diff --git a/administrator/components/com_menus/src/Controller/MenusController.php b/administrator/components/com_menus/src/Controller/MenusController.php
index 935906a981a30..3bde6a0490a23 100644
--- a/administrator/components/com_menus/src/Controller/MenusController.php
+++ b/administrator/components/com_menus/src/Controller/MenusController.php
@@ -115,6 +115,8 @@ public function delete()
 	 * @return  void
 	 *
 	 * @since   1.6
+	 *
+	 * @deprecated  5.0 Will be removed without replacement as it was only used for the 1.5 to 1.6 upgrade
 	 */
 	public function resync()
 	{
diff --git a/build/media_source/plg_system_webauthn/js/login.es6.js b/build/media_source/plg_system_webauthn/js/login.es6.js
index 97047b50c7344..ee98feee2409c 100644
--- a/build/media_source/plg_system_webauthn/js/login.es6.js
+++ b/build/media_source/plg_system_webauthn/js/login.es6.js
@@ -120,10 +120,8 @@ window.Joomla = window.Joomla || {};
    * internal page which handles the login server-side.
    *
    * @param {  Object}  publicKey     Public key request options, returned from the server
-   * @param   {String}  callbackUrl  The URL we will use to post back to the server. Must include
-   *   the anti-CSRF token.
    */
-  const handleLoginChallenge = (publicKey, callbackUrl) => {
+  const handleLoginChallenge = (publicKey) => {
     const arrayToBase64String = (a) => btoa(String.fromCharCode(...a));
 
     const base64url2base64 = (input) => {
@@ -172,7 +170,8 @@ window.Joomla = window.Joomla || {};
         };
 
         // Send the response to your server
-        window.location = `${callbackUrl}&option=com_ajax&group=system&plugin=webauthn&`
+        const paths = Joomla.getOptions('system.paths');
+        window.location = `${paths ? `${paths.base}/index.php` : window.location.pathname}?${Joomla.getOptions('csrf.token')}=1&option=com_ajax&group=system&plugin=webauthn&`
           + `format=raw&akaction=login&encoding=redirect&data=${
             btoa(JSON.stringify(publicKeyCredential))}`;
       })
@@ -187,13 +186,11 @@ window.Joomla = window.Joomla || {};
    * for the user.
    *
    * @param   {string}   formId       The login form's or login module's HTML ID
-   * @param   {string}   callbackUrl  The URL we will use to post back to the server. Must include
-   *   the anti-CSRF token.
    *
    * @returns {boolean}  Always FALSE to prevent BUTTON elements from reloading the page.
    */
   // eslint-disable-next-line no-unused-vars
-  Joomla.plgSystemWebauthnLogin = (formId, callbackUrl) => {
+  Joomla.plgSystemWebauthnLogin = (formId) => {
     // Get the username
     const elFormContainer = document.getElementById(formId);
     const elUsername = lookForField(elFormContainer, 'input[name=username]');
@@ -226,9 +223,14 @@ window.Joomla = window.Joomla || {};
       username,
       returnUrl,
     };
+    postBackData[Joomla.getOptions('csrf.token')] = 1;
+
+    const paths = Joomla.getOptions('system.paths');
 
     Joomla.request({
-      url: callbackUrl,
+      url: `${paths ? `${paths.base}/index.php` : window.location.pathname}?${Joomla.getOptions(
+        'csrf.token',
+      )}=1`,
       method: 'POST',
       data: interpolateParameters(postBackData),
       onSuccess(rawResponse) {
@@ -243,7 +245,7 @@ window.Joomla = window.Joomla || {};
            */
         }
 
-        handleLoginChallenge(jsonData, callbackUrl);
+        handleLoginChallenge(jsonData);
       },
       onError: (xhr) => {
         handleLoginError(`${xhr.status} ${xhr.statusText}`);
@@ -258,7 +260,7 @@ window.Joomla = window.Joomla || {};
   if (loginButtons.length) {
     loginButtons.forEach((button) => {
       button.addEventListener('click', ({ currentTarget }) => {
-        Joomla.plgSystemWebauthnLogin(currentTarget.getAttribute('data-webauthn-form'), currentTarget.getAttribute('data-webauthn-url'));
+        Joomla.plgSystemWebauthnLogin(currentTarget.getAttribute('data-webauthn-form'));
       });
     });
   }
diff --git a/build/media_source/plg_system_webauthn/js/management.es6.js b/build/media_source/plg_system_webauthn/js/management.es6.js
index ea07097d71c29..546130ae73bac 100644
--- a/build/media_source/plg_system_webauthn/js/management.es6.js
+++ b/build/media_source/plg_system_webauthn/js/management.es6.js
@@ -84,7 +84,8 @@ window.Joomla = window.Joomla || {};
     }
 
     const publicKey = JSON.parse(atob(elStore.dataset.public_key));
-    const postURL = atob(elStore.dataset.postback_url);
+    const paths = Joomla.getOptions('system.paths');
+    const postURL = `${paths ? `${paths.base}/index.php` : window.location.pathname}`;
 
     const arrayToBase64String = (a) => btoa(String.fromCharCode(...a));
 
@@ -137,6 +138,7 @@ window.Joomla = window.Joomla || {};
           encoding: 'raw',
           data: btoa(JSON.stringify(publicKeyCredential)),
         };
+        postBackData[Joomla.getOptions('csrf.token')] = 1;
 
         Joomla.request({
           url: postURL,
@@ -183,12 +185,13 @@ window.Joomla = window.Joomla || {};
       return false;
     }
 
-    const postURL = atob(elStore.dataset.postback_url);
+    const paths = Joomla.getOptions('system.paths');
+    const postURL = `${paths ? `${paths.base}/index.php` : window.location.pathname}`;
 
     // Find the UI elements
     const elTR = that.parentElement.parentElement;
     const credentialId = elTR.dataset.credential_id;
-    const elTDs = elTR.querySelectorAll('td');
+    const elTDs = elTR.querySelectorAll('.webauthnManagementCell');
     const elLabelTD = elTDs[0];
     const elButtonsTD = elTDs[1];
     const elButtons = elButtonsTD.querySelectorAll('button');
@@ -220,6 +223,7 @@ window.Joomla = window.Joomla || {};
           credential_id: credentialId,
           new_label: elNewLabel,
         };
+        postBackData[Joomla.getOptions('csrf.token')] = 1;
 
         Joomla.request({
           url: postURL,
@@ -293,7 +297,8 @@ window.Joomla = window.Joomla || {};
       return false;
     }
 
-    const postURL = atob(elStore.dataset.postback_url);
+    const paths = Joomla.getOptions('system.paths');
+    const postURL = `${paths ? `${paths.base}/index.php` : window.location.pathname}`;
 
     // Find the UI elements
     const elTR = that.parentElement.parentElement;
@@ -317,6 +322,7 @@ window.Joomla = window.Joomla || {};
       akaction: 'delete',
       credential_id: credentialId,
     };
+    postBackData[Joomla.getOptions('csrf.token')] = 1;
 
     Joomla.request({
       url: postURL,
diff --git a/layouts/plugins/system/webauthn/manage.php b/layouts/plugins/system/webauthn/manage.php
index 63b6e99bbc944..f08ecb9f116f5 100644
--- a/layouts/plugins/system/webauthn/manage.php
+++ b/layouts/plugins/system/webauthn/manage.php
@@ -12,10 +12,9 @@
 use Joomla\CMS\Factory;
 use Joomla\CMS\Language\Text;
 use Joomla\CMS\Layout\FileLayout;
-use Joomla\CMS\Uri\Uri;
 use Joomla\CMS\User\User;
 use Joomla\CMS\User\UserHelper;
-use Joomla\Plugin\System\Webauthn\Helper\CredentialsCreation;
+use Joomla\Plugin\System\Webauthn\Authentication;
 use Joomla\Plugin\System\Webauthn\Helper\Joomla;
 
 /**
@@ -79,15 +78,14 @@
  * that problem.
  */
 $randomId    = 'plg_system_webauthn_' . UserHelper::genRandomPassword(32);
+/** @noinspection PhpInternalEntityUsedInspection */
 // phpcs:ignore
-$publicKey   = $allow_add ? base64_encode(CredentialsCreation::createPublicKey($user)) : '{}';
-$postbackURL = base64_encode(rtrim(Uri::base(), '/') . '/index.php?' . Joomla::getToken() . '=1');
+$publicKey = $allow_add ? base64_encode(json_encode(Authentication::getPubKeyCreationOptions($user))) : '{}';
 
 ?>
 <div class="plg_system_webauthn" id="plg_system_webauthn-management-interface">
 	<span id="<?php echo $randomId ?>"
 		  data-public_key="<?php echo $publicKey ?>"
-		  data-postback_url="<?php echo $postbackURL ?>"
 	></span>
 
 	<?php // phpcs:ignore
@@ -111,8 +109,8 @@
 		<?php // phpcs:ignore
 		foreach ($credentials as $method): ?>
 			<tr data-credential_id="<?php echo $method['id'] ?>">
-				<th scope="row"><?php echo htmlentities($method['label']) ?></th>
-				<td>
+				<th scope="row" class="webauthnManagementCell"><?php echo htmlentities($method['label']) ?></th>
+				<td class="webauthnManagementCell">
 					<button data-random-id="<?php echo $randomId; ?>" class="plg_system_webauthn-manage-edit btn btn-secondary">
 						<span class="icon-edit" aria-hidden="true"></span>
 						<?php echo Text::_('PLG_SYSTEM_WEBAUTHN_MANAGE_BTN_EDIT_LABEL') ?>
diff --git a/plugins/system/webauthn/services/provider.php b/plugins/system/webauthn/services/provider.php
new file mode 100644
index 0000000000000..ab9c291b151b2
--- /dev/null
+++ b/plugins/system/webauthn/services/provider.php
@@ -0,0 +1,41 @@
+<?php
+/**
+ * @package     Joomla.Plugin
+ * @subpackage  System.Webauthn
+ *
+ * @copyright   (C) 2022 Open Source Matters, Inc. <https://www.joomla.org>
+ * @license     GNU General Public License version 2 or later; see LICENSE.txt
+ */
+
+defined('_JEXEC') || die;
+
+use Joomla\CMS\Extension\PluginInterface;
+use Joomla\CMS\Plugin\PluginHelper;
+use Joomla\DI\Container;
+use Joomla\DI\ServiceProviderInterface;
+use Joomla\Event\DispatcherInterface;
+use Joomla\Plugin\System\Webauthn\Extension\Webauthn;
+
+return new class implements ServiceProviderInterface {
+	/**
+	 * Registers the service provider with a DI container.
+	 *
+	 * @param   Container  $container  The DI container.
+	 *
+	 * @return  void
+	 *
+	 * @since   __DEPLOY_VERSION__
+	 */
+	public function register(Container $container)
+	{
+		$container->set(
+			PluginInterface::class,
+			function (Container $container) {
+				$config  = (array) PluginHelper::getPlugin('system', 'webauthn');
+				$subject = $container->get(DispatcherInterface::class);
+
+				return new Webauthn($subject, $config);
+			}
+		);
+	}
+};
diff --git a/plugins/system/webauthn/src/Authentication.php b/plugins/system/webauthn/src/Authentication.php
new file mode 100644
index 0000000000000..2808b21d09c35
--- /dev/null
+++ b/plugins/system/webauthn/src/Authentication.php
@@ -0,0 +1,474 @@
+<?php
+/**
+ * @package         Joomla.Plugin
+ * @subpackage      System.Webauthn
+ *
+ * @copyright   (C) 2020 Open Source Matters, Inc. <https://www.joomla.org>
+ * @license         GNU General Public License version 2 or later; see LICENSE.txt
+ */
+
+namespace Joomla\Plugin\System\Webauthn;
+
+// Protect from unauthorized access
+\defined('_JEXEC') or die();
+
+use Exception;
+use Joomla\CMS\Application\CMSApplication;
+use Joomla\CMS\Factory;
+use Joomla\CMS\Language\Text;
+use Joomla\CMS\Log\Log;
+use Joomla\CMS\Session\Session;
+use Joomla\CMS\Uri\Uri;
+use Joomla\CMS\User\User;
+use Joomla\Session\SessionInterface;
+use Laminas\Diactoros\ServerRequestFactory;
+use RuntimeException;
+use Webauthn\AuthenticationExtensions\AuthenticationExtensionsClientInputs;
+use Webauthn\AuthenticatorSelectionCriteria;
+use Webauthn\PublicKeyCredentialCreationOptions;
+use Webauthn\PublicKeyCredentialDescriptor;
+use Webauthn\PublicKeyCredentialRequestOptions;
+use Webauthn\PublicKeyCredentialRpEntity;
+use Webauthn\PublicKeyCredentialSource;
+use Webauthn\PublicKeyCredentialUserEntity;
+use Webauthn\Server;
+
+/**
+ * Helper class to aid in credentials creation (link an authenticator to a user account)
+ *
+ * @since   __DEPLOY_VERSION__
+ * @internal
+ */
+abstract class Authentication
+{
+	/**
+	 * The credentials repository
+	 *
+	 * @var   CredentialRepository
+	 * @since __DEPLOY_VERSION__
+	 */
+	protected static $credentialsRepository;
+
+	/**
+	 * Generate the public key creation options.
+	 *
+	 * This is used for the first step of attestation (key registration).
+	 *
+	 * The PK creation options and the user ID are stored in the session.
+	 *
+	 * @param   User  $user  The Joomla user to create the public key for
+	 *
+	 * @return  PublicKeyCredentialCreationOptions
+	 *
+	 * @throws  Exception
+	 * @since   __DEPLOY_VERSION__
+	 */
+	public static function getPubKeyCreationOptions(User $user): PublicKeyCredentialCreationOptions
+	{
+		$publicKeyCredentialCreationOptions = self::getWebauthnServer()->generatePublicKeyCredentialCreationOptions(
+			self::getUserEntity($user),
+			PublicKeyCredentialCreationOptions::ATTESTATION_CONVEYANCE_PREFERENCE_NONE,
+			self::getPubKeyDescriptorsForUser($user),
+			new AuthenticatorSelectionCriteria(
+				AuthenticatorSelectionCriteria::AUTHENTICATOR_ATTACHMENT_NO_PREFERENCE,
+				false,
+				AuthenticatorSelectionCriteria::USER_VERIFICATION_REQUIREMENT_PREFERRED
+			),
+			new AuthenticationExtensionsClientInputs
+		);
+
+		// Save data in the session
+		$app = Factory::getApplication();
+		/** @var Session $session */
+		$session = $app->getSession();
+		$session->set('plg_system_webauthn.publicKeyCredentialCreationOptions', base64_encode(serialize($publicKeyCredentialCreationOptions)));
+		$session->set('plg_system_webauthn.registration_user_id', $user->id);
+
+		return $publicKeyCredentialCreationOptions;
+	}
+
+	/**
+	 * Get the public key request options.
+	 *
+	 * This is used in the first step of the assertion (login) flow.
+	 *
+	 * @param   User  $user  The Joomla user to get the PK request options for
+	 *
+	 * @return  PublicKeyCredentialRequestOptions
+	 *
+	 * @throws  Exception
+	 * @since   __DEPLOY_VERSION__
+	 */
+	public static function getPubkeyRequestOptions(User $user): ?PublicKeyCredentialRequestOptions
+	{
+		Log::add('Creating PK request options', Log::DEBUG, 'webauthn.system');
+		$publicKeyCredentialRequestOptions = self::getWebauthnServer()->generatePublicKeyCredentialRequestOptions(
+			PublicKeyCredentialRequestOptions::USER_VERIFICATION_REQUIREMENT_PREFERRED,
+			self::getPubKeyDescriptorsForUser($user)
+		);
+
+		// Save in session. This is used during the verification stage to prevent replay attacks.
+		Factory::getApplication()->getSession()
+			->set('plg_system_webauthn.publicKeyCredentialRequestOptions', base64_encode(serialize($publicKeyCredentialRequestOptions)));
+
+		return $publicKeyCredentialRequestOptions;
+	}
+
+	/**
+	 * Validate the authenticator assertion.
+	 *
+	 * This is used in the second step of the assertion (login) flow. The server verifies that the
+	 * assertion generated by the authenticator has not been tampered with.
+	 *
+	 * @param   string  $data  The data
+	 * @param   User    $user  The user we are trying to log in
+	 *
+	 * @return  PublicKeyCredentialSource
+	 *
+	 * @throws Exception
+	 * @since   __DEPLOY_VERSION__
+	 */
+	public static function validateAssertionResponse(string $data, User $user): PublicKeyCredentialSource
+	{
+		/** @var SessionInterface $session */
+		$session = Factory::getApplication()->getSession();
+
+		// Make sure the public key credential request options in the session are valid
+		$encodedPkOptions                  = $session->get('plg_system_webauthn.publicKeyCredentialRequestOptions', null);
+		$serializedOptions                 = base64_decode($encodedPkOptions);
+		$publicKeyCredentialRequestOptions = unserialize($serializedOptions);
+
+		if (!is_object($publicKeyCredentialRequestOptions)
+			|| empty($publicKeyCredentialRequestOptions)
+			|| !($publicKeyCredentialRequestOptions instanceof PublicKeyCredentialRequestOptions))
+		{
+			Log::add('Cannot retrieve valid plg_system_webauthn.publicKeyCredentialRequestOptions from the session', Log::NOTICE, 'webauthn.system');
+			throw new RuntimeException(Text::_('PLG_SYSTEM_WEBAUTHN_ERR_CREATE_INVALID_LOGIN_REQUEST'));
+		}
+
+		$data = base64_decode($data);
+
+		if (empty($data))
+		{
+			Log::add('No or invalid assertion data received from the browser', Log::NOTICE, 'webauthn.system');
+
+			throw new RuntimeException(Text::_('PLG_SYSTEM_WEBAUTHN_ERR_CREATE_INVALID_LOGIN_REQUEST'));
+		}
+
+		return self::getWebauthnServer()->loadAndCheckAssertionResponse(
+			$data,
+			self::getPKCredentialRequestOptions(),
+			self::getUserEntity($user),
+			ServerRequestFactory::fromGlobals()
+		);
+	}
+
+	/**
+	 * Validate the authenticator attestation.
+	 *
+	 * This is used for the second step of attestation (key registration), when the user has
+	 * interacted with the authenticator and we need to validate the legitimacy of its response.
+	 *
+	 * An exception will be returned on error. Also, under very rare conditions, you may receive
+	 * NULL instead of a PublicKeyCredentialSource object which means that something was off in the
+	 * returned data from the browser.
+	 *
+	 * @param   string  $data  The data
+	 *
+	 * @return  PublicKeyCredentialSource|null
+	 *
+	 * @throws  Exception
+	 * @since   __DEPLOY_VERSION__
+	 */
+	public static function validateAttestationResponse(string $data): PublicKeyCredentialSource
+	{
+		/** @var CMSApplication $app */
+		$app     = Factory::getApplication();
+		$session = $app->getSession();
+
+		// Retrieve the PublicKeyCredentialCreationOptions object created earlier and perform sanity checks
+		$encodedOptions = $session->get('plg_system_webauthn.publicKeyCredentialCreationOptions', null);
+
+		if (empty($encodedOptions))
+		{
+			Log::add('Cannot retrieve plg_system_webauthn.publicKeyCredentialCreationOptions from the session', Log::NOTICE, 'webauthn.system');
+
+			throw new RuntimeException(Text::_('PLG_SYSTEM_WEBAUTHN_ERR_CREATE_NO_PK'));
+		}
+
+		/** @var PublicKeyCredentialCreationOptions|null $publicKeyCredentialCreationOptions */
+		try
+		{
+			$publicKeyCredentialCreationOptions = unserialize(base64_decode($encodedOptions));
+		}
+		catch (Exception $e)
+		{
+			Log::add('The plg_system_webauthn.publicKeyCredentialCreationOptions in the session is invalid', Log::NOTICE, 'webauthn.system');
+			$publicKeyCredentialCreationOptions = null;
+		}
+
+		if (!is_object($publicKeyCredentialCreationOptions) || !($publicKeyCredentialCreationOptions instanceof PublicKeyCredentialCreationOptions))
+		{
+			throw new RuntimeException(Text::_('PLG_SYSTEM_WEBAUTHN_ERR_CREATE_NO_PK'));
+		}
+
+		// Retrieve the stored user ID and make sure it's the same one in the request.
+		$storedUserId = $session->get('plg_system_webauthn.registration_user_id', 0);
+		$myUser       = $app->getIdentity() ?? new User;
+		$myUserId     = $myUser->id;
+
+		if (($myUser->guest) || ($myUserId != $storedUserId))
+		{
+			$message = sprintf('Invalid user! We asked the authenticator to attest user ID %d, the current user ID is %d', $storedUserId, $myUserId);
+			Log::add($message, Log::NOTICE, 'webauthn.system');
+
+			throw new RuntimeException(Text::_('PLG_SYSTEM_WEBAUTHN_ERR_CREATE_INVALID_USER'));
+		}
+
+		// We init the PSR-7 request object using Diactoros
+		return self::getWebauthnServer()->loadAndCheckAttestationResponse(
+			base64_decode($data),
+			$publicKeyCredentialCreationOptions,
+			ServerRequestFactory::fromGlobals()
+		);
+	}
+
+	/**
+	 * Try to find the site's favicon in the site's root, images, media, templates or current
+	 * template directory.
+	 *
+	 * @return  string|null
+	 *
+	 * @since   __DEPLOY_VERSION__
+	 */
+	private static function getSiteIcon(): ?string
+	{
+		$filenames = [
+			'apple-touch-icon.png',
+			'apple_touch_icon.png',
+			'favicon.ico',
+			'favicon.png',
+			'favicon.gif',
+			'favicon.bmp',
+			'favicon.jpg',
+			'favicon.svg',
+		];
+
+		try
+		{
+			$paths = [
+				'/',
+				'/images/',
+				'/media/',
+				'/templates/',
+				'/templates/' . Factory::getApplication()->getTemplate(),
+			];
+		}
+		catch (Exception $e)
+		{
+			return null;
+		}
+
+		foreach ($paths as $path)
+		{
+			foreach ($filenames as $filename)
+			{
+				$relFile  = $path . $filename;
+				$filePath = JPATH_BASE . $relFile;
+
+				if (is_file($filePath))
+				{
+					break 2;
+				}
+
+				$relFile = null;
+			}
+		}
+
+		if (!isset($relFile) || \is_null($relFile))
+		{
+			return null;
+		}
+
+		return rtrim(Uri::base(), '/') . '/' . ltrim($relFile, '/');
+	}
+
+	/**
+	 * Returns a User Entity object given a Joomla user
+	 *
+	 * @param   User  $user  The Joomla user to get the user entity for
+	 *
+	 * @return  PublicKeyCredentialUserEntity
+	 *
+	 * @since   __DEPLOY_VERSION__
+	 */
+	private static function getUserEntity(User $user): PublicKeyCredentialUserEntity
+	{
+		$repository = self::getCredentialsRepository();
+
+		return new PublicKeyCredentialUserEntity(
+			$user->username,
+			$repository->getHandleFromUserId($user->id),
+			$user->name,
+			self::getAvatar($user, 64)
+		);
+	}
+
+	/**
+	 * Get the user's avatar (through Gravatar)
+	 *
+	 * @param   User  $user  The Joomla user object
+	 * @param   int   $size  The dimensions of the image to fetch (default: 64 pixels)
+	 *
+	 * @return  string  The URL to the user's avatar
+	 *
+	 * @since   __DEPLOY_VERSION__
+	 */
+	private static function getAvatar(User $user, int $size = 64)
+	{
+		$scheme    = Uri::getInstance()->getScheme();
+		$subdomain = ($scheme == 'https') ? 'secure' : 'www';
+
+		return sprintf('%s://%s.gravatar.com/avatar/%s.jpg?s=%u&d=mm', $scheme, $subdomain, md5($user->email), $size);
+	}
+
+	/**
+	 * Returns an array of the PK credential descriptors (registered authenticators) for the given
+	 * user.
+	 *
+	 * @param   User  $user  The Joomla user to get the PK descriptors for
+	 *
+	 * @return  PublicKeyCredentialDescriptor[]
+	 *
+	 * @since   __DEPLOY_VERSION__
+	 */
+	private static function getPubKeyDescriptorsForUser(User $user): array
+	{
+		$userEntity  = self::getUserEntity($user);
+		$repository  = self::getCredentialsRepository();
+		$descriptors = [];
+		$records     = $repository->findAllForUserEntity($userEntity);
+
+		foreach ($records as $record)
+		{
+			$descriptors[] = $record->getPublicKeyCredentialDescriptor();
+		}
+
+		return $descriptors;
+	}
+
+	/**
+	 * Retrieve the public key credential request options saved in the session.
+	 *
+	 * If they do not exist or are corrupt it is a hacking attempt and we politely tell the
+	 * attacker to go away.
+	 *
+	 * @return  PublicKeyCredentialRequestOptions
+	 *
+	 * @throws  Exception
+	 * @since   __DEPLOY_VERSION__
+	 */
+	private static function getPKCredentialRequestOptions(): PublicKeyCredentialRequestOptions
+	{
+		/** @var SessionInterface $session */
+		$session = Factory::getApplication()->getSession();
+		$encodedOptions = $session->get('plg_system_webauthn.publicKeyCredentialRequestOptions', null);
+
+		if (empty($encodedOptions))
+		{
+			Log::add('Cannot retrieve plg_system_webauthn.publicKeyCredentialRequestOptions from the session', Log::NOTICE, 'webauthn.system');
+
+			throw new RuntimeException(Text::_('PLG_SYSTEM_WEBAUTHN_ERR_CREATE_INVALID_LOGIN_REQUEST'));
+		}
+
+		try
+		{
+			$publicKeyCredentialRequestOptions = unserialize(base64_decode($encodedOptions));
+		}
+		catch (Exception $e)
+		{
+			Log::add('Invalid plg_system_webauthn.publicKeyCredentialRequestOptions in the session', Log::NOTICE, 'webauthn.system');
+
+			throw new RuntimeException(Text::_('PLG_SYSTEM_WEBAUTHN_ERR_CREATE_INVALID_LOGIN_REQUEST'));
+		}
+
+		if (!is_object($publicKeyCredentialRequestOptions) || !($publicKeyCredentialRequestOptions instanceof PublicKeyCredentialRequestOptions))
+		{
+			throw new RuntimeException(Text::_('PLG_SYSTEM_WEBAUTHN_ERR_CREATE_INVALID_LOGIN_REQUEST'));
+		}
+
+		return $publicKeyCredentialRequestOptions;
+	}
+
+	/**
+	 * Get the WebAuthn library's Server object which facilitates WebAuthn operations
+	 *
+	 * @return  Server
+	 * @throws  Exception
+	 * @since    __DEPLOY_VERSION__
+	 */
+	private static function getWebauthnServer(): Server
+	{
+		$app      = Factory::getApplication();
+		$siteName = $app->get('sitename');
+
+		// Credentials repository
+		$repository = self::getCredentialsRepository();
+
+		// Relaying Party -- Our site
+		$rpEntity = new PublicKeyCredentialRpEntity(
+			$siteName,
+			Uri::getInstance()->toString(['host']),
+			self::getSiteIcon()
+		);
+
+		$server = new Server($rpEntity, $repository, null);
+
+		/**
+		 * =============================================================================================================
+		 * Note about the metadata repository.
+		 * =============================================================================================================
+		 *
+		 * We do not need to implement an MDS repo since we are not asking for the attestation metadata in this plugin.
+		 * If you need to use this plugin in a high security environment you need to fork this plugin and do two things:
+		 *
+		 * 1. Change ATTESTATION_CONVEYANCE_PREFERENCE_NONE to ATTESTATION_CONVEYANCE_PREFERENCE_DIRECT or
+		 *    ATTESTATION_CONVEYANCE_PREFERENCE_INDIRECT in the getPubKeyCreationOptions() method.
+		 * 2. Implement your own Metadata Statement (MDS) repository and set it here, e.g.
+		 *    ```php
+		 *    $server->setMetadataStatementRepository(new MyMDSRepository());
+		 *    ```
+		 * The implementation of the MDS repository is considered out-of-scope since you'd need the MDS from the
+		 * manufacturer(s) of your authenticator.
+		 *
+		 * @see https://webauthn-doc.spomky-labs.com/deep-into-the-framework/attestation-and-metadata-statement
+		 */
+
+		// Ed25519 is only available with libsodium
+		if (!function_exists('sodium_crypto_sign_seed_keypair'))
+		{
+			$server->setSelectedAlgorithms(['RS256', 'RS512', 'PS256', 'PS512', 'ES256', 'ES512']);
+		}
+
+		return $server;
+	}
+
+	/**
+	 * Get the credentials repository
+	 *
+	 * @return  CredentialRepository
+	 *
+	 * @since   __DEPLOY_VERSION__
+	 */
+	private static function getCredentialsRepository(): CredentialRepository
+	{
+		if (self::$credentialsRepository !== null)
+		{
+			return self::$credentialsRepository;
+		}
+
+		self::$credentialsRepository = new CredentialRepository;
+
+		return self::$credentialsRepository;
+	}
+}
diff --git a/plugins/system/webauthn/src/CredentialRepository.php b/plugins/system/webauthn/src/CredentialRepository.php
index 87394ca3d30d2..a2ab2b242b261 100644
--- a/plugins/system/webauthn/src/CredentialRepository.php
+++ b/plugins/system/webauthn/src/CredentialRepository.php
@@ -14,11 +14,11 @@
 
 use Exception;
 use InvalidArgumentException;
+use Joomla\CMS\Date\Date;
 use Joomla\CMS\Encrypt\Aes;
 use Joomla\CMS\Factory;
 use Joomla\CMS\Language\Text;
 use Joomla\Database\DatabaseDriver;
-use Joomla\Plugin\System\Webauthn\Helper\Joomla;
 use Joomla\Registry\Registry;
 use JsonException;
 use RuntimeException;
@@ -182,7 +182,7 @@ public function saveCredentialSource(PublicKeyCredentialSource $publicKeyCredent
 		$o            = (object) [
 			'id'         => $credentialId,
 			'user_id'    => $this->getHandleFromUserId($user->id),
-			'label'      => Text::sprintf('PLG_SYSTEM_WEBAUTHN_LBL_DEFAULT_AUTHENTICATOR_LABEL', Joomla::formatDate('now')),
+			'label'      => Text::sprintf('PLG_SYSTEM_WEBAUTHN_LBL_DEFAULT_AUTHENTICATOR_LABEL', self::formatDate('now')),
 			'credential' => json_encode($publicKeyCredentialSource),
 		];
 		$update = false;
@@ -410,6 +410,105 @@ public function getHandleFromUserId(int $id): string
 		return hash_hmac('sha256', $data, $key, false);
 	}
 
+	/**
+	 * Get the user ID from the user handle
+	 *
+	 * This is a VERY inefficient method. Since the user handle is an HMAC-SHA-256 of the user ID we can't just go
+	 * directly from a handle back to an ID. We have to iterate all user IDs, calculate their handles and compare them
+	 * to the given handle.
+	 *
+	 * To prevent a lengthy infinite loop in case of an invalid user handle we don't iterate the entire 2+ billion valid
+	 * 32-bit integer range. We load the user IDs of active users (not blocked, not pending activation) and iterate
+	 * through them.
+	 *
+	 * To avoid memory outage on large sites with thousands of active user records we load up to 10000 users at a time.
+	 * Each block of 10,000 user IDs takes about 60-80 msec to iterate. On a site with 200,000 active users this method
+	 * will take less than 1.5 seconds. This is slow but not impractical, even on crowded shared hosts with a quarter of
+	 * the performance of my test subject (a mid-range, shared hosting server).
+	 *
+	 * @param   string|null  $userHandle  The user handle which will be converted to a user ID.
+	 *
+	 * @return  integer|null
+	 * @since   __DEPLOY_VERSION__
+	 */
+	public function getUserIdFromHandle(?string $userHandle): ?int
+	{
+		if (empty($userHandle))
+		{
+			return null;
+		}
+
+		/** @var DatabaseDriver $db */
+		$db = Factory::getContainer()->get('DatabaseDriver');
+
+		// Check that the userHandle does exist in the database
+		$query = $db->getQuery(true)
+			->select('COUNT(*)')
+			->from($db->qn('#__webauthn_credentials'))
+			->where($db->qn('user_id') . ' = ' . $db->q($userHandle));
+
+		try
+		{
+			$numRecords = $db->setQuery($query)->loadResult();
+		}
+		catch (Exception $e)
+		{
+			return null;
+		}
+
+		if (is_null($numRecords) || ($numRecords < 1))
+		{
+			return null;
+		}
+
+		// Prepare the query
+		$query = $db->getQuery(true)
+			->select([$db->qn('id')])
+			->from($db->qn('#__users'))
+			->where($db->qn('block') . ' = 0')
+			->where(
+				'(' .
+				$db->qn('activation') . ' IS NULL OR ' .
+				$db->qn('activation') . ' = 0 OR ' .
+				$db->qn('activation') . ' = ' . $db->q('') .
+				')'
+			);
+
+		$key   = $this->getEncryptionKey();
+		$start = 0;
+		$limit = 10000;
+
+		while (true)
+		{
+			try
+			{
+				$ids = $db->setQuery($query, $start, $limit)->loadColumn();
+			}
+			catch (Exception $e)
+			{
+				return null;
+			}
+
+			if (empty($ids))
+			{
+				return null;
+			}
+
+			foreach ($ids as $userId)
+			{
+				$data       = sprintf('%010u', $userId);
+				$thisHandle = hash_hmac('sha256', $data, $key, false);
+
+				if ($thisHandle == $userHandle)
+				{
+					return $userId;
+				}
+			}
+
+			$start += $limit;
+		}
+	}
+
 	/**
 	 * Encrypt the credential source before saving it to the database
 	 *
@@ -485,4 +584,67 @@ private function getEncryptionKey(): string
 
 		return $secret;
 	}
+
+	/**
+	 * Format a date for display.
+	 *
+	 * The $tzAware parameter defines whether the formatted date will be timezone-aware. If set to false the formatted
+	 * date will be rendered in the UTC timezone. If set to true the code will automatically try to use the logged in
+	 * user's timezone or, if none is set, the site's default timezone (Server Timezone). If set to a positive integer
+	 * the same thing will happen but for the specified user ID instead of the currently logged in user.
+	 *
+	 * @param   string|\DateTime  $date     The date to format
+	 * @param   string|null       $format   The format string, default is Joomla's DATE_FORMAT_LC6 (usually "Y-m-d
+	 *                                      H:i:s")
+	 * @param   bool              $tzAware  Should the format be timezone aware? See notes above.
+	 *
+	 * @return  string
+	 * @since   __DEPLOY_VERSION__
+	 */
+	private static function formatDate($date, ?string $format = null, bool $tzAware = true): string
+	{
+		$utcTimeZone = new \DateTimeZone('UTC');
+		$jDate       = new Date($date, $utcTimeZone);
+
+		// Which timezone should I use?
+		$tz = null;
+
+		if ($tzAware !== false)
+		{
+			$userId = is_bool($tzAware) ? null : (int) $tzAware;
+
+			try
+			{
+				$tzDefault = Factory::getApplication()->get('offset');
+			}
+			catch (\Exception $e)
+			{
+				$tzDefault = 'GMT';
+			}
+
+			$user = Factory::getUser($userId);
+			$tz   = $user->getParam('timezone', $tzDefault);
+		}
+
+		if (!empty($tz))
+		{
+			try
+			{
+				$userTimeZone = new \DateTimeZone($tz);
+
+				$jDate->setTimezone($userTimeZone);
+			}
+			catch (\Exception $e)
+			{
+				// Nothing. Fall back to UTC.
+			}
+		}
+
+		if (empty($format))
+		{
+			$format = Text::_('DATE_FORMAT_LC6');
+		}
+
+		return $jDate->format($format, true);
+	}
 }
diff --git a/plugins/system/webauthn/src/Extension/Webauthn.php b/plugins/system/webauthn/src/Extension/Webauthn.php
new file mode 100644
index 0000000000000..da3be5ca55abb
--- /dev/null
+++ b/plugins/system/webauthn/src/Extension/Webauthn.php
@@ -0,0 +1,171 @@
+<?php
+/**
+ * @package         Joomla.Plugin
+ * @subpackage      System.Webauthn
+ *
+ * @copyright   (C) 2020 Open Source Matters, Inc. <https://www.joomla.org>
+ * @license         GNU General Public License version 2 or later; see LICENSE.txt
+ */
+
+namespace Joomla\Plugin\System\Webauthn\Extension;
+
+// Protect from unauthorized access
+defined('_JEXEC') or die();
+
+use Joomla\CMS\Application\CMSApplication;
+use Joomla\CMS\Factory;
+use Joomla\CMS\Log\Log;
+use Joomla\CMS\Plugin\CMSPlugin;
+use Joomla\Database\DatabaseDriver;
+use Joomla\Event\DispatcherInterface;
+use Joomla\Event\SubscriberInterface;
+use Joomla\Plugin\System\Webauthn\PluginTraits\AdditionalLoginButtons;
+use Joomla\Plugin\System\Webauthn\PluginTraits\AjaxHandler;
+use Joomla\Plugin\System\Webauthn\PluginTraits\AjaxHandlerChallenge;
+use Joomla\Plugin\System\Webauthn\PluginTraits\AjaxHandlerCreate;
+use Joomla\Plugin\System\Webauthn\PluginTraits\AjaxHandlerDelete;
+use Joomla\Plugin\System\Webauthn\PluginTraits\AjaxHandlerLogin;
+use Joomla\Plugin\System\Webauthn\PluginTraits\AjaxHandlerSaveLabel;
+use Joomla\Plugin\System\Webauthn\PluginTraits\EventReturnAware;
+use Joomla\Plugin\System\Webauthn\PluginTraits\UserDeletion;
+use Joomla\Plugin\System\Webauthn\PluginTraits\UserProfileFields;
+
+/**
+ * WebAuthn Passwordless Login plugin
+ *
+ * The plugin features are broken down into Traits for the sole purpose of making an otherwise
+ * supermassive class somewhat manageable. You can find the Traits inside the Webauthn/PluginTraits
+ * folder.
+ *
+ * @since  4.0.0
+ */
+class Webauthn extends CMSPlugin implements SubscriberInterface
+{
+	/**
+	 * The CMS application we are running in
+	 *
+	 * @var   CMSApplication
+	 * @since __DEPLOY_VERSION__
+	 */
+	protected $app;
+
+	/**
+	 * The application's database driver object
+	 *
+	 * @var   DatabaseDriver
+	 * @since __DEPLOY_VERSION__
+	 */
+	protected $db;
+
+	/**
+	 * Autoload the language files
+	 *
+	 * @var    boolean
+	 * @since  __DEPLOY_VERSION__
+	 */
+	protected $autoloadLanguage = true;
+
+	/**
+	 * Should I try to detect and register legacy event listeners?
+	 *
+	 * @var    boolean
+	 * @since  __DEPLOY_VERSION__
+	 *
+	 * @deprecated
+	 */
+	protected $allowLegacyListeners = false;
+
+	// AJAX request handlers
+	use AjaxHandler;
+	use AjaxHandlerCreate;
+	use AjaxHandlerSaveLabel;
+	use AjaxHandlerDelete;
+	use AjaxHandlerChallenge;
+	use AjaxHandlerLogin;
+
+	// Custom user profile fields
+	use UserProfileFields;
+
+	// Handle user profile deletion
+	use UserDeletion;
+
+	// Add WebAuthn buttons
+	use AdditionalLoginButtons;
+
+	// Utility methods for setting the events' return values
+	use EventReturnAware;
+
+	/**
+	 * Constructor. Loads the language files as well.
+	 *
+	 * @param   DispatcherInterface  $subject  The object to observe
+	 * @param   array                $config   An optional associative array of configuration
+	 *                                         settings. Recognized key values include 'name',
+	 *                                         'group', 'params', 'language (this list is not meant
+	 *                                         to be comprehensive).
+	 *
+	 * @since  4.0.0
+	 */
+	public function __construct(&$subject, array $config = [])
+	{
+		parent::__construct($subject, $config);
+
+		/**
+		 * Note: Do NOT try to load the language in the constructor. This is called before Joomla initializes the
+		 * application language. Therefore the temporary Joomla language object and all loaded strings in it will be
+		 * destroyed on application initialization. As a result we need to call loadLanguage() in each method
+		 * individually, even though all methods make use of language strings.
+		 */
+
+		// Register a debug log file writer
+		$logLevels = Log::ERROR | Log::CRITICAL | Log::ALERT | Log::EMERGENCY;
+
+		if (\defined('JDEBUG') && JDEBUG)
+		{
+			$logLevels = Log::ALL;
+		}
+
+		Log::addLogger([
+				'text_file'         => "webauthn_system.php",
+				'text_entry_format' => '{DATETIME}	{PRIORITY} {CLIENTIP}	{MESSAGE}',
+			], $logLevels, ["webauthn.system"]
+		);
+	}
+
+	/**
+	 * Returns an array of events this subscriber will listen to.
+	 *
+	 * @return  array
+	 *
+	 * @since   __DEPLOY_VERSION__
+	 */
+	public static function getSubscribedEvents(): array
+	{
+		try
+		{
+			$app = Factory::getApplication();
+		}
+		catch (\Exception $e)
+		{
+			return [];
+		}
+
+		if (!$app->isClient('site') && !$app->isClient('administrator'))
+		{
+			return [];
+		}
+
+		return [
+			'onAjaxWebauthn'          => 'onAjaxWebauthn',
+			'onAjaxWebauthnChallenge' => 'onAjaxWebauthnChallenge',
+			'onAjaxWebauthnCreate'    => 'onAjaxWebauthnCreate',
+			'onAjaxWebauthnDelete'    => 'onAjaxWebauthnDelete',
+			'onAjaxWebauthnLogin'     => 'onAjaxWebauthnLogin',
+			'onAjaxWebauthnSavelabel' => 'onAjaxWebauthnSavelabel',
+			'onUserAfterDelete'       => 'onUserAfterDelete',
+			'onUserLoginButtons'      => 'onUserLoginButtons',
+			'onContentPrepareForm'    => 'onContentPrepareForm',
+			'onContentPrepareData'    => 'onContentPrepareData',
+		];
+	}
+}
diff --git a/plugins/system/webauthn/src/Field/WebauthnField.php b/plugins/system/webauthn/src/Field/WebauthnField.php
index 973c576c5c01a..e8b88b4181961 100644
--- a/plugins/system/webauthn/src/Field/WebauthnField.php
+++ b/plugins/system/webauthn/src/Field/WebauthnField.php
@@ -16,9 +16,9 @@
 use Joomla\CMS\Factory;
 use Joomla\CMS\Form\FormField;
 use Joomla\CMS\Language\Text;
+use Joomla\CMS\Layout\FileLayout;
 use Joomla\CMS\User\UserFactoryInterface;
 use Joomla\Plugin\System\Webauthn\CredentialRepository;
-use Joomla\Plugin\System\Webauthn\Helper\Joomla;
 
 /**
  * Custom Joomla Form Field to display the WebAuthn interface
@@ -65,7 +65,9 @@ public function getInput()
 		$app->getDocument()->getWebAssetManager()
 			->registerAndUseScript('plg_system_webauthn.management', 'plg_system_webauthn/management.js', [], ['defer' => true], ['core']);
 
-		return Joomla::renderLayout('plugins.system.webauthn.manage', [
+		$layoutFile  = new FileLayout('plugins.system.webauthn.manage');
+
+		return $layoutFile->render([
 			'user'        => Factory::getContainer()->get(UserFactoryInterface::class)->loadUserById($userId),
 			'allow_add'   => $userId == $app->getIdentity()->id,
 			'credentials' => $credentialRepository->getAll($userId),
diff --git a/plugins/system/webauthn/src/Helper/CredentialsCreation.php b/plugins/system/webauthn/src/Helper/CredentialsCreation.php
deleted file mode 100644
index ed8dc34f24afa..0000000000000
--- a/plugins/system/webauthn/src/Helper/CredentialsCreation.php
+++ /dev/null
@@ -1,358 +0,0 @@
-<?php
-/**
- * @package     Joomla.Plugin
- * @subpackage  System.Webauthn
- *
- * @copyright   (C) 2020 Open Source Matters, Inc. <https://www.joomla.org>
- * @license     GNU General Public License version 2 or later; see LICENSE.txt
- */
-
-namespace Joomla\Plugin\System\Webauthn\Helper;
-
-// Protect from unauthorized access
-\defined('_JEXEC') or die();
-
-use CBOR\Decoder;
-use CBOR\OtherObject\OtherObjectManager;
-use CBOR\Tag\TagObjectManager;
-use Cose\Algorithm\Manager;
-use Cose\Algorithm\Signature\ECDSA;
-use Cose\Algorithm\Signature\EdDSA;
-use Cose\Algorithm\Signature\RSA;
-use Cose\Algorithms;
-use Exception;
-use Joomla\CMS\Application\CMSApplication;
-use Joomla\CMS\Crypt\Crypt;
-use Joomla\CMS\Factory;
-use Joomla\CMS\Language\Text;
-use Joomla\CMS\Uri\Uri;
-use Joomla\CMS\User\User;
-use Joomla\CMS\User\UserFactoryInterface;
-use Joomla\Plugin\System\Webauthn\CredentialRepository;
-use Laminas\Diactoros\ServerRequestFactory;
-use RuntimeException;
-use Webauthn\AttestationStatement\AndroidKeyAttestationStatementSupport;
-use Webauthn\AttestationStatement\AttestationObjectLoader;
-use Webauthn\AttestationStatement\AttestationStatementSupportManager;
-use Webauthn\AttestationStatement\FidoU2FAttestationStatementSupport;
-use Webauthn\AttestationStatement\NoneAttestationStatementSupport;
-use Webauthn\AttestationStatement\PackedAttestationStatementSupport;
-use Webauthn\AttestationStatement\TPMAttestationStatementSupport;
-use Webauthn\AuthenticationExtensions\AuthenticationExtensionsClientInputs;
-use Webauthn\AuthenticationExtensions\ExtensionOutputCheckerHandler;
-use Webauthn\AuthenticatorAttestationResponse;
-use Webauthn\AuthenticatorAttestationResponseValidator;
-use Webauthn\AuthenticatorSelectionCriteria;
-use Webauthn\PublicKeyCredentialCreationOptions;
-use Webauthn\PublicKeyCredentialDescriptor;
-use Webauthn\PublicKeyCredentialLoader;
-use Webauthn\PublicKeyCredentialParameters;
-use Webauthn\PublicKeyCredentialRpEntity;
-use Webauthn\PublicKeyCredentialSource;
-use Webauthn\PublicKeyCredentialUserEntity;
-use Webauthn\TokenBinding\TokenBindingNotSupportedHandler;
-
-/**
- * Helper class to aid in credentials creation (link an authenticator to a user account)
- *
- * @since   4.0.0
- */
-abstract class CredentialsCreation
-{
-	/**
-	 * Create a public key for credentials creation. The result is a JSON string which can be used in Javascript code
-	 * with navigator.credentials.create().
-	 *
-	 * @param   User  $user The Joomla user to create the public key for
-	 *
-	 * @return  string
-	 *
-	 * @since   4.0.0
-	 */
-	public static function createPublicKey(User $user): string
-	{
-		/** @var CMSApplication $app */
-		try
-		{
-			$app      = Factory::getApplication();
-			$siteName = $app->getConfig()->get('sitename', 'Joomla! Site');
-		}
-		catch (Exception $e)
-		{
-			$siteName = 'Joomla! Site';
-		}
-
-		// Credentials repository
-		$repository = new CredentialRepository;
-
-		// Relaying Party -- Our site
-		$rpEntity = new PublicKeyCredentialRpEntity(
-			$siteName,
-			Uri::getInstance()->toString(['host']),
-			self::getSiteIcon()
-		);
-
-		// User Entity
-		$userEntity = new PublicKeyCredentialUserEntity(
-			$user->username,
-			$repository->getHandleFromUserId($user->id),
-			$user->name
-		);
-
-		// Challenge
-		try
-		{
-			$challenge = random_bytes(32);
-		}
-		catch (Exception $e)
-		{
-			$challenge = Crypt::genRandomBytes(32);
-		}
-
-		// Public Key Credential Parameters
-		$publicKeyCredentialParametersList = [
-			new PublicKeyCredentialParameters('public-key', Algorithms::COSE_ALGORITHM_ES256),
-		];
-
-		// Timeout: 60 seconds (given in milliseconds)
-		$timeout = 60000;
-
-		// Devices to exclude (already set up authenticators)
-		$excludedPublicKeyDescriptors = [];
-		$records                      = $repository->findAllForUserEntity($userEntity);
-
-		/** @var PublicKeyCredentialSource $record */
-		foreach ($records as $record)
-		{
-			$excludedPublicKeyDescriptors[] = new PublicKeyCredentialDescriptor($record->getType(), $record->getCredentialPublicKey());
-		}
-
-		// Authenticator Selection Criteria (we used default values)
-		$authenticatorSelectionCriteria = new AuthenticatorSelectionCriteria;
-
-		// Extensions (not yet supported by the library)
-		$extensions = new AuthenticationExtensionsClientInputs;
-
-		// Attestation preference
-		$attestationPreference = PublicKeyCredentialCreationOptions::ATTESTATION_CONVEYANCE_PREFERENCE_NONE;
-
-		// Public key credential creation options
-		$publicKeyCredentialCreationOptions = new PublicKeyCredentialCreationOptions(
-			$rpEntity,
-			$userEntity,
-			$challenge,
-			$publicKeyCredentialParametersList,
-			$timeout,
-			$excludedPublicKeyDescriptors,
-			$authenticatorSelectionCriteria,
-			$attestationPreference,
-			$extensions
-		);
-
-		// Save data in the session
-		Joomla::setSessionVar('publicKeyCredentialCreationOptions',
-			base64_encode(serialize($publicKeyCredentialCreationOptions)),
-			'plg_system_webauthn'
-		);
-		Joomla::setSessionVar('registration_user_id', $user->id, 'plg_system_webauthn');
-
-		return json_encode($publicKeyCredentialCreationOptions, JSON_UNESCAPED_SLASHES | JSON_UNESCAPED_UNICODE);
-	}
-
-	/**
-	 * Validate the authentication data returned by the device and return the public key credential source on success.
-	 *
-	 * An exception will be returned on error. Also, under very rare conditions, you may receive NULL instead of
-	 * a PublicKeyCredentialSource object which means that something was off in the returned data from the browser.
-	 *
-	 * @param   string  $data  The JSON-encoded data returned by the browser during the authentication flow
-	 *
-	 * @return  PublicKeyCredentialSource|null
-	 *
-	 * @since   4.0.0
-	 */
-	public static function validateAuthenticationData(string $data): ?PublicKeyCredentialSource
-	{
-		// Retrieve the PublicKeyCredentialCreationOptions object created earlier and perform sanity checks
-		$encodedOptions = Joomla::getSessionVar('publicKeyCredentialCreationOptions', null, 'plg_system_webauthn');
-
-		if (empty($encodedOptions))
-		{
-			throw new RuntimeException(Text::_('PLG_SYSTEM_WEBAUTHN_ERR_CREATE_NO_PK'));
-		}
-
-		try
-		{
-			$publicKeyCredentialCreationOptions = unserialize(base64_decode($encodedOptions));
-		}
-		catch (Exception $e)
-		{
-			$publicKeyCredentialCreationOptions = null;
-		}
-
-		if (!\is_object($publicKeyCredentialCreationOptions) || !($publicKeyCredentialCreationOptions instanceof PublicKeyCredentialCreationOptions))
-		{
-			throw new RuntimeException(Text::_('PLG_SYSTEM_WEBAUTHN_ERR_CREATE_NO_PK'));
-		}
-
-		// Retrieve the stored user ID and make sure it's the same one in the request.
-		$storedUserId = Joomla::getSessionVar('registration_user_id', 0, 'plg_system_webauthn');
-
-		try
-		{
-			$myUser = Factory::getApplication()->getIdentity();
-		}
-		catch (Exception $e)
-		{
-			$dummyUserId = 0;
-			$myUser      = Factory::getContainer()->get(UserFactoryInterface::class)->loadUserById($dummyUserId);
-		}
-
-		$myUserId = $myUser->id;
-
-		if (($myUser->guest) || ($myUserId != $storedUserId))
-		{
-			throw new RuntimeException(Text::_('PLG_SYSTEM_WEBAUTHN_ERR_CREATE_INVALID_USER'));
-		}
-
-		// Cose Algorithm Manager
-		$coseAlgorithmManager               = new Manager;
-		$coseAlgorithmManager->add(new ECDSA\ES256);
-		$coseAlgorithmManager->add(new ECDSA\ES512);
-		$coseAlgorithmManager->add(new EdDSA\EdDSA);
-		$coseAlgorithmManager->add(new RSA\RS1);
-		$coseAlgorithmManager->add(new RSA\RS256);
-		$coseAlgorithmManager->add(new RSA\RS512);
-
-		// Create a CBOR Decoder object
-		$otherObjectManager = new OtherObjectManager;
-		$tagObjectManager   = new TagObjectManager;
-		$decoder            = new Decoder($tagObjectManager, $otherObjectManager);
-
-		// The token binding handler
-		$tokenBindingHandler = new TokenBindingNotSupportedHandler;
-
-		// Attestation Statement Support Manager
-		$attestationStatementSupportManager = new AttestationStatementSupportManager;
-		$attestationStatementSupportManager->add(new NoneAttestationStatementSupport);
-		$attestationStatementSupportManager->add(new FidoU2FAttestationStatementSupport($decoder));
-
-		/**
-		$attestationStatementSupportManager->add(
-			new AndroidSafetyNetAttestationStatementSupport(HttpFactory::getHttp(),
-				'GOOGLE_SAFETYNET_API_KEY',
-				new RequestFactory
-			)
-		);
-		*/
-		$attestationStatementSupportManager->add(new AndroidKeyAttestationStatementSupport($decoder));
-		$attestationStatementSupportManager->add(new TPMAttestationStatementSupport);
-		$attestationStatementSupportManager->add(new PackedAttestationStatementSupport($decoder, $coseAlgorithmManager));
-
-		// Attestation Object Loader
-		$attestationObjectLoader = new AttestationObjectLoader($attestationStatementSupportManager, $decoder);
-
-		// Public Key Credential Loader
-		$publicKeyCredentialLoader = new PublicKeyCredentialLoader($attestationObjectLoader, $decoder);
-
-		// Credential Repository
-		$credentialRepository = new CredentialRepository;
-
-		// Extension output checker handler
-		$extensionOutputCheckerHandler = new ExtensionOutputCheckerHandler;
-
-		// Authenticator Attestation Response Validator
-		$authenticatorAttestationResponseValidator = new AuthenticatorAttestationResponseValidator(
-			$attestationStatementSupportManager,
-			$credentialRepository,
-			$tokenBindingHandler,
-			$extensionOutputCheckerHandler
-		);
-
-		// Any Throwable from this point will bubble up to the GUI
-
-		// We init the PSR-7 request object using Diactoros
-		$request = ServerRequestFactory::fromGlobals();
-
-		// Load the data
-		$publicKeyCredential = $publicKeyCredentialLoader->load(base64_decode($data));
-		$response            = $publicKeyCredential->getResponse();
-
-		// Check if the response is an Authenticator Attestation Response
-		if (!$response instanceof AuthenticatorAttestationResponse)
-		{
-			throw new RuntimeException('Not an authenticator attestation response');
-		}
-
-		// Check the response against the request
-		$authenticatorAttestationResponseValidator->check($response, $publicKeyCredentialCreationOptions, $request);
-
-		/**
-		 * Everything is OK here. You can get the Public Key Credential Source. This object should be persisted using
-		 * the Public Key Credential Source repository.
-		 */
-		return PublicKeyCredentialSource::createFromPublicKeyCredential(
-			$publicKeyCredential,
-			$publicKeyCredentialCreationOptions->getUser()->getId()
-		);
-	}
-
-	/**
-	 * Try to find the site's favicon in the site's root, images, media, templates or current template directory.
-	 *
-	 * @return  string|null
-	 *
-	 * @since   4.0.0
-	 */
-	protected static function getSiteIcon(): ?string
-	{
-		$filenames = [
-			'apple-touch-icon.png',
-			'apple_touch_icon.png',
-			'favicon.ico',
-			'favicon.png',
-			'favicon.gif',
-			'favicon.bmp',
-			'favicon.jpg',
-			'favicon.svg',
-		];
-
-		try
-		{
-			$paths = [
-				'/',
-				'/images/',
-				'/media/',
-				'/templates/',
-				'/templates/' . Factory::getApplication()->getTemplate(),
-			];
-		}
-		catch (Exception $e)
-		{
-			return null;
-		}
-
-		foreach ($paths as $path)
-		{
-			foreach ($filenames as $filename)
-			{
-				$relFile  = $path . $filename;
-				$filePath = JPATH_BASE . $relFile;
-
-				if (is_file($filePath))
-				{
-					break 2;
-				}
-
-				$relFile = null;
-			}
-		}
-
-		if (!isset($relFile) || \is_null($relFile))
-		{
-			return null;
-		}
-
-		return rtrim(Uri::base(), '/') . '/' . ltrim($relFile, '/');
-	}
-}
diff --git a/plugins/system/webauthn/src/Helper/Joomla.php b/plugins/system/webauthn/src/Helper/Joomla.php
deleted file mode 100644
index 4d6deae9bf44d..0000000000000
--- a/plugins/system/webauthn/src/Helper/Joomla.php
+++ /dev/null
@@ -1,744 +0,0 @@
-<?php
-/**
- * @package     Joomla.Plugin
- * @subpackage  System.Webauthn
- *
- * @copyright   (C) 2020 Open Source Matters, Inc. <https://www.joomla.org>
- * @license     GNU General Public License version 2 or later; see LICENSE.txt
- */
-
-namespace Joomla\Plugin\System\Webauthn\Helper;
-
-// Protect from unauthorized access
-\defined('_JEXEC') or die();
-
-use DateTime;
-use DateTimeZone;
-use Exception;
-use JLoader;
-use Joomla\Application\AbstractApplication;
-use Joomla\CMS\Application\CliApplication;
-use Joomla\CMS\Application\CMSApplication;
-use Joomla\CMS\Application\ConsoleApplication;
-use Joomla\CMS\Authentication\Authentication;
-use Joomla\CMS\Authentication\AuthenticationResponse;
-use Joomla\CMS\Date\Date;
-use Joomla\CMS\Factory;
-use Joomla\CMS\Language\Text;
-use Joomla\CMS\Layout\FileLayout;
-use Joomla\CMS\Log\Log;
-use Joomla\CMS\Plugin\PluginHelper;
-use Joomla\CMS\User\User;
-use Joomla\CMS\User\UserFactoryInterface;
-use Joomla\CMS\User\UserHelper;
-use Joomla\Registry\Registry;
-use RuntimeException;
-
-/**
- * A helper class for abstracting core features in Joomla! 3.4 and later, including 4.x
- *
- * @since  4.0.0
- */
-abstract class Joomla
-{
-	/**
-	 * A fake session storage for CLI apps. Since CLI applications cannot have a session we are
-	 * using a Registry object we manage internally.
-	 *
-	 * @var     Registry
-	 * @since   4.0.0
-	 */
-	protected static $fakeSession = null;
-
-	/**
-	 * Are we inside the administrator application
-	 *
-	 * @var     boolean
-	 * @since   4.0.0
-	 */
-	protected static $isAdmin = null;
-
-	/**
-	 * Are we inside a CLI application
-	 *
-	 * @var     boolean
-	 * @since   4.0.0
-	 */
-	protected static $isCli = null;
-
-	/**
-	 * Which plugins have already registered a text file logger. Prevents double registration of a
-	 * log file.
-	 *
-	 * @var     array
-	 * @since   4.0.0
-	 */
-	protected static $registeredLoggers = [];
-
-	/**
-	 * The current Joomla Document type
-	 *
-	 * @var     string|null
-	 * @since   4.0.0
-	 */
-	protected static $joomlaDocumentType = null;
-
-	/**
-	 * Is the current user allowed to edit the social login configuration of $user? To do so I must
-	 * either be editing my own account OR I have to be a Super User.
-	 *
-	 * @param   User  $user  The user you want to know if we're allowed to edit
-	 *
-	 * @return  boolean
-	 *
-	 * @since   4.0.0
-	 */
-	public static function canEditUser(User $user = null): bool
-	{
-		// I can edit myself
-		if (empty($user))
-		{
-			return true;
-		}
-
-		// Guests can't have social logins associated
-		if ($user->guest)
-		{
-			return false;
-		}
-
-		// Get the currently logged in used
-		try
-		{
-			$myUser = Factory::getApplication()->getIdentity();
-		}
-		catch (Exception $e)
-		{
-			// Cannot get the application; no user, therefore no edit privileges.
-			return false;
-		}
-
-		// Same user? I can edit myself
-		if ($myUser->id == $user->id)
-		{
-			return true;
-		}
-
-		// To edit a different user I must be a Super User myself. If I'm not, I can't edit another user!
-		if (!$myUser->authorise('core.admin'))
-		{
-			return false;
-		}
-
-		// I am a Super User editing another user. That's allowed.
-		return true;
-	}
-
-	/**
-	 * Helper method to render a JLayout.
-	 *
-	 * @param   string  $layoutFile   Dot separated path to the layout file, relative to base path
-	 *                                (plugins/system/webauthn/layout)
-	 * @param   object  $displayData  Object which properties are used inside the layout file to
-	 *                                build displayed output
-	 * @param   string  $includePath  Additional path holding layout files
-	 * @param   mixed   $options      Optional custom options to load. Registry or array format.
-	 *                                Set 'debug'=>true to output debug information.
-	 *
-	 * @return  string
-	 *
-	 * @since   4.0.0
-	 */
-	public static function renderLayout(string $layoutFile, $displayData = null,
-		string $includePath = '', array $options = []
-	): string
-	{
-		$basePath = JPATH_SITE . '/plugins/system/webauthn/layout';
-		$layout   = new FileLayout($layoutFile, $basePath, $options);
-
-		if (!empty($includePath))
-		{
-			$layout->addIncludePath($includePath);
-		}
-
-		return $layout->render($displayData);
-	}
-
-	/**
-	 * Unset a variable from the user session
-	 *
-	 * This method cannot be replaced with a call to Factory::getSession->set(). This method takes
-	 * into account running under CLI, using a fake session storage. In the end of the day this
-	 * plugin doesn't work under CLI but being able to fake session storage under CLI means that we
-	 * don't have to add gnarly if-blocks everywhere in the code to make sure it doesn't break CLI
-	 * either!
-	 *
-	 * @param   string  $name       The name of the variable to unset
-	 * @param   string  $namespace  (optional) The variable's namespace e.g. the component name.
-	 *                              Default: 'default'
-	 *
-	 * @return  void
-	 *
-	 * @since   4.0.0
-	 */
-	public static function unsetSessionVar(string $name, string $namespace = 'default'): void
-	{
-		self::setSessionVar($name, null, $namespace);
-	}
-
-	/**
-	 * Set a variable in the user session.
-	 *
-	 * This method cannot be replaced with a call to Factory::getSession->set(). This method takes
-	 * into account running under CLI, using a fake session storage. In the end of the day this
-	 * plugin doesn't work under CLI but being able to fake session storage under CLI means that we
-	 * don't have to add gnarly if-blocks everywhere in the code to make sure it doesn't break CLI
-	 * either!
-	 *
-	 * @param   string  $name       The name of the variable to set
-	 * @param   string  $value      (optional) The value to set it to, default is null
-	 * @param   string  $namespace  (optional) The variable's namespace e.g. the component name.
-	 *                              Default: 'default'
-	 *
-	 * @return  void
-	 *
-	 * @since   4.0.0
-	 */
-	public static function setSessionVar(string $name, ?string $value = null,
-		string $namespace = 'default'
-	): void
-	{
-		$qualifiedKey = "$namespace.$name";
-
-		if (self::isCli())
-		{
-			self::getFakeSession()->set($qualifiedKey, $value);
-
-			return;
-		}
-
-		try
-		{
-			Factory::getApplication()->getSession()->set($qualifiedKey, $value);
-		}
-		catch (Exception $e)
-		{
-			return;
-		}
-	}
-
-	/**
-	 * Are we inside a CLI application
-	 *
-	 * @param   CMSApplication  $app  The current CMS application which tells us if we are inside
-	 *                                an admin page
-	 *
-	 * @return  boolean
-	 *
-	 * @since   4.0.0
-	 */
-	public static function isCli(CMSApplication $app = null): bool
-	{
-		if (\is_null(self::$isCli))
-		{
-			if (\is_null($app))
-			{
-				try
-				{
-					$app = Factory::getApplication();
-				}
-				catch (Exception $e)
-				{
-					$app = null;
-				}
-			}
-
-			if (\is_null($app))
-			{
-				self::$isCli = true;
-			}
-
-			if (\is_object($app))
-			{
-				self::$isCli = $app instanceof Exception;
-
-				if (class_exists('Joomla\\CMS\\Application\\CliApplication'))
-				{
-					self::$isCli = self::$isCli || $app instanceof CliApplication || $app instanceof ConsoleApplication;
-				}
-			}
-		}
-
-		return self::$isCli;
-	}
-
-	/**
-	 * Get a fake session registry for CLI applications
-	 *
-	 * @return  Registry
-	 *
-	 * @since   4.0.0
-	 */
-	protected static function getFakeSession(): Registry
-	{
-		if (!\is_object(self::$fakeSession))
-		{
-			self::$fakeSession = new Registry;
-		}
-
-		return self::$fakeSession;
-	}
-
-	/**
-	 * Return the session token. This method goes through our session abstraction to prevent a
-	 * fatal exception if it's accidentally called under CLI.
-	 *
-	 * @return  mixed
-	 *
-	 * @since   4.0.0
-	 */
-	public static function getToken(): string
-	{
-		// For CLI apps we implement our own fake token system
-		if (self::isCli())
-		{
-			$token = self::getSessionVar('session.token');
-
-			// Create a token
-			if (\is_null($token))
-			{
-				$token = UserHelper::genRandomPassword(32);
-
-				self::setSessionVar('session.token', $token);
-			}
-
-			return (string) $token;
-		}
-
-		// Web application, go through the regular Joomla! API.
-		try
-		{
-			return Factory::getApplication()->getSession()->getToken();
-		}
-		catch (Exception $e)
-		{
-			return '';
-		}
-	}
-
-	/**
-	 * Get a variable from the user session
-	 *
-	 * This method cannot be replaced with a call to Factory::getSession->get(). This method takes
-	 * into account running under CLI, using a fake session storage. In the end of the day this
-	 * plugin doesn't work under CLI but being able to fake session storage under CLI means that we
-	 * don't have to add gnarly if-blocks everywhere in the code to make sure it doesn't break CLI
-	 * either!
-	 *
-	 * @param   string  $name       The name of the variable to set
-	 * @param   string  $default    (optional) The default value to return if the variable does not
-	 *                              exit, default: null
-	 * @param   string  $namespace  (optional) The variable's namespace e.g. the component name.
-	 *                              Default: 'default'
-	 *
-	 * @return  mixed
-	 *
-	 * @since   4.0.0
-	 */
-	public static function getSessionVar(string $name, ?string $default = null,
-		string $namespace = 'default'
-	)
-	{
-		$qualifiedKey = "$namespace.$name";
-
-		if (self::isCli())
-		{
-			return self::getFakeSession()->get("$namespace.$name", $default);
-		}
-
-		try
-		{
-			return Factory::getApplication()->getSession()->get($qualifiedKey, $default);
-		}
-		catch (Exception $e)
-		{
-			return $default;
-		}
-	}
-
-	/**
-	 * Register a debug log file writer for a Social Login plugin.
-	 *
-	 * @param   string  $plugin  The Social Login plugin for which to register a debug log file
-	 *                           writer
-	 *
-	 * @return  void
-	 *
-	 * @since   4.0.0
-	 */
-	public static function addLogger(string $plugin): void
-	{
-		// Make sure this logger is not already registered
-		if (\in_array($plugin, self::$registeredLoggers))
-		{
-			return;
-		}
-
-		self::$registeredLoggers[] = $plugin;
-
-		// We only log errors unless Site Debug is enabled
-		$logLevels = Log::ERROR | Log::CRITICAL | Log::ALERT | Log::EMERGENCY;
-
-		if (\defined('JDEBUG') && JDEBUG)
-		{
-			$logLevels = Log::ALL;
-		}
-
-		// Add a formatted text logger
-		Log::addLogger([
-			'text_file'         => "webauthn_{$plugin}.php",
-			'text_entry_format' => '{DATETIME}	{PRIORITY} {CLIENTIP}	{MESSAGE}',
-			], $logLevels, [
-				"webauthn.{$plugin}",
-			]
-		);
-	}
-
-	/**
-	 * Logs in a user to the site, bypassing the authentication plugins.
-	 *
-	 * @param   int                  $userId  The user ID to log in
-	 * @param   AbstractApplication  $app     The application we are running in. Skip to
-	 *                                        auto-detect (recommended).
-	 *
-	 * @return  void
-	 *
-	 * @throws  Exception
-	 *
-	 * @since   4.0.0
-	 */
-	public static function loginUser(int $userId, AbstractApplication $app = null): void
-	{
-		// Trick the class auto-loader into loading the necessary classes
-		class_exists('Joomla\\CMS\\Authentication\\Authentication', true);
-
-		// Fake a successful login message
-		if (!\is_object($app))
-		{
-			$app = Factory::getApplication();
-		}
-
-		$isAdmin = $app->isClient('administrator');
-		/** @var User $user */
-		$user    = Factory::getContainer()->get(UserFactoryInterface::class)->loadUserById($userId);
-
-		// Does the user account have a pending activation?
-		if (!empty($user->activation))
-		{
-			throw new RuntimeException(Text::_('JGLOBAL_AUTH_ACCESS_DENIED'));
-		}
-
-		// Is the user account blocked?
-		if ($user->block)
-		{
-			throw new RuntimeException(Text::_('JGLOBAL_AUTH_ACCESS_DENIED'));
-		}
-
-		$statusSuccess = Authentication::STATUS_SUCCESS;
-
-		$response           = self::getAuthenticationResponseObject();
-		$response->status   = $statusSuccess;
-		$response->username = $user->username;
-		$response->fullname = $user->name;
-		// phpcs:ignore
-		$response->error_message = '';
-		$response->language      = $user->getParam('language');
-		$response->type          = 'Passwordless';
-
-		if ($isAdmin)
-		{
-			$response->language = $user->getParam('admin_language');
-		}
-
-		/**
-		 * Set up the login options.
-		 *
-		 * The 'remember' element forces the use of the Remember Me feature when logging in with Webauthn, as the
-		 * users would expect.
-		 *
-		 * The 'action' element is actually required by plg_user_joomla. It is the core ACL action the logged in user
-		 * must be allowed for the login to succeed. Please note that front-end and back-end logins use a different
-		 * action. This allows us to provide the social login button on both front- and back-end and be sure that if a
-		 * used with no backend access tries to use it to log in Joomla! will just slap him with an error message about
-		 * insufficient privileges - the same thing that'd happen if you tried to use your front-end only username and
-		 * password in a back-end login form.
-		 */
-		$options = [
-			'remember' => true,
-			'action'   => 'core.login.site',
-		];
-
-		if (self::isAdminPage())
-		{
-			$options['action'] = 'core.login.admin';
-		}
-
-		// Run the user plugins. They CAN block login by returning boolean false and setting $response->error_message.
-		PluginHelper::importPlugin('user');
-
-		/** @var CMSApplication $app */
-		$results = $app->triggerEvent('onUserLogin', [(array) $response, $options]);
-
-		// If there is no boolean FALSE result from any plugin the login is successful.
-		if (\in_array(false, $results, true) == false)
-		{
-			// Set the user in the session, letting Joomla! know that we are logged in.
-			$app->getSession()->set('user', $user);
-
-			// Trigger the onUserAfterLogin event
-			$options['user']         = $user;
-			$options['responseType'] = $response->type;
-
-			// The user is successfully logged in. Run the after login events
-			$app->triggerEvent('onUserAfterLogin', [$options]);
-
-			return;
-		}
-
-		// If we are here the plugins marked a login failure. Trigger the onUserLoginFailure Event.
-		$app->triggerEvent('onUserLoginFailure', [(array) $response]);
-
-		// Log the failure
-		// phpcs:ignore
-		Log::add($response->error_message, Log::WARNING, 'jerror');
-
-		// Throw an exception to let the caller know that the login failed
-		// phpcs:ignore
-		throw new RuntimeException($response->error_message);
-	}
-
-	/**
-	 * Returns a (blank) Joomla! authentication response
-	 *
-	 * @return  AuthenticationResponse
-	 *
-	 * @since   4.0.0
-	 */
-	public static function getAuthenticationResponseObject(): AuthenticationResponse
-	{
-		// Force the class auto-loader to load the JAuthentication class
-		JLoader::import('joomla.user.authentication');
-		class_exists('Joomla\\CMS\\Authentication\\Authentication', true);
-
-		return new AuthenticationResponse;
-	}
-
-	/**
-	 * Are we inside an administrator page?
-	 *
-	 * @param   CMSApplication  $app  The current CMS application which tells us if we are inside
-	 *                                an admin page
-	 *
-	 * @return  boolean
-	 *
-	 * @throws  Exception
-	 *
-	 * @since   4.0.0
-	 */
-	public static function isAdminPage(CMSApplication $app = null): bool
-	{
-		if (\is_null(self::$isAdmin))
-		{
-			if (\is_null($app))
-			{
-				$app = Factory::getApplication();
-			}
-
-			self::$isAdmin = $app->isClient('administrator');
-		}
-
-		return self::$isAdmin;
-	}
-
-	/**
-	 * Have Joomla! process a login failure
-	 *
-	 * @param   AuthenticationResponse  $response    The Joomla! auth response object
-	 * @param   AbstractApplication     $app         The application we are running in. Skip to
-	 *                                               auto-detect (recommended).
-	 * @param   string                  $logContext  Logging context (plugin name). Default:
-	 *                                               system.
-	 *
-	 * @return  boolean
-	 *
-	 * @throws  Exception
-	 *
-	 * @since   4.0.0
-	 */
-	public static function processLoginFailure(AuthenticationResponse $response,
-		AbstractApplication $app = null,
-		string $logContext = 'system'
-	)
-	{
-		// Import the user plugin group.
-		PluginHelper::importPlugin('user');
-
-		if (!\is_object($app))
-		{
-			$app = Factory::getApplication();
-		}
-
-		// Trigger onUserLoginFailure Event.
-		self::log($logContext, "Calling onUserLoginFailure plugin event");
-		/** @var CMSApplication $app */
-		$app->triggerEvent('onUserLoginFailure', [(array) $response]);
-
-		// If status is success, any error will have been raised by the user plugin
-		$expectedStatus = Authentication::STATUS_SUCCESS;
-
-		if ($response->status !== $expectedStatus)
-		{
-			self::log($logContext, "The login failure has been logged in Joomla's error log");
-
-			// Everything logged in the 'jerror' category ends up being enqueued in the application message queue.
-			// phpcs:ignore
-			Log::add($response->error_message, Log::WARNING, 'jerror');
-		}
-		else
-		{
-			$message = "The login failure was caused by a third party user plugin but it did not " .
-				"return any further information. Good luck figuring this one out...";
-			self::log($logContext, $message, Log::WARNING);
-		}
-
-		return false;
-	}
-
-	/**
-	 * Writes a log message to the debug log
-	 *
-	 * @param   string  $plugin    The Social Login plugin which generated this log message
-	 * @param   string  $message   The message to write to the log
-	 * @param   int     $priority  Log message priority, default is Log::DEBUG
-	 *
-	 * @return  void
-	 *
-	 * @since   4.0.0
-	 */
-	public static function log(string $plugin, string $message, $priority = Log::DEBUG): void
-	{
-		Log::add($message, $priority, 'webauthn.' . $plugin);
-	}
-
-	/**
-	 * Format a date for display.
-	 *
-	 * The $tzAware parameter defines whether the formatted date will be timezone-aware. If set to
-	 * false the formatted date will be rendered in the UTC timezone. If set to true the code will
-	 * automatically try to use the logged in user's timezone or, if none is set, the site's
-	 * default timezone (Server Timezone). If set to a positive integer the same thing will happen
-	 * but for the specified user ID instead of the currently logged in user.
-	 *
-	 * @param   string|DateTime  $date      The date to format
-	 * @param   string           $format    The format string, default is Joomla's DATE_FORMAT_LC6
-	 *                                      (usually "Y-m-d H:i:s")
-	 * @param   bool|int         $tzAware   Should the format be timezone aware? See notes above.
-	 *
-	 * @return  string
-	 *
-	 * @since   4.0.0
-	 */
-	public static function formatDate($date, ?string $format = null, bool $tzAware = true): string
-	{
-		$utcTimeZone = new DateTimeZone('UTC');
-		$jDate       = new Date($date, $utcTimeZone);
-
-		// Which timezone should I use?
-		$tz = null;
-
-		if ($tzAware !== false)
-		{
-			$userId = \is_bool($tzAware) ? null : (int) $tzAware;
-
-			try
-			{
-				/** @var CMSApplication $app */
-				$app       = Factory::getApplication();
-				$tzDefault = $app->get('offset');
-			}
-			catch (Exception $e)
-			{
-				$tzDefault = 'GMT';
-			}
-
-			/** @var User $user */
-			if (empty($userId))
-			{
-				$user = $app->getIdentity();
-			}
-			else
-			{
-				$user = Factory::getContainer()->get(UserFactoryInterface::class)->loadUserById($userId);
-			}
-
-			$tz   = $user->getParam('timezone', $tzDefault);
-		}
-
-		if (!empty($tz))
-		{
-			try
-			{
-				$userTimeZone = new DateTimeZone($tz);
-
-				$jDate->setTimezone($userTimeZone);
-			}
-			catch (Exception $e)
-			{
-				// Nothing. Fall back to UTC.
-			}
-		}
-
-		if (empty($format))
-		{
-			$format = Text::_('DATE_FORMAT_LC6');
-		}
-
-		return $jDate->format($format, true);
-	}
-
-	/**
-	 * Returns the current Joomla document type.
-	 *
-	 * The error catching is necessary because the application document object or even the
-	 * application object itself may have not yet been initialized. For example, a system plugin
-	 * running inside a custom application object which does not create a document object or which
-	 * does not go through Joomla's Factory to create the application object. In practice these are
-	 * CLI and custom web applications used for maintenance and third party service callbacks. They
-	 * end up loading the system plugins but either don't go through Factory or at least don't
-	 * create a document object.
-	 *
-	 * @return  string
-	 *
-	 * @since   4.0.0
-	 */
-	public static function getDocumentType(): string
-	{
-		if (\is_null(self::$joomlaDocumentType))
-		{
-			try
-			{
-				/** @var CMSApplication $app */
-				$app      = Factory::getApplication();
-				$document = $app->getDocument();
-			}
-			catch (Exception $e)
-			{
-				$document = null;
-			}
-
-			self::$joomlaDocumentType = (\is_null($document)) ? 'error' : $document->getType();
-		}
-
-		return self::$joomlaDocumentType;
-	}
-}
diff --git a/plugins/system/webauthn/src/PluginTraits/AdditionalLoginButtons.php b/plugins/system/webauthn/src/PluginTraits/AdditionalLoginButtons.php
index 42efc2565fd21..33cf643724553 100644
--- a/plugins/system/webauthn/src/PluginTraits/AdditionalLoginButtons.php
+++ b/plugins/system/webauthn/src/PluginTraits/AdditionalLoginButtons.php
@@ -1,10 +1,10 @@
 <?php
 /**
- * @package     Joomla.Plugin
- * @subpackage  System.Webauthn
+ * @package         Joomla.Plugin
+ * @subpackage      System.Webauthn
  *
  * @copyright   (C) 2020 Open Source Matters, Inc. <https://www.joomla.org>
- * @license     GNU General Public License version 2 or later; see LICENSE.txt
+ * @license         GNU General Public License version 2 or later; see LICENSE.txt
  */
 
 namespace Joomla\Plugin\System\Webauthn\PluginTraits;
@@ -13,13 +13,14 @@
 \defined('_JEXEC') or die();
 
 use Exception;
-use Joomla\CMS\Factory;
+use Joomla\CMS\Application\CMSApplication;
+use Joomla\CMS\Document\HtmlDocument;
 use Joomla\CMS\Helper\AuthenticationHelper;
 use Joomla\CMS\HTML\HTMLHelper;
 use Joomla\CMS\Language\Text;
 use Joomla\CMS\Uri\Uri;
 use Joomla\CMS\User\UserHelper;
-use Joomla\Plugin\System\Webauthn\Helper\Joomla;
+use Joomla\Event\Event;
 
 /**
  * Inserts Webauthn buttons into login modules
@@ -29,7 +30,8 @@
 trait AdditionalLoginButtons
 {
 	/**
-	 * Do I need to I inject buttons? Automatically detected (i.e. disabled if I'm already logged in).
+	 * Do I need to inject buttons? Automatically detected (i.e. disabled if I'm already logged
+	 * in).
 	 *
 	 * @var     boolean|null
 	 * @since   4.0.0
@@ -44,6 +46,57 @@ trait AdditionalLoginButtons
 	 */
 	private $injectedCSSandJS = false;
 
+	/**
+	 * Creates additional login buttons
+	 *
+	 * @param   Event  $event  The event we are handling
+	 *
+	 * @return  void
+	 *
+	 * @see     AuthenticationHelper::getLoginButtons()
+	 *
+	 * @since   4.0.0
+	 */
+	public function onUserLoginButtons(Event $event): void
+	{
+		/** @var string $form The HTML ID of the form we are enclosed in */
+		[$form] = $event->getArguments();
+
+		// If we determined we should not inject a button return early
+		if (!$this->mustDisplayButton())
+		{
+			return;
+		}
+
+		// Load necessary CSS and Javascript files
+		$this->addLoginCSSAndJavascript();
+
+		// Unique ID for this button (allows display of multiple modules on the page)
+		$randomId = 'plg_system_webauthn-' .
+			UserHelper::genRandomPassword(12) . '-' . UserHelper::genRandomPassword(8);
+
+		// Get local path to image
+		$image = HTMLHelper::_('image', 'plg_system_webauthn/webauthn.svg', '', '', true, true);
+
+		// If you can't find the image then skip it
+		$image = $image ? JPATH_ROOT . substr($image, \strlen(Uri::root(true))) : '';
+
+		// Extract image if it exists
+		$image = file_exists($image) ? file_get_contents($image) : '';
+
+		$this->returnFromEvent($event, [
+			[
+				'label'              => 'PLG_SYSTEM_WEBAUTHN_LOGIN_LABEL',
+				'tooltip'            => 'PLG_SYSTEM_WEBAUTHN_LOGIN_DESC',
+				'id'                 => $randomId,
+				'data-webauthn-form' => $form,
+				'svg'                => $image,
+				'class'              => 'plg_system_webauthn_login_button',
+			],
+			]
+		);
+	}
+
 	/**
 	 * Should I allow this plugin to add a WebAuthn login button?
 	 *
@@ -53,6 +106,24 @@ trait AdditionalLoginButtons
 	 */
 	private function mustDisplayButton(): bool
 	{
+		// We must have a valid application
+		if (!($this->app instanceof CMSApplication))
+		{
+			return false;
+		}
+
+		// This plugin only applies to the frontend and administrator applications
+		if (!$this->app->isClient('site') && !$this->app->isClient('administrator'))
+		{
+			return false;
+		}
+
+		// We must have a valid user
+		if (empty($this->app->getIdentity()))
+		{
+			return false;
+		}
+
 		if (\is_null($this->allowButtonDisplay))
 		{
 			$this->allowButtonDisplay = false;
@@ -60,35 +131,24 @@ private function mustDisplayButton(): bool
 			/**
 			 * Do not add a WebAuthn login button if we are already logged in
 			 */
-			try
-			{
-				if (!Factory::getApplication()->getIdentity()->guest)
-				{
-					return false;
-				}
-			}
-			catch (Exception $e)
+			if (!$this->app->getIdentity()->guest)
 			{
 				return false;
 			}
 
 			/**
-			 * Don't try to show a button if we can't figure out if this is a front- or backend page (it's probably a
-			 * CLI or custom application).
+			 * Only display a button on HTML output
 			 */
 			try
 			{
-				Joomla::isAdminPage();
+				$document = $this->app->getDocument();
 			}
 			catch (Exception $e)
 			{
-				return false;
+				$document = null;
 			}
 
-			/**
-			 * Only display a button on HTML output
-			 */
-			if (Joomla::getDocumentType() != 'html')
+			if (!($document instanceof HtmlDocument))
 			{
 				return false;
 			}
@@ -109,65 +169,6 @@ private function mustDisplayButton(): bool
 		return $this->allowButtonDisplay;
 	}
 
-	/**
-	 * Creates additional login buttons
-	 *
-	 * @param   string  $form             The HTML ID of the form we are enclosed in
-	 *
-	 * @return  array
-	 *
-	 * @throws  Exception
-	 *
-	 * @see AuthenticationHelper::getLoginButtons()
-	 *
-	 * @since   4.0.0
-	 */
-	public function onUserLoginButtons(string $form): array
-	{
-		// If we determined we should not inject a button return early
-		if (!$this->mustDisplayButton())
-		{
-			return [];
-		}
-
-		// Load the language files
-		$this->loadLanguage();
-
-		// Load necessary CSS and Javascript files
-		$this->addLoginCSSAndJavascript();
-
-		// Return URL
-		$uri = new Uri(Uri::base() . 'index.php');
-		$uri->setVar(Joomla::getToken(), '1');
-
-		// Unique ID for this button (allows display of multiple modules on the page)
-		$randomId = 'plg_system_webauthn-' . UserHelper::genRandomPassword(12) . '-' . UserHelper::genRandomPassword(8);
-
-		// Set up the JavaScript callback
-		$url = $uri->toString();
-
-		// Get local path to image
-		$image = HTMLHelper::_('image', 'plg_system_webauthn/webauthn.svg', '', '', true, true);
-
-		// If you can't find the image then skip it
-		$image = $image ? JPATH_ROOT . substr($image, \strlen(Uri::root(true))) : '';
-
-		// Extract image if it exists
-		$image = file_exists($image) ? file_get_contents($image) : '';
-
-		return [
-			[
-				'label'              => 'PLG_SYSTEM_WEBAUTHN_LOGIN_LABEL',
-				'tooltip'            => 'PLG_SYSTEM_WEBAUTHN_LOGIN_DESC',
-				'id'                 => $randomId,
-				'data-webauthn-form' => $form,
-				'data-webauthn-url'  => $url,
-				'svg'                => $image,
-				'class'              => 'plg_system_webauthn_login_button',
-			],
-		];
-	}
-
 	/**
 	 * Injects the WebAuthn CSS and Javascript for frontend logins, but only once per page load.
 	 *
@@ -186,7 +187,7 @@ private function addLoginCSSAndJavascript(): void
 		$this->injectedCSSandJS = true;
 
 		/** @var \Joomla\CMS\WebAsset\WebAssetManager $wa */
-		$wa = Factory::getApplication()->getDocument()->getWebAssetManager();
+		$wa = $this->app->getDocument()->getWebAssetManager();
 
 		if (!$wa->assetExists('style', 'plg_system_webauthn.button'))
 		{
@@ -207,7 +208,7 @@ private function addLoginCSSAndJavascript(): void
 		Text::script('PLG_SYSTEM_WEBAUTHN_ERR_INVALID_USERNAME');
 
 		// Store the current URL as the default return URL after login (or failure)
-		Joomla::setSessionVar('returnUrl', Uri::current(), 'plg_system_webauthn');
+		$this->app->getSession()->set('plg_system_webauthn.returnUrl', Uri::current());
 	}
 
 }
diff --git a/plugins/system/webauthn/src/PluginTraits/AjaxHandler.php b/plugins/system/webauthn/src/PluginTraits/AjaxHandler.php
index 5b81697b24aee..813caa834cd55 100644
--- a/plugins/system/webauthn/src/PluginTraits/AjaxHandler.php
+++ b/plugins/system/webauthn/src/PluginTraits/AjaxHandler.php
@@ -1,10 +1,10 @@
 <?php
 /**
- * @package     Joomla.Plugin
- * @subpackage  System.Webauthn
+ * @package         Joomla.Plugin
+ * @subpackage      System.Webauthn
  *
  * @copyright   (C) 2020 Open Source Matters, Inc. <https://www.joomla.org>
- * @license     GNU General Public License version 2 or later; see LICENSE.txt
+ * @license         GNU General Public License version 2 or later; see LICENSE.txt
  */
 
 namespace Joomla\Plugin\System\Webauthn\PluginTraits;
@@ -14,17 +14,17 @@
 
 use Exception;
 use Joomla\CMS\Application\CMSApplication;
-use Joomla\CMS\Factory;
+use Joomla\CMS\Event\GenericEvent;
 use Joomla\CMS\Language\Text;
 use Joomla\CMS\Log\Log;
 use Joomla\CMS\Uri\Uri;
+use Joomla\Event\Event;
 use Joomla\Plugin\System\Webauthn\Exception\AjaxNonCmsAppException;
-use Joomla\Plugin\System\Webauthn\Helper\Joomla;
 use RuntimeException;
 
 /**
- * Allows the plugin to handle AJAX requests in the backend of the site, where com_ajax is not available when we are not
- * logged in.
+ * Allows the plugin to handle AJAX requests in the backend of the site, where com_ajax is not
+ * available when we are not logged in.
  *
  * @since   4.0.0
  */
@@ -33,41 +33,37 @@ trait AjaxHandler
 	/**
 	 * Processes the callbacks from the passwordless login views.
 	 *
-	 * Note: this method is called from Joomla's com_ajax or, in the case of backend logins, through the special
-	 * onAfterInitialize handler we have created to work around com_ajax usage limitations in the backend.
+	 * Note: this method is called from Joomla's com_ajax or, in the case of backend logins,
+	 * through the special onAfterInitialize handler we have created to work around com_ajax usage
+	 * limitations in the backend.
+	 *
+	 * @param   Event  $event  The event we are handling
 	 *
 	 * @return  void
 	 *
 	 * @throws  Exception
-	 *
 	 * @since   4.0.0
 	 */
-	public function onAjaxWebauthn(): void
+	public function onAjaxWebauthn(Event $event): void
 	{
-		// Load the language files
-		$this->loadLanguage();
-
-		/** @var CMSApplication $app */
-		$app   = Factory::getApplication();
-		$input = $app->input;
+		$input = $this->app->input;
 
 		// Get the return URL from the session
-		$returnURL = Joomla::getSessionVar('returnUrl', Uri::base(), 'plg_system_webauthn');
-		$result = null;
+		$returnURL = $this->app->getSession()->get('plg_system_webauthn.returnUrl', Uri::base());
+		$result    = null;
 
 		try
 		{
-			Joomla::log('system', "Received AJAX callback.");
+			Log::add("Received AJAX callback.", Log::DEBUG, 'webauthn.system');
 
-			if (!($app instanceof CMSApplication))
+			if (!($this->app instanceof CMSApplication))
 			{
 				throw new AjaxNonCmsAppException;
 			}
 
 			$akaction = $input->getCmd('akaction');
-			$token    = Joomla::getToken();
 
-			if ($input->getInt($token, 0) != 1)
+			if (!$this->app->checkToken('request'))
 			{
 				throw new RuntimeException(Text::_('JERROR_ALERTNOAUTHOR'));
 			}
@@ -80,31 +76,26 @@ public function onAjaxWebauthn(): void
 
 			// Call the plugin event onAjaxWebauthnSomething where Something is the akaction param.
 			$eventName = 'onAjaxWebauthn' . ucfirst($akaction);
-
-			$results = $app->triggerEvent($eventName, []);
-
-			foreach ($results as $r)
+			$event     = new GenericEvent($eventName, []);
+			$result    = $this->app->getDispatcher()->dispatch($eventName, $event);
+			$results   = !isset($result['result']) || \is_null($result['result']) ? [] : $result['result'];
+			$result    = null;
+			$reducer   = function ($carry, $result)
 			{
-				if (\is_null($r))
-				{
-					continue;
-				}
-
-				$result = $r;
-
-				break;
-			}
+				return $carry ?? $result;
+			};
+			$result    = array_reduce($results, $reducer, null);
 		}
 		catch (AjaxNonCmsAppException $e)
 		{
-			Joomla::log('system', "This is not a CMS application", Log::NOTICE);
+			Log::add("This is not a CMS application", Log::NOTICE, 'webauthn.system');
 		}
 		catch (Exception $e)
 		{
-			Joomla::log('system', "Callback failure, redirecting to $returnURL.");
-			Joomla::setSessionVar('returnUrl', null, 'plg_system_webauthn');
-			$app->enqueueMessage($e->getMessage(), 'error');
-			$app->redirect($returnURL);
+			Log::add("Callback failure, redirecting to $returnURL.", Log::DEBUG, 'webauthn.system');
+			$this->app->getSession()->set('plg_system_webauthn.returnUrl', null);
+			$this->app->enqueueMessage($e->getMessage(), 'error');
+			$this->app->redirect($returnURL);
 
 			return;
 		}
@@ -114,13 +105,13 @@ public function onAjaxWebauthn(): void
 			switch ($input->getCmd('encoding', 'json'))
 			{
 				case 'jsonhash':
-					Joomla::log('system', "Callback complete, returning JSON inside ### markers.");
+					Log::add("Callback complete, returning JSON inside ### markers.", Log::DEBUG, 'webauthn.system');
 					echo '###' . json_encode($result) . '###';
 
 					break;
 
 				case 'raw':
-					Joomla::log('system', "Callback complete, returning raw response.");
+					Log::add("Callback complete, returning raw response.", Log::DEBUG, 'webauthn.system');
 					echo $result;
 
 					break;
@@ -131,35 +122,35 @@ public function onAjaxWebauthn(): void
 					if (isset($result['message']))
 					{
 						$type = $result['type'] ?? 'info';
-						$app->enqueueMessage($result['message'], $type);
+						$this->app->enqueueMessage($result['message'], $type);
 
 						$modifiers = " and setting a system message of type $type";
 					}
 
 					if (isset($result['url']))
 					{
-						Joomla::log('system', "Callback complete, performing redirection to {$result['url']}{$modifiers}.");
-						$app->redirect($result['url']);
+						Log::add("Callback complete, performing redirection to {$result['url']}{$modifiers}.", Log::DEBUG, 'webauthn.system');
+						$this->app->redirect($result['url']);
 					}
 
-					Joomla::log('system', "Callback complete, performing redirection to {$result}{$modifiers}.");
-					$app->redirect($result);
+					Log::add("Callback complete, performing redirection to {$result}{$modifiers}.", Log::DEBUG, 'webauthn.system');
+					$this->app->redirect($result);
 
 					return;
 
 				default:
-					Joomla::log('system', "Callback complete, returning JSON.");
+					Log::add("Callback complete, returning JSON.", Log::DEBUG, 'webauthn.system');
 					echo json_encode($result);
 
 					break;
 			}
 
-			$app->close(200);
+			$this->app->close(200);
 		}
 
-		Joomla::log('system', "Null response from AJAX callback, redirecting to $returnURL");
-		Joomla::setSessionVar('returnUrl', null, 'plg_system_webauthn');
+		Log::add("Null response from AJAX callback, redirecting to $returnURL", Log::DEBUG, 'webauthn.system');
+		$this->app->getSession()->set('plg_system_webauthn.returnUrl', null);
 
-		$app->redirect($returnURL);
+		$this->app->redirect($returnURL);
 	}
 }
diff --git a/plugins/system/webauthn/src/PluginTraits/AjaxHandlerChallenge.php b/plugins/system/webauthn/src/PluginTraits/AjaxHandlerChallenge.php
index 7123ee46a0d61..131bb9c165cc7 100644
--- a/plugins/system/webauthn/src/PluginTraits/AjaxHandlerChallenge.php
+++ b/plugins/system/webauthn/src/PluginTraits/AjaxHandlerChallenge.php
@@ -13,17 +13,13 @@
 \defined('_JEXEC') or die();
 
 use Exception;
-use Joomla\CMS\Application\CMSApplication;
 use Joomla\CMS\Factory;
 use Joomla\CMS\Uri\Uri;
+use Joomla\CMS\User\User;
+use Joomla\CMS\User\UserFactoryInterface;
 use Joomla\CMS\User\UserHelper;
-use Joomla\Plugin\System\Webauthn\CredentialRepository;
-use Joomla\Plugin\System\Webauthn\Helper\Joomla;
-use Throwable;
-use Webauthn\AuthenticationExtensions\AuthenticationExtensionsClientInputs;
-use Webauthn\PublicKeyCredentialRequestOptions;
-use Webauthn\PublicKeyCredentialSource;
-use Webauthn\PublicKeyCredentialUserEntity;
+use Joomla\Event\Event;
+use Joomla\Plugin\System\Webauthn\Authentication;
 
 /**
  * Ajax handler for akaction=challenge
@@ -39,27 +35,23 @@ trait AjaxHandlerChallenge
 	 * Returns the public key set for the user and a unique challenge in a Public Key Credential Request encoded as
 	 * JSON.
 	 *
-	 * @return  string  A JSON-encoded object or JSON-encoded false if the username is invalid or no credentials stored
+	 * @param   Event  $event  The event we are handling
 	 *
-	 * @throws  Exception
+	 * @return void A JSON-encoded object or JSON-encoded false if the username is invalid or no credentials stored
 	 *
+	 * @throws Exception
 	 * @since   4.0.0
 	 */
-	public function onAjaxWebauthnChallenge()
+	public function onAjaxWebauthnChallenge(Event $event): void
 	{
-		// Load the language files
-		$this->loadLanguage();
-
 		// Initialize objects
-		/** @var CMSApplication $app */
-		$app        = Factory::getApplication();
-		$input      = $app->input;
-		$repository = new CredentialRepository;
+		$session    = $this->app->getSession();
+		$input      = $this->app->input;
 
 		// Retrieve data from the request
 		$username  = $input->getUsername('username', '');
 		$returnUrl = base64_encode(
-			Joomla::getSessionVar('returnUrl', Uri::current(), 'plg_system_webauthn')
+			$session->get('plg_system_webauthn.returnUrl', Uri::current())
 		);
 		$returnUrl = $input->getBase64('returnUrl', $returnUrl);
 		$returnUrl = base64_decode($returnUrl);
@@ -71,12 +63,14 @@ public function onAjaxWebauthnChallenge()
 			$returnUrl = Uri::base();
 		}
 
-		Joomla::setSessionVar('returnUrl', $returnUrl, 'plg_system_webauthn');
+		$session->set('plg_system_webauthn.returnUrl', $returnUrl);
 
 		// Do I have a username?
 		if (empty($username))
 		{
-			return json_encode(false);
+			$this->returnFromEvent($event, false);
+
+			return;
 		}
 
 		// Is the username valid?
@@ -91,73 +85,32 @@ public function onAjaxWebauthnChallenge()
 
 		if ($userId <= 0)
 		{
-			return json_encode(false);
+			$this->returnFromEvent($event, false);
+
+			return;
 		}
 
-		// Load the saved credentials into an array of PublicKeyCredentialDescriptor objects
 		try
 		{
-			$userEntity  = new PublicKeyCredentialUserEntity(
-				'', $repository->getHandleFromUserId($userId), ''
-			);
-			$credentials = $repository->findAllForUserEntity($userEntity);
+			$myUser = Factory::getContainer()->get(UserFactoryInterface::class)->loadUserById($userId);
 		}
 		catch (Exception $e)
 		{
-			return json_encode(false);
+			$myUser = new User;
 		}
 
-		// No stored credentials?
-		if (empty($credentials))
+		if ($myUser->id != $userId || $myUser->guest)
 		{
-			return json_encode(false);
-		}
-
-		$registeredPublicKeyCredentialDescriptors = [];
+			$this->returnFromEvent($event, false);
 
-		/** @var PublicKeyCredentialSource $record */
-		foreach ($credentials as $record)
-		{
-			try
-			{
-				$registeredPublicKeyCredentialDescriptors[] = $record->getPublicKeyCredentialDescriptor();
-			}
-			catch (Throwable $e)
-			{
-				continue;
-			}
+			return;
 		}
 
-		// Extensions
-		$extensions = new AuthenticationExtensionsClientInputs;
-
-		// Public Key Credential Request Options
-		$publicKeyCredentialRequestOptions = new PublicKeyCredentialRequestOptions(
-			random_bytes(32),
-			60000,
-			Uri::getInstance()->toString(['host']),
-			$registeredPublicKeyCredentialDescriptors,
-			PublicKeyCredentialRequestOptions::USER_VERIFICATION_REQUIREMENT_PREFERRED,
-			$extensions
-		);
+		$publicKeyCredentialRequestOptions = Authentication::getPubkeyRequestOptions($myUser);
 
-		// Save in session. This is used during the verification stage to prevent replay attacks.
-		Joomla::setSessionVar(
-			'publicKeyCredentialRequestOptions',
-			base64_encode(serialize($publicKeyCredentialRequestOptions)),
-			'plg_system_webauthn'
-		);
-		Joomla::setSessionVar(
-			'userHandle',
-			$repository->getHandleFromUserId($userId),
-			'plg_system_webauthn'
-		);
-		Joomla::setSessionVar('userId', $userId, 'plg_system_webauthn');
+		$session->set('plg_system_webauthn.userId', $userId);
 
 		// Return the JSON encoded data to the caller
-		return json_encode(
-			$publicKeyCredentialRequestOptions,
-			JSON_UNESCAPED_SLASHES | JSON_UNESCAPED_UNICODE
-		);
+		$this->returnFromEvent($event, json_encode($publicKeyCredentialRequestOptions, JSON_UNESCAPED_SLASHES | JSON_UNESCAPED_UNICODE));
 	}
 }
diff --git a/plugins/system/webauthn/src/PluginTraits/AjaxHandlerCreate.php b/plugins/system/webauthn/src/PluginTraits/AjaxHandlerCreate.php
index 06934e2561ba0..41cad346239ba 100644
--- a/plugins/system/webauthn/src/PluginTraits/AjaxHandlerCreate.php
+++ b/plugins/system/webauthn/src/PluginTraits/AjaxHandlerCreate.php
@@ -13,13 +13,13 @@
 \defined('_JEXEC') or die();
 
 use Exception;
-use Joomla\CMS\Application\CMSApplication;
 use Joomla\CMS\Factory;
 use Joomla\CMS\Language\Text;
+use Joomla\CMS\Layout\FileLayout;
 use Joomla\CMS\User\UserFactoryInterface;
+use Joomla\Event\Event;
+use Joomla\Plugin\System\Webauthn\Authentication;
 use Joomla\Plugin\System\Webauthn\CredentialRepository;
-use Joomla\Plugin\System\Webauthn\Helper\CredentialsCreation;
-use Joomla\Plugin\System\Webauthn\Helper\Joomla;
 use RuntimeException;
 use Webauthn\PublicKeyCredentialSource;
 
@@ -35,17 +35,15 @@ trait AjaxHandlerCreate
 	/**
 	 * Handle the callback to add a new WebAuthn authenticator
 	 *
-	 * @return  string
+	 * @param   Event  $event  The event we are handling
 	 *
-	 * @throws  Exception
+	 * @return  void
 	 *
+	 * @throws  Exception
 	 * @since   4.0.0
 	 */
-	public function onAjaxWebauthnCreate(): string
+	public function onAjaxWebauthnCreate(Event $event): void
 	{
-		// Load the language files
-		$this->loadLanguage();
-
 		/**
 		 * Fundamental sanity check: this callback is only allowed after a Public Key has been created server-side and
 		 * the user it was created for matches the current user.
@@ -55,7 +53,8 @@ public function onAjaxWebauthnCreate(): string
 		 * someone else's Webauthn configuration thus mitigating a major privacy and security risk. So, please, DO NOT
 		 * remove this sanity check!
 		 */
-		$storedUserId = Joomla::getSessionVar('registration_user_id', 0, 'plg_system_webauthn');
+		$session = $this->app->getSession();
+		$storedUserId = $session->get('plg_system_webauthn.registration_user_id', 0);
 		$thatUser     = empty($storedUserId) ?
 			Factory::getApplication()->getIdentity() :
 			Factory::getContainer()->get(UserFactoryInterface::class)->loadUserById($storedUserId);
@@ -64,8 +63,8 @@ public function onAjaxWebauthnCreate(): string
 		if ($thatUser->guest || ($thatUser->id != $myUser->id))
 		{
 			// Unset the session variables used for registering authenticators (security precaution).
-			Joomla::unsetSessionVar('registration_user_id', 'plg_system_webauthn');
-			Joomla::unsetSessionVar('publicKeyCredentialCreationOptions', 'plg_system_webauthn');
+			$session->set('plg_system_webauthn.registration_user_id', null);
+			$session->set('plg_system_webauthn.publicKeyCredentialCreationOptions', null);
 
 			// Politely tell the presumed hacker trying to abuse this callback to go away.
 			throw new RuntimeException(Text::_('PLG_SYSTEM_WEBAUTHN_ERR_CREATE_INVALID_USER'));
@@ -77,14 +76,12 @@ public function onAjaxWebauthnCreate(): string
 		// Try to validate the browser data. If there's an error I won't save anything and pass the message to the GUI.
 		try
 		{
-			/** @var CMSApplication $app */
-			$app   = Factory::getApplication();
-			$input = $app->input;
+			$input = $this->app->input;
 
 			// Retrieve the data sent by the device
 			$data = $input->get('data', '', 'raw');
 
-			$publicKeyCredentialSource = CredentialsCreation::validateAuthenticationData($data);
+			$publicKeyCredentialSource = Authentication::validateAttestationResponse($data);
 
 			if (!\is_object($publicKeyCredentialSource) || !($publicKeyCredentialSource instanceof PublicKeyCredentialSource))
 			{
@@ -100,8 +97,8 @@ public function onAjaxWebauthnCreate(): string
 		}
 
 		// Unset the session variables used for registering authenticators (security precaution).
-		Joomla::unsetSessionVar('registration_user_id', 'plg_system_webauthn');
-		Joomla::unsetSessionVar('publicKeyCredentialCreationOptions', 'plg_system_webauthn');
+		$session->set('plg_system_webauthn.registration_user_id', null);
+		$session->set('plg_system_webauthn.publicKeyCredentialCreationOptions', null);
 
 		// Render the GUI and return it
 		$layoutParameters = [
@@ -115,6 +112,8 @@ public function onAjaxWebauthnCreate(): string
 			$layoutParameters['error'] = $error;
 		}
 
-		return Joomla::renderLayout('plugins.system.webauthn.manage', $layoutParameters);
+		$layout = new FileLayout('plugins.system.webauthn.manage', JPATH_SITE . '/plugins/system/webauthn/layout');
+
+		$this->returnFromEvent($event, $layout->render($layoutParameters));
 	}
 }
diff --git a/plugins/system/webauthn/src/PluginTraits/AjaxHandlerDelete.php b/plugins/system/webauthn/src/PluginTraits/AjaxHandlerDelete.php
index 6bf7264be4d9f..d24eb4185f801 100644
--- a/plugins/system/webauthn/src/PluginTraits/AjaxHandlerDelete.php
+++ b/plugins/system/webauthn/src/PluginTraits/AjaxHandlerDelete.php
@@ -13,8 +13,8 @@
 \defined('_JEXEC') or die();
 
 use Exception;
-use Joomla\CMS\Application\CMSApplication;
-use Joomla\CMS\Factory;
+use Joomla\CMS\User\User;
+use Joomla\Event\Event;
 use Joomla\Plugin\System\Webauthn\CredentialRepository;
 
 /**
@@ -29,20 +29,15 @@ trait AjaxHandlerDelete
 	/**
 	 * Handle the callback to remove an authenticator
 	 *
-	 * @return  boolean
-	 * @throws  Exception
+	 * @param   Event  $event  The event we are handling
 	 *
+	 * @return  void
 	 * @since   4.0.0
 	 */
-	public function onAjaxWebauthnDelete(): bool
+	public function onAjaxWebauthnDelete(Event $event): void
 	{
-		// Load the language files
-		$this->loadLanguage();
-
 		// Initialize objects
-		/** @var CMSApplication $app */
-		$app        = Factory::getApplication();
-		$input      = $app->input;
+		$input      = $this->app->input;
 		$repository = new CredentialRepository;
 
 		// Retrieve data from the request
@@ -51,30 +46,39 @@ public function onAjaxWebauthnDelete(): bool
 		// Is this a valid credential?
 		if (empty($credentialId))
 		{
-			return false;
+			$this->returnFromEvent($event, false);
+
+			return;
 		}
 
 		$credentialId = base64_decode($credentialId);
 
 		if (empty($credentialId) || !$repository->has($credentialId))
 		{
-			return false;
+			$this->returnFromEvent($event, false);
+
+			return;
 		}
 
 		// Make sure I am editing my own key
 		try
 		{
+			$user             = $this->app->getIdentity() ?? new User;
 			$credentialHandle = $repository->getUserHandleFor($credentialId);
-			$myHandle         = $repository->getHandleFromUserId($app->getIdentity()->id);
+			$myHandle         = $repository->getHandleFromUserId($user->id);
 		}
 		catch (Exception $e)
 		{
-			return false;
+			$this->returnFromEvent($event, false);
+
+			return;
 		}
 
 		if ($credentialHandle !== $myHandle)
 		{
-			return false;
+			$this->returnFromEvent($event, false);
+
+			return;
 		}
 
 		// Delete the record
@@ -84,9 +88,11 @@ public function onAjaxWebauthnDelete(): bool
 		}
 		catch (Exception $e)
 		{
-			return false;
+			$this->returnFromEvent($event, false);
+
+			return;
 		}
 
-		return true;
+		$this->returnFromEvent($event, true);
 	}
 }
diff --git a/plugins/system/webauthn/src/PluginTraits/AjaxHandlerLogin.php b/plugins/system/webauthn/src/PluginTraits/AjaxHandlerLogin.php
index ec6093af09c85..d88d7f4ff88c9 100644
--- a/plugins/system/webauthn/src/PluginTraits/AjaxHandlerLogin.php
+++ b/plugins/system/webauthn/src/PluginTraits/AjaxHandlerLogin.php
@@ -12,39 +12,22 @@
 // Protect from unauthorized access
 \defined('_JEXEC') or die();
 
-use CBOR\Decoder;
-use CBOR\OtherObject\OtherObjectManager;
-use CBOR\Tag\TagObjectManager;
-use Cose\Algorithm\Manager;
-use Cose\Algorithm\Signature\ECDSA;
-use Cose\Algorithm\Signature\EdDSA;
-use Cose\Algorithm\Signature\RSA;
 use Exception;
-use Joomla\CMS\Application\CMSApplication;
 use Joomla\CMS\Authentication\Authentication;
+use Joomla\CMS\Authentication\AuthenticationResponse;
+use Joomla\CMS\Event\GenericEvent;
 use Joomla\CMS\Factory;
 use Joomla\CMS\Language\Text;
 use Joomla\CMS\Log\Log;
+use Joomla\CMS\Plugin\PluginHelper;
 use Joomla\CMS\Uri\Uri;
+use Joomla\CMS\User\User;
 use Joomla\CMS\User\UserFactoryInterface;
+use Joomla\Event\Event;
+use Joomla\Plugin\System\Webauthn\Authentication as CredentialsAuthentication;
 use Joomla\Plugin\System\Webauthn\CredentialRepository;
-use Joomla\Plugin\System\Webauthn\Helper\Joomla;
-use Laminas\Diactoros\ServerRequestFactory;
 use RuntimeException;
 use Throwable;
-use Webauthn\AttestationStatement\AndroidKeyAttestationStatementSupport;
-use Webauthn\AttestationStatement\AttestationObjectLoader;
-use Webauthn\AttestationStatement\AttestationStatementSupportManager;
-use Webauthn\AttestationStatement\FidoU2FAttestationStatementSupport;
-use Webauthn\AttestationStatement\NoneAttestationStatementSupport;
-use Webauthn\AttestationStatement\PackedAttestationStatementSupport;
-use Webauthn\AttestationStatement\TPMAttestationStatementSupport;
-use Webauthn\AuthenticationExtensions\ExtensionOutputCheckerHandler;
-use Webauthn\AuthenticatorAssertionResponse;
-use Webauthn\AuthenticatorAssertionResponseValidator;
-use Webauthn\PublicKeyCredentialLoader;
-use Webauthn\PublicKeyCredentialRequestOptions;
-use Webauthn\TokenBinding\TokenBindingNotSupportedHandler;
 
 /**
  * Ajax handler for akaction=login
@@ -59,56 +42,91 @@ trait AjaxHandlerLogin
 	 * Returns the public key set for the user and a unique challenge in a Public Key Credential Request encoded as
 	 * JSON.
 	 *
+	 * @param   Event  $event  The event we are handling
+	 *
 	 * @return  void
 	 *
 	 * @throws  Exception
 	 * @since   4.0.0
 	 */
-	public function onAjaxWebauthnLogin(): void
+	public function onAjaxWebauthnLogin(Event $event): void
 	{
-		// Load the language files
-		$this->loadLanguage();
-
-		$returnUrl = Joomla::getSessionVar('returnUrl', Uri::base(), 'plg_system_webauthn');
-		$userId    = Joomla::getSessionVar('userId', 0, 'plg_system_webauthn');
+		$session   = $this->app->getSession();
+		$returnUrl = $session->get('plg_system_webauthn.returnUrl', Uri::base());
+		$userId    = $session->get('plg_system_webauthn.userId', 0);
 
 		try
 		{
-			// Sanity check
+			$credentialRepository = new CredentialRepository;
+
+			// No user ID: no username was provided and the resident credential refers to an unknown user handle. DIE!
 			if (empty($userId))
 			{
+				Log::add('Cannot determine the user ID', Log::NOTICE, 'webauthn.system');
+
 				throw new RuntimeException(Text::_('PLG_SYSTEM_WEBAUTHN_ERR_CREATE_INVALID_LOGIN_REQUEST'));
 			}
 
-			// Make sure the user exists
+			// Do I have a valid user?
 			$user = Factory::getContainer()->get(UserFactoryInterface::class)->loadUserById($userId);
 
 			if ($user->id != $userId)
 			{
+				$message = sprintf('User #%d does not exist', $userId);
+				Log::add($message, Log::NOTICE, 'webauthn.system');
+
 				throw new RuntimeException(Text::_('PLG_SYSTEM_WEBAUTHN_ERR_CREATE_INVALID_LOGIN_REQUEST'));
 			}
 
-			// Validate the authenticator response
-			$this->validateResponse();
+			// Validate the authenticator response and get the user handle
+			$userHandle           = $this->getUserHandleFromResponse($user);
+
+			if (is_null($userHandle))
+			{
+				Log::add('Cannot retrieve the user handle from the request; the browser did not assert our request.', Log::NOTICE, 'webauthn.system');
+
+				throw new RuntimeException(Text::_('PLG_SYSTEM_WEBAUTHN_ERR_CREATE_INVALID_LOGIN_REQUEST'));
+			}
+
+			// Does the user handle match the user ID? This should never trigger by definition of the login check.
+			$validUserHandle = $credentialRepository->getHandleFromUserId($userId);
+
+			if ($userHandle != $validUserHandle)
+			{
+				$message = sprintf('Invalid user handle; expected %s, got %s', $validUserHandle, $userHandle);
+				Log::add($message, Log::NOTICE, 'webauthn.system');
+
+				throw new RuntimeException(Text::_('PLG_SYSTEM_WEBAUTHN_ERR_CREATE_INVALID_LOGIN_REQUEST'));
+			}
+
+			// Make sure the user exists
+			$user = Factory::getContainer()->get(UserFactoryInterface::class)->loadUserById($userId);
+
+			if ($user->id != $userId)
+			{
+				$message = sprintf('Invalid user ID; expected %d, got %d', $userId, $user->id);
+				Log::add($message, Log::NOTICE, 'webauthn.system');
+
+				throw new RuntimeException(Text::_('PLG_SYSTEM_WEBAUTHN_ERR_CREATE_INVALID_LOGIN_REQUEST'));
+			}
 
 			// Login the user
-			Joomla::log('system', "Logging in the user", Log::INFO);
-			Joomla::loginUser((int) $userId);
+			Log::add("Logging in the user", Log::INFO, 'webauthn.system');
+			$this->loginUser((int) $userId);
 		}
 		catch (Throwable $e)
 		{
-			Joomla::setSessionVar('publicKeyCredentialRequestOptions', null, 'plg_system_webauthn');
-			Joomla::setSessionVar('userHandle', null, 'plg_system_webauthn');
+			$session->set('plg_system_webauthn.publicKeyCredentialRequestOptions', null);
 
-			$response                = Joomla::getAuthenticationResponseObject();
+			$response                = $this->getAuthenticationResponseObject();
 			$response->status        = Authentication::STATUS_UNKNOWN;
 			// phpcs:ignore
 			$response->error_message = $e->getMessage();
 
-			Joomla::log('system', sprintf("Received login failure. Message: %s", $e->getMessage()), Log::ERROR);
+			Log::add(sprintf("Received login failure. Message: %s", $e->getMessage()), Log::ERROR, 'webauthn.system');
 
 			// This also enqueues the login failure message for display after redirection. Look for JLog in that method.
-			Joomla::processLoginFailure($response, null, 'system');
+			$this->processLoginFailure($response, null, 'system');
 		}
 		finally
 		{
@@ -118,153 +136,195 @@ public function onAjaxWebauthnLogin(): void
 			 */
 
 			// Remove temporary information for security reasons
-			Joomla::setSessionVar('publicKeyCredentialRequestOptions', null, 'plg_system_webauthn');
-			Joomla::setSessionVar('userHandle', null, 'plg_system_webauthn');
-			Joomla::setSessionVar('returnUrl', null, 'plg_system_webauthn');
-			Joomla::setSessionVar('userId', null, 'plg_system_webauthn');
+			$session->set('plg_system_webauthn.publicKeyCredentialRequestOptions', null);
+			$session->set('plg_system_webauthn.returnUrl', null);
+			$session->set('plg_system_webauthn.userId', null);
 
 			// Redirect back to the page we were before.
-			Factory::getApplication()->redirect($returnUrl);
+			$this->app->redirect($returnUrl);
 		}
 	}
 
 	/**
-	 * Validate the authenticator response sent to us by the browser.
+	 * Logs in a user to the site, bypassing the authentication plugins.
 	 *
-	 * @return  void
+	 * @param   int   $userId   The user ID to log in
 	 *
+	 * @return  void
 	 * @throws  Exception
-	 *
-	 * @since   4.0.0
+	 * @since   __DEPLOY_VERSION__
 	 */
-	private function validateResponse(): void
+	private function loginUser(int $userId): void
 	{
-		// Initialize objects
-		/** @var CMSApplication $app */
-		$app                  = Factory::getApplication();
-		$input                = $app->input;
-		$credentialRepository = new CredentialRepository;
+		// Trick the class auto-loader into loading the necessary classes
+		class_exists('Joomla\\CMS\\Authentication\\Authentication', true);
 
-		// Retrieve data from the request and session
-		$data = $input->getBase64('data', '');
-		$data = base64_decode($data);
+		// Fake a successful login message
+		$isAdmin = $this->app->isClient('administrator');
+		$user    = Factory::getContainer()->get(UserFactoryInterface::class)->loadUserById($userId);
 
-		if (empty($data))
+		// Does the user account have a pending activation?
+		if (!empty($user->activation))
 		{
-			throw new RuntimeException(Text::_('PLG_SYSTEM_WEBAUTHN_ERR_CREATE_INVALID_LOGIN_REQUEST'));
+			throw new RuntimeException(Text::_('JGLOBAL_AUTH_ACCESS_DENIED'));
 		}
 
-		$publicKeyCredentialRequestOptions = $this->getPKCredentialRequestOptions();
-
-		// Cose Algorithm Manager
-		$coseAlgorithmManager = new Manager;
-		$coseAlgorithmManager->add(new ECDSA\ES256);
-		$coseAlgorithmManager->add(new ECDSA\ES512);
-		$coseAlgorithmManager->add(new EdDSA\EdDSA);
-		$coseAlgorithmManager->add(new RSA\RS1);
-		$coseAlgorithmManager->add(new RSA\RS256);
-		$coseAlgorithmManager->add(new RSA\RS512);
-
-		// Create a CBOR Decoder object
-		$otherObjectManager = new OtherObjectManager;
-		$tagObjectManager   = new TagObjectManager;
-		$decoder            = new Decoder($tagObjectManager, $otherObjectManager);
-
-		// Attestation Statement Support Manager
-		$attestationStatementSupportManager = new AttestationStatementSupportManager;
-		$attestationStatementSupportManager->add(new NoneAttestationStatementSupport);
-		$attestationStatementSupportManager->add(new FidoU2FAttestationStatementSupport($decoder));
-
-		/*
-		$attestationStatementSupportManager->add(
-			new AndroidSafetyNetAttestationStatementSupport(
-				HttpFactory::getHttp(), 'GOOGLE_SAFETYNET_API_KEY', new RequestFactory
-			)
-		);
-		*/
-		$attestationStatementSupportManager->add(new AndroidKeyAttestationStatementSupport($decoder));
-		$attestationStatementSupportManager->add(new TPMAttestationStatementSupport);
-		$attestationStatementSupportManager->add(new PackedAttestationStatementSupport($decoder, $coseAlgorithmManager));
-
-		// Attestation Object Loader
-		$attestationObjectLoader = new AttestationObjectLoader($attestationStatementSupportManager, $decoder);
-
-		// Public Key Credential Loader
-		$publicKeyCredentialLoader = new PublicKeyCredentialLoader($attestationObjectLoader, $decoder);
-
-		// The token binding handler
-		$tokenBindingHandler = new TokenBindingNotSupportedHandler;
-
-		// Extension Output Checker Handler
-		$extensionOutputCheckerHandler = new ExtensionOutputCheckerHandler;
-
-		// Authenticator Assertion Response Validator
-		$authenticatorAssertionResponseValidator = new AuthenticatorAssertionResponseValidator(
-			$credentialRepository,
-			$decoder,
-			$tokenBindingHandler,
-			$extensionOutputCheckerHandler,
-			$coseAlgorithmManager
-		);
+		// Is the user account blocked?
+		if ($user->block)
+		{
+			throw new RuntimeException(Text::_('JGLOBAL_AUTH_ACCESS_DENIED'));
+		}
 
-		// We init the Symfony Request object
-		$request = ServerRequestFactory::fromGlobals();
+		$statusSuccess = Authentication::STATUS_SUCCESS;
 
-		// Load the data
-		$publicKeyCredential = $publicKeyCredentialLoader->load($data);
-		$response            = $publicKeyCredential->getResponse();
+		$response                = $this->getAuthenticationResponseObject();
+		$response->status        = $statusSuccess;
+		$response->username      = $user->username;
+		$response->fullname      = $user->name;
+		// phpcs:ignore
+		$response->error_message = '';
+		$response->language      = $user->getParam('language');
+		$response->type          = 'Passwordless';
 
-		// Check if the response is an Authenticator Assertion Response
-		if (!$response instanceof AuthenticatorAssertionResponse)
+		if ($isAdmin)
 		{
-			throw new RuntimeException('Not an authenticator assertion response');
+			$response->language = $user->getParam('admin_language');
 		}
 
-		// Check the response against the attestation request
-		$userHandle = Joomla::getSessionVar('userHandle', null, 'plg_system_webauthn');
-		/** @var AuthenticatorAssertionResponse $authenticatorAssertionResponse */
-		$authenticatorAssertionResponse = $publicKeyCredential->getResponse();
-		$authenticatorAssertionResponseValidator->check(
-			$publicKeyCredential->getRawId(),
-			$authenticatorAssertionResponse,
-			$publicKeyCredentialRequestOptions,
-			$request,
-			$userHandle
-		);
+		/**
+		 * Set up the login options.
+		 *
+		 * The 'remember' element forces the use of the Remember Me feature when logging in with Webauthn, as the
+		 * users would expect.
+		 *
+		 * The 'action' element is actually required by plg_user_joomla. It is the core ACL action the logged in user
+		 * must be allowed for the login to succeed. Please note that front-end and back-end logins use a different
+		 * action. This allows us to provide the WebAuthn button on both front- and back-end and be sure that if a
+		 * used with no backend access tries to use it to log in Joomla! will just slap him with an error message about
+		 * insufficient privileges - the same thing that'd happen if you tried to use your front-end only username and
+		 * password in a back-end login form.
+		 */
+		$options = [
+			'remember' => true,
+			'action'   => 'core.login.site',
+		];
+
+		if ($isAdmin)
+		{
+			$options['action'] = 'core.login.admin';
+		}
+
+		// Run the user plugins. They CAN block login by returning boolean false and setting $response->error_message.
+		PluginHelper::importPlugin('user');
+		$event   = new GenericEvent('onUserLogin', [(array) $response, $options]);
+		$result  = $this->app->getDispatcher()->dispatch($event->getName(), $event);
+		$results = !isset($result['result']) || \is_null($result['result']) ? [] : $result['result'];
+
+		// If there is no boolean FALSE result from any plugin the login is successful.
+		if (in_array(false, $results, true) === false)
+		{
+			// Set the user in the session, letting Joomla! know that we are logged in.
+			$this->app->getSession()->set('user', $user);
+
+			// Trigger the onUserAfterLogin event
+			$options['user']         = $user;
+			$options['responseType'] = $response->type;
+
+			// The user is successfully logged in. Run the after login events
+			$event = new GenericEvent('onUserAfterLogin', [$options]);
+			$this->app->getDispatcher()->dispatch($event->getName(), $event);
+
+			return;
+		}
+
+		// If we are here the plugins marked a login failure. Trigger the onUserLoginFailure Event.
+		$event = new GenericEvent('onUserLoginFailure', [(array) $response]);
+		$this->app->getDispatcher()->dispatch($event->getName(), $event);
+
+		// Log the failure
+		// phpcs:ignore
+		Log::add($response->error_message, Log::WARNING, 'jerror');
+
+		// Throw an exception to let the caller know that the login failed
+		// phpcs:ignore
+		throw new RuntimeException($response->error_message);
 	}
 
 	/**
-	 * Retrieve the public key credential request options saved in the session. If they do not exist or are corrupt it
-	 * is a hacking attempt and we politely tell the hacker to go away.
+	 * Returns a (blank) Joomla! authentication response
 	 *
-	 * @return  PublicKeyCredentialRequestOptions
+	 * @return  AuthenticationResponse
 	 *
-	 * @since   4.0.0
+	 * @since   __DEPLOY_VERSION__
 	 */
-	private function getPKCredentialRequestOptions(): PublicKeyCredentialRequestOptions
+	private function getAuthenticationResponseObject(): AuthenticationResponse
 	{
-		$encodedOptions = Joomla::getSessionVar('publicKeyCredentialRequestOptions', null, 'plg_system_webauthn');
+		// Force the class auto-loader to load the JAuthentication class
+		class_exists('Joomla\\CMS\\Authentication\\Authentication', true);
 
-		if (empty($encodedOptions))
-		{
-			throw new RuntimeException(Text::_('PLG_SYSTEM_WEBAUTHN_ERR_CREATE_INVALID_LOGIN_REQUEST'));
-		}
+		return new AuthenticationResponse;
+	}
 
-		try
+	/**
+	 * Have Joomla! process a login failure
+	 *
+	 * @param   AuthenticationResponse   $response   The Joomla! auth response object
+	 *
+	 * @return  boolean
+	 *
+	 * @since   __DEPLOY_VERSION__
+	 */
+	private function processLoginFailure(AuthenticationResponse $response): bool
+	{
+		// Import the user plugin group.
+		PluginHelper::importPlugin('user');
+
+		// Trigger onUserLoginFailure Event.
+		Log::add('Calling onUserLoginFailure plugin event', Log::INFO, 'plg_system_webauthn');
+
+		$event = new GenericEvent('onUserLoginFailure', [(array) $response]);
+		$this->app->getDispatcher()->dispatch($event->getName(), $event);
+
+		// If status is success, any error will have been raised by the user plugin
+		$expectedStatus = Authentication::STATUS_SUCCESS;
+
+		if ($response->status !== $expectedStatus)
 		{
-			$publicKeyCredentialCreationOptions = unserialize(base64_decode($encodedOptions));
+			Log::add('The login failure has been logged in Joomla\'s error log', Log::INFO, 'webauthn.system');
+
+			// Everything logged in the 'jerror' category ends up being enqueued in the application message queue.
+			// phpcs:ignore
+			Log::add($response->error_message, Log::WARNING, 'jerror');
 		}
-		catch (Exception $e)
+		else
 		{
-			throw new RuntimeException(Text::_('PLG_SYSTEM_WEBAUTHN_ERR_CREATE_INVALID_LOGIN_REQUEST'));
+			$message = 'A login failure was caused by a third party user plugin but it did not return any' .
+				'further information.';
+			Log::add($message, Log::WARNING, 'webauthn.system');
 		}
 
-		if (!\is_object($publicKeyCredentialCreationOptions)
-			|| !($publicKeyCredentialCreationOptions instanceof PublicKeyCredentialRequestOptions))
-		{
-			throw new RuntimeException(Text::_('PLG_SYSTEM_WEBAUTHN_ERR_CREATE_INVALID_LOGIN_REQUEST'));
-		}
+		return false;
+	}
+
+	/**
+	 * Validate the authenticator response sent to us by the browser.
+	 *
+	 * @param   User  $user  The user we are trying to log in.
+	 *
+	 * @return  string|null  The user handle or null
+	 *
+	 * @throws  Exception
+	 * @since   __DEPLOY_VERSION__
+	 */
+	private function getUserHandleFromResponse(User $user): ?string
+	{
+		// Retrieve data from the request and session
+		$pubKeyCredentialSource = CredentialsAuthentication::validateAssertionResponse(
+			$this->app->input->getBase64('data', ''),
+			$user
+		);
 
-		return $publicKeyCredentialCreationOptions;
+		return $pubKeyCredentialSource ? $pubKeyCredentialSource->getUserHandle() : null;
 	}
+
 }
diff --git a/plugins/system/webauthn/src/PluginTraits/AjaxHandlerSaveLabel.php b/plugins/system/webauthn/src/PluginTraits/AjaxHandlerSaveLabel.php
index b2fae9ac359f4..8b3725a7a92cd 100644
--- a/plugins/system/webauthn/src/PluginTraits/AjaxHandlerSaveLabel.php
+++ b/plugins/system/webauthn/src/PluginTraits/AjaxHandlerSaveLabel.php
@@ -13,8 +13,8 @@
 \defined('_JEXEC') or die();
 
 use Exception;
-use Joomla\CMS\Application\CMSApplication;
-use Joomla\CMS\Factory;
+use Joomla\CMS\User\User;
+use Joomla\Event\Event;
 use Joomla\Plugin\System\Webauthn\CredentialRepository;
 
 /**
@@ -29,18 +29,17 @@ trait AjaxHandlerSaveLabel
 	/**
 	 * Handle the callback to rename an authenticator
 	 *
-	 * @return  boolean
+	 * @param   Event  $event  The event we are handling
 	 *
-	 * @throws  Exception
+	 * @return  void
 	 *
+	 * @throws  Exception
 	 * @since   4.0.0
 	 */
-	public function onAjaxWebauthnSavelabel(): bool
+	public function onAjaxWebauthnSavelabel(Event $event): void
 	{
 		// Initialize objects
-		/** @var CMSApplication $app */
-		$app        = Factory::getApplication();
-		$input      = $app->input;
+		$input      = $this->app->input;
 		$repository = new CredentialRepository;
 
 		// Retrieve data from the request
@@ -50,36 +49,47 @@ public function onAjaxWebauthnSavelabel(): bool
 		// Is this a valid credential?
 		if (empty($credentialId))
 		{
-			return false;
+			$this->returnFromEvent($event, false);
+
+			return;
 		}
 
 		$credentialId = base64_decode($credentialId);
 
 		if (empty($credentialId) || !$repository->has($credentialId))
 		{
-			return false;
+			$this->returnFromEvent($event, false);
+
+			return;
 		}
 
 		// Make sure I am editing my own key
 		try
 		{
 			$credentialHandle = $repository->getUserHandleFor($credentialId);
-			$myHandle         = $repository->getHandleFromUserId($app->getIdentity()->id);
+			$user             = $this->app->getIdentity() ?? new User;
+			$myHandle         = $repository->getHandleFromUserId($user->id);
 		}
 		catch (Exception $e)
 		{
-			return false;
+			$this->returnFromEvent($event, false);
+
+			return;
 		}
 
 		if ($credentialHandle !== $myHandle)
 		{
-			return false;
+			$this->returnFromEvent($event, false);
+
+			return;
 		}
 
 		// Make sure the new label is not empty
 		if (empty($newLabel))
 		{
-			return false;
+			$this->returnFromEvent($event, false);
+
+			return;
 		}
 
 		// Save the new label
@@ -89,9 +99,11 @@ public function onAjaxWebauthnSavelabel(): bool
 		}
 		catch (Exception $e)
 		{
-			return false;
+			$this->returnFromEvent($event, false);
+
+			return;
 		}
 
-		return true;
+		$this->returnFromEvent($event, true);
 	}
 }
diff --git a/plugins/system/webauthn/src/PluginTraits/EventReturnAware.php b/plugins/system/webauthn/src/PluginTraits/EventReturnAware.php
new file mode 100644
index 0000000000000..c9e193d959ca4
--- /dev/null
+++ b/plugins/system/webauthn/src/PluginTraits/EventReturnAware.php
@@ -0,0 +1,40 @@
+<?php
+/**
+ * @package         Joomla.Plugin
+ * @subpackage      System.Webauthn
+ *
+ * @copyright   (C) 2022 Open Source Matters, Inc. <https://www.joomla.org>
+ * @license         GNU General Public License version 2 or later; see LICENSE.txt
+ */
+
+namespace Joomla\Plugin\System\Webauthn\PluginTraits;
+
+defined('_JEXEC') or die();
+
+use Joomla\Event\Event;
+
+trait EventReturnAware
+{
+	/**
+	 * Adds a result value to an event
+	 *
+	 * @param   Event   $event  The event we were processing
+	 * @param   mixed   $value  The value to append to the event's results
+	 *
+	 * @return  void
+	 * @since   __DEPLOY_VERSION__
+	 */
+	private function returnFromEvent(Event $event, $value = null): void
+	{
+		$result = $event->getArgument('result') ?: [];
+
+		if (!is_array($result))
+		{
+			$result = [$result];
+		}
+
+		$result[] = $value;
+
+		$event->setArgument('result', $result);
+	}
+}
diff --git a/plugins/system/webauthn/src/PluginTraits/UserDeletion.php b/plugins/system/webauthn/src/PluginTraits/UserDeletion.php
index 24708deafa3c8..ae36c7dd38388 100644
--- a/plugins/system/webauthn/src/PluginTraits/UserDeletion.php
+++ b/plugins/system/webauthn/src/PluginTraits/UserDeletion.php
@@ -14,8 +14,9 @@
 
 use Exception;
 use Joomla\CMS\Factory;
+use Joomla\CMS\Log\Log;
 use Joomla\Database\DatabaseDriver;
-use Joomla\Plugin\System\Webauthn\Helper\Joomla;
+use Joomla\Event\Event;
 use Joomla\Utilities\ArrayHelper;
 
 /**
@@ -30,28 +31,31 @@ trait UserDeletion
 	 *
 	 * This method is called after user data is deleted from the database.
 	 *
-	 * @param   array   $user     Holds the user data
-	 * @param   bool    $success  True if user was successfully stored in the database
-	 * @param   string  $msg      Message
+	 * @param   Event  $event  The event we are handling
 	 *
 	 * @return  void
 	 *
-	 * @throws  Exception
-	 *
 	 * @since   4.0.0
 	 */
-	public function onUserAfterDelete(array $user, bool $success, ?string $msg): void
+	public function onUserAfterDelete(Event $event): void
 	{
+		/**
+		 * @var   array       $user    Holds the user data
+		 * @var   bool        $success True if user was successfully stored in the database
+		 * @var   string|null $msg     Message
+		 */
+		[$user, $success, $msg] = $event->getArguments();
+
 		if (!$success)
 		{
-			return;
+			$this->returnFromEvent($event, true);
 		}
 
 		$userId = ArrayHelper::getValue($user, 'id', 0, 'int');
 
 		if ($userId)
 		{
-			Joomla::log('system', "Removing WebAuthn Passwordless Login information for deleted user #{$userId}");
+			Log::add("Removing WebAuthn Passwordless Login information for deleted user #{$userId}", Log::DEBUG, 'webauthn.system');
 
 			/** @var DatabaseDriver $db */
 			$db = Factory::getContainer()->get('DatabaseDriver');
@@ -61,7 +65,16 @@ public function onUserAfterDelete(array $user, bool $success, ?string $msg): voi
 				->where($db->qn('user_id') . ' = :userId')
 				->bind(':userId', $userId);
 
-			$db->setQuery($query)->execute();
+			try
+			{
+				$db->setQuery($query)->execute();
+			}
+			catch (Exception $e)
+			{
+				// Don't worry if this fails
+			}
+
+			$this->returnFromEvent($event, true);
 		}
 	}
 }
diff --git a/plugins/system/webauthn/src/PluginTraits/UserProfileFields.php b/plugins/system/webauthn/src/PluginTraits/UserProfileFields.php
index 3b7d192751db3..b073c2bf8a8f5 100644
--- a/plugins/system/webauthn/src/PluginTraits/UserProfileFields.php
+++ b/plugins/system/webauthn/src/PluginTraits/UserProfileFields.php
@@ -1,10 +1,10 @@
 <?php
 /**
- * @package     Joomla.Plugin
- * @subpackage  System.Webauthn
+ * @package         Joomla.Plugin
+ * @subpackage      System.Webauthn
  *
  * @copyright   (C) 2020 Open Source Matters, Inc. <https://www.joomla.org>
- * @license     GNU General Public License version 2 or later; see LICENSE.txt
+ * @license         GNU General Public License version 2 or later; see LICENSE.txt
  */
 
 namespace Joomla\Plugin\System\Webauthn\PluginTraits;
@@ -17,11 +17,12 @@
 use Joomla\CMS\Form\Form;
 use Joomla\CMS\HTML\HTMLHelper;
 use Joomla\CMS\Language\Text;
+use Joomla\CMS\Log\Log;
 use Joomla\CMS\Uri\Uri;
 use Joomla\CMS\User\User;
 use Joomla\CMS\User\UserFactoryInterface;
+use Joomla\Event\Event;
 use Joomla\Plugin\System\Webauthn\CredentialRepository;
-use Joomla\Plugin\System\Webauthn\Helper\Joomla;
 use Joomla\Registry\Registry;
 
 /**
@@ -59,6 +60,7 @@ trait UserProfileFields
 	 *                         stored value. We only use it as a proxy to render a sub-form.
 	 *
 	 * @return  string
+	 * @since   4.0.0
 	 */
 	public static function renderWebauthnProfileField($value): string
 	{
@@ -70,7 +72,8 @@ public static function renderWebauthnProfileField($value): string
 		$credentialRepository = new CredentialRepository;
 		$credentials          = $credentialRepository->getAll(self::$userFromFormData->id);
 		$authenticators       = array_map(
-			function (array $credential) {
+			function (array $credential)
+			{
 				return $credential['label'];
 			},
 			$credentials
@@ -82,32 +85,36 @@ function (array $credential) {
 	/**
 	 * Adds additional fields to the user editing form
 	 *
-	 * @param   Form   $form  The form to be altered.
-	 * @param   mixed  $data  The associated data for the form.
+	 * @param   Event  $event  The event we are handling
 	 *
-	 * @return  boolean
+	 * @return  void
 	 *
 	 * @throws  Exception
-	 *
 	 * @since   4.0.0
 	 */
-	public function onContentPrepareForm(Form $form, $data)
+	public function onContentPrepareForm(Event $event)
 	{
+		/**
+		 * @var   Form  $form The form to be altered.
+		 * @var   mixed $data The associated data for the form.
+		 */
+		[$form, $data] = $event->getArguments();
+
 		// This feature only applies to HTTPS sites.
 		if (!Uri::getInstance()->isSsl())
 		{
-			return true;
+			return;
 		}
 
 		$name = $form->getName();
 
 		$allowedForms = [
-			'com_users.user', 'com_users.profile', 'com_users.registration',
+			'com_admin.profile', 'com_users.user', 'com_users.profile', 'com_users.registration',
 		];
 
 		if (!\in_array($name, $allowedForms))
 		{
-			return true;
+			return;
 		}
 
 		// Get the user object
@@ -116,25 +123,49 @@ public function onContentPrepareForm(Form $form, $data)
 		// Make sure the loaded user is the correct one
 		if (\is_null($user))
 		{
-			return true;
+			return;
 		}
 
 		// Make sure I am either editing myself OR I am a Super User
-		if (!Joomla::canEditUser($user))
+		if (!$this->canEditUser($user))
 		{
-			return true;
+			return;
 		}
 
 		// Add the fields to the form.
-		Joomla::log(
-			'system',
-			'Injecting WebAuthn Passwordless Login fields in user profile edit page'
-		);
+		Log::add('Injecting WebAuthn Passwordless Login fields in user profile edit page', Log::DEBUG, 'webauthn.system');
+
 		Form::addFormPath(JPATH_PLUGINS . '/' . $this->_type . '/' . $this->_name . '/forms');
-		$this->loadLanguage();
 		$form->loadFile('webauthn', false);
+	}
+
+	/**
+	 * @param   Event  $event  The event we are handling
+	 *
+	 * @return  void
+	 *
+	 * @throws  Exception
+	 * @since   4.0.0
+	 */
+	public function onContentPrepareData(Event $event): void
+	{
+		/**
+		 * @var   string|null        $context  The context for the data
+		 * @var   array|object|null  $data     An object or array containing the data for the form.
+		 */
+		[$context, $data] = $event->getArguments();
+
+		if (!\in_array($context, ['com_users.profile', 'com_users.user']))
+		{
+			return;
+		}
+
+		self::$userFromFormData = $this->getUserFromData($data);
 
-		return true;
+		if (!HTMLHelper::isRegistered('users.webauthnWebauthn'))
+		{
+			HTMLHelper::register('users.webauthn', [__CLASS__, 'renderWebauthnProfileField']);
+		}
 	}
 
 	/**
@@ -178,27 +209,28 @@ private function getUserFromData($data): ?User
 	}
 
 	/**
-	 * @param   string|null        $context  The context for the data
-	 * @param   array|object|null  $data     An object or array containing the data for the form.
+	 * Is the current user allowed to edit the WebAuthn configuration of $user?
 	 *
-	 * @return  bool
+	 * To do so I must either be editing my own account OR I have to be a Super User.
 	 *
-	 * @since   4.0.0
+	 * @param   ?User   $user   The user you want to know if we're allowed to edit
+	 *
+	 * @return  boolean
+	 *
+	 * @since   __DEPLOY_VERSION__
 	 */
-	public function onContentPrepareData(?string $context, $data): bool
+	private function canEditUser(?User $user = null): bool
 	{
-		if (!\in_array($context, ['com_users.profile', 'com_users.user']))
+		// I can edit myself, but Guests can't have passwordless logins associated
+		if (empty($user) || $user->guest)
 		{
 			return true;
 		}
 
-		self::$userFromFormData = $this->getUserFromData($data);
-
-		if (!HTMLHelper::isRegistered('users.webauthnWebauthn'))
-		{
-			HTMLHelper::register('users.webauthn', [__CLASS__, 'renderWebauthnProfileField']);
-		}
+		// Get the currently logged in used
+		$myUser = $this->app->getIdentity() ?? new User;
 
-		return true;
+		// I can edit myself. If I'm a Super user I can edit other users too.
+		return ($myUser->id == $user->id) || $myUser->authorise('core.admin');
 	}
 }
diff --git a/plugins/system/webauthn/webauthn.php b/plugins/system/webauthn/webauthn.php
deleted file mode 100644
index 758c923ab5924..0000000000000
--- a/plugins/system/webauthn/webauthn.php
+++ /dev/null
@@ -1,78 +0,0 @@
-<?php
-/**
- * @package     Joomla.Plugin
- * @subpackage  System.Webauthn
- *
- * @copyright   (C) 2020 Open Source Matters, Inc. <https://www.joomla.org>
- * @license     GNU General Public License version 2 or later; see LICENSE.txt
- */
-
-// Protect from unauthorized access
-defined('_JEXEC') or die();
-
-use Joomla\CMS\Plugin\CMSPlugin;
-use Joomla\Event\DispatcherInterface;
-use Joomla\Plugin\System\Webauthn\Helper\Joomla;
-use Joomla\Plugin\System\Webauthn\PluginTraits\AdditionalLoginButtons;
-use Joomla\Plugin\System\Webauthn\PluginTraits\AjaxHandler;
-use Joomla\Plugin\System\Webauthn\PluginTraits\AjaxHandlerChallenge;
-use Joomla\Plugin\System\Webauthn\PluginTraits\AjaxHandlerCreate;
-use Joomla\Plugin\System\Webauthn\PluginTraits\AjaxHandlerDelete;
-use Joomla\Plugin\System\Webauthn\PluginTraits\AjaxHandlerLogin;
-use Joomla\Plugin\System\Webauthn\PluginTraits\AjaxHandlerSaveLabel;
-use Joomla\Plugin\System\Webauthn\PluginTraits\UserDeletion;
-use Joomla\Plugin\System\Webauthn\PluginTraits\UserProfileFields;
-
-/**
- * WebAuthn Passwordless Login plugin
- *
- * The plugin features are broken down into Traits for the sole purpose of making an otherwise supermassive class
- * somewhat manageable. You can find the Traits inside the Webauthn/PluginTraits folder.
- *
- * @since  4.0.0
- */
-class PlgSystemWebauthn extends CMSPlugin
-{
-	// AJAX request handlers
-	use AjaxHandler;
-	use AjaxHandlerCreate;
-	use AjaxHandlerSaveLabel;
-	use AjaxHandlerDelete;
-	use AjaxHandlerChallenge;
-	use AjaxHandlerLogin;
-
-	// Custom user profile fields
-	use UserProfileFields;
-
-	// Handle user profile deletion
-	use UserDeletion;
-
-	// Add WebAuthn buttons
-	use AdditionalLoginButtons;
-
-	/**
-	 * Constructor. Loads the language files as well.
-	 *
-	 * @param   DispatcherInterface  $subject  The object to observe
-	 * @param   array                $config   An optional associative array of configuration
-	 *                                         settings. Recognized key values include 'name',
-	 *                                         'group', 'params', 'language (this list is not meant
-	 *                                         to be comprehensive).
-	 *
-	 * @since  4.0.0
-	 */
-	public function __construct(&$subject, array $config = [])
-	{
-		parent::__construct($subject, $config);
-
-		/**
-		 * Note: Do NOT try to load the language in the constructor. This is called before Joomla initializes the
-		 * application language. Therefore the temporary Joomla language object and all loaded strings in it will be
-		 * destroyed on application initialization. As a result we need to call loadLanguage() in each method
-		 * individually, even though all methods make use of language strings.
-		 */
-
-		// Register a debug log file writer
-		Joomla::addLogger('system');
-	}
-}
diff --git a/plugins/system/webauthn/webauthn.xml b/plugins/system/webauthn/webauthn.xml
index 36aac9222ffdc..17256f54d4155 100644
--- a/plugins/system/webauthn/webauthn.xml
+++ b/plugins/system/webauthn/webauthn.xml
@@ -11,8 +11,8 @@
 	<description>PLG_SYSTEM_WEBAUTHN_DESCRIPTION</description>
 	<namespace path="src">Joomla\Plugin\System\Webauthn</namespace>
 	<files>
-		<filename plugin="webauthn">webauthn.php</filename>
 		<folder>forms</folder>
+		<folder plugin="webauthn">services</folder>
 		<folder>src</folder>
 	</files>
 	<languages>
diff --git a/tests/Unit/Libraries/Cms/Uri/UriTest.php b/tests/Unit/Libraries/Cms/Uri/UriTest.php
index 50c360d332fed..f6eb0bbd03585 100644
--- a/tests/Unit/Libraries/Cms/Uri/UriTest.php
+++ b/tests/Unit/Libraries/Cms/Uri/UriTest.php
@@ -19,7 +19,7 @@
  * @subpackage  Uri
  * @since       1.7.0
  */
-class JUriTest extends UnitTestCase
+class UriTest extends UnitTestCase
 {
 	/**
 	 * @var    Uri
@@ -440,4 +440,4 @@ public function testIsInternalWithBackslashInUser(): void
 			'http://someuser\@www.example.com:80 should NOT be internal'
 		);
 	}
-}
\ No newline at end of file
+}