include ActionView::Helpers::TranslationHelper
 
-  attr_reader :user
+  attr_reader :user, :phishing_resistant_required, :piv_cac_required
+
+  alias_method :phishing_resistant_required?, :phishing_resistant_required
+  alias_method :piv_cac_required?, :piv_cac_required
 
   def initialize(
     user:,
@@ -31,6 +34,14 @@ def info
     t('two_factor_authentication.login_intro')
   end
 
+  def restricted_options_warning_text
+    if piv_cac_required?
+      t('two_factor_authentication.aal2_request.piv_cac_only_html', sp_name:)
+    elsif phishing_resistant_required?
+      t('two_factor_authentication.aal2_request.phishing_resistant_html', sp_name:)
+    end
+  end
+
   def options
     mfa = MfaContext.new(user)
 
@@ -107,4 +118,12 @@ def account_reset_token
   def account_reset_token_valid?
     user&.account_reset_request&.granted_token_valid?
   end
+
+  def sp_name
+    if service_provider
+      service_provider.friendly_name
+    else
+      APP_NAME
+    end
+  end
 end
diff --git a/app/presenters/webauthn_setup_presenter.rb b/app/presenters/webauthn_setup_presenter.rb
index 8541894641a..d931f55cab9 100644
--- a/app/presenters/webauthn_setup_presenter.rb
+++ b/app/presenters/webauthn_setup_presenter.rb
@@ -86,20 +86,4 @@ def button_text
       t('forms.webauthn_setup.continue')
     end
   end
-
-  def setup_heading
-    if @platform_authenticator
-      t('forms.webauthn_platform_setup.instructions_title')
-    else
-      t('forms.webauthn_setup.instructions_title')
-    end
-  end
-
-  def setup_instructions
-    if @platform_authenticator
-      t('forms.webauthn_platform_setup.instructions_text', app_name: APP_NAME)
-    else
-      t('forms.webauthn_setup.instructions_text', app_name: APP_NAME)
-    end
-  end
 end
diff --git a/app/services/doc_auth/errors.rb b/app/services/doc_auth/errors.rb
index e223bdef05a..d93a101ac5c 100644
--- a/app/services/doc_auth/errors.rb
+++ b/app/services/doc_auth/errors.rb
@@ -83,25 +83,18 @@ module Errors
       BARCODE_CONTENT_CHECK => { long_msg: BARCODE_CONTENT_CHECK, field_msg: FALLBACK_FIELD_LEVEL, hints: true },
       BARCODE_READ_CHECK => { long_msg: BARCODE_READ_CHECK, field_msg: FALLBACK_FIELD_LEVEL, hints: true },
       BIRTH_DATE_CHECKS => { long_msg: BIRTH_DATE_CHECKS, field_msg: FALLBACK_FIELD_LEVEL, hints: true },
-      BIRTH_DATE_CHECKS => { long_msg: BIRTH_DATE_CHECKS, field_msg: FALLBACK_FIELD_LEVEL, hints: true },
       CONTROL_NUMBER_CHECK => { long_msg: CONTROL_NUMBER_CHECK, field_msg: FALLBACK_FIELD_LEVEL, hints: true },
       ID_NOT_RECOGNIZED => { long_msg: ID_NOT_RECOGNIZED, field_msg: FALLBACK_FIELD_LEVEL, hints: true },
       DOC_CROSSCHECK => { long_msg: DOC_CROSSCHECK, field_msg: FALLBACK_FIELD_LEVEL, hints: true },
       DOCUMENT_EXPIRED_CHECK => { long_msg: DOCUMENT_EXPIRED_CHECK, field_msg: FALLBACK_FIELD_LEVEL, hints: true },
       DOC_NUMBER_CHECKS => { long_msg: DOC_NUMBER_CHECKS, field_msg: FALLBACK_FIELD_LEVEL, hints: true },
       EXPIRATION_CHECKS => { long_msg: EXPIRATION_CHECKS, field_msg: FALLBACK_FIELD_LEVEL, hints: true },
-      EXPIRATION_CHECKS => { long_msg: EXPIRATION_CHECKS, field_msg: FALLBACK_FIELD_LEVEL, hints: true },
       FULL_NAME_CHECK => { long_msg: FULL_NAME_CHECK, field_msg: FALLBACK_FIELD_LEVEL, hints: true },
       ISSUE_DATE_CHECKS => { long_msg: ISSUE_DATE_CHECKS, field_msg: FALLBACK_FIELD_LEVEL, hints: true },
-      ISSUE_DATE_CHECKS => { long_msg: ISSUE_DATE_CHECKS, field_msg: FALLBACK_FIELD_LEVEL, hints: true },
-      ID_NOT_VERIFIED => { long_msg: ID_NOT_VERIFIED, field_msg: FALLBACK_FIELD_LEVEL, hints: true },
       ID_NOT_VERIFIED => { long_msg: ID_NOT_VERIFIED, field_msg: FALLBACK_FIELD_LEVEL, hints: true },
       VISIBLE_PHOTO_CHECK => { long_msg: VISIBLE_PHOTO_CHECK, field_msg: FALLBACK_FIELD_LEVEL, hints: true },
-      ID_NOT_VERIFIED => { long_msg: ID_NOT_VERIFIED, field_msg: FALLBACK_FIELD_LEVEL, hints: true },
       SEX_CHECK => { long_msg: SEX_CHECK, field_msg: FALLBACK_FIELD_LEVEL, hints: true },
       VISIBLE_COLOR_CHECK => { long_msg: VISIBLE_COLOR_CHECK, field_msg: FALLBACK_FIELD_LEVEL, hints: true },
-      ID_NOT_VERIFIED => { long_msg: ID_NOT_VERIFIED, field_msg: FALLBACK_FIELD_LEVEL, hints: true },
-      VISIBLE_PHOTO_CHECK => { long_msg: VISIBLE_PHOTO_CHECK, field_msg: FALLBACK_FIELD_LEVEL, hints: true },
       # Multiple Errors
       MULTIPLE_FRONT_ID_FAILURES => { long_msg: MULTIPLE_FRONT_ID_FAILURES, field_msg: FALLBACK_FIELD_LEVEL, hints: true },
       MULTIPLE_BACK_ID_FAILURES => { long_msg: MULTIPLE_BACK_ID_FAILURES, field_msg: FALLBACK_FIELD_LEVEL, hints: true },
diff --git a/app/services/idv/steps/doc_auth_base_step.rb b/app/services/idv/steps/doc_auth_base_step.rb
index a55a79bcdea..593bb51d77a 100644
--- a/app/services/idv/steps/doc_auth_base_step.rb
+++ b/app/services/idv/steps/doc_auth_base_step.rb
@@ -26,25 +26,6 @@ def save_proofing_components
         ProofingComponent.create_or_find_by(user: current_user).update(component_attributes)
       end
 
-      # @param [DocAuth::Response,
-      #   DocumentCaptureSessionAsyncResult,
-      #   DocumentCaptureSessionResult] response
-      def extract_pii_from_doc(response, store_in_session: false)
-        pii_from_doc = response.pii_from_doc.merge(
-          uuid: effective_user.uuid,
-          phone: effective_user.phone_configurations.take&.phone,
-          uuid_prefix: ServiceProvider.find_by(issuer: sp_session[:issuer])&.app_id,
-        )
-
-        flow_session[:had_barcode_read_failure] = response.attention_with_barcode?
-        if store_in_session
-          flow_session[:pii_from_doc] ||= {}
-          flow_session[:pii_from_doc].merge!(pii_from_doc)
-          idv_session.delete('applicant')
-        end
-        track_document_state(pii_from_doc[:state])
-      end
-
       def user_id_from_token
         flow_session[:doc_capture_user_id]
       end
@@ -66,7 +47,7 @@ def rate_limited_response
       end
 
       def rate_limited_url
-        idv_session_errors_throttled_url
+        idv_session_errors_rate_limited_url
       end
 
       # Ideally we would not have to re-implement the EffectiveUser mixin
diff --git a/app/views/accounts/_header.html.erb b/app/views/accounts/_header.html.erb
index cae5b301c54..46f293e67e4 100644
--- a/app/views/accounts/_header.html.erb
+++ b/app/views/accounts/_header.html.erb
@@ -1,15 +1,15 @@
 <div class="grid-row flex-justify padding-y-2 tablet:padding-y-0 margin-bottom-4 bg-primary-lightest tablet:bg-transparent position-relative <% if presenter.showing_any_badges? %>padding-bottom-4<% end %>">
   <div class="grid-col-12 tablet:grid-col-auto">
-    <h1 class="margin-0 text-center sm-left-align">
-      <span class="text-normal tablet:display-none">
+    <h1 class="margin-0">
+      <div class="text-normal tablet:display-none text-center">
         <%= t('account.welcome') %>,
         <span class="text-bold text-wrap-anywhere">
           <%= presenter.header_personalization %>
         </span>
-      </span>
-      <span class="display-none tablet:display-inline">
+      </div>
+      <div class="display-none tablet:display-inline">
         <%= t('headings.account.login_info') %>
-      </span>
+      </div>
     </h1>
   </div>
   <div class="account-header__badges grid-col-12 tablet:grid-col-auto">
diff --git a/app/views/devise/passwords/edit.html.erb b/app/views/devise/passwords/edit.html.erb
index 0994a48f129..3a281792416 100644
--- a/app/views/devise/passwords/edit.html.erb
+++ b/app/views/devise/passwords/edit.html.erb
@@ -2,7 +2,9 @@
 
 <%= render PageHeadingComponent.new.with_content(t('headings.passwords.change')) %>
 
-<p><%= t('instructions.password.password_key') %></p>
+<p id="password-description">
+  <%= t('instructions.password.password_key') %>
+</p>
 
 <%= simple_form_for(
       @reset_password_form,
@@ -12,13 +14,12 @@
     ) do |f| %>
   <%= f.input :reset_password_token, as: :hidden %>
   <%= f.full_error :reset_password_token %>
-  <%= render PasswordToggleComponent.new(
+  <%= render PasswordConfirmationComponent.new(
         form: f,
+        password_label: t('forms.passwords.edit.labels.password'),
         field_options: {
-          label: t('forms.passwords.edit.labels.password'),
-          required: true,
           input_html: {
-            autocomplete: 'new-password',
+            aria: { describedby: 'password-description' },
           },
         },
       ) %>
diff --git a/app/views/idv/phone/new.html.erb b/app/views/idv/phone/new.html.erb
index 8676e1d388a..ad97b710ce5 100644
--- a/app/views/idv/phone/new.html.erb
+++ b/app/views/idv/phone/new.html.erb
@@ -83,6 +83,8 @@
               idv_gpo_path,
             ),
           ) %>
+    <% else %>
+      <%= t('idv.messages.phone.failed_number.try_again_html') %>
     <% end %>
   <% end %>
 
diff --git a/app/views/idv/phone_errors/failure.html.erb b/app/views/idv/phone_errors/failure.html.erb
index 43e8895946a..594d7837e8f 100644
--- a/app/views/idv/phone_errors/failure.html.erb
+++ b/app/views/idv/phone_errors/failure.html.erb
@@ -4,11 +4,6 @@
       heading: t('idv.failure.phone.rate_limited.heading'),
       current_step: :verify_phone_or_address,
       options: [
-        decorated_session.sp_name && {
-          url: return_to_sp_failure_to_proof_path(step: 'phone', location: request.params[:action]),
-          text: t('idv.troubleshooting.options.get_help_at_sp', sp_name: decorated_session.sp_name),
-          new_tab: true,
-        },
         {
           url: MarketingSite.contact_url,
           text: t('idv.troubleshooting.options.contact_support', app_name: APP_NAME),
@@ -17,19 +12,26 @@
       ].select(&:present?),
     ) do %>
       <p>
-        <%= t(
-              'idv.failure.phone.rate_limited.body',
-              time_left: distance_of_time_in_words(
-                Time.zone.now,
-                [@expires_at, Time.zone.now].compact.max,
-                except: :seconds,
-              ),
-            ) %>
+        <%= t('idv.failure.phone.rate_limited.body') %>
       </p>
+      <%= t('idv.failure.phone.rate_limited.options_header') %>
+      <ul>
+        <% if @gpo_letter_available %>
+          <li><%= t('idv.failure.phone.rate_limited.option_verify_by_mail_html') %></li>
+        <% end %>
+        <li>
+          <%= t(
+                'idv.failure.phone.rate_limited.option_try_again_later_html',
+                time_left: distance_of_time_in_words(
+                  Time.zone.now,
+                  [@expires_at, Time.zone.now].compact.max,
+                  except: :seconds,
+                ),
+              ) %>
+        </li>
+      </ul>
+
       <% if @gpo_letter_available %>
-        <p>
-          <strong><%= t('idv.failure.phone.rate_limited.gpo.prompt') %></strong>
-        </p>
         <div class="margin-y-5">
           <%= render ButtonComponent.new(
                 action: ->(**tag_options, &block) { link_to idv_gpo_path, **tag_options, &block },
@@ -39,3 +41,7 @@
         </div>
       <% end %>
     <% end %>
+    <%= render PageFooterComponent.new do %>
+      <%= link_to(t('links.cancel'), idv_cancel_path) %>
+    <% end %>
+
diff --git a/app/views/shared/_fallback_links.html.erb b/app/views/shared/_fallback_links.html.erb
deleted file mode 100644
index b24bc11988b..00000000000
--- a/app/views/shared/_fallback_links.html.erb
+++ /dev/null
@@ -1,8 +0,0 @@
-<div>
-  <h2 class="h3 margin-top-4 margin-bottom-1">
-    <%= @presenter.fallback_question %>
-  </h2>
-  <% if @presenter.link_path %>
-    <%= link_to(@presenter.link_text, @presenter.link_path) %>
-  <% end %>
-</div>
diff --git a/app/views/two_factor_authentication/_troubleshooting_options.html.erb b/app/views/two_factor_authentication/_troubleshooting_options.html.erb
new file mode 100644
index 00000000000..5faa16cf596
--- /dev/null
+++ b/app/views/two_factor_authentication/_troubleshooting_options.html.erb
@@ -0,0 +1,3 @@
+<%= render TroubleshootingOptionsComponent.new(options: @presenter.troubleshooting_options) do |c| %>
+  <% c.with_header { t('components.troubleshooting_options.default_heading') } %>
+<% end %>
diff --git a/app/views/two_factor_authentication/backup_code_verification/show.html.erb b/app/views/two_factor_authentication/backup_code_verification/show.html.erb
index 9626d5e4345..f717229662e 100644
--- a/app/views/two_factor_authentication/backup_code_verification/show.html.erb
+++ b/app/views/two_factor_authentication/backup_code_verification/show.html.erb
@@ -25,5 +25,5 @@
   <%= f.submit t('forms.buttons.submit.default'), class: 'display-block margin-y-5' %>
 <% end %>
 
-<%= render 'shared/fallback_links', presenter: @presenter %>
+<%= render 'two_factor_authentication/troubleshooting_options', presenter: @presenter %>
 <%= render 'shared/cancel', link: sign_out_path %>
diff --git a/app/views/two_factor_authentication/options/index.html.erb b/app/views/two_factor_authentication/options/index.html.erb
index 6983bca9aba..63d8d8ab883 100644
--- a/app/views/two_factor_authentication/options/index.html.erb
+++ b/app/views/two_factor_authentication/options/index.html.erb
@@ -8,6 +8,12 @@
   <%= @presenter.info %>
 </p>
 
+<% if @presenter.restricted_options_warning_text.present? %>
+  <%= render AlertComponent.new(type: :warning, class: 'margin-top-4') do %>
+    <%= @presenter.restricted_options_warning_text %>
+  <% end %>
+<% end %>
+
 <%= simple_form_for(
       @two_factor_options_form,
       html: { autocomplete: 'off' },
diff --git a/app/views/two_factor_authentication/otp_verification/show.html.erb b/app/views/two_factor_authentication/otp_verification/show.html.erb
index 0211287c69d..fed58b72d88 100644
--- a/app/views/two_factor_authentication/otp_verification/show.html.erb
+++ b/app/views/two_factor_authentication/otp_verification/show.html.erb
@@ -61,12 +61,7 @@
       ).with_content(t('links.two_factor_authentication.send_another_code')) %>
 <% end %>
 
-
-<%= render(
-      'shared/troubleshooting_options',
-      heading: @presenter.troubleshooting_header,
-      options: @presenter.troubleshooting_options,
-    ) %>
+<%= render 'two_factor_authentication/troubleshooting_options', presenter: @presenter %>
 
 <% if MfaPolicy.new(current_user).two_factor_enabled? %>
   <%= render 'shared/cancel', link: @presenter.cancel_link %>
diff --git a/app/views/two_factor_authentication/personal_key_verification/show.html.erb b/app/views/two_factor_authentication/personal_key_verification/show.html.erb
index 0e15b428285..9d564407d71 100644
--- a/app/views/two_factor_authentication/personal_key_verification/show.html.erb
+++ b/app/views/two_factor_authentication/personal_key_verification/show.html.erb
@@ -14,5 +14,5 @@
   <%= f.submit t('forms.buttons.submit.default'), class: 'display-block margin-y-5' %>
 <% end %>
 
-<%= render 'shared/fallback_links', presenter: @presenter %>
+<%= render 'two_factor_authentication/troubleshooting_options', presenter: @presenter %>
 <%= render 'shared/cancel', link: sign_out_path %>
diff --git a/app/views/two_factor_authentication/piv_cac_verification/show.html.erb b/app/views/two_factor_authentication/piv_cac_verification/show.html.erb
index 81d64fa01d1..2608296466a 100644
--- a/app/views/two_factor_authentication/piv_cac_verification/show.html.erb
+++ b/app/views/two_factor_authentication/piv_cac_verification/show.html.erb
@@ -3,7 +3,7 @@
 <%= render PageHeadingComponent.new.with_content(@presenter.header) %>
 
 <p>
-  <%= @presenter.piv_cac_help %>
+  <%= t('instructions.mfa.piv_cac.confirm_piv_cac') %>
 </p>
 
 <div class="margin-y-5">
@@ -15,5 +15,6 @@
         wide: true,
       ).with_content(@presenter.piv_cac_capture_text) %>
 </div>
-<%= render 'shared/fallback_links', presenter: @presenter %>
+
+<%= render 'two_factor_authentication/troubleshooting_options', presenter: @presenter %>
 <%= render 'shared/cancel', link: @presenter.cancel_link %>
diff --git a/app/views/two_factor_authentication/totp_verification/show.html.erb b/app/views/two_factor_authentication/totp_verification/show.html.erb
index 6285af8c435..23faf7f04b6 100644
--- a/app/views/two_factor_authentication/totp_verification/show.html.erb
+++ b/app/views/two_factor_authentication/totp_verification/show.html.erb
@@ -33,5 +33,5 @@
       ) %>
 </p>
 
-<%= render 'shared/fallback_links', presenter: @presenter %>
+<%= render 'two_factor_authentication/troubleshooting_options', presenter: @presenter %>
 <%= render 'shared/cancel', link: @presenter.cancel_link %>
diff --git a/app/views/two_factor_authentication/webauthn_verification/show.html.erb b/app/views/two_factor_authentication/webauthn_verification/show.html.erb
index 4da63216a14..72e5c774e33 100644
--- a/app/views/two_factor_authentication/webauthn_verification/show.html.erb
+++ b/app/views/two_factor_authentication/webauthn_verification/show.html.erb
@@ -33,31 +33,6 @@
         },
       ) %>
 
-  <%= render TroubleshootingOptionsComponent.new do |c| %>
-    <% c.with_header { t('components.troubleshooting_options.default_heading') } %>
-    <% if @presenter.link_path.present? %>
-      <% c.with_option(url: @presenter.link_path).with_content(@presenter.link_text) %>
-    <% end %>
-    <% if @presenter.platform_authenticator? %>
-      <% c.with_option(
-           url: help_center_redirect_path(
-             category: 'trouble-signing-in',
-             article: 'face-or-touch-unlock',
-             flow: :two_factor_authentication,
-             step: :webauthn_verification,
-           ),
-           new_tab: true,
-         ).with_content(t('instructions.mfa.webauthn_platform.learn_more_help')) %>
-    <% end %>
-    <% c.with_option(
-         url: help_center_redirect_path(
-           category: 'get-started',
-           article: 'authentication-options',
-           flow: :two_factor_authentication,
-           step: :webauthn_verification,
-         ),
-         new_tab: true,
-       ).with_content(t('two_factor_authentication.learn_more')) %>
-  <% end %>
+  <%= render 'two_factor_authentication/troubleshooting_options', presenter: @presenter %>
 <% end %>
 <%= render 'shared/cancel', link: @presenter.cancel_link %>
diff --git a/app/views/users/authorization_confirmation/new.html.erb b/app/views/users/authorization_confirmation/new.html.erb
index 0a9d09812a1..1fe25a712b7 100644
--- a/app/views/users/authorization_confirmation/new.html.erb
+++ b/app/views/users/authorization_confirmation/new.html.erb
@@ -6,23 +6,21 @@
   <%= render PageHeadingComponent.new.with_content(decorated_session.new_session_heading) %>
 <% end %>
 
-<div class='sm-left-align'>
-  <div class='margin-top-4'>
-    <div class='margin-left-1 margin-bottom-1 text-bold'>
-      <%= t('user_authorization_confirmation.currently_logged_in') %>
-    </div>
-    <div class='tablet:margin-left-1 tablet:margin-right-1' >
-      <ul class='margin-bottom-4 usa-list--unstyled border-bottom border-primary-light success-bullets requested-attributes'>
-        <li class='success-bullet border-top border-primary-light'>
-          <span class='text-bold'>
-            <%= t('help_text.requested_attributes.email') %>
-          </span>
-          <span class='padding-left-2'>
-            <%= @email %>
-          </span>
-        </li>
-      </ul>
-    </div>
+<div class='margin-top-4'>
+  <div class='margin-left-1 margin-bottom-1 text-bold'>
+    <%= t('user_authorization_confirmation.currently_logged_in') %>
+  </div>
+  <div class='tablet:margin-left-1 tablet:margin-right-1' >
+    <ul class='margin-bottom-4 usa-list--unstyled border-bottom border-primary-light success-bullets requested-attributes'>
+      <li class='success-bullet border-top border-primary-light'>
+        <span class='text-bold'>
+          <%= t('help_text.requested_attributes.email') %>
+        </span>
+        <span class='padding-left-2'>
+          <%= @email %>
+        </span>
+      </li>
+    </ul>
   </div>
 
   <div class='margin-top-4 text-center'>
diff --git a/app/views/users/passwords/edit.html.erb b/app/views/users/passwords/edit.html.erb
index 926bd819196..88aa0bbfe02 100644
--- a/app/views/users/passwords/edit.html.erb
+++ b/app/views/users/passwords/edit.html.erb
@@ -11,15 +11,12 @@
                                   html: { autocomplete: 'off', method: :patch }
     ) do |f| %>
   <%= f.error_notification %>
-  <%= render PasswordToggleComponent.new(
+  <%= render PasswordConfirmationComponent.new(
         form: f,
+        password_label: t('forms.passwords.edit.labels.password'),
         field_options: {
-          name: :password,
-          label: t('forms.passwords.edit.labels.password'),
-          required: true,
           input_html: {
             aria: { describedby: 'password-description' },
-            autocomplete: 'new-password',
           },
         },
       ) %>
diff --git a/app/views/users/two_factor_authentication_setup/index.html.erb b/app/views/users/two_factor_authentication_setup/index.html.erb
index 8436464e321..74c49fa5625 100644
--- a/app/views/users/two_factor_authentication_setup/index.html.erb
+++ b/app/views/users/two_factor_authentication_setup/index.html.erb
@@ -20,7 +20,9 @@
                     url: authentication_methods_setup_path do |f| %>
   <div class="margin-bottom-4">
     <fieldset class="margin-0 padding-0 border-0">
-      <legend class="margin-bottom-2 usa-sr-only"><%= @presenter.intro %></legend>
+      <legend class="margin-bottom-2 usa-sr-only">
+        <%= t('two_factor_authentication.form_legend') %>
+      </legend>
       <%= hidden_field_tag 'two_factor_options_form[selection][]', nil %>
       <% @presenter.options.each do |option| %>
         <%= render(option) do %>
diff --git a/app/views/users/webauthn_setup/new.html.erb b/app/views/users/webauthn_setup/new.html.erb
index 8db8a5fe9c9..d4ac3d9660a 100644
--- a/app/views/users/webauthn_setup/new.html.erb
+++ b/app/views/users/webauthn_setup/new.html.erb
@@ -45,11 +45,21 @@
           maxlength: 20,
         },
       ) %>
+  <div class="margin-y-4 text-center" id="spinner" hidden>
+    <%= image_tag(
+          asset_url('loading-badge.gif'),
+          height: 144,
+          width: 144,
+          alt: '',
+        ) %>
+    <strong class="display-block margin-top-2">
+      <%= t('forms.webauthn_setup.saving') %>
+    </strong>
+  </div>
   <%= f.input(
         :remember_device,
         as: :boolean,
         label: t('forms.messages.remember_device'),
-        wrapper_html: { class: 'margin-top-4' },
         input_html: {
           class: 'usa-checkbox__input--bordered',
           checked: @presenter.remember_device_box_checked?,
@@ -62,20 +72,6 @@
       ) %>
 <% end %>
 
-<div class="spinner display-none margin-y-4" id='spinner'>
-  <div class='text-center'>
-    <%= image_tag(
-          asset_url('spinner.gif'),
-          srcset: asset_url('spinner@2x.gif'),
-          height: 144,
-          width: 144,
-          alt: '',
-        ) %>
-  </div>
-  <h2 class='h4 half-center'><%= @presenter.setup_heading %></h2>
-  <p class='half-center'><%= @presenter.setup_instructions %></p>
-</div>
-
 <%= render 'shared/cancel_or_back_to_options' %>
 
 <%= javascript_packs_tag_once 'webauthn-setup' %>
diff --git a/config/database.yml b/config/database.yml
index ecf5d1fb863..a6b5a6a2a4c 100644
--- a/config/database.yml
+++ b/config/database.yml
@@ -1,5 +1,5 @@
 postgresql: &postgresql
-  adapter: postgis
+  adapter: postgresql
   encoding: utf8
   database: identity_idp_<%= Rails.env %>
   port: 5432
@@ -24,9 +24,11 @@ defaults: &defaults
 development:
   primary:
     <<: *defaults
+    adapter: postgis
     migrations_paths: db/primary_migrate
   read_replica:
     <<: *defaults
+    adapter: postgis
     replica: true
   worker_jobs:
     <<: *defaults
@@ -36,6 +38,7 @@ development:
 test:
   primary: &test
     <<: *defaults
+    adapter: postgis
     pool: 10
     checkout_timeout: 10
     database: <%= ENV['POSTGRES_DB'] || "identity_idp_test#{ENV['TEST_ENV_NUMBER']}" %>
@@ -44,6 +47,7 @@ test:
     migrations_paths: db/primary_migrate
   read_replica:
     <<: *test
+    adapter: postgis
     replica: true
   worker_jobs:
     <<: *test
@@ -76,6 +80,7 @@ test:
 production:
   primary:
     <<: *defaults
+    adapter: postgis
     database: <%= IdentityConfig.store.database_name %>
     username: <%= IdentityConfig.store.database_username %>
     host: <%= IdentityConfig.store.database_socket.present? ?  IdentityConfig.store.database_socket : IdentityConfig.store.database_host %>
@@ -88,6 +93,7 @@ production:
     migrations_paths: db/primary_migrate
   read_replica:
     <<: *defaults
+    adapter: postgis
     database: <%= IdentityConfig.store.database_name %>
     username: <%= IdentityConfig.store.database_readonly_username %>
     host: <%= IdentityConfig.store.database_read_replica_host %>
diff --git a/config/locales/forms/en.yml b/config/locales/forms/en.yml
index 7d372c045c9..53bff772edf 100644
--- a/config/locales/forms/en.yml
+++ b/config/locales/forms/en.yml
@@ -151,8 +151,6 @@ en:
       continue: Continue
       info_text: You’ll need to set up an additional authentication method after you
         set up face or touch unlock.
-      instructions_text: Use Touch or Face Unlock to access your account with %{app_name}
-      instructions_title: Use Touch or Face Unlock to access your account.
       intro_html: '<p>Save your face or fingerprint as a credential on your device, so
         you can access your account with it. %{app_name} does not store your
         face or fingerprint.</p><p>You may need to use the same device to sign
@@ -163,9 +161,8 @@ en:
         which one is which.
     webauthn_setup:
       continue: Continue
-      instructions_text: Press the button on your security key to register it with %{app_name}
-      instructions_title: Connect your security key
       intro_html: '<p>Add a security key that meets the FIDO standard as your
         authentication method. You can add as many security keys as you want. To
         get started, first give your security key a nickname.</p>'
       nickname: Security key nickname
+      saving: Saving your credentials …
diff --git a/config/locales/forms/es.yml b/config/locales/forms/es.yml
index 30ecba5f82a..25bd8e8182a 100644
--- a/config/locales/forms/es.yml
+++ b/config/locales/forms/es.yml
@@ -159,9 +159,6 @@ es:
       continue: Continuar
       info_text: Tendrá que configurar un método de autenticación adicional después de
         establecer el desbloqueo con la cara o con la huella digital.
-      instructions_text: Use el desbloqueo facial o táctil para acceder a su cuenta
-        con %{app_name}.
-      instructions_title: Use el desbloqueo facial o táctil para acceder a su cuenta.
       intro_html: '<p>Guarde la cara o la huella digital como credencial en su
         dispositivo. De esta forma, accederá a su cuenta con una de ellas.
         %{app_name} no almacena la cara ni la huella digital.</p><p>Es posible
@@ -174,11 +171,9 @@ es:
         huella digital, podrá distinguirlos.
     webauthn_setup:
       continue: Continuar
-      instructions_text: Presione el botón en su clave de seguridad para registrarlo
-        con %{app_name}
-      instructions_title: Conecte su llave de seguridad
       intro_html: '<p>Añada una clave de seguridad que cumpla el estándar FIDO como
         método de autenticación. Puede añadir tantas claves de seguridad como
         desee. Para empezar, primero asigne un apodo a su clave de
         seguridad.</p>'
       nickname: Apodo clave de seguridad
+      saving: Guardando sus credenciales …
diff --git a/config/locales/forms/fr.yml b/config/locales/forms/fr.yml
index 69d914a1915..4c22557f40f 100644
--- a/config/locales/forms/fr.yml
+++ b/config/locales/forms/fr.yml
@@ -165,10 +165,6 @@ fr:
       info_text: Vous aurez besoin de configurer une méthode d’authentification
         supplémentaire après que vous aurez configuré le déverrouillage facial
         ou le déverrouillage tactile.
-      instructions_text: Utilisez le déverrouillage par empreinte digitale ou le
-        déverouillage facial pour accéder à votre compte avec %{app_name}.
-      instructions_title: Utilisez le déverrouillage par empreinte digitale ou le
-        déverouillage facial pour accéder à votre compte.
       intro_html: '<p>Enregistrez votre visage ou votre empreinte digitale en tant
         qu’identifiant sur votre appareil, afin de pouvoir les utiliser pour
         accéder à votre compte. %{app_name} ne stocke pas votre visage ni votre
@@ -182,11 +178,9 @@ fr:
         reconnaître.
     webauthn_setup:
       continue: Continuer
-      instructions_text: Appuyez sur le bouton de votre clé de sécurité pour
-        l’enregistrer avec %{app_name}
-      instructions_title: Connectez votre clé de sécurité
       intro_html: '<p>Ajoutez une clé de sécurité conforme à la norme FIDO comme
         méthode d’authentification. Vous pouvez ajouter autant de clés de
         sécurité que vous le souhaitez. Pour commencer, donnez d’abord un surnom
         à votre clé de sécurité.</p>'
       nickname: Pseudo clé de sécurité
+      saving: Enregistrement de vos informations d’identification …
diff --git a/config/locales/idv/en.yml b/config/locales/idv/en.yml
index 0d64e1e0cab..a3db94032d8 100644
--- a/config/locales/idv/en.yml
+++ b/config/locales/idv/en.yml
@@ -97,13 +97,13 @@ en:
           Please try again.
         rate_limited:
           body: For security reasons, we limit the number of times you can attempt to
-            verify your phone number online. You will need to wait %{time_left}
-            and start over before trying to verify by phone again.
+            verify your phone number online.
           gpo:
             button: Verify by mail
-            prompt: Continue now by verifying by mail, which typically takes 3 - 7 business
-              days.
           heading: 'We couldn’t verify your identity by phone'
+          option_try_again_later_html: 'Cancel and start over again after <b>%{time_left}</b>'
+          option_verify_by_mail_html: 'Verify by mail, which typically takes <b>3-7 business days</b>'
+          options_header: 'You can:'
         timeout: Our request to verify your information timed out. Please try again.
         warning:
           attempts_html:
@@ -216,9 +216,9 @@ en:
           This is to help verify your identity.
         failed_number:
           alert_text: We couldn’t match you to this number.
-          gpo_alert_html: If you don’t have <strong>another</strong> number to try,
-            %{link_html} instead.
+          gpo_alert_html: Try <strong>another</strong> number or %{link_html}.
           gpo_verify_link: verify by mail
+          try_again_html: Try <strong>another</strong> number.
         rules:
           - Based in the United States (including U.S. territories)
           - Your primary number (the one you use the most often)
diff --git a/config/locales/idv/es.yml b/config/locales/idv/es.yml
index a41780bcc1d..e71881294a4 100644
--- a/config/locales/idv/es.yml
+++ b/config/locales/idv/es.yml
@@ -103,14 +103,14 @@ es:
           Vuelve a intentarlo.
         rate_limited:
           body: Por motivos de seguridad, se limita el número de veces que puede intentar
-            verificar su número de teléfono por Internet. Tendrás que esperar
-            %{time_left} y volver a empezar antes de volver a intentar la
-            verificación por teléfono.
+            verificar su número de teléfono por Internet.
           gpo:
             button: Verificar por correo
-            prompt: Continúa ahora con la verificación por correo, que suele tardar entre 3
-              y 7 días laborables.
-          heading: 'No hemos podido verificar su identidad por teléfono'
+          heading: No pudimos asociarlo a este número
+          option_try_again_later_html: 'Cancelar y empezar de nuevo transcurridas <b>%{time_left}</b>'
+          option_verify_by_mail_html: 'Verificar por correo, lo que suele demorar de <b>3
+            a 7 días hábiles</b>'
+          options_header: 'Puede:'
         timeout: Nuestra solicitud para verificar tu información ha caducado. Vuelve a
           intentarlo.
         warning:
@@ -226,9 +226,9 @@ es:
           código único. Esto es para ayudar a verificar su identidad.
         failed_number:
           alert_text: No pudimos asociarlo a este número.
-          gpo_alert_html: Si no dispone de <strong>otro</strong> número de teléfono,
-            %{link_html}.
-          gpo_verify_link: realice la verificación por correo
+          gpo_alert_html: Pruebe con <strong>otro</strong> número o %{link_html}.
+          gpo_verify_link: verifique por correo
+          try_again_html: Pruebe con <strong>otro</strong> número.
         rules:
           - Con base en Estados Unidos (incluidos los territorios de EE.UU.)
           - Su número principal (el que utiliza con más frecuencia)
diff --git a/config/locales/idv/fr.yml b/config/locales/idv/fr.yml
index ceb0c4ba01e..ea26a7730eb 100644
--- a/config/locales/idv/fr.yml
+++ b/config/locales/idv/fr.yml
@@ -108,14 +108,14 @@ fr:
           pour le moment. Veuillez réessayer.
         rate_limited:
           body: Pour des raisons de sécurité, nous limitons le nombre de tentatives de
-            vérification de votre numéro de téléphone en ligne. Vous devrez
-            attendre %{time_left} et recommencer avant d’essayer à nouveau de
-            vérifier votre identité par téléphone.
+            vérification de votre numéro de téléphone en ligne.
           gpo:
             button: Vérifier par courrier
-            prompt: Continuez maintenant en vérifiant par courrier, ce qui prend
-              généralement de 3 à 7 jours ouvrables.
           heading: Nous n’avons pas pu vérifier votre identité par téléphone
+          option_try_again_later_html: 'Annuler et recommencer après <b>%{time_left}</b>'
+          option_verify_by_mail_html: Vérifier par courrier, ce qui prend généralement de
+            <b>trois à sept jours ouvrables</b>.
+          options_header: 'Vous Pouvez :'
         timeout: Notre demande de vérification de vos renseignements a expiré. Veuillez
           réessayer.
         warning:
@@ -240,9 +240,9 @@ fr:
           code à usage unique. Ceci est pour aider à vérifier votre identité.
         failed_number:
           alert_text: Nous n’avons pas pu vous associer à ce numéro.
-          gpo_alert_html: Si vous n’avez pas <strong>d’autre</strong> numéro de téléphone
-            à essayer, %{link_html}.
-          gpo_verify_link: vérifiez plutôt par courrier
+          gpo_alert_html: Essayez un <strong>autre</strong> numéro ou %{link_html}.
+          gpo_verify_link: vérifiez par courrier
+          try_again_html: Essayez un <strong>autre</strong> numéro.
         rules:
           - Basé aux Etats-Unis (y compris les territoires américains)
           - Votre numéro principal (celui que vous utilisez le plus souvent)
diff --git a/config/locales/in_person_proofing/es.yml b/config/locales/in_person_proofing/es.yml
index d37e5cde735..f0ec2b0fecc 100644
--- a/config/locales/in_person_proofing/es.yml
+++ b/config/locales/in_person_proofing/es.yml
@@ -92,9 +92,10 @@ es:
         id_types:
           - Licencia para conducir estatal
           - Identificación estatal que no sea la licencia para conducir
-        info_html: Ingrese la información <strong>exactamente como aparece en su cédula
-          de identidad emitida por el estado.</strong> Utilizaremos esta
-          información para confirmar que coincide con su cédula en persona.
+        info_html: Ingrese la información <strong>exactamente como aparece en su
+          documento de identidad emitido por el estado.</strong> Utilizaremos
+          esta información para confirmar que coincide con su documento en
+          persona.
         learn_more_link: Obtenga más información sobre los documentos de identificación
           aceptados.
         questions: '¿Alguna pregunta?'
@@ -143,7 +144,7 @@ es:
         state_id_jurisdiction: Estado emisor
         state_id_jurisdiction_hint: Este es el estado que emitió su identificación
         state_id_jurisdiction_prompt: '- Seleccione -'
-        state_id_number: Número de cédula
+        state_id_number: Número de identidad
         state_id_number_hint_html: "Puede incluir letras, números y los siguientes
           símbolos: <span class='usa-sr-only'>espacios, </span><span
           aria-hidden='true'> </span> <span class='usa-sr-only'>barras
@@ -161,7 +162,7 @@ es:
       po_search:
         location: Encuentre una oficina de correos participante
       prepare: Verifique su identidad en persona
-      state_id_milestone_2: Ingresa la información de tu identificación emitida por el estado
+      state_id_milestone_2: Ingrese la información de su identificación emitida por el estado
       switch_back: Vuelva a su computadora para prepararse para verificar su identidad
         en persona
       update_address: Actualizar su dirección actual
diff --git a/config/locales/instructions/en.yml b/config/locales/instructions/en.yml
index b09dda48ba9..b414a32ed19 100644
--- a/config/locales/instructions/en.yml
+++ b/config/locales/instructions/en.yml
@@ -37,12 +37,6 @@ en:
           you think this is an error, %{try_again_html}.
         back_to_sign_in: Go back to sign in
         confirm_piv_cac: Present the PIV/CAC that you associated with your account.
-        confirm_piv_cac_only: This app requires a higher level of security. You need to
-          verify your identity using a government employee ID that you
-          previously set up to access your information.
-        confirm_piv_cac_or_aal3: This app requires a higher level of security. You need
-          to verify your identity using a physical device such as a security key
-          or government employee ID (PIV or CAC) to access your information.
         did_not_work_html: Please %{please_try_again_html}. If this problem continues,
           contact your agency administrator.
         http_failure: The server took too long to respond. Please try again.
@@ -72,12 +66,6 @@ en:
           code will expire in %{expiration} minutes.
       webauthn:
         confirm_webauthn: Present the security key that you associated with your account.
-        confirm_webauthn_only: This app requires a higher level of security. You need to
-          verify your identity using a security key that you previously set up
-          to access your information.
-        confirm_webauthn_or_aal3: This app requires a higher level of security. You need
-          to verify your identity using a physical device such as a security key
-          or government employee ID (PIV or CAC) to access your information.
         confirm_webauthn_platform: You have face or touch unlock enabled for your %{app_name} account.
       webauthn_platform:
         learn_more_help: Learn more about face or touch unlock
diff --git a/config/locales/instructions/es.yml b/config/locales/instructions/es.yml
index d98d0e83add..e18e74d0dd2 100644
--- a/config/locales/instructions/es.yml
+++ b/config/locales/instructions/es.yml
@@ -39,13 +39,6 @@ es:
           día. Si cree que se trata de un error, %{try_again_html}.
         back_to_sign_in: Regrese para iniciar sesión
         confirm_piv_cac: Presenta la PIV/CAC que asociaste con tu cuenta.
-        confirm_piv_cac_only: Esta aplicación requiere un mayor nivel de seguridad. Debe
-          verificar su identidad con una identificación de empleado del Gobierno
-          que haya configurado previamente para acceder a su información.
-        confirm_piv_cac_or_aal3: Esta aplicación requiere un mayor nivel de seguridad.
-          Debe verificar su identidad con un dispositivo físico, como una llave
-          de seguridad o una identificación de empleado del Gobierno (PIV o CAC)
-          para acceder a su información.
         did_not_work_html: '%{please_try_again_html}. Comuníquese con el encargado de su
           organismo si persiste este problema.'
         http_failure: El servidor tardó demasiado en responder. Inténtalo de nuevo.
@@ -75,13 +68,6 @@ es:
           %{number_html}. Este código expirará en %{expiration} minutos.
       webauthn:
         confirm_webauthn: Presente la clave de seguridad que asoció con su cuenta.
-        confirm_webauthn_only: Esta aplicación requiere un mayor nivel de seguridad.
-          Debe verificar su identidad con una llave de seguridad que haya
-          configurado previamente para acceder a su información.
-        confirm_webauthn_or_aal3: Esta aplicación requiere un mayor nivel de seguridad.
-          Debe verificar su identidad con un dispositivo físico, como una llave
-          de seguridad o una identificación de empleado del Gobierno (PIV o CAC)
-          para acceder a su información.
         confirm_webauthn_platform: Tiene activado el desbloqueo facial o táctil para su
           cuenta de %{app_name}.
       webauthn_platform:
diff --git a/config/locales/instructions/fr.yml b/config/locales/instructions/fr.yml
index 15a7213007c..dddca997dd2 100644
--- a/config/locales/instructions/fr.yml
+++ b/config/locales/instructions/fr.yml
@@ -45,14 +45,6 @@ fr:
         back_to_sign_in: Retourner à vous connecter
         confirm_piv_cac: Veuillez présenter la carte PIV/CAC que vous avez associée à
           votre compte.
-        confirm_piv_cac_only: Cette application nécessite un niveau de sécurité plus
-          élevé. Vous devez vérifier votre identité à l’aide d’un badge
-          d’employé du gouvernement que vous avez précédemment configuré pour
-          accéder à vos informations.
-        confirm_piv_cac_or_aal3: Cette application nécessite un niveau de sécurité plus
-          élevé. Vous devez vérifier votre identité à l’aide d’un dispositif
-          physique tel qu’une clé de sécurité ou un badge d’employé du
-          gouvernement (PIV ou CAC) pour accéder à vos informations.
         did_not_work_html: Veuillez %{please_try_again_html}. Si ce problème persiste,
           contactez l’administrateur de votre agence.
         http_failure: Le serveur a mis trop de temps à répondre. Veuillez réessayer.
@@ -85,14 +77,6 @@ fr:
           %{number_html}. Ce code expirera dans %{expiration} minutes.
       webauthn:
         confirm_webauthn: Présentez la clé de sécurité associée à votre compte.
-        confirm_webauthn_only: Cette application nécessite un niveau de sécurité plus
-          élevé. Vous devez vérifier votre identité à l’aide d’une clé de
-          sécurité que vous avez précédemment configurée pour accéder à vos
-          informations.
-        confirm_webauthn_or_aal3: Cette application nécessite un niveau de sécurité plus
-          élevé. Vous devez vérifier votre identité à l’aide d’un dispositif
-          physique tel qu’une clé de sécurité ou un badge d’employé du
-          gouvernement (PIV ou CAC) pour accéder à vos informations.
         confirm_webauthn_platform: Vous avez activé le déverrouillage facial ou tactile
           pour votre compte %{app_name}.
       webauthn_platform:
diff --git a/config/locales/mfa/en.yml b/config/locales/mfa/en.yml
index d22ed8108a4..d0f2a7d360a 100644
--- a/config/locales/mfa/en.yml
+++ b/config/locales/mfa/en.yml
@@ -7,8 +7,8 @@ en:
     additional_mfa_required:
       heading: Add another authentication method.
     info: Add another layer of security by selecting a multi-factor authentication
-      method. We recommend you select at least (2) two different options in case
-      you lose one of your methods.
+      method. We recommend you select at least two different options in case you
+      lose one of your methods.
     second_method_warning:
       link: Add a second authentication method.
       text: You will have to delete your account and start over if you lose your only
diff --git a/config/locales/two_factor_authentication/en.yml b/config/locales/two_factor_authentication/en.yml
index b059550795c..a0655bb0881 100644
--- a/config/locales/two_factor_authentication/en.yml
+++ b/config/locales/two_factor_authentication/en.yml
@@ -1,6 +1,12 @@
 ---
 en:
   two_factor_authentication:
+    aal2_request:
+      phishing_resistant_html: '<strong>%{sp_name}</strong> requires a high-security
+        authentication method, such as face or touch unlock, a security key or a
+        government employee ID.'
+      piv_cac_only_html: '<strong>%{sp_name}</strong> requires your government
+        employee ID, a high-security authentication method.'
     account_reset:
       cancel_link: Cancel your request
       link: deleting your account
@@ -14,8 +20,6 @@ en:
     attempt_remaining_warning_html:
       one: You have <strong>%{count} attempt</strong> remaining.
       other: You have <strong>%{count} attempts</strong> remaining.
-    backup_code_fallback:
-      question: Don’t have your backup codes available?
     backup_code_header_text: Enter your backup security code
     backup_code_prompt: You can use this security code once. After you enter it,
       you’ll need to use a new key.
@@ -30,6 +34,7 @@ en:
         </strong>If you have access to another device, such as a phone, protect
         your account with another authentication method.
     choose_another_option: '‹ Choose another authentication method'
+    form_legend: Choose your authentication methods
     header_text: Enter your one-time code
     important_alert_icon: important alert icon
     invalid_backup_code: That backup code is invalid.
@@ -111,8 +116,6 @@ en:
         a default phone number.
       one_number_title: This is your default number
       title: Make this your default phone number?
-    personal_key_fallback:
-      question: Don’t have your personal key?
     personal_key_header_text: Enter your personal key
     personal_key_prompt: You can use this personal key once. After you enter it,
       you’ll be provided a new key.
@@ -120,8 +123,6 @@ en:
       delete:
         failure: Unable to remove your phone.
         success: Your phone has been removed.
-    phone_fallback:
-      question: Can’t use your phone?
     phone_fee_disclosure: Message and data rates may apply.
     phone_info: We’ll send you a one-time code each time you sign in.
     phone_label: Phone number
@@ -129,10 +130,7 @@ en:
       troubleshooting:
         change_number: Use another phone number
         code_not_received: I didn’t receive my one-time code
-    piv_cac_fallback:
-      question: Don’t have your PIV or CAC available?
     piv_cac_header_text: Present your PIV/CAC
-    piv_cac_webauthn_available: Use your security key
     please_try_again_html: Please try again in <strong>%{countdown}</strong>.
     read_about_two_factor_authentication: Read about two-factor authentication
     recaptcha:
@@ -142,8 +140,6 @@ en:
       google_policy_link: Privacy Policy
       google_tos_link: Terms of Service
       login_tos_link: Mobile Terms of Use
-    totp_fallback:
-      question: Don’t have your authenticator app?
     totp_header_text: Enter your authentication app code
     two_factor_aal3_choice: Additional authentication required
     two_factor_aal3_choice_intro: This app requires a higher level of security. You
@@ -188,7 +184,6 @@ en:
       additional_methods_link: choose another authentication method
       try_again: Face or touch unlock was unsuccessful. Please try again or %{link}.
     webauthn_header_text: Connect your security key
-    webauthn_piv_available: Use your PIV or CAC
     webauthn_platform_header_text: Use face or touch unlock
     webauthn_platform_use_key: Use face or touch unlock
     webauthn_use_key: Use security key
diff --git a/config/locales/two_factor_authentication/es.yml b/config/locales/two_factor_authentication/es.yml
index 35dd7722654..31227966b1c 100644
--- a/config/locales/two_factor_authentication/es.yml
+++ b/config/locales/two_factor_authentication/es.yml
@@ -1,6 +1,12 @@
 ---
 es:
   two_factor_authentication:
+    aal2_request:
+      phishing_resistant_html: '<strong>%{sp_name}</strong> requiere un método de
+        autenticación de alta seguridad, como el desbloqueo facial o táctil, una
+        llave de seguridad o una identificación de empleado público.'
+      piv_cac_only_html: '<strong>%{sp_name}</strong> requiere su identificación de
+        empleado público, un método de autenticación de alta seguridad.'
     account_reset:
       cancel_link: Cancelar su solicitud
       link: eliminando su cuenta
@@ -14,8 +20,6 @@ es:
     attempt_remaining_warning_html:
       one: Le quedan <strong>%{count} intento</strong>.
       other: Le quedan <strong>%{count} intentos</strong>.
-    backup_code_fallback:
-      question: '¿No tienes tus códigos de seguridad disponibles?'
     backup_code_header_text: Ingrese su código de seguridad de respaldo
     backup_code_prompt: Puede utilizar este código de seguridad una vez. Después de
       ingresarlo, deberá usar una nueva clave.
@@ -30,6 +34,7 @@ es:
         </strong>Si tiene acceso a otro dispositivo, como un celular, proteja su
         cuenta mediante otro método de autenticación.
     choose_another_option: '‹ Elige otra opción de seguridad'
+    form_legend: Elija sus métodos de autenticación
     header_text: Introduzca su código único
     important_alert_icon: ícono de aviso importante
     invalid_backup_code: Esa código de respaldo no es válida.
@@ -119,8 +124,6 @@ es:
         seleccionar un número de teléfono predeterminado.
       one_number_title: Este es tu número predeterminado
       title: '¿Es este tu número de teléfono predeterminado?'
-    personal_key_fallback:
-      question: '¿No tiene su clave personal?'
     personal_key_header_text: Ingrese su clave personal
     personal_key_prompt: Puede usar esta clave personal una vez. Después de
       ingresarlo, se le dará una nueva clave.
@@ -128,8 +131,6 @@ es:
       delete:
         failure: No se puede eliminar el teléfono.
         success: Su teléfono ha sido eliminado.
-    phone_fallback:
-      question: '¿No puede utilizar su teléfono?'
     phone_fee_disclosure: Se pueden aplicar tarifas por mensajes y datos.
     phone_info: Le enviaremos un código de un solo uso cada vez que ingrese.
     phone_label: Número de teléfono
@@ -137,10 +138,7 @@ es:
       troubleshooting:
         change_number: Utilice otro número de teléfono.
         code_not_received: No recibí mi código de un solo uso.
-    piv_cac_fallback:
-      question: '¿No tienes su PIV o CAC disponibles?'
     piv_cac_header_text: Presenta tu PIV/CAC
-    piv_cac_webauthn_available: Utilice su llave de seguridad
     please_try_again_html: Inténtelo de nuevo en <strong>%{countdown}</strong>.
     read_about_two_factor_authentication: Conozca la autenticación de dos factores
     recaptcha:
@@ -150,8 +148,6 @@ es:
       google_policy_link: aplican la política de privacidad
       google_tos_link: las condiciones de servicio
       login_tos_link: las condiciones de uso
-    totp_fallback:
-      question: '¿No tiene su aplicación de autenticación?'
     totp_header_text: Ingrese su código de la app de autenticación
     two_factor_aal3_choice: Se requiere autenticación adicional
     two_factor_aal3_choice_intro: Esta aplicación requiere un mayor nivel de
@@ -203,7 +199,6 @@ es:
       try_again: El desbloqueo facial o táctil no fue exitoso. Por favor, inténtelo de
         nuevo o %{link}.
     webauthn_header_text: Conecte su llave de seguridad
-    webauthn_piv_available: Utilice su PIV o CAC
     webauthn_platform_header_text: Usar desbloqueo facial o táctil
     webauthn_platform_use_key: Usar desbloqueo facial o táctil
     webauthn_use_key: Usar llave de seguridad
diff --git a/config/locales/two_factor_authentication/fr.yml b/config/locales/two_factor_authentication/fr.yml
index 11d35425dd5..eb26c1035a1 100644
--- a/config/locales/two_factor_authentication/fr.yml
+++ b/config/locales/two_factor_authentication/fr.yml
@@ -1,6 +1,14 @@
 ---
 fr:
   two_factor_authentication:
+    aal2_request:
+      phishing_resistant_html: '<strong>%{sp_name}</strong> nécessite une méthode
+        d’authentification de haute sécurité, telle que le déverrouillage du
+        visage ou du tactile, une clé de sécurité ou un identifiant d’employé du
+        gouvernement.'
+      piv_cac_only_html: '<strong>%{sp_name}</strong> nécessite votre identifiant
+        d’employé du gouvernement, une méthode d’authentification de haute
+        sécurité.'
     account_reset:
       cancel_link: Annuler votre demande
       link: supprimer votre compte
@@ -14,8 +22,6 @@ fr:
     attempt_remaining_warning_html:
       one: Il vous reste <strong>%{count} tentative</strong>.
       other: Il vous reste <strong>%{count} tentatives</strong>.
-    backup_code_fallback:
-      question: Vous n’avez pas vos codes de secours disponibles?
     backup_code_header_text: Entrez votre code de sécurité de secours
     backup_code_prompt: Vous pouvez utiliser ce code de sécurité une fois. Après
       l’avoir entré, vous devrez utiliser une nouvelle clé.
@@ -31,6 +37,7 @@ fr:
         téléphone, protégez votre compte à l’aide d’une autre méthode
         d’authentification.
     choose_another_option: '‹ Choisissez une autre option de sécurité'
+    form_legend: Choisissez vos méthodes d’authentification
     header_text: Entrez votre code à usage unique
     important_alert_icon: Icône d’alerte importante
     invalid_backup_code: Ce code de sauvegarde est invalide.
@@ -124,8 +131,6 @@ fr:
         pour pouvoir sélectionner un numéro de téléphone par défaut.
       one_number_title: Il s’agit de votre numéro par défaut
       title: Faites-en votre numéro de téléphone par défaut?
-    personal_key_fallback:
-      question: Vous n’avez pas votre clé personnelle?
     personal_key_header_text: Entrez votre clé personnelle
     personal_key_prompt: Vous pouvez utiliser cette clé personnelle une fois
       seulement. Une fois que vous l’entrez, vous recevrez une nouvelle clé.
@@ -133,8 +138,6 @@ fr:
       delete:
         failure: Impossible de supprimer votre numéro de téléphone.
         success: Votre numéro de téléphone a été supprimé.
-    phone_fallback:
-      question: Vous ne pouvez pas utiliser votre téléphone?
     phone_fee_disclosure: Des messages et débits de données peuvent être appliqués.
     phone_info: Nous vous enverrons un code à usage unique à chaque fois que vous
       vous connecterez.
@@ -143,10 +146,7 @@ fr:
       troubleshooting:
         change_number: Utilisez un autre numéro de téléphone
         code_not_received: Je n’ai pas reçu mon code à usage unique
-    piv_cac_fallback:
-      question: Votre PIV ou CAC n’est pas disponible?
     piv_cac_header_text: Veuillez présenter votre carte PIV/CAC
-    piv_cac_webauthn_available: Utilisez votre clé de sécurité
     please_try_again_html: Veuillez essayer de nouveau dans <strong>%{countdown}</strong>.
     read_about_two_factor_authentication: En savoir plus sur l’authentification à deux facteurs
     recaptcha:
@@ -157,8 +157,6 @@ fr:
       google_policy_link: règles de confidentialité
       google_tos_link: conditions de service
       login_tos_link: conditions d’utilisation
-    totp_fallback:
-      question: Vous n’avez pas votre application d’authentification?
     totp_header_text: Entrez votre code d’application d’authentification
     two_factor_aal3_choice: Authentification supplémentaire requise
     two_factor_aal3_choice_intro: Cette application nécessite un niveau de sécurité
@@ -209,7 +207,6 @@ fr:
       try_again: Le déverrouillage facial ou tactile n’a pas fonctionné. Veuillez
         réessayer ou %{link}.
     webauthn_header_text: Connectez votre clé de sécurité
-    webauthn_piv_available: Utilisez votre PIV ou CAC
     webauthn_platform_header_text: Utilisez le déverrouillage facial ou tactile
     webauthn_platform_use_key: Utilisez le déverrouillage facial ou tactile
     webauthn_use_key: Utiliser la clé de sécurité
diff --git a/config/routes.rb b/config/routes.rb
index 7a46ada2705..13d094cfb3f 100644
--- a/config/routes.rb
+++ b/config/routes.rb
@@ -367,7 +367,6 @@
       get '/session/errors/failure' => 'session_errors#failure'
       get '/session/errors/ssn_failure' => 'session_errors#ssn_failure'
       get '/session/errors/exception' => 'session_errors#exception'
-      get '/session/errors/throttled' => 'session_errors#rate_limited'
       get '/session/errors/rate_limited' => 'session_errors#rate_limited'
       get '/setup_errors', to: redirect('/please_call')
       get '/not_verified' => 'not_verified#show'
@@ -412,6 +411,7 @@
       post '/confirmations' => 'personal_key#update'
       get '/doc_auth/:step', to: redirect('/verify/welcome')
       get '/doc_auth/link_sent/poll' => 'capture_doc_status#show'
+      get '/session/errors/throttled', to: redirect('/verify/session/errors/rate_limited')
     end
 
     # Old paths to GPO outside of IdV.
diff --git a/db/primary_migrate/20230727195406_add_in_person_verification_pending_at_to_profiles.rb b/db/primary_migrate/20230727195406_add_in_person_verification_pending_at_to_profiles.rb
new file mode 100644
index 00000000000..d81b49e9ee0
--- /dev/null
+++ b/db/primary_migrate/20230727195406_add_in_person_verification_pending_at_to_profiles.rb
@@ -0,0 +1,7 @@
+class AddInPersonVerificationPendingAtToProfiles < ActiveRecord::Migration[7.0]
+  disable_ddl_transaction!
+
+  def change
+    add_column :profiles, :in_person_verification_pending_at, :datetime
+  end
+end
diff --git a/db/schema.rb b/db/schema.rb
index 7be3591d79e..8b753ccd5a3 100644
--- a/db/schema.rb
+++ b/db/schema.rb
@@ -10,7 +10,7 @@
 #
 # It's strongly recommended that you check this file into your version control system.
 
-ActiveRecord::Schema[7.0].define(version: 2023_07_20_183509) do
+ActiveRecord::Schema[7.0].define(version: 2023_07_27_195406) do
   # These are extensions that must be enabled in order to support this database
   enable_extension "pg_stat_statements"
   enable_extension "pgcrypto"
@@ -446,6 +446,7 @@
     t.datetime "fraud_rejection_at"
     t.datetime "gpo_verification_pending_at"
     t.integer "fraud_pending_reason"
+    t.datetime "in_person_verification_pending_at"
     t.index ["fraud_pending_reason"], name: "index_profiles_on_fraud_pending_reason"
     t.index ["fraud_rejection_at"], name: "index_profiles_on_fraud_rejection_at"
     t.index ["fraud_review_pending_at"], name: "index_profiles_on_fraud_review_pending_at"
diff --git a/spec/components/password_confirmation_component_spec.rb b/spec/components/password_confirmation_component_spec.rb
index 755d198e4d9..0116d517731 100644
--- a/spec/components/password_confirmation_component_spec.rb
+++ b/spec/components/password_confirmation_component_spec.rb
@@ -20,4 +20,24 @@
       type: :checkbox,
     )
   end
+
+  context 'with labels passed in' do
+    subject(:rendered) do
+      render_inline PasswordConfirmationComponent.new(
+        form:,
+        password_label: password_label,
+        confirmation_label: confirmation_label,
+      )
+    end
+    let(:password_label) { 'edited password label' }
+    let(:confirmation_label) { 'edited password confirmation label' }
+
+    it 'renders custom password label' do
+      expect(rendered).to have_content(password_label)
+    end
+
+    it 'renders custom password confirmation label' do
+      expect(rendered).to have_content(confirmation_label)
+    end
+  end
 end
diff --git a/spec/components/troubleshooting_options_component_spec.rb b/spec/components/troubleshooting_options_component_spec.rb
index 15dfb5021f4..180d8978c22 100644
--- a/spec/components/troubleshooting_options_component_spec.rb
+++ b/spec/components/troubleshooting_options_component_spec.rb
@@ -10,11 +10,26 @@
   context 'with options' do
     it 'renders troubleshooting options' do
       rendered = render_inline(TroubleshootingOptionsComponent.new) do |c|
-        c.with_option(url: '/').with_content('Link Text')
+        c.with_option(url: '/1').with_content('Link Text 1')
+        c.with_option(url: '/2') { 'Link Text 2' }
       end
 
       expect(rendered).to have_css('.troubleshooting-options')
-      expect(rendered).to have_link('Link Text', href: '/')
+      expect(rendered).to have_link('Link Text 1', href: '/1')
+      expect(rendered).to have_link('Link Text 2', href: '/2')
+    end
+
+    context 'with options specified by constructor' do
+      it 'renders troubleshooting options' do
+        rendered = render_inline(
+          TroubleshootingOptionsComponent.new(
+            options: [BlockLinkComponent.new(url: '/').with_content('Link Text')],
+          ),
+        )
+
+        expect(rendered).to have_css('.troubleshooting-options')
+        expect(rendered).to have_link('Link Text', href: '/')
+      end
     end
 
     context 'with tag options' do
diff --git a/spec/controllers/concerns/rate_limit_concern_spec.rb b/spec/controllers/concerns/rate_limit_concern_spec.rb
index b34aa79b3c7..0237c82c52c 100644
--- a/spec/controllers/concerns/rate_limit_concern_spec.rb
+++ b/spec/controllers/concerns/rate_limit_concern_spec.rb
@@ -51,7 +51,7 @@ def update
 
         get :show
 
-        expect(response).to redirect_to idv_session_errors_throttled_url
+        expect(response).to redirect_to idv_session_errors_rate_limited_url
       end
     end
 
diff --git a/spec/controllers/idv/agreement_controller_spec.rb b/spec/controllers/idv/agreement_controller_spec.rb
index fd3a00a24d7..be297d25082 100644
--- a/spec/controllers/idv/agreement_controller_spec.rb
+++ b/spec/controllers/idv/agreement_controller_spec.rb
@@ -97,8 +97,6 @@
       }.merge(ab_test_args)
     end
 
-    let(:skip_upload) { nil }
-
     let(:skip_hybrid_handoff) { nil }
 
     let(:params) do
@@ -107,7 +105,6 @@
           ial2_consent_given: 1,
         },
         skip_hybrid_handoff: skip_hybrid_handoff,
-        skip_upload: skip_upload,
       }.compact
     end
 
@@ -130,38 +127,6 @@
       expect(response).to redirect_to(idv_hybrid_handoff_url)
     end
 
-    context 'skip_upload present in params' do
-      let(:skip_upload) { '' }
-      it 'sets flow_path to standard' do
-        expect do
-          put :update, params: params
-        end.to change {
-          subject.idv_session.flow_path
-        }.from(nil).to('standard')
-      end
-
-      it 'sets flow_session[:skip_upload_step] to true' do
-        expect do
-          put :update, params: params
-        end.to change {
-          subject.flow_session[:skip_upload_step]
-        }.from(nil).to(true)
-      end
-
-      it 'sets idv_session.skip_hybrid_handoff? to true' do
-        expect do
-          put :update, params: params
-        end.to change {
-          subject.idv_session.skip_hybrid_handoff?
-        }.from(false).to(true)
-      end
-
-      it 'redirects to hybrid handoff' do
-        put :update, params: params
-        expect(response).to redirect_to(idv_hybrid_handoff_url)
-      end
-    end
-
     context 'skip_hybrid_handoff present in params' do
       let(:skip_hybrid_handoff) { '' }
       it 'sets flow_path to standard' do
diff --git a/spec/controllers/idv/document_capture_controller_spec.rb b/spec/controllers/idv/document_capture_controller_spec.rb
index e5beb10e1f5..3ee4e408da0 100644
--- a/spec/controllers/idv/document_capture_controller_spec.rb
+++ b/spec/controllers/idv/document_capture_controller_spec.rb
@@ -130,7 +130,7 @@
 
         get :show
 
-        expect(response).to redirect_to(idv_session_errors_throttled_url)
+        expect(response).to redirect_to(idv_session_errors_rate_limited_url)
       end
     end
   end
diff --git a/spec/controllers/idv/getting_started_controller_spec.rb b/spec/controllers/idv/getting_started_controller_spec.rb
index b5355d155b0..1257f9e3653 100644
--- a/spec/controllers/idv/getting_started_controller_spec.rb
+++ b/spec/controllers/idv/getting_started_controller_spec.rb
@@ -104,8 +104,6 @@
       }.merge(ab_test_args)
     end
 
-    let(:skip_upload) { nil }
-
     let(:skip_hybrid_handoff) { nil }
 
     let(:params) do
@@ -114,7 +112,6 @@
           ial2_consent_given: 1,
         },
         skip_hybrid_handoff: skip_hybrid_handoff,
-        skip_upload: skip_upload,
       }.compact
     end
 
@@ -157,38 +154,6 @@
       expect(response).to redirect_to(idv_hybrid_handoff_url)
     end
 
-    context 'skip_upload present in params' do
-      let(:skip_upload) { '' }
-      it 'sets flow_path to standard' do
-        expect do
-          put :update, params: params
-        end.to change {
-          subject.idv_session.flow_path
-        }.from(nil).to('standard')
-      end
-
-      it 'sets flow_session[:skip_upload_step] to true' do
-        expect do
-          put :update, params: params
-        end.to change {
-          subject.flow_session[:skip_upload_step]
-        }.from(nil).to(true)
-      end
-
-      it 'sets idv_session.skip_hybrid_handoff? to true' do
-        expect do
-          put :update, params: params
-        end.to change {
-          subject.idv_session.skip_hybrid_handoff?
-        }.from(false).to(true)
-      end
-
-      it 'redirects to hybrid handoff' do
-        put :update, params: params
-        expect(response).to redirect_to(idv_hybrid_handoff_url)
-      end
-    end
-
     context 'skip_hybrid_handoff present in params' do
       let(:skip_hybrid_handoff) { '' }
       it 'sets flow_path to standard' do
diff --git a/spec/controllers/idv/image_uploads_controller_spec.rb b/spec/controllers/idv/image_uploads_controller_spec.rb
index 08def1c0bf0..f7904e283dc 100644
--- a/spec/controllers/idv/image_uploads_controller_spec.rb
+++ b/spec/controllers/idv/image_uploads_controller_spec.rb
@@ -205,7 +205,7 @@
       end
 
       context 'when rate limited' do
-        let(:redirect_url) { idv_session_errors_throttled_url }
+        let(:redirect_url) { idv_session_errors_rate_limited_url }
         let(:error_json) do
           {
             success: false,
diff --git a/spec/controllers/idv/phone_errors_controller_spec.rb b/spec/controllers/idv/phone_errors_controller_spec.rb
index 370bfd50e05..09d57c3d1a9 100644
--- a/spec/controllers/idv/phone_errors_controller_spec.rb
+++ b/spec/controllers/idv/phone_errors_controller_spec.rb
@@ -8,57 +8,74 @@
       end
     end
 
-    context 'the user is authenticated and has not confirmed their phone' do
+    context 'authenticated user' do
       let(:user) { create(:user) }
 
-      it 'renders the error' do
-        get action
-
-        expect(response).to render_template(template)
-      end
-
-      it 'logs an event' do
-        expect(@analytics).to receive(:track_event).with(
-          'IdV: phone error visited',
-          hash_including(
-            type: action,
-          ),
-        )
-        get action
-      end
+      context 'the user has not submtted a phone number' do
+        it 'redirects to phone step' do
+          allow(idv_session).to receive(:previous_phone_step_params).
+            and_return(nil)
 
-      context 'fetch() request from form-steps-wait JS' do
-        before do
-          request.headers['X-Form-Steps-Wait'] = '1'
-        end
-        it 'returns an empty response' do
-          get action
-          expect(response).to have_http_status(204)
-        end
-        it 'does not log an event' do
-          expect(@analytics).not_to receive(:track_event).with('IdV: phone error visited', anything)
           get action
+
+          expect(response).to redirect_to(idv_phone_url)
         end
       end
-    end
 
-    context 'the user is authenticated and has confirmed their phone' do
-      let(:user) { create(:user) }
-      let(:idv_session_user_phone_confirmation) { true }
-
-      it 'redirects to the review url' do
-        get action
+      context 'with already submitted phone number' do
+        context 'the user has not confirmed their phone' do
+          it 'renders the error' do
+            get action
+
+            expect(response).to render_template(template)
+          end
+
+          it 'logs an event' do
+            expect(@analytics).to receive(:track_event).with(
+              'IdV: phone error visited',
+              hash_including(
+                type: action,
+              ),
+            )
+            get action
+          end
+
+          context 'fetch() request from form-steps-wait JS' do
+            before do
+              request.headers['X-Form-Steps-Wait'] = '1'
+            end
+            it 'returns an empty response' do
+              get action
+              expect(response).to have_http_status(204)
+            end
+            it 'does not log an event' do
+              expect(@analytics).not_to receive(:track_event).with(
+                'IdV: phone error visited',
+                anything,
+              )
+              get action
+            end
+          end
+        end
 
-        expect(response).to redirect_to(idv_review_url)
-      end
-      it 'does not log an event' do
-        expect(@analytics).not_to receive(:track_event).with(
-          'IdV: phone error visited',
-          hash_including(
-            type: action,
-          ),
-        )
-        get action
+        context 'the user has confirmed their phone' do
+          let(:idv_session_user_phone_confirmation) { true }
+
+          it 'redirects to the review url' do
+            get action
+
+            expect(response).to redirect_to(idv_review_url)
+          end
+          it 'does not log an event' do
+            expect(@analytics).not_to receive(:track_event).with(
+              'IdV: phone error visited',
+              hash_including(
+                type: action,
+              ),
+            )
+            get action
+          end
+        end
       end
     end
 
@@ -114,26 +131,26 @@
 
     it_behaves_like 'an idv phone errors controller action'
 
-    it 'assigns phone' do
-      get action
-      expect(assigns(:phone)).to eql(phone)
-    end
+    context 'with rate limit attempts' do
+      before do
+        RateLimiter.new(rate_limit_type: :proof_address, user: user).increment!
+      end
 
-    it 'assigns country_code' do
-      get action
-      expect(assigns(:country_code)).to eql(country_code)
-    end
+      it 'assigns phone' do
+        get action
+        expect(assigns(:phone)).to eql(phone)
+      end
 
-    context 'not knowing about a phone just entered' do
-      let(:previous_phone_step_params) { nil }
-      it 'does not crash' do
+      it 'assigns country_code' do
         get action
+        expect(assigns(:country_code)).to eql(country_code)
       end
-    end
 
-    context 'with rate limit attempts' do
-      before do
-        RateLimiter.new(rate_limit_type: :proof_address, user: user).increment!
+      context 'not knowing about a phone just entered' do
+        let(:previous_phone_step_params) { nil }
+        it 'does not crash' do
+          get action
+        end
       end
 
       it 'assigns remaining count' do
diff --git a/spec/controllers/idv_controller_spec.rb b/spec/controllers/idv_controller_spec.rb
index d77a39a1125..f1ef9da9402 100644
--- a/spec/controllers/idv_controller_spec.rb
+++ b/spec/controllers/idv_controller_spec.rb
@@ -89,7 +89,7 @@
       it 'redirects to rate limited page' do
         get :index
 
-        expect(response).to redirect_to idv_session_errors_throttled_url
+        expect(response).to redirect_to idv_session_errors_rate_limited_url
       end
     end
 
diff --git a/spec/controllers/openid_connect/authorization_controller_spec.rb b/spec/controllers/openid_connect/authorization_controller_spec.rb
index 5d89f9e6669..e1149dec658 100644
--- a/spec/controllers/openid_connect/authorization_controller_spec.rb
+++ b/spec/controllers/openid_connect/authorization_controller_spec.rb
@@ -61,6 +61,7 @@
                  user_fully_authenticated: true,
                  acr_values: 'http://idmanagement.gov/ns/assurance/ial/1',
                  code_challenge_present: false,
+                 service_provider_pkce: nil,
                  scope: 'openid')
           expect(@analytics).to receive(:track_event).
             with('OpenID Connect: authorization request handoff',
@@ -130,6 +131,7 @@
                      user_fully_authenticated: true,
                      acr_values: 'http://idmanagement.gov/ns/assurance/ial/2',
                      code_challenge_present: false,
+                     service_provider_pkce: nil,
                      scope: 'openid profile')
               expect(@analytics).to receive(:track_event).
                 with('OpenID Connect: authorization request handoff',
@@ -293,6 +295,7 @@
                        user_fully_authenticated: true,
                        acr_values: 'http://idmanagement.gov/ns/assurance/ial/0',
                        code_challenge_present: false,
+                       service_provider_pkce: nil,
                        scope: 'openid profile')
                 expect(@analytics).to receive(:track_event).
                   with('OpenID Connect: authorization request handoff',
@@ -344,6 +347,7 @@
                        user_fully_authenticated: true,
                        acr_values: 'http://idmanagement.gov/ns/assurance/ial/0',
                        code_challenge_present: false,
+                       service_provider_pkce: nil,
                        scope: 'openid profile')
                 expect(@analytics).to receive(:track_event).
                   with('OpenID Connect: authorization request handoff',
@@ -396,6 +400,7 @@
                        user_fully_authenticated: true,
                        acr_values: 'http://idmanagement.gov/ns/assurance/ial/0',
                        code_challenge_present: false,
+                       service_provider_pkce: nil,
                        scope: 'openid profile')
                 expect(@analytics).to receive(:track_event).
                   with('OpenID Connect: authorization request handoff',
@@ -485,6 +490,7 @@
                  user_fully_authenticated: true,
                  acr_values: 'http://idmanagement.gov/ns/assurance/ial/1',
                  code_challenge_present: false,
+                 service_provider_pkce: nil,
                  scope: 'openid')
           expect(@analytics).to_not receive(:track_event).with('SP redirect initiated')
 
@@ -517,6 +523,7 @@
                  user_fully_authenticated: true,
                  acr_values: 'http://idmanagement.gov/ns/assurance/ial/1',
                  code_challenge_present: false,
+                 service_provider_pkce: nil,
                  scope: 'openid')
           expect(@analytics).to_not receive(:track_event).with('SP redirect initiated')
 
@@ -579,6 +586,7 @@
                user_fully_authenticated: false,
                acr_values: 'http://idmanagement.gov/ns/assurance/ial/1',
                code_challenge_present: false,
+               service_provider_pkce: nil,
                scope: 'openid')
 
         action
diff --git a/spec/controllers/openid_connect/token_controller_spec.rb b/spec/controllers/openid_connect/token_controller_spec.rb
index 8b2c7f2ca77..8fc0b36c51a 100644
--- a/spec/controllers/openid_connect/token_controller_spec.rb
+++ b/spec/controllers/openid_connect/token_controller_spec.rb
@@ -60,6 +60,7 @@
             errors: {},
             code_digest: kind_of(String),
             code_verifier_present: false,
+            service_provider_pkce: nil,
           })
         action
       end
@@ -87,6 +88,7 @@
             errors: hash_including(:grant_type),
             code_digest: kind_of(String),
             code_verifier_present: false,
+            service_provider_pkce: nil,
             error_details: hash_including(:grant_type),
           })
 
diff --git a/spec/controllers/sign_up/passwords_controller_spec.rb b/spec/controllers/sign_up/passwords_controller_spec.rb
index a33fbabb111..bb7a1a1e975 100644
--- a/spec/controllers/sign_up/passwords_controller_spec.rb
+++ b/spec/controllers/sign_up/passwords_controller_spec.rb
@@ -83,11 +83,11 @@
           {
             password:
               [t(
-                'errors.attributes.password.too_short.other',
+                'errors.attributes.password.too_short',
                 count: Devise.password_length.first,
               )],
             password_confirmation:
-              ["is too short (minimum is #{Devise.password_length.first} characters)"],
+              [I18n.t('errors.messages.too_short', count: Devise.password_length.first)],
           }
         end
         let(:error_details) do
diff --git a/spec/controllers/users/passwords_controller_spec.rb b/spec/controllers/users/passwords_controller_spec.rb
index 5ce540db7c9..f4143aaf2f3 100644
--- a/spec/controllers/users/passwords_controller_spec.rb
+++ b/spec/controllers/users/passwords_controller_spec.rb
@@ -12,7 +12,10 @@
         expect(@irs_attempts_api_tracker).to receive(:logged_in_password_change).
           with(failure_reason: nil, success: true)
 
-        params = { password: 'salty new password' }
+        params = {
+          password: 'salty new password',
+          password_confirmation: 'salty new password',
+        }
         patch :update, params: { update_user_password_form: params }
 
         expect(@analytics).to have_received(:track_event).
@@ -29,7 +32,10 @@
           { ssn: '111-222-3333' }.to_json,
         )
 
-        params = { password: 'strong password' }
+        params = {
+          password: 'strong password',
+          password_confirmation: 'strong password',
+        }
 
         expect do
           patch :update, params: { update_user_password_form: params }
@@ -56,7 +62,10 @@
         security_event = PushNotification::PasswordResetEvent.new(user: user)
         expect(PushNotification::HttpPush).to receive(:deliver).with(security_event)
 
-        params = { password: 'salty new password' }
+        params = {
+          password: 'salty new password',
+          password_confirmation: 'salty new password',
+        }
         patch :update, params: { update_user_password_form: params }
       end
 
@@ -65,7 +74,10 @@
 
         stub_sign_in(user)
 
-        params = { password: 'salty new password' }
+        params = {
+          password: 'salty new password',
+          password_confirmation: 'salty new password',
+        }
         patch :update, params: { update_user_password_form: params }
 
         expect_delivered_email_count(1)
@@ -77,42 +89,104 @@
     end
 
     context 'form returns failure' do
-      it 'renders edit' do
-        password_short_error = { password: [:too_short] }
-        stub_sign_in
+      let(:password) { 'new' }
+      let(:params) do
+        {
+          password: password,
+          password_confirmation: password,
+        }
+      end
 
-        stub_analytics
-        stub_attempts_tracker
-        allow(@analytics).to receive(:track_event)
+      it 'does not create a password_changed user Event' do
+        stub_sign_in
 
-        expect(@irs_attempts_api_tracker).to receive(:logged_in_password_change).with(
-          success: false,
-          failure_reason: password_short_error,
-        )
+        expect(controller).to_not receive(:create_user_event)
 
-        params = { password: 'new' }
         patch :update, params: { update_user_password_form: params }
+      end
 
-        expect(@analytics).to have_received(:track_event).with(
-          'Password Changed',
-          success: false,
-          errors: {
-            password: [
-              t('errors.attributes.password.too_short.other', count: Devise.password_length.first),
-            ],
-          },
-          error_details: password_short_error,
-        )
-        expect(response).to render_template(:edit)
+      context 'when password is too short' do
+        before do
+          stub_sign_in
+          stub_analytics
+          stub_attempts_tracker
+          allow(@analytics).to receive(:track_event)
+        end
+
+        it 'renders edit' do
+          password_short_error = {
+            password: [:too_short],
+            password_confirmation: [:too_short],
+          }
+
+          expect(@irs_attempts_api_tracker).to receive(:logged_in_password_change).with(
+            success: false,
+            failure_reason: password_short_error,
+          )
+
+          patch :update, params: { update_user_password_form: params }
+
+          expect(@analytics).to have_received(:track_event).with(
+            'Password Changed',
+            success: false,
+            errors: {
+              password: [
+                t(
+                  'errors.attributes.password.too_short.other',
+                  count: Devise.password_length.first,
+                ),
+              ],
+              password_confirmation: [t(
+                'errors.messages.too_short.other',
+                count: Devise.password_length.first,
+              )],
+            },
+            error_details: password_short_error,
+          )
+          expect(response).to render_template(:edit)
+        end
       end
 
-      it 'does not create a password_changed user Event' do
-        stub_sign_in
+      context 'when passwords do not match' do
+        let(:password) { 'salty pickles' }
+        let(:password_confirmation) { 'salty pickles2' }
+
+        let(:params) do
+          {
+            password: password,
+            password_confirmation: password_confirmation,
+          }
+        end
+
+        before do
+          stub_sign_in
+          stub_analytics
+          stub_attempts_tracker
+          allow(@analytics).to receive(:track_event)
+        end
+
+        it 'renders edit' do
+          expect(@irs_attempts_api_tracker).to receive(:logged_in_password_change).with(
+            success: false,
+            failure_reason: {
+              password_confirmation: [t('errors.messages.password_mismatch')],
+            },
+          )
 
-        expect(controller).to_not receive(:create_user_event)
+          patch :update, params: { update_user_password_form: params }
 
-        params = { password: 'new' }
-        patch :update, params: { update_user_password_form: params }
+          expect(@analytics).to have_received(:track_event).with(
+            'Password Changed',
+            success: false,
+            errors: {
+              password_confirmation: [t('errors.messages.password_mismatch')],
+            },
+            error_details: {
+              password_confirmation: [t('errors.messages.password_mismatch')],
+            },
+          )
+          expect(response).to render_template(:edit)
+        end
       end
     end
   end
diff --git a/spec/controllers/users/reset_passwords_controller_spec.rb b/spec/controllers/users/reset_passwords_controller_spec.rb
index a7350fba80b..09c557774cf 100644
--- a/spec/controllers/users/reset_passwords_controller_spec.rb
+++ b/spec/controllers/users/reset_passwords_controller_spec.rb
@@ -193,11 +193,13 @@
 
   describe '#update' do
     let(:password_short_error) { { password: [:too_short] } }
+
     let(:password_token_error) { { reset_password_token: [token_expired_error] } }
     context 'user submits new password after token expires' do
       let(:reset_password_error_details) do
         {
           **password_short_error,
+          password_confirmation: [:too_short],
           **password_token_error,
         }
       end
@@ -221,7 +223,11 @@
           reset_password_token: db_confirmation_token,
         )
 
-        params = { password: 'short', reset_password_token: raw_reset_token }
+        params = {
+          password: 'short',
+          password_confirmation: 'short',
+          reset_password_token: raw_reset_token,
+        }
 
         get :edit, params: { reset_password_token: raw_reset_token }
         put :update, params: { reset_password_form: params }
@@ -230,6 +236,10 @@
           success: false,
           errors: {
             password: [password_error_message],
+            password_confirmation: [t(
+              'errors.messages.too_short.other',
+              count: Devise.password_length.first,
+            )],
             **password_token_error,
           },
           error_details: reset_password_error_details,
@@ -247,6 +257,9 @@
     end
 
     context 'user submits invalid new password' do
+      let(:password) { 'short' }
+      let(:password_confirmation) { 'short' }
+
       it 'renders edit' do
         stub_analytics
         stub_attempts_tracker
@@ -259,13 +272,24 @@
           reset_password_token: db_confirmation_token,
           reset_password_sent_at: Time.zone.now,
         )
-        form_params = { password: 'short', reset_password_token: raw_reset_token }
+        form_params = {
+          password: password,
+          password_confirmation: password_confirmation,
+          reset_password_token: raw_reset_token,
+        }
         analytics_hash = {
           success: false,
           errors: {
             password: [password_error_message],
+            password_confirmation: [t(
+              'errors.messages.too_short.other',
+              count: Devise.password_length.first,
+            )],
+          },
+          error_details: {
+            password: [:too_short],
+            password_confirmation: [:too_short],
           },
-          error_details: password_short_error,
           user_id: user.uuid,
           profile_deactivated: false,
           pending_profile_invalidated: false,
@@ -276,7 +300,61 @@
           with('Password Reset: Password Submitted', analytics_hash)
         expect(@irs_attempts_api_tracker).to receive(:forgot_password_new_password_submitted).with(
           success: false,
-          failure_reason: password_short_error,
+          failure_reason: {
+            password: [:too_short],
+            password_confirmation: [:too_short],
+          },
+        )
+
+        put :update, params: { reset_password_form: form_params }
+
+        expect(assigns(:forbidden_passwords)).to all(be_a(String))
+        expect(response).to render_template(:edit)
+      end
+    end
+
+    context 'user submits password confirmation that does not match' do
+      let(:password) { 'salty pickles' }
+      let(:password_confirmation) { 'salty pickles2' }
+
+      it 'renders edit' do
+        stub_analytics
+        stub_attempts_tracker
+
+        raw_reset_token, db_confirmation_token =
+          Devise.token_generator.generate(User, :reset_password_token)
+        user = create(
+          :user,
+          :fully_registered,
+          reset_password_token: db_confirmation_token,
+          reset_password_sent_at: Time.zone.now,
+        )
+        form_params = {
+          password: password,
+          password_confirmation: password_confirmation,
+          reset_password_token: raw_reset_token,
+        }
+        analytics_hash = {
+          success: false,
+          errors: {
+            password_confirmation: [t('errors.messages.password_mismatch')],
+          },
+          error_details: {
+            password_confirmation: [t('errors.messages.password_mismatch')],
+          },
+          user_id: user.uuid,
+          profile_deactivated: false,
+          pending_profile_invalidated: false,
+          pending_profile_pending_reasons: '',
+        }
+
+        expect(@analytics).to receive(:track_event).
+          with('Password Reset: Password Submitted', analytics_hash)
+        expect(@irs_attempts_api_tracker).to receive(:forgot_password_new_password_submitted).with(
+          success: false,
+          failure_reason: {
+            password_confirmation: [t('errors.messages.password_mismatch')],
+          },
         )
 
         put :update, params: { reset_password_form: form_params }
@@ -287,6 +365,8 @@
     end
 
     context 'user submits the reset password form twice' do
+      let(:password) { 'a really long passw0rd' }
+
       it 'shows an invalid token error' do
         raw_reset_token, db_confirmation_token =
           Devise.token_generator.generate(User, :reset_password_token)
@@ -296,7 +376,11 @@
           reset_password_token: db_confirmation_token,
           reset_password_sent_at: Time.zone.now,
         )
-        form_params = { password: 'a really long passw0rd', reset_password_token: raw_reset_token }
+        form_params = {
+          password: password,
+          password_confirmation: password,
+          reset_password_token: raw_reset_token,
+        }
 
         put :update, params: { reset_password_form: form_params }
         put :update, params: { reset_password_form: form_params }
@@ -307,6 +391,8 @@
     end
 
     context 'IAL1 user submits valid new password' do
+      let(:password) { 'a really long passw0rd' }
+
       it 'redirects to sign in page' do
         stub_analytics
         stub_attempts_tracker
@@ -334,8 +420,11 @@
             :forgot_password_new_password_submitted,
           ).with(success_properties)
 
-          password = 'a really long passw0rd'
-          params = { password: password, reset_password_token: raw_reset_token }
+          params = {
+            password: password,
+            password_confirmation: password,
+            reset_password_token: raw_reset_token,
+          }
 
           get :edit, params: { reset_password_token: raw_reset_token }
           put :update, params: { reset_password_form: params }
@@ -361,6 +450,8 @@
     end
 
     context 'ial2 user submits valid new password' do
+      let(:password) { 'a really long passw0rd' }
+
       it 'deactivates the active profile and redirects' do
         stub_analytics
         stub_attempts_tracker
@@ -385,8 +476,11 @@
         )
 
         get :edit, params: { reset_password_token: raw_reset_token }
-        password = 'a really long passw0rd'
-        params = { password: password, reset_password_token: raw_reset_token }
+        params = {
+          password: password,
+          password_confirmation: password,
+          reset_password_token: raw_reset_token,
+        }
 
         put :update, params: { reset_password_form: params }
 
@@ -407,6 +501,8 @@
     end
 
     context 'unconfirmed user submits valid new password' do
+      let(:password) { 'a really long passw0rd' }
+
       it 'confirms the user' do
         stub_analytics
         stub_attempts_tracker
@@ -431,8 +527,11 @@
           success_properties,
         )
 
-        password = 'a really long passw0rd'
-        params = { password: password, reset_password_token: raw_reset_token }
+        params = {
+          password: password,
+          password_confirmation: password,
+          reset_password_token: raw_reset_token,
+        }
 
         get :edit, params: { reset_password_token: raw_reset_token }
         put :update, params: { reset_password_form: params }
diff --git a/spec/features/account_email_language_spec.rb b/spec/features/account_email_language_spec.rb
index d9ba00ea2b6..a43cba59786 100644
--- a/spec/features/account_email_language_spec.rb
+++ b/spec/features/account_email_language_spec.rb
@@ -41,8 +41,11 @@
         within(page.find('.profile-info-box', text: 'Password')) do
           click_link('Edit')
         end
+
         fill_in t('forms.passwords.edit.labels.password'),
                 with: Features::SessionHelper::VALID_PASSWORD
+        fill_in t('components.password_confirmation.confirm_label'),
+                with: Features::SessionHelper::VALID_PASSWORD
         click_button 'Update'
 
         mail = ActionMailer::Base.deliveries.last
diff --git a/spec/features/event_disavowal_spec.rb b/spec/features/event_disavowal_spec.rb
index c288683f6b6..e837a4c5c13 100644
--- a/spec/features/event_disavowal_spec.rb
+++ b/spec/features/event_disavowal_spec.rb
@@ -11,7 +11,11 @@
   scenario 'disavowing a password update' do
     sign_in_and_2fa_user(user)
     visit manage_password_path
-    fill_in 'New password', with: 'OldVal!dPassw0rd'
+    password = 'OldVal!dPassw0rd'
+    fill_in t('forms.passwords.edit.labels.password'), with: password
+    fill_in t('components.password_confirmation.confirm_label'),
+            with: password
+
     click_on t('forms.buttons.submit.update')
     Capybara.reset_sessions!
 
@@ -108,14 +112,14 @@
 
     expect(page).to have_content(t('headings.passwords.change'))
 
-    fill_in 'New password', with: 'invalid'
+    fill_in t('forms.passwords.edit.labels.password'), with: 'invalid'
     click_button t('forms.passwords.edit.buttons.submit')
 
     expect(page).to have_content t(
       'errors.attributes.password.too_short.other', count: Devise.password_length.first
     )
 
-    fill_in 'New password', with: 'NewVal!dPassw0rd'
+    fill_in t('forms.passwords.edit.labels.password'), with: 'NewVal!dPassw0rd'
     click_button t('forms.passwords.edit.buttons.submit')
 
     expect(page).to have_content(t('devise.passwords.updated_not_active'))
@@ -140,7 +144,9 @@ def perform_disavowable_password_reset
     click_continue
     open_last_email
     click_email_link_matching(/reset_password_token/)
-    fill_in 'New password', with: 'OldVal!dPassw0rd'
+    password = 'OldVal!dPassw0rd'
+    fill_in t('forms.passwords.edit.labels.password'), with: password
+    fill_in t('components.password_confirmation.confirm_label'), with: password
     click_button t('forms.passwords.edit.buttons.submit')
   end
 
@@ -152,7 +158,7 @@ def disavow_last_action_and_reset_password
 
     expect(page).to have_content(t('headings.passwords.change'))
 
-    fill_in 'New password', with: 'NewVal!dPassw0rd'
+    fill_in t('forms.passwords.edit.labels.password'), with: 'NewVal!dPassw0rd'
     click_button t('forms.passwords.edit.buttons.submit')
 
     expect(page).to have_content(t('devise.passwords.updated_not_active'))
diff --git a/spec/features/idv/doc_auth/document_capture_spec.rb b/spec/features/idv/doc_auth/document_capture_spec.rb
index 49a12d796c5..6b00559857a 100644
--- a/spec/features/idv/doc_auth/document_capture_spec.rb
+++ b/spec/features/idv/doc_auth/document_capture_spec.rb
@@ -69,7 +69,7 @@
           )
           message = strip_tags(t('errors.doc_auth.rate_limited_text_html', timeout: timeout))
           expect(page).to have_content(message)
-          expect(page).to have_current_path(idv_session_errors_throttled_path)
+          expect(page).to have_current_path(idv_session_errors_rate_limited_path)
         end
       end
 
diff --git a/spec/features/idv/hybrid_mobile/hybrid_mobile_spec.rb b/spec/features/idv/hybrid_mobile/hybrid_mobile_spec.rb
index 72d008befb8..4c98274d58a 100644
--- a/spec/features/idv/hybrid_mobile/hybrid_mobile_spec.rb
+++ b/spec/features/idv/hybrid_mobile/hybrid_mobile_spec.rb
@@ -160,7 +160,7 @@
       end
 
       perform_in_browser(:desktop) do
-        expect(page).to have_current_path(idv_session_errors_throttled_path, wait: 10)
+        expect(page).to have_current_path(idv_session_errors_rate_limited_path, wait: 10)
       end
     end
   end
diff --git a/spec/features/idv/pending_profile_password_reset_spec.rb b/spec/features/idv/pending_profile_password_reset_spec.rb
index 7911ca94e3a..dd2421c7cda 100644
--- a/spec/features/idv/pending_profile_password_reset_spec.rb
+++ b/spec/features/idv/pending_profile_password_reset_spec.rb
@@ -12,6 +12,8 @@
 
     new_password = '$alty pickles'
     fill_in t('forms.passwords.edit.labels.password'), with: new_password
+    fill_in t('components.password_confirmation.confirm_label'),
+            with: new_password
     click_button t('forms.passwords.edit.buttons.submit')
 
     user.password = new_password
@@ -32,6 +34,10 @@
 
     new_password = '$alty pickles'
     fill_in t('forms.passwords.edit.labels.password'), with: new_password
+    fill_in t('components.password_confirmation.confirm_label'),
+            with: new_password
+    fill_in t('components.password_confirmation.confirm_label'),
+            with: new_password
     click_button t('forms.passwords.edit.buttons.submit')
 
     user.password = new_password
@@ -52,6 +58,8 @@
 
     new_password = '$alty pickles'
     fill_in t('forms.passwords.edit.labels.password'), with: new_password
+    fill_in t('components.password_confirmation.confirm_label'),
+            with: new_password
     click_button t('forms.passwords.edit.buttons.submit')
 
     user.password = new_password
diff --git a/spec/features/idv/phone_errors_spec.rb b/spec/features/idv/phone_errors_spec.rb
new file mode 100644
index 00000000000..fa19f851ab6
--- /dev/null
+++ b/spec/features/idv/phone_errors_spec.rb
@@ -0,0 +1,60 @@
+require 'rails_helper'
+RSpec.feature 'phone errors', :js do
+  include IdvStepHelper
+  include IdvHelper
+
+  before do
+    sign_in_and_2fa_user
+    start_idv_from_sp
+  end
+
+  context 'user visits phone errors before submitting phone number' do
+    it 'only renders warning after phone has been submitted' do
+      verify_phone_submitted(idv_phone_errors_warning_url, idv_phone_errors_warning_path)
+    end
+
+    it 'only renders failure after phone has been submitted' do
+      verify_phone_submitted(idv_phone_errors_failure_url, idv_phone_errors_failure_path)
+    end
+
+    it 'only renders jobfail after phone has been submitted' do
+      verify_phone_submitted(idv_phone_errors_jobfail_url, idv_phone_errors_jobfail_path)
+    end
+  end
+
+  def verify_phone_submitted(phone_errors_url, phone_errors_path)
+    visit(phone_errors_url)
+    expect(current_path).to eq(idv_welcome_path)
+
+    complete_welcome_step
+    visit(phone_errors_url)
+    expect(current_path).to eq(idv_agreement_path)
+
+    complete_agreement_step
+    visit(phone_errors_url)
+    expect(current_path).to eq(idv_hybrid_handoff_path)
+
+    complete_hybrid_handoff_step # upload photos
+    visit(phone_errors_url)
+    expect(current_path).to eq(idv_document_capture_path)
+
+    complete_document_capture_step
+    visit(phone_errors_url)
+    expect(current_path).to eq(idv_ssn_path)
+
+    complete_ssn_step
+    visit(phone_errors_url)
+    expect(current_path).to eq(idv_verify_info_path)
+
+    complete_verify_step
+    visit(phone_errors_url)
+    expect(current_path).to eq(idv_phone_path)
+
+    fill_out_phone_form_fail
+    click_idv_send_security_code
+    expect(current_path).to eq(idv_phone_errors_warning_path)
+
+    visit(phone_errors_url)
+    expect(current_path).to eq(phone_errors_path)
+  end
+end
diff --git a/spec/features/idv/steps/phone_step_spec.rb b/spec/features/idv/steps/phone_step_spec.rb
index 924ebd6b120..fa619a15c8c 100644
--- a/spec/features/idv/steps/phone_step_spec.rb
+++ b/spec/features/idv/steps/phone_step_spec.rb
@@ -163,6 +163,11 @@
                 ),
               ),
             )
+            expect(page).to have_content(
+              strip_tags(
+                t('idv.messages.phone.failed_number.try_again_html'),
+              ),
+            )
 
             click_idv_send_security_code
             click_on t('idv.failure.phone.warning.try_again_button')
@@ -274,6 +279,11 @@
       click_idv_continue_for_step(:phone)
     end
 
+    it 'takes them to the IdV cancel screen if they hit cancel', js: true do
+      click_on 'Cancel'
+      expect(current_path).to eq(idv_cancel_path)
+    end
+
     it 'still lets them access the GPO flow and return to the error' do
       click_on t('idv.failure.phone.rate_limited.gpo.button')
       expect(page).to have_content(t('idv.titles.mail.verify'))
@@ -285,7 +295,8 @@
       let(:gpo_enabled) { false }
 
       it 'does not link out to GPO flow' do
-        expect(page).not_to have_content(t('idv.failure.phone.rate_limited.gpo.prompt'))
+        prompt_text = t('idv.failure.phone.rate_limited.option_verify_by_mail_html')
+        expect(page).not_to have_content(prompt_text)
         expect(page).not_to have_content(t('idv.failure.phone.rate_limited.gpo.button'))
       end
     end
diff --git a/spec/features/remember_device/webauthn_spec.rb b/spec/features/remember_device/webauthn_spec.rb
index 3d4b7f78fc1..dbe6a964564 100644
--- a/spec/features/remember_device/webauthn_spec.rb
+++ b/spec/features/remember_device/webauthn_spec.rb
@@ -97,17 +97,48 @@ def remember_device_and_sign_out_user
     end
 
     context 'sign up' do
+      before do
+        allow(IdentityConfig.store).to receive(:platform_auth_set_up_enabled).and_return(true)
+        allow(IdentityConfig.store).
+          to receive(:show_unsupported_passkey_platform_authentication_setup).
+          and_return(true)
+      end
+
+      def click_2fa_option(option)
+        find("label[for='two_factor_options_form_selection_#{option}']").click
+      end
+
       def remember_device_and_sign_out_user
         mock_webauthn_setup_challenge
         user = sign_up_and_set_password
         user.password = Features::SessionHelper::VALID_PASSWORD
 
         # webauthn option is hidden in browsers that don't support it
-        select_2fa_option('webauthn', visible: :all)
+        select_2fa_option('webauthn_platform', visible: :all)
         fill_in_nickname_and_click_continue
         check t('forms.messages.remember_device')
         mock_press_button_on_hardware_key_on_setup
-        skip_second_mfa_prompt
+
+        expect(page).to_not have_button(t('mfa.skip'))
+
+        click_link t('mfa.add')
+
+        expect(page).to have_current_path(second_mfa_setup_path)
+
+        click_2fa_option('phone')
+
+        click_continue
+
+        expect(page).
+          to have_content t('titles.phone_setup')
+
+        expect(current_path).to eq phone_setup_path
+
+        fill_in 'new_phone_form_phone', with: '703-555-1212'
+        click_send_one_time_code
+
+        fill_in_code_with_last_phone_otp
+        click_submit_default
 
         first(:link, t('links.sign_out')).click
         user
diff --git a/spec/features/two_factor_authentication/multiple_mfa_sign_up_spec.rb b/spec/features/two_factor_authentication/multiple_mfa_sign_up_spec.rb
index c2905b8c7d7..bb67f6d5a03 100644
--- a/spec/features/two_factor_authentication/multiple_mfa_sign_up_spec.rb
+++ b/spec/features/two_factor_authentication/multiple_mfa_sign_up_spec.rb
@@ -1,6 +1,8 @@
 require 'rails_helper'
 
 RSpec.feature 'Multi Two Factor Authentication' do
+  include WebAuthnHelper
+
   describe 'When the user has not set up 2FA' do
     scenario 'user can set up 2 MFA methods properly' do
       sign_in_before_2fa
@@ -180,6 +182,41 @@
 
       expect(page).to have_current_path(account_path)
     end
+
+    scenario 'user cannot select Platform Auth as only MFA and must select second mfa setup' do
+      allow(IdentityConfig.store).to receive(:platform_auth_set_up_enabled).and_return(true)
+      allow(IdentityConfig.store).
+        to receive(:show_unsupported_passkey_platform_authentication_setup).
+        and_return(true)
+      mock_webauthn_setup_challenge
+      user = sign_up_and_set_password
+      user.password = Features::SessionHelper::VALID_PASSWORD
+      expect(current_path).to eq authentication_methods_setup_path
+      # webauthn option is hidden in browsers that don't support it
+      select_2fa_option('webauthn_platform', visible: :all)
+
+      click_continue
+
+      expect(page).to have_current_path webauthn_setup_path(platform: true)
+
+      fill_in_nickname_and_click_continue
+      mock_press_button_on_hardware_key_on_setup
+
+      expect(page).to have_current_path(
+        auth_method_confirmation_path,
+      )
+
+      expect(page).to_not have_button(t('mfa.skip'))
+
+      click_link t('mfa.add')
+
+      expect(page).to have_current_path(second_mfa_setup_path)
+
+      click_continue
+
+      expect(page).to have_current_path(second_mfa_setup_path)
+      expect(page).to have_content(t('errors.two_factor_auth_setup.must_select_additional_option'))
+    end
   end
 
   context 'when backup codes are the only selected option' do
diff --git a/spec/features/two_factor_authentication/sign_in_spec.rb b/spec/features/two_factor_authentication/sign_in_spec.rb
index 20d9ba7ab64..0e8338fff64 100644
--- a/spec/features/two_factor_authentication/sign_in_spec.rb
+++ b/spec/features/two_factor_authentication/sign_in_spec.rb
@@ -413,15 +413,6 @@ def attempt_to_bypass_2fa
     end
   end
 
-  describe 'when the user is not piv/cac enabled' do
-    it 'has no link to piv/cac during login' do
-      user = create(:user, :fully_registered)
-      sign_in_before_2fa(user)
-
-      expect(page).not_to have_link(t('two_factor_authentication.piv_cac_fallback.question'))
-    end
-  end
-
   describe 'when the user is TOTP enabled and phone enabled' do
     it 'allows SMS and Voice fallbacks' do
       user = create(:user, :with_authentication_app, :with_phone)
diff --git a/spec/features/users/sign_in_spec.rb b/spec/features/users/sign_in_spec.rb
index 6cc534dbbb7..615be823875 100644
--- a/spec/features/users/sign_in_spec.rb
+++ b/spec/features/users/sign_in_spec.rb
@@ -761,11 +761,6 @@
 
       expect(page).to have_current_path login_two_factor_authenticator_path
     end
-
-    it 'does not display OTP Fallback text and links' do
-      expect(page).
-        to_not have_content t('two_factor_authentication.phone_fallback.question')
-    end
   end
 
   context 'visiting via SP1, then via SP2, then signing in' do
diff --git a/spec/features/users/sign_up_spec.rb b/spec/features/users/sign_up_spec.rb
index 41eb12c4753..c47b196bfbb 100644
--- a/spec/features/users/sign_up_spec.rb
+++ b/spec/features/users/sign_up_spec.rb
@@ -404,14 +404,8 @@ def clipboard_text
     visit_idp_from_oidc_sp_with_hspd12_and_require_piv_cac
     sign_up_and_set_password
 
-    expect(page).to_not have_selector('#two_factor_options_form_selection_phone', count: 1)
-    expect(page).to_not have_selector('#two_factor_options_form_selection_webauthn', count: 1)
-    expect(page).to_not have_selector('#two_factor_options_form_selection_auth_app', count: 1)
-    expect(page).to_not have_selector('#two_factor_options_form_selection_backup_code', count: 1)
-    expect(page).to have_selector('#two_factor_options_form_selection_piv_cac', count: 1)
-
-    select_2fa_option('piv_cac')
-    expect(page).to_not have_content(t('two_factor_authentication.piv_cac_fallback.question'))
+    expect(page).to have_field('two_factor_options_form[selection][]', count: 1)
+    expect(page).to have_field(t('two_factor_authentication.two_factor_choice_options.piv_cac'))
   end
 
   it 'allows a user to sign up with backup codes and add methods after without reauthentication' do
diff --git a/spec/features/users/user_edit_spec.rb b/spec/features/users/user_edit_spec.rb
index 7871d98e970..f59179ed579 100644
--- a/spec/features/users/user_edit_spec.rb
+++ b/spec/features/users/user_edit_spec.rb
@@ -10,7 +10,9 @@
     end
 
     scenario 'user sees error message if form is submitted with invalid password' do
-      fill_in 'New password', with: 'foo'
+      password = 'foo'
+      fill_in t('forms.passwords.edit.labels.password'), with: password
+      fill_in t('components.password_confirmation.confirm_label'), with: password
       click_button 'Update'
 
       expect(page).to have_css '.usa-alert', text: 'Please review the problems below:'
diff --git a/spec/features/users/user_profile_spec.rb b/spec/features/users/user_profile_spec.rb
index 46b05b8ff56..3c134230883 100644
--- a/spec/features/users/user_profile_spec.rb
+++ b/spec/features/users/user_profile_spec.rb
@@ -119,6 +119,9 @@
       expect(page).not_to have_content(t('instructions.password.strength.intro'))
 
       fill_in t('forms.passwords.edit.labels.password'), with: 'this is a great sentence'
+      fill_in t('components.password_confirmation.confirm_label'),
+              with: 'this is a great sentence'
+
       expect(page).to have_content(t('instructions.password.strength.intro'))
       expect(page).to have_content t('instructions.password.strength.v')
 
@@ -139,6 +142,8 @@
 
         visit manage_password_path
         fill_in t('forms.passwords.edit.labels.password'), with: 'this is a great sentence'
+        fill_in t('components.password_confirmation.confirm_label'),
+                with: 'this is a great sentence'
         click_button 'Update'
 
         expect(current_path).to eq account_path
diff --git a/spec/features/visitors/password_recovery_spec.rb b/spec/features/visitors/password_recovery_spec.rb
index 14b66cc2c3e..5bb404bfc59 100644
--- a/spec/features/visitors/password_recovery_spec.rb
+++ b/spec/features/visitors/password_recovery_spec.rb
@@ -48,7 +48,10 @@
 
       expect(current_path).to eq edit_user_password_path
 
-      fill_in t('forms.passwords.edit.labels.password'), with: 'NewVal!dPassw0rd'
+      password = 'NewVal!dPassw0rd'
+      fill_in t('forms.passwords.edit.labels.password'), with: password
+      fill_in t('components.password_confirmation.confirm_label'),
+              with: password
       click_button t('forms.passwords.edit.buttons.submit')
 
       expect(current_path).to eq new_user_session_path
@@ -83,7 +86,9 @@
     end
 
     it 'keeps user signed out after they successfully reset their password' do
-      fill_in 'New password', with: 'NewVal!dPassw0rd'
+      password = 'NewVal!dPassw0rd'
+      fill_in t('forms.passwords.edit.labels.password'), with: password
+      fill_in t('components.password_confirmation.confirm_label'), with: password
       click_button t('forms.passwords.edit.buttons.submit')
 
       expect(current_path).to eq new_user_session_path
@@ -121,7 +126,10 @@
     end
 
     it 'redirects user to profile after signing back in' do
-      fill_in t('forms.passwords.edit.labels.password'), with: 'a real secure password'
+      password = 'a real secure password'
+      fill_in t('forms.passwords.edit.labels.password'), with: password
+      fill_in t('components.password_confirmation.confirm_label'),
+              with: password
       click_button t('forms.passwords.edit.buttons.submit')
       fill_in_credentials_and_submit(@user.email, 'a real secure password')
       click_button t('forms.buttons.submit.default')
@@ -160,7 +168,10 @@
 
     context 'when password form values are valid' do
       it 'changes the password, sends an email about the change, and does not sign the user in' do
-        fill_in t('forms.passwords.edit.labels.password'), with: 'NewVal!dPassw0rd'
+        password = 'NewVal!dPassw0rd'
+        fill_in t('forms.passwords.edit.labels.password'), with: password
+        fill_in t('components.password_confirmation.confirm_label'),
+                with: password
 
         click_button t('forms.passwords.edit.buttons.submit')
 
@@ -176,7 +187,10 @@
       end
 
       it 'allows the user to continue to the service provider' do
-        fill_in t('forms.passwords.edit.labels.password'), with: 'NewVal!dPassw0rd'
+        password = 'NewVal!dPassw0rd'
+        fill_in t('forms.passwords.edit.labels.password'), with: password
+        fill_in t('components.password_confirmation.confirm_label'),
+                with: password
         click_button t('forms.passwords.edit.buttons.submit')
 
         expect(page).to have_content(t('devise.passwords.updated_not_active'))
@@ -195,7 +209,10 @@
 
     context 'when password form values are invalid' do
       it 'does not allow the user to submit until password score is good', js: true do
-        fill_in t('forms.passwords.edit.labels.password'), with: 'invalid'
+        password = 'invalid'
+        fill_in t('forms.passwords.edit.labels.password'), with: password
+        fill_in t('components.password_confirmation.confirm_label'),
+                with: password
         click_button t('forms.passwords.edit.buttons.submit')
 
         expect(page).to have_css('.usa-error-message', text: t('errors.messages.stronger_password'))
@@ -207,7 +224,8 @@
       end
 
       it 'displays field validation error when password field is too short' do
-        fill_in 'New password', with: '1234'
+        fill_in t('forms.passwords.edit.labels.password'), with: '1234'
+        fill_in t('components.password_confirmation.confirm_label'), with: '1234'
         click_button t('forms.passwords.edit.buttons.submit')
 
         expect(page).
@@ -217,7 +235,8 @@
       end
 
       it "does not update the user's password when password is invalid" do
-        fill_in 'New password', with: '1234'
+        fill_in t('forms.passwords.edit.labels.password'), with: '1234'
+        fill_in t('components.password_confirmation.confirm_label'), with: '1234'
         click_button t('forms.passwords.edit.buttons.submit')
 
         signin(@user.email, '1234')
@@ -225,14 +244,16 @@
       end
 
       it 'allows multiple attempts with invalid password' do
-        fill_in 'New password', with: '1234'
+        fill_in t('forms.passwords.edit.labels.password'), with: '1234'
+        fill_in t('components.password_confirmation.confirm_label'), with: '1234'
         click_button t('forms.passwords.edit.buttons.submit')
 
         expect(page).to have_content t(
           'errors.attributes.password.too_short.other', count: Devise.password_length.first
         )
 
-        fill_in 'New password', with: '5678'
+        fill_in t('forms.passwords.edit.labels.password'), with: '5678'
+        fill_in t('components.password_confirmation.confirm_label'), with: '5678'
         click_button t('forms.passwords.edit.buttons.submit')
 
         expect(page).to have_content t(
diff --git a/spec/forms/backup_code_verification_form_spec.rb b/spec/forms/backup_code_verification_form_spec.rb
new file mode 100644
index 00000000000..1fe95724b75
--- /dev/null
+++ b/spec/forms/backup_code_verification_form_spec.rb
@@ -0,0 +1,57 @@
+require 'rails_helper'
+
+RSpec.describe BackupCodeVerificationForm do
+  subject(:result) { described_class.new(user).submit(params).to_h }
+
+  let(:user) { create(:user) }
+  let(:backup_codes) { BackupCodeGenerator.new(user).create }
+  let(:backup_code_config) do
+    BackupCodeConfiguration.find_with_code(code: code, user_id: user.id)
+  end
+
+  describe '#submit' do
+    let(:params) do
+      {
+        backup_code: code,
+      }
+    end
+
+    context 'with a valid backup code' do
+      let(:code) { backup_codes.first }
+      let(:expected_response) do
+        {
+          success: true,
+          errors: {},
+          multi_factor_auth_method: 'backup_code',
+          multi_factor_auth_method_created_at: backup_code_config.created_at,
+        }
+      end
+
+      it 'returns succcess' do
+        expect(result).to eq(expected_response)
+      end
+
+      it 'marks code as used' do
+        expect { subject }.to change {
+                                backup_code_config.reload.used_at
+                              }.from(nil).to kind_of(Time)
+      end
+    end
+
+    context 'with an invalid backup code' do
+      let(:code) { 'invalid' }
+      let(:expected_response) do
+        {
+          success: false,
+          errors: {},
+          multi_factor_auth_method: 'backup_code',
+          multi_factor_auth_method_created_at: nil,
+        }
+      end
+
+      it 'returns failure' do
+        expect(result).to eq(expected_response)
+      end
+    end
+  end
+end
diff --git a/spec/forms/idv/phone_form_spec.rb b/spec/forms/idv/phone_form_spec.rb
index d168236f981..d07897c019a 100644
--- a/spec/forms/idv/phone_form_spec.rb
+++ b/spec/forms/idv/phone_form_spec.rb
@@ -69,7 +69,7 @@
         let(:optional_params) { { delivery_methods: [:sms] } }
 
         it 'uses the user phone number as the initial phone value' do
-          expect(subject.phone).to eq('+1 787 234 5678')
+          expect(subject.phone).to eq('+1 787-234-5678')
         end
         it 'infers the country code from the user phone number' do
           expect(subject.international_code).to eq('PR')
@@ -125,7 +125,7 @@
           }
         end
         it 'uses the previously submitted phone + and infers country' do
-          expect(subject.phone).to eq('+1 787 234 5678')
+          expect(subject.phone).to eq('+1 787-234-5678')
           expect(subject.international_code).to eq('PR')
         end
       end
diff --git a/spec/forms/openid_connect_authorize_form_spec.rb b/spec/forms/openid_connect_authorize_form_spec.rb
index c5799dfc528..dce7824be51 100644
--- a/spec/forms/openid_connect_authorize_form_spec.rb
+++ b/spec/forms/openid_connect_authorize_form_spec.rb
@@ -51,6 +51,7 @@
           scope: 'openid',
           code_digest: nil,
           code_challenge_present: false,
+          service_provider_pkce: nil,
         )
       end
     end
@@ -74,6 +75,7 @@
             scope: 'openid',
             code_digest: nil,
             code_challenge_present: false,
+            service_provider_pkce: nil,
           )
         end
       end
diff --git a/spec/forms/openid_connect_token_form_spec.rb b/spec/forms/openid_connect_token_form_spec.rb
index bf5af7f71f2..15880ab0576 100644
--- a/spec/forms/openid_connect_token_form_spec.rb
+++ b/spec/forms/openid_connect_token_form_spec.rb
@@ -380,6 +380,7 @@
           user_id: user.uuid,
           code_digest: Digest::SHA256.hexdigest(code),
           code_verifier_present: false,
+          service_provider_pkce: nil,
         )
       end
     end
diff --git a/spec/forms/password_form_spec.rb b/spec/forms/password_form_spec.rb
index 17c6010b6ef..0003a5f052f 100644
--- a/spec/forms/password_form_spec.rb
+++ b/spec/forms/password_form_spec.rb
@@ -4,7 +4,7 @@
   subject(:form) { described_class.new(user) }
   let(:user) { build_stubbed(:user, uuid: '123') }
   let(:password) { 'Valid Password!' }
-  let(:password_confirmation) { nil }
+  let(:password_confirmation) { password }
   let(:extra) do
     {
       user_id: user.uuid,
@@ -33,11 +33,7 @@
       end
 
       context 'with password confirmation' do
-        subject(:form) { described_class.new(user, validate_confirmation) }
-
-        let(:validate_confirmation) do
-          { validate_confirmation: true }
-        end
+        subject(:form) { described_class.new(user) }
 
         let(:password_confirmation) { password }
 
@@ -67,11 +63,7 @@
       end
 
       context 'with password confirmation' do
-        subject(:form) { described_class.new(user, validate_confirmation) }
-
-        let(:validate_confirmation) do
-          { validate_confirmation: true }
-        end
+        subject(:form) { described_class.new(user) }
 
         context 'when the passwords are invalid' do
           let(:password_confirmation) { password }
@@ -114,23 +106,42 @@
       let(:params) do
         {
           password: password,
-          request_id: request_id,
+          password_confirmation: password,
+          request_id: 'foo',
+        }
+      end
+      let(:expected_response) do
+        {
+          success: true,
+          errors: {},
+          user_id: user.uuid,
+          request_id_present: true,
         }
       end
-      let(:request_id) { 'foo' }
-      let(:request_id_present) { true }
 
       it 'tracks that it is present' do
-        expect(result.success?).to eq true
-        expect(result.extra).to eq extra
+        expect(result.to_h).to eq(expected_response)
       end
 
       context 'when the request_id is not properly encoded' do
-        let(:request_id) { "\xFFbar\xF8" }
+        let(:params) do
+          {
+            password: password,
+            password_confirmation: password,
+            request_id: "\xFFbar\xF8",
+          }
+        end
+        let(:expected_response) do
+          {
+            success: true,
+            errors: {},
+            user_id: user.uuid,
+            request_id_present: true,
+          }
+        end
 
         it 'does not throw an exception' do
-          expect(result.success?).to eq true
-          expect(result.extra).to eq extra
+          expect(result.to_h).to eq(expected_response)
         end
       end
     end
diff --git a/spec/forms/reset_password_form_spec.rb b/spec/forms/reset_password_form_spec.rb
index 45c16209764..9901b5fdaf9 100644
--- a/spec/forms/reset_password_form_spec.rb
+++ b/spec/forms/reset_password_form_spec.rb
@@ -3,6 +3,15 @@
 RSpec.describe ResetPasswordForm, type: :model do
   subject { ResetPasswordForm.new(build_stubbed(:user, uuid: '123')) }
 
+  let(:password) { 'a good and powerful password' }
+  let(:password_confirmation) { password }
+  let(:params) do
+    {
+      password: password,
+      password_confirmation: password,
+    }
+  end
+
   it_behaves_like 'password validation'
 
   describe '#submit' do
@@ -19,7 +28,12 @@
 
         extra = { user_id: '123', profile_deactivated: false }
 
-        expect(form.submit(password: password).to_h).to include(
+        expect(
+          form.submit(
+            password: password,
+            password_confirmation: password,
+          ).to_h,
+        ).to include(
           success: false,
           errors: errors,
           error_details: hash_including(*errors.keys),
@@ -40,11 +54,20 @@
         errors = {
           password:
             ["Password must be at least #{Devise.password_length.first} characters long"],
+          password_confirmation: [I18n.t(
+            'errors.messages.too_short',
+            count: Devise.password_length.first,
+          )],
         }
 
         extra = { user_id: '123', profile_deactivated: false }
 
-        expect(form.submit(password: password).to_h).to include(
+        expect(
+          form.submit(
+            password: password,
+            password_confirmation: password,
+          ).to_h,
+        ).to include(
           success: false,
           errors: errors,
           error_details: hash_including(*errors.keys),
@@ -65,7 +88,12 @@
           with(user: user, attributes: { password: password }).and_return(user_updater)
 
         expect(user_updater).to receive(:call)
-        expect(form.submit(password: password).to_h).to eq(
+        expect(
+          form.submit(
+            password: password,
+            password_confirmation: password,
+          ).to_h,
+        ).to eq(
           success: true,
           errors: {},
           user_id: '123',
@@ -89,12 +117,21 @@
           password: [
             t('errors.attributes.password.too_short.other', count: Devise.password_length.first),
           ],
+          password_confirmation: [I18n.t(
+            'errors.messages.too_short',
+            count: Devise.password_length.first,
+          )],
           reset_password_token: ['token_expired'],
         }
 
         extra = { user_id: '123', profile_deactivated: false }
 
-        expect(form.submit(password: password).to_h).to include(
+        expect(
+          form.submit(
+            password: password,
+            password_confirmation: password,
+          ).to_h,
+        ).to include(
           success: false,
           errors: errors,
           error_details: hash_including(*errors.keys),
@@ -109,12 +146,25 @@
 
         form = ResetPasswordForm.new(user)
         errors = {
+          password: [
+            t('errors.attributes.password.too_short.other', count: Devise.password_length.first),
+          ],
+          password_confirmation: [I18n.t(
+            'errors.messages.too_short',
+            count: Devise.password_length.first,
+          )],
           reset_password_token: ['invalid_token'],
         }
 
         extra = { user_id: nil, profile_deactivated: false }
+        password = 'short'
 
-        expect(form.submit(password: 'a good and powerful password').to_h).to include(
+        expect(
+          form.submit(
+            password: password,
+            password_confirmation: password,
+          ).to_h,
+        ).to include(
           success: false,
           errors: errors,
           error_details: hash_including(*errors.keys),
@@ -131,7 +181,7 @@
 
         form = ResetPasswordForm.new(user)
 
-        result = form.submit(password: 'a good and powerful password')
+        result = form.submit(params)
 
         expect(result.success?).to eq(true)
         expect(result.extra[:profile_deactivated]).to eq(true)
@@ -146,7 +196,7 @@
 
         form = ResetPasswordForm.new(user)
 
-        result = form.submit(password: 'a good and powerful password')
+        result = form.submit(params)
 
         expect(result.success?).to eq(true)
         expect(result.extra[:profile_deactivated]).to eq(false)
@@ -160,8 +210,7 @@
         user.update(reset_password_sent_at: Time.zone.now)
 
         form = ResetPasswordForm.new(user)
-
-        result = form.submit(password: 'a good and powerful password')
+        result = form.submit(params)
 
         expect(result.success?).to eq(true)
         expect(result.extra[:pending_profile_invalidated]).to eq(true)
@@ -178,7 +227,7 @@
 
         form = ResetPasswordForm.new(user)
 
-        result = form.submit(password: 'a good and powerful password')
+        result = form.submit(params)
 
         expect(result.success?).to eq(true)
         expect(result.extra[:pending_profile_invalidated]).to eq(false)
@@ -198,7 +247,7 @@
 
         form = ResetPasswordForm.new(user)
 
-        result = form.submit(password: 'a good and powerful password')
+        result = form.submit(params)
 
         expect(result.success?).to eq(false)
         expect(result.errors).to eq({ reset_password_token: ['token_expired'] })
diff --git a/spec/forms/two_factor_options_form_spec.rb b/spec/forms/two_factor_options_form_spec.rb
index a03e1685621..5fb12016609 100644
--- a/spec/forms/two_factor_options_form_spec.rb
+++ b/spec/forms/two_factor_options_form_spec.rb
@@ -48,6 +48,13 @@
       expect(result.success?).to eq true
     end
 
+    it 'is unsuccessful if user has 1 method and its platform auth and no option' do
+      create(:webauthn_configuration, :platform_authenticator, user: user)
+
+      result = subject.submit(selection: [])
+      expect(result.success?).to eq false
+    end
+
     it 'includes analytics hash with a methods count of zero' do
       result = subject.submit(selection: 'piv_cac')
 
diff --git a/spec/forms/update_user_password_form_spec.rb b/spec/forms/update_user_password_form_spec.rb
index 3ff5ca155b4..4371044d942 100644
--- a/spec/forms/update_user_password_form_spec.rb
+++ b/spec/forms/update_user_password_form_spec.rb
@@ -4,7 +4,12 @@
   let(:user) { build(:user, password: 'old strong password') }
   let(:user_session) { {} }
   let(:password) { 'salty new password' }
-  let(:params) { { password: password } }
+  let(:params) do
+    {
+      password: password,
+      password_confirmation: password,
+    }
+  end
   let(:subject) do
     UpdateUserPasswordForm.new(user, user_session)
   end
@@ -22,6 +27,10 @@
             'errors.attributes.password.too_short.other',
             count: Devise.password_length.first,
           )],
+          password_confirmation: [I18n.t(
+            'errors.messages.too_short',
+            count: Devise.password_length.first,
+          )],
         }
 
         expect(UpdateUser).not_to receive(:new)
@@ -29,7 +38,7 @@
         expect(subject.submit(params).to_h).to include(
           success: false,
           errors: errors,
-          error_details: hash_including(*errors.keys),
+          error_details: hash_including(:password, :password_confirmation),
         )
       end
     end
diff --git a/spec/lib/linters/errors_add_linter_spec.rb b/spec/lib/linters/errors_add_linter_spec.rb
index 3aa87f6d71a..083f52d7f1b 100644
--- a/spec/lib/linters/errors_add_linter_spec.rb
+++ b/spec/lib/linters/errors_add_linter_spec.rb
@@ -14,7 +14,7 @@
       class MyModel
         def my_method
           errors.add(:number, "is negative")
-          ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ Please set a unique key for this error
+          ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ IdentityIdp/ErrorsAddLinter: Please set a unique key for this error
         end
       end
     RUBY
@@ -25,7 +25,7 @@ def my_method
       class MyModel
         def my_method
           errors.add(:number, "is negative", foo: :bar)
-          ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ Please set a unique key for this error
+          ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ IdentityIdp/ErrorsAddLinter: Please set a unique key for this error
         end
       end
     RUBY
diff --git a/spec/lib/linters/image_size_linter_spec.rb b/spec/lib/linters/image_size_linter_spec.rb
index 91cf933af4a..9e183b4091a 100644
--- a/spec/lib/linters/image_size_linter_spec.rb
+++ b/spec/lib/linters/image_size_linter_spec.rb
@@ -12,14 +12,14 @@
   it 'registers offense when calling image_tag without any size attributes' do
     expect_offense(<<~RUBY)
       image_tag 'example.svg'
-      ^^^^^^^^^^^^^^^^^^^^^^^ Assign width and height to images
+      ^^^^^^^^^^^^^^^^^^^^^^^ IdentityIdp/ImageSizeLinter: Assign width and height to images
     RUBY
   end
 
   it 'registers offense when calling image_tag with only one of width or height' do
     expect_offense(<<~RUBY)
       image_tag 'example.svg', width: 10
-      ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ Assign width and height to images
+      ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ IdentityIdp/ImageSizeLinter: Assign width and height to images
     RUBY
   end
 
diff --git a/spec/lib/linters/localized_validation_message_linter_spec.rb b/spec/lib/linters/localized_validation_message_linter_spec.rb
index be2fe6a0219..5014e1f2e49 100644
--- a/spec/lib/linters/localized_validation_message_linter_spec.rb
+++ b/spec/lib/linters/localized_validation_message_linter_spec.rb
@@ -13,7 +13,7 @@
     it 'registers an offense when using static translated string as validation message' do
       expect_offense(<<~RUBY)
         validates :a, presence: { message: I18n.t('error') }
-        ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ Use proc when translating validation message
+        ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ IdentityIdp/LocalizedValidationMessageLinter: Use proc when translating validation message
       RUBY
     end
 
@@ -28,7 +28,7 @@
     it 'registers an offense when using static translated string as validation message' do
       expect_offense(<<~RUBY)
         validates_presence_of :a, message: I18n.t('error')
-        ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ Use proc when translating validation message
+        ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ IdentityIdp/LocalizedValidationMessageLinter: Use proc when translating validation message
       RUBY
     end
 
diff --git a/spec/lib/linters/mail_later_linter_spec.rb b/spec/lib/linters/mail_later_linter_spec.rb
index 7c5f43600b6..dfe245e7755 100644
--- a/spec/lib/linters/mail_later_linter_spec.rb
+++ b/spec/lib/linters/mail_later_linter_spec.rb
@@ -13,21 +13,21 @@
   it 'registers offense when calling deliver_now method' do
     expect_offense(<<~RUBY)
       UserMailer.send_email(user).deliver_now
-      ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ Please send mail using deliver_now_or_later instead
+      ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ IdentityIdp/MailLaterLinter: Please send mail using deliver_now_or_later instead
     RUBY
   end
 
   it 'registers offense when calling deliver_later method' do
     expect_offense(<<~RUBY)
       UserMailer.send_email(user).deliver_later
-      ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ Please send mail using deliver_now_or_later instead
+      ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ IdentityIdp/MailLaterLinter: Please send mail using deliver_now_or_later instead
     RUBY
   end
 
   it 'registers offense when calling .with(...).deliver_now method' do
     expect_offense(<<~RUBY)
       UserMailer.with(user).send_email(params).deliver_now
-      ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ Please send mail using deliver_now_or_later instead
+      ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ IdentityIdp/MailLaterLinter: Please send mail using deliver_now_or_later instead
     RUBY
   end
 
diff --git a/spec/lib/linters/redirect_back_linter_spec.rb b/spec/lib/linters/redirect_back_linter_spec.rb
index dd35e484a19..fe9bc1a90ab 100644
--- a/spec/lib/linters/redirect_back_linter_spec.rb
+++ b/spec/lib/linters/redirect_back_linter_spec.rb
@@ -12,21 +12,21 @@
   it 'registers offenses when calling redirect_back with no arguments' do
     expect_offense(<<~RUBY)
       redirect_back
-      ^^^^^^^^^^^^^ Please set a fallback_location and the allow_other_host parameter to false
+      ^^^^^^^^^^^^^ IdentityIdp/RedirectBackLinter: Please set a fallback_location and the allow_other_host parameter to false
     RUBY
   end
 
   it 'registers offenses when calling redirect_back with only fallback location' do
     expect_offense(<<~RUBY)
       redirect_back fallback_location: '/'
-      ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ Please set a fallback_location and the allow_other_host parameter to false
+      ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ IdentityIdp/RedirectBackLinter: Please set a fallback_location and the allow_other_host parameter to false
     RUBY
   end
 
   it 'registers offenses when calling redirect_back with only allow_other_host set to false' do
     expect_offense(<<~RUBY)
       redirect_back allow_other_host: false
-      ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ Please set a fallback_location and the allow_other_host parameter to false
+      ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ IdentityIdp/RedirectBackLinter: Please set a fallback_location and the allow_other_host parameter to false
     RUBY
   end
 
diff --git a/spec/lib/linters/url_options_linter_spec.rb b/spec/lib/linters/url_options_linter_spec.rb
index 006f0cb911b..c9ba76b3ccc 100644
--- a/spec/lib/linters/url_options_linter_spec.rb
+++ b/spec/lib/linters/url_options_linter_spec.rb
@@ -13,7 +13,7 @@
     expect_offense(<<~RUBY)
       class MyViewModelClass
         include Rails.application.routes.url_helpers
-        ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ Please define url_options when including Rails.application.routes.url_helpers
+        ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ IdentityIdp/UrlOptionsLinter: Please define url_options when including Rails.application.routes.url_helpers
 
         def my_method
           account_path
diff --git a/spec/lib/telephony/pinpoint/sms_sender_spec.rb b/spec/lib/telephony/pinpoint/sms_sender_spec.rb
index 5353255f28d..5b3d9ce7eae 100644
--- a/spec/lib/telephony/pinpoint/sms_sender_spec.rb
+++ b/spec/lib/telephony/pinpoint/sms_sender_spec.rb
@@ -33,7 +33,6 @@ def ==(other)
 
     around do |ex|
       ex.run
-
     ensure
       Telephony::Pinpoint::SmsSender::CLIENT_POOL.clear
     end
@@ -180,7 +179,6 @@ def ==(other)
 
     around do |ex|
       ex.run
-
     ensure
       Telephony::Pinpoint::SmsSender::CLIENT_POOL.clear
     end
diff --git a/spec/policies/service_provider_mfa_policy_spec.rb b/spec/policies/service_provider_mfa_policy_spec.rb
index f16cc9ab66e..8a30d8a1ee7 100644
--- a/spec/policies/service_provider_mfa_policy_spec.rb
+++ b/spec/policies/service_provider_mfa_policy_spec.rb
@@ -197,61 +197,6 @@
     end
   end
 
-  describe '#allow_user_to_switch_method?' do
-    context 'phishing-resistant required' do
-      let(:aal_level_requested) { 3 }
-
-      context 'the user has more than one phishing-resistant method' do
-        before do
-          setup_user_webauthn_token
-          setup_user_piv
-        end
-
-        it { expect(policy.allow_user_to_switch_method?).to eq(true) }
-      end
-
-      context 'the user does not have more than one aal3 method' do
-        before do
-          setup_user_webauthn_token
-        end
-
-        it { expect(policy.allow_user_to_switch_method?).to eq(false) }
-      end
-    end
-
-    context 'piv/cac required' do
-      let(:aal_level_requested) { 3 }
-      let(:piv_cac_requested) { true }
-
-      context 'the user has a PIV' do
-        before { setup_user_piv }
-
-        it { expect(policy.allow_user_to_switch_method?).to eq(false) }
-      end
-
-      context 'the user does not have a PIV' do
-        before { setup_user_webauthn_token }
-
-        it { expect(policy.allow_user_to_switch_method?).to eq(false) }
-      end
-
-      context 'the user has a PIV and webauthn token' do
-        before do
-          setup_user_webauthn_token
-          setup_user_piv
-        end
-
-        it { expect(policy.allow_user_to_switch_method?).to eq(false) }
-      end
-    end
-
-    context 'there are no MFA reqirements' do
-      before { setup_user_phone }
-
-      it { expect(policy.allow_user_to_switch_method?).to eq(true) }
-    end
-  end
-
   def setup_user_phone
     user.phone_configurations << build(:phone_configuration)
     user.save!
diff --git a/spec/presenters/image_upload_response_presenter_spec.rb b/spec/presenters/image_upload_response_presenter_spec.rb
index 93aee571862..f01a1949c85 100644
--- a/spec/presenters/image_upload_response_presenter_spec.rb
+++ b/spec/presenters/image_upload_response_presenter_spec.rb
@@ -124,7 +124,7 @@
           success: false,
           result_failed: false,
           errors: [{ field: :limit, message: t('errors.doc_auth.rate_limited_heading') }],
-          redirect: idv_session_errors_throttled_url,
+          redirect: idv_session_errors_rate_limited_url,
           remaining_attempts: 0,
           ocr_pii: nil,
         }
@@ -244,7 +244,7 @@
             result_failed: false,
             errors: [{ field: :front, message: t('doc_auth.errors.not_a_file') }],
             hints: true,
-            redirect: idv_session_errors_throttled_url,
+            redirect: idv_session_errors_rate_limited_url,
             remaining_attempts: 0,
             ocr_pii: nil,
           }
diff --git a/spec/presenters/two_factor_auth_code/authenticator_delivery_presenter_spec.rb b/spec/presenters/two_factor_auth_code/authenticator_delivery_presenter_spec.rb
index 8a6420590e2..fae72c6853d 100644
--- a/spec/presenters/two_factor_auth_code/authenticator_delivery_presenter_spec.rb
+++ b/spec/presenters/two_factor_auth_code/authenticator_delivery_presenter_spec.rb
@@ -13,13 +13,6 @@
     end
   end
 
-  describe '#fallback_question' do
-    it 'supplies a fallback_question' do
-      expect(presenter.fallback_question).to \
-        eq(t('two_factor_authentication.totp_fallback.question'))
-    end
-  end
-
   it 'handles multiple locales' do
     I18n.available_locales.each do |locale|
       I18n.locale = locale
diff --git a/spec/presenters/two_factor_auth_code/backup_code_presenter_spec.rb b/spec/presenters/two_factor_auth_code/backup_code_presenter_spec.rb
index 4206a4eb27f..0d27ec33362 100644
--- a/spec/presenters/two_factor_auth_code/backup_code_presenter_spec.rb
+++ b/spec/presenters/two_factor_auth_code/backup_code_presenter_spec.rb
@@ -9,13 +9,6 @@
     TwoFactorAuthCode::BackupCodePresenter.new(data: arguments, view: view, service_provider: nil)
   end
 
-  describe '#fallback_question' do
-    it 'returns the fallback question' do
-      expect(presenter.fallback_question).to eq \
-        t('two_factor_authentication.backup_code_fallback.question')
-    end
-  end
-
   describe '#cancel_link' do
     it 'returns the link for cancellation' do
       expect(presenter.cancel_link).to eq \
diff --git a/spec/presenters/two_factor_auth_code/generic_delivery_presenter_spec.rb b/spec/presenters/two_factor_auth_code/generic_delivery_presenter_spec.rb
index 23aecc25140..62ec8588ee5 100644
--- a/spec/presenters/two_factor_auth_code/generic_delivery_presenter_spec.rb
+++ b/spec/presenters/two_factor_auth_code/generic_delivery_presenter_spec.rb
@@ -3,14 +3,33 @@
 RSpec.describe TwoFactorAuthCode::GenericDeliveryPresenter do
   include Rails.application.routes.url_helpers
 
-  it 'is an abstract presenter with methods that should be implemented' do
-    presenter = presenter_with
+  let(:presenter) { presenter_with }
 
-    %w[header fallback_links].each do |m|
+  it 'is an abstract presenter with methods that should be implemented' do
+    %w[header].each do |m|
       expect { presenter.send(m.to_sym) }.to raise_error(NotImplementedError)
     end
   end
 
+  describe '#troubleshooting_options' do
+    it 'includes default troubleshooting options' do
+      expect(presenter.troubleshooting_options.size).to eq(2)
+      expect(presenter.troubleshooting_options[0]).to satisfy do |c|
+        c.url == login_two_factor_options_path &&
+          c.content == t('two_factor_authentication.login_options_link_text')
+      end
+      expect(presenter.troubleshooting_options[1]).to satisfy do |c|
+        c.content == t('two_factor_authentication.learn_more') &&
+          c.new_tab? &&
+          c.url == help_center_redirect_path(
+            category: 'get-started',
+            article: 'authentication-options',
+            flow: :two_factor_authentication,
+          )
+      end
+    end
+  end
+
   def presenter_with(arguments = {}, view = ActionController::Base.new.view_context)
     TwoFactorAuthCode::GenericDeliveryPresenter.new(
       data: arguments,
diff --git a/spec/presenters/two_factor_auth_code/personal_key_presenter_spec.rb b/spec/presenters/two_factor_auth_code/personal_key_presenter_spec.rb
deleted file mode 100644
index 9dcad3d0870..00000000000
--- a/spec/presenters/two_factor_auth_code/personal_key_presenter_spec.rb
+++ /dev/null
@@ -1,16 +0,0 @@
-require 'rails_helper'
-
-RSpec.describe TwoFactorAuthCode::PersonalKeyPresenter do
-  include Rails.application.routes.url_helpers
-
-  let(:presenter) do
-    TwoFactorAuthCode::PersonalKeyPresenter.new
-  end
-
-  describe '#fallback_question' do
-    it 'returns the fallback question' do
-      expect(presenter.fallback_question).to eq \
-        t('two_factor_authentication.personal_key_fallback.question')
-    end
-  end
-end
diff --git a/spec/presenters/two_factor_auth_code/phone_delivery_presenter_spec.rb b/spec/presenters/two_factor_auth_code/phone_delivery_presenter_spec.rb
index b0a7b983c28..76c76dc30c2 100644
--- a/spec/presenters/two_factor_auth_code/phone_delivery_presenter_spec.rb
+++ b/spec/presenters/two_factor_auth_code/phone_delivery_presenter_spec.rb
@@ -58,14 +58,28 @@
   end
 
   describe '#troubleshooting_options' do
+    it { expect(presenter.troubleshooting_options.size).to eq(3) }
+
+    it 'includes a link to troubleshoot a missing one-time code' do
+      expect(presenter.troubleshooting_options).to include(
+        an_object_satisfying do |c|
+          c.content == t(
+            'two_factor_authentication.phone_verification.troubleshooting.code_not_received',
+          )
+        end,
+      )
+    end
+
     context 'when phone is unconfirmed' do
       let(:unconfirmed_phone) { true }
       it 'should show an option to change phone number' do
         expect(presenter.troubleshooting_options).to include(
-          {
-            url: add_phone_path,
-            text: t('two_factor_authentication.phone_verification.troubleshooting.change_number'),
-          },
+          an_object_satisfying do |c|
+            c.url == add_phone_path &&
+              c.content == t(
+                'two_factor_authentication.phone_verification.troubleshooting.change_number',
+              )
+          end,
         )
       end
     end
@@ -73,10 +87,10 @@
     context 'when phone is confirmed' do
       it 'shpould show an option to show to mfa options list' do
         expect(presenter.troubleshooting_options).to include(
-          {
-            url: login_two_factor_options_path,
-            text: t('two_factor_authentication.login_options_link_text'),
-          },
+          an_object_satisfying do |c|
+            c.url == login_two_factor_options_path &&
+              c.content == t('two_factor_authentication.login_options_link_text')
+          end,
         )
       end
     end
diff --git a/spec/presenters/two_factor_auth_code/piv_cac_authentication_presenter_spec.rb b/spec/presenters/two_factor_auth_code/piv_cac_authentication_presenter_spec.rb
index 936f16b3b51..2f73a7e8da2 100644
--- a/spec/presenters/two_factor_auth_code/piv_cac_authentication_presenter_spec.rb
+++ b/spec/presenters/two_factor_auth_code/piv_cac_authentication_presenter_spec.rb
@@ -8,7 +8,6 @@
   let(:reauthn) {}
   let(:presenter) { presenter_with(reauthn: reauthn) }
 
-  let(:allow_user_to_switch_method) { false }
   let(:phishing_resistant_required) { true }
   let(:piv_cac_required) { false }
   let(:service_provider_mfa_policy) do
@@ -16,7 +15,6 @@
       ServiceProviderMfaPolicy,
       phishing_resistant_required?: phishing_resistant_required,
       piv_cac_required?: piv_cac_required,
-      allow_user_to_switch_method?: allow_user_to_switch_method,
     )
   end
 
@@ -32,104 +30,6 @@
     it { expect(presenter.header).to eq expected_header }
   end
 
-  describe '#piv_cac_help' do
-    let(:phishing_resistant_required) { false }
-    let(:piv_cac_required) { false }
-
-    it 'returns help text' do
-      expect(presenter.piv_cac_help).to eq(t('instructions.mfa.piv_cac.confirm_piv_cac'))
-    end
-
-    context 'with PIV/CAC only requested' do
-      let(:phishing_resistant_required) { true }
-      let(:piv_cac_required) { true }
-
-      context 'with a user who only has a PIV' do
-        let(:allow_user_to_switch_method) { false }
-
-        it 'returns the PIV only help text' do
-          expect(presenter.piv_cac_help).to eq(
-            t('instructions.mfa.piv_cac.confirm_piv_cac_only'),
-          )
-        end
-      end
-
-      context 'with a user who has a PIV and security key' do
-        let(:allow_user_to_switch_method) { false }
-
-        it 'returns the PIV only help text' do
-          expect(presenter.piv_cac_help).to eq(
-            t('instructions.mfa.piv_cac.confirm_piv_cac_only'),
-          )
-        end
-      end
-    end
-
-    context 'with phishing-resistant requested' do
-      let(:phishing_resistant_required) { true }
-      let(:piv_cac_required) { false }
-
-      context 'with a user who only has a PIV' do
-        let(:allow_user_to_switch_method) { false }
-
-        it 'returns the PIV only help text' do
-          expect(presenter.piv_cac_help).to eq(
-            t('instructions.mfa.piv_cac.confirm_piv_cac_only'),
-          )
-        end
-      end
-
-      context 'with a user who has a PIV and security key' do
-        let(:allow_user_to_switch_method) { true }
-
-        it 'returns the PIV or phishing-resistant help text' do
-          expect(presenter.piv_cac_help).to eq(
-            t('instructions.mfa.piv_cac.confirm_piv_cac_or_aal3'),
-          )
-        end
-      end
-    end
-  end
-
-  describe '#link_text' do
-    let(:phishing_resistant_required) { true }
-
-    context 'with multiple phishing-resistant methods' do
-      let(:allow_user_to_switch_method) { true }
-
-      it 'supplies link text' do
-        expect(presenter.link_text).to eq(t('two_factor_authentication.piv_cac_webauthn_available'))
-      end
-    end
-    context 'with only one phishing-resistant method do' do
-      let(:allow_user_to_switch_method) { false }
-
-      it ' supplies no link text' do
-        expect(presenter.link_text).to eq('')
-      end
-    end
-  end
-
-  describe '#fallback_question' do
-    context 'when the user can switch to a different method' do
-      let(:allow_user_to_switch_method) { true }
-
-      it 'returns a question about switching methods' do
-        expect(presenter.fallback_question).to eq(
-          t('two_factor_authentication.piv_cac_fallback.question'),
-        )
-      end
-    end
-
-    context 'when the user cannot switch to a different method' do
-      let(:allow_user_to_switch_method) { false }
-
-      it 'returns an empty string' do
-        expect(presenter.fallback_question).to eq('')
-      end
-    end
-  end
-
   describe '#piv_cac_capture_text' do
     let(:expected_text) { t('forms.piv_cac_mfa.submit') }
 
diff --git a/spec/presenters/two_factor_auth_code/webauthn_authentication_presenter_spec.rb b/spec/presenters/two_factor_auth_code/webauthn_authentication_presenter_spec.rb
index 3a4ab64a054..c5bc98967cf 100644
--- a/spec/presenters/two_factor_auth_code/webauthn_authentication_presenter_spec.rb
+++ b/spec/presenters/two_factor_auth_code/webauthn_authentication_presenter_spec.rb
@@ -15,7 +15,6 @@
     )
   end
 
-  let(:allow_user_to_switch_method) { false }
   let(:phishing_resistant_required) { false }
   let(:platform_authenticator) { false }
   let(:multiple_factors_enabled) { false }
@@ -23,7 +22,6 @@
     instance_double(
       ServiceProviderMfaPolicy,
       phishing_resistant_required?: phishing_resistant_required,
-      allow_user_to_switch_method?: allow_user_to_switch_method,
       multiple_factors_enabled?: multiple_factors_enabled,
     )
   end
@@ -33,38 +31,10 @@
   end
 
   describe '#webauthn_help' do
-    context 'with phishing-resistant required' do
-      let(:phishing_resistant_required) { true }
+    let(:phishing_resistant_required) { false }
 
-      context 'the user only has a security key enabled' do
-        let(:allow_user_to_switch_method) { false }
-
-        it 'returns the help text for just the security key' do
-          expect(presenter.webauthn_help).to eq(
-            t('instructions.mfa.webauthn.confirm_webauthn_only'),
-          )
-        end
-      end
-
-      context 'the user has a security key and PIV enabled' do
-        let(:allow_user_to_switch_method) { true }
-
-        it 'returns the help text for the security key or PIV' do
-          expect(presenter.webauthn_help).to eq(
-            t('instructions.mfa.webauthn.confirm_webauthn_or_aal3'),
-          )
-        end
-      end
-    end
-
-    context 'with phishing-resistant not required' do
-      let(:phishing_resistant_required) { false }
-
-      it 'displays the help text' do
-        expect(presenter.webauthn_help).to eq(
-          t('instructions.mfa.webauthn.confirm_webauthn'),
-        )
-      end
+    it 'returns the help text for security key' do
+      expect(presenter.webauthn_help).to eq(t('instructions.mfa.webauthn.confirm_webauthn'))
     end
 
     context 'with a platform authenticator' do
@@ -137,20 +107,25 @@
     end
   end
 
-  describe '#link_text' do
-    let(:phishing_resistant_required) { true }
+  describe '#troubleshooting_options' do
+    let(:phishing_resistant_required) { false }
 
-    context 'with multiple phishing-resistant methods' do
-      let(:allow_user_to_switch_method) { true }
-
-      it 'supplies link text' do
-        expect(presenter.link_text).to eq(t('two_factor_authentication.webauthn_piv_available'))
+    it 'includes option to choose another authentication method' do
+      expect(presenter.troubleshooting_options.size).to eq(2)
+      expect(presenter.troubleshooting_options.first).to satisfy do |c|
+        c.url == login_two_factor_options_path &&
+          c.content == t('two_factor_authentication.login_options_link_text')
       end
     end
 
-    context 'with only one phishing-resistant method do' do
-      it 'supplies no link text' do
-        expect(presenter.link_text).to eq('')
+    context 'with platform authenticator' do
+      let(:platform_authenticator) { true }
+
+      it 'includes option to learn more about face or touch unlock' do
+        expect(presenter.troubleshooting_options.size).to eq(3)
+        expect(presenter.troubleshooting_options[1]).to satisfy do |c|
+          c.content == t('instructions.mfa.webauthn_platform.learn_more_help')
+        end
       end
     end
   end
diff --git a/spec/presenters/two_factor_login_options_presenter_spec.rb b/spec/presenters/two_factor_login_options_presenter_spec.rb
index 576a363ece6..926e6204f88 100644
--- a/spec/presenters/two_factor_login_options_presenter_spec.rb
+++ b/spec/presenters/two_factor_login_options_presenter_spec.rb
@@ -8,15 +8,16 @@
   let(:phishing_resistant_required) { false }
   let(:piv_cac_required) { false }
   let(:reauthentication_context) { false }
+  let(:service_provider) { nil }
 
   subject(:presenter) do
     TwoFactorLoginOptionsPresenter.new(
       user: user,
       view: view,
       reauthentication_context: reauthentication_context,
-      service_provider: nil,
-      phishing_resistant_required: false,
-      piv_cac_required: false,
+      service_provider: service_provider,
+      phishing_resistant_required: phishing_resistant_required,
+      piv_cac_required: piv_cac_required,
     )
   end
 
@@ -75,6 +76,81 @@
     end
   end
 
+  describe '#restricted_options_warning_text' do
+    subject(:restricted_options_warning_text) { presenter.restricted_options_warning_text }
+
+    it { should be_nil }
+
+    context 'phishing resistant required' do
+      let(:phishing_resistant_required) { true }
+
+      it 'returns phishing resistant required warning text for app' do
+        expect(restricted_options_warning_text).to eq(
+          t('two_factor_authentication.aal2_request.phishing_resistant_html', sp_name: APP_NAME),
+        )
+      end
+
+      context 'piv cac required' do
+        let(:piv_cac_required) { true }
+
+        it 'returns piv cac required warning text for app' do
+          expect(restricted_options_warning_text).to eq(
+            t('two_factor_authentication.aal2_request.piv_cac_only_html', sp_name: APP_NAME),
+          )
+        end
+
+        context 'with sp' do
+          let(:service_provider) { build(:service_provider) }
+
+          it 'returns piv cac required warning text for service provider' do
+            expect(restricted_options_warning_text).to eq(
+              t(
+                'two_factor_authentication.aal2_request.piv_cac_only_html',
+                sp_name: service_provider.friendly_name,
+              ),
+            )
+          end
+        end
+      end
+
+      context 'with sp' do
+        let(:service_provider) { build(:service_provider) }
+
+        it 'returns phishing resistant required warning text for service provider' do
+          expect(restricted_options_warning_text).to eq(
+            t(
+              'two_factor_authentication.aal2_request.phishing_resistant_html',
+              sp_name: service_provider.friendly_name,
+            ),
+          )
+        end
+      end
+    end
+
+    context 'piv cac required' do
+      let(:piv_cac_required) { true }
+
+      it 'returns piv cac required warning text for app' do
+        expect(restricted_options_warning_text).to eq(
+          t('two_factor_authentication.aal2_request.piv_cac_only_html', sp_name: APP_NAME),
+        )
+      end
+
+      context 'with sp' do
+        let(:service_provider) { build(:service_provider) }
+
+        it 'returns piv cac required warning text for service provider' do
+          expect(restricted_options_warning_text).to eq(
+            t(
+              'two_factor_authentication.aal2_request.piv_cac_only_html',
+              sp_name: service_provider.friendly_name,
+            ),
+          )
+        end
+      end
+    end
+  end
+
   describe '#cancel_link' do
     subject(:cancel_link) { presenter.cancel_link }
 
diff --git a/spec/presenters/webauthn_setup_presenter_spec.rb b/spec/presenters/webauthn_setup_presenter_spec.rb
index ceee1a43aa9..8902c9c2c19 100644
--- a/spec/presenters/webauthn_setup_presenter_spec.rb
+++ b/spec/presenters/webauthn_setup_presenter_spec.rb
@@ -37,7 +37,7 @@
   describe '#heading' do
     subject { presenter.heading }
 
-    it { is_expected.to  eq(t('headings.webauthn_setup.new')) }
+    it { is_expected.to eq(t('headings.webauthn_setup.new')) }
   end
 
   describe '#intro_html' do
@@ -68,13 +68,7 @@
   describe '#button_text' do
     subject { presenter.button_text }
 
-    it { is_expected.to  eq(t('forms.webauthn_setup.continue')) }
-  end
-
-  describe '#setup_heading' do
-    subject { presenter.setup_heading }
-
-    it { is_expected.to  eq(t('forms.webauthn_setup.instructions_title')) }
+    it { is_expected.to eq(t('forms.webauthn_setup.continue')) }
   end
 
   context 'with platform_authenticator' do
@@ -95,7 +89,7 @@
     describe '#heading' do
       subject { presenter.heading }
 
-      it { is_expected.to  eq(t('headings.webauthn_platform_setup.new')) }
+      it { is_expected.to eq(t('headings.webauthn_platform_setup.new')) }
     end
 
     describe '#nickname_label' do
@@ -113,13 +107,7 @@
     describe '#button_text' do
       subject { presenter.button_text }
 
-      it { is_expected.to  eq(t('forms.webauthn_platform_setup.continue')) }
-    end
-
-    describe '#setup_heading' do
-      subject { presenter.setup_heading }
-
-      it { is_expected.to  eq(t('forms.webauthn_platform_setup.instructions_title')) }
+      it { is_expected.to eq(t('forms.webauthn_platform_setup.continue')) }
     end
   end
 end
diff --git a/spec/services/id_token_builder_spec.rb b/spec/services/id_token_builder_spec.rb
index 6fcb810d10d..0e487fa8d60 100644
--- a/spec/services/id_token_builder_spec.rb
+++ b/spec/services/id_token_builder_spec.rb
@@ -85,7 +85,7 @@
         end
 
         context 'verified user' do
-          let(:user) {  create(:user, profiles: [create(:profile, :verified, :active)]) }
+          let(:user) { create(:user, profiles: [create(:profile, :verified, :active)]) }
 
           it 'sets the acr to the ial2 constant' do
             expect(decoded_payload[:acr]).to eq(Saml::Idp::Constants::IAL2_AUTHN_CONTEXT_CLASSREF)
diff --git a/spec/services/phone_formatter_spec.rb b/spec/services/phone_formatter_spec.rb
index bfbb67ed78f..7f607f8f9ab 100644
--- a/spec/services/phone_formatter_spec.rb
+++ b/spec/services/phone_formatter_spec.rb
@@ -27,7 +27,7 @@
       phone = '+13065550100'
       formatted_phone = PhoneFormatter.format(phone)
 
-      expect(formatted_phone).to eq('+1 306 555 0100')
+      expect(formatted_phone).to eq('+1 306-555-0100')
     end
 
     it 'uses +1 as the default international code' do
diff --git a/spec/support/features/personal_key_helper.rb b/spec/support/features/personal_key_helper.rb
index 8135f275641..282179cb2fe 100644
--- a/spec/support/features/personal_key_helper.rb
+++ b/spec/support/features/personal_key_helper.rb
@@ -7,6 +7,8 @@ def reset_password_and_sign_back_in(user, password = 'a really long password')
 
   def reset_password(_user, password = 'a really long password')
     fill_in t('forms.passwords.edit.labels.password'), with: password
+    fill_in t('components.password_confirmation.confirm_label'),
+            with: password
     click_button t('forms.passwords.edit.buttons.submit')
   end
 
diff --git a/spec/support/shared_examples/password_strength.rb b/spec/support/shared_examples/password_strength.rb
index c90fbb9d0d1..288b261d5d0 100644
--- a/spec/support/shared_examples/password_strength.rb
+++ b/spec/support/shared_examples/password_strength.rb
@@ -11,7 +11,10 @@
         ' Uncommon words are better'],
     }
 
-    result = form.submit(password: password)
+    result = form.submit(
+      password: password,
+      password_confirmation: password,
+    )
 
     expect(result.success?).to eq(false)
     expect(result.errors).to eq(errors)
@@ -29,7 +32,10 @@
         ' Uncommon words are better'],
     }
 
-    result = form.submit(password: password)
+    result = form.submit(
+      password: password,
+      password_confirmation: password,
+    )
 
     expect(result.success?).to eq(false)
     expect(result.errors).to eq(errors)
@@ -49,7 +55,10 @@
         ' Uncommon words are better'],
     }
 
-    result = form.submit(password: password)
+    result = form.submit(
+      password: password,
+      password_confirmation: password,
+    )
 
     expect(result.success?).to eq(false)
     expect(result.errors).to eq(errors)
@@ -66,7 +75,10 @@
         ' Add another word or two.' \
         ' Uncommon words are better'],
     }
-    result = form.submit(password: password)
+    result = form.submit(
+      password: password,
+      password_confirmation: password,
+    )
 
     expect(result.success?).to eq(false)
     expect(result.errors).to eq(errors)
@@ -81,7 +93,10 @@
     errors = {
       password: [t('errors.attributes.password.too_short', count: 12)],
     }
-    result = form.submit(password: password)
+    result = form.submit(
+      password: password,
+      password_confirmation: password,
+    )
 
     expect(result.success?).to eq(false)
     expect(result.errors).to eq(errors)
diff --git a/spec/support/shared_examples/sign_in.rb b/spec/support/shared_examples/sign_in.rb
index 9b60775c511..e202fab4faf 100644
--- a/spec/support/shared_examples/sign_in.rb
+++ b/spec/support/shared_examples/sign_in.rb
@@ -109,6 +109,8 @@
     visit_idp_from_sp_with_ial1(sp)
     trigger_reset_password_and_click_email_link(user.confirmed_email_addresses.first.email)
     fill_in t('forms.passwords.edit.labels.password'), with: new_password
+    fill_in t('components.password_confirmation.confirm_label'),
+            with: new_password
     click_button t('forms.passwords.edit.buttons.submit')
     fill_in_credentials_and_submit(user.confirmed_email_addresses.first.email, new_password)
     choose_another_security_option('personal_key')
diff --git a/spec/views/idv/phone_errors/failure.html.erb_spec.rb b/spec/views/idv/phone_errors/failure.html.erb_spec.rb
index 4fc735ba668..c1beaa6a718 100644
--- a/spec/views/idv/phone_errors/failure.html.erb_spec.rb
+++ b/spec/views/idv/phone_errors/failure.html.erb_spec.rb
@@ -21,16 +21,29 @@
   end
 
   it 'renders a list of troubleshooting options' do
-    expect(rendered).to have_link(
-      t('idv.troubleshooting.options.get_help_at_sp', sp_name: sp_name),
-      href: return_to_sp_failure_to_proof_path(step: 'phone', location: 'failure'),
-    )
     expect(rendered).to have_link(
       t('idv.troubleshooting.options.contact_support', app_name: APP_NAME),
       href: MarketingSite.contact_url,
     )
   end
 
+  it 'tells them they can try again later' do
+    raw_expected_text = t(
+      'idv.failure.phone.rate_limited.option_try_again_later_html',
+      time_left: distance_of_time_in_words(Time.zone.now, @expires_at, except: :seconds),
+    )
+    expected_text = ActionView::Base.full_sanitizer.sanitize(raw_expected_text)
+
+    expect(rendered).to have_text(expected_text)
+  end
+
+  it 'renders a cancel link' do
+    expect(rendered).to have_link(
+      t('links.cancel'),
+      href: idv_cancel_path,
+    )
+  end
+
   it 'includes a message instructing when they can try again' do
     expect(rendered).to have_text(
       strip_tags(
@@ -43,7 +56,9 @@
   end
 
   it 'describes GPO as an alternative' do
-    expect(rendered).to have_text(t('idv.failure.phone.rate_limited.gpo.prompt'))
+    raw_expected_text = t('idv.failure.phone.rate_limited.option_verify_by_mail_html')
+    expected_text = ActionView::Base.full_sanitizer.sanitize(raw_expected_text)
+    expect(rendered).to have_text(expected_text)
   end
 
   it 'includes a link to GPO flow' do
@@ -57,7 +72,10 @@
     let(:gpo_letter_available) { false }
 
     it 'does not describe GPO as an alternative' do
-      expect(rendered).not_to have_text(t('idv.failure.phone.rate_limited.gpo.prompt'))
+      raw_gpo_alternative = t('idv.failure.phone.rate_limited.option_verify_by_mail_html')
+      gpo_alternative = ActionView::Base.full_sanitizer.sanitize(raw_gpo_alternative)
+
+      expect(rendered).not_to have_text(gpo_alternative)
     end
 
     it 'does not include a link to GPO flow' do
diff --git a/spec/views/two_factor_authentication/options/index.html.erb_spec.rb b/spec/views/two_factor_authentication/options/index.html.erb_spec.rb
index e418a0a30a1..929a427f88d 100644
--- a/spec/views/two_factor_authentication/options/index.html.erb_spec.rb
+++ b/spec/views/two_factor_authentication/options/index.html.erb_spec.rb
@@ -2,6 +2,9 @@
 
 RSpec.describe 'two_factor_authentication/options/index.html.erb' do
   let(:user) { User.new }
+  let(:phishing_resistant_required) { false }
+  let(:piv_cac_required) { false }
+
   before do
     allow(view).to receive(:user_session).and_return({})
     allow(view).to receive(:current_user).and_return(User.new)
@@ -11,8 +14,8 @@
       view: view,
       reauthentication_context: false,
       service_provider: nil,
-      phishing_resistant_required: false,
-      piv_cac_required: false,
+      phishing_resistant_required: phishing_resistant_required,
+      piv_cac_required: piv_cac_required,
     )
     @two_factor_options_form = TwoFactorLoginOptionsForm.new(user)
   end
@@ -64,4 +67,34 @@
       )
     end
   end
+
+  context 'with phishing resistant required' do
+    let(:phishing_resistant_required) { true }
+
+    before { render }
+
+    it 'displays warning text' do
+      expect(rendered).to have_selector(
+        '.usa-alert.usa-alert--warning',
+        text: strip_tags(
+          t('two_factor_authentication.aal2_request.phishing_resistant_html', sp_name: APP_NAME),
+        ),
+      )
+    end
+  end
+
+  context 'with piv cac required' do
+    let(:piv_cac_required) { true }
+
+    before { render }
+
+    it 'displays warning text' do
+      expect(rendered).to have_selector(
+        '.usa-alert.usa-alert--warning',
+        text: strip_tags(
+          t('two_factor_authentication.aal2_request.piv_cac_only_html', sp_name: APP_NAME),
+        ),
+      )
+    end
+  end
 end
diff --git a/spec/views/two_factor_authentication/webauthn_verification/show.html.erb_spec.rb b/spec/views/two_factor_authentication/webauthn_verification/show.html.erb_spec.rb
index 6379cc04f80..56ffa23f8d9 100644
--- a/spec/views/two_factor_authentication/webauthn_verification/show.html.erb_spec.rb
+++ b/spec/views/two_factor_authentication/webauthn_verification/show.html.erb_spec.rb
@@ -64,24 +64,4 @@
       )
     end
   end
-
-  context 'with phishing-resistant MFA requirement' do
-    let(:phishing_resistant_required) { true }
-
-    it 'does not include a troubleshooting link for using another MFA method' do
-      expect(rendered).to have_css('.troubleshooting-options li', count: 1)
-    end
-
-    context 'with user having PIV/CAC configured' do
-      let(:user) { build(:user, :with_piv_or_cac, :with_webauthn) }
-
-      it 'includes troubleshooting link to use PIV/CAC' do
-        expect(rendered).to have_css('.troubleshooting-options li', count: 2)
-        expect(rendered).to have_link(
-          t('two_factor_authentication.webauthn_piv_available'),
-          href: login_two_factor_piv_cac_url,
-        )
-      end
-    end
-  end
 end
diff --git a/spec/views/users/backup_code_setup/create.html.erb_spec.rb b/spec/views/users/backup_code_setup/create.html.erb_spec.rb
index 13b3c4016ea..b2adeea39a2 100644
--- a/spec/views/users/backup_code_setup/create.html.erb_spec.rb
+++ b/spec/views/users/backup_code_setup/create.html.erb_spec.rb
@@ -21,7 +21,7 @@
     download_link = doc.at_css('a[download]')
     data_uri = Idv::DataUrlImage.new(download_link[:href])
 
-    expect(rendered).to have_content((t('components.download_button.label')))
+    expect(rendered).to have_content(t('components.download_button.label'))
     expect(data_uri.content_type).to include('text/plain')
     expect(data_uri.read).to eq(@codes.join("\n"))
   end
diff --git a/yarn.lock b/yarn.lock
index 1ddefdfbda6..ae4673c323d 100644
--- a/yarn.lock
+++ b/yarn.lock
@@ -4457,10 +4457,10 @@ levn@^0.4.1:
     prelude-ls "^1.2.1"
     type-check "~0.4.0"
 
-libphonenumber-js@^1.10.11:
-  version "1.10.11"
-  resolved "https://registry.yarnpkg.com/libphonenumber-js/-/libphonenumber-js-1.10.11.tgz#0078756857bcc5c9dfe097123c6e04ea930e309b"
-  integrity sha512-ehoihx4HpRXO6FH/uJ0EnaEV4dVU+FDny+jv0S6k9JPyPsAIr0eXDAFvGRMBKE1daCtyHAaFSKCiuCxrOjVAzQ==
+libphonenumber-js@^1.10.39:
+  version "1.10.39"
+  resolved "https://registry.yarnpkg.com/libphonenumber-js/-/libphonenumber-js-1.10.39.tgz#12dd512621c9ebb13402a694ac81dc78511cd982"
+  integrity sha512-iPMM/NbSNIrdwbr94rAOos6krB7snhfzEptmk/DJUtTPs+P9gOhZ1YXVPcRgjpp3jJByclfm/Igvz45spfJK7g==
 
 lightningcss-darwin-arm64@1.16.1:
   version "1.16.1"