diff --git a/.github/whitelist-capital-letters.txt b/.github/whitelist-capital-letters.txt
index 17047f4333..a2ed46ce99 100644
--- a/.github/whitelist-capital-letters.txt
+++ b/.github/whitelist-capital-letters.txt
@@ -2,10 +2,7 @@
 ./apps/browser/src/safari/desktop/Assets.xcassets/AccentColor.colorset
 ./apps/browser/src/safari/desktop/Assets.xcassets/AppIcon.appiconset
 ./apps/browser/src/safari/desktop/Base.lproj
-./apps/browser/src/services/vaultTimeout
 ./apps/browser/store/windows/Assets
-./libs/common/src/abstractions/vaultTimeout
-./libs/common/src/services/vaultTimeout
 ./bitwarden_license/README.md
 ./libs/angular/src/directives/cipherListVirtualScroll.directive.ts
 ./libs/angular/src/scss/webfonts/Open_Sans-italic-700.woff
@@ -25,11 +22,7 @@
 ./libs/common/src/misc/linkedFieldOption.decorator.ts
 ./libs/common/src/misc/serviceUtils.ts
 ./libs/common/src/misc/serviceUtils.spec.ts
-./libs/common/src/abstractions/vaultTimeout/vaultTimeoutSettings.service.ts
-./libs/common/src/abstractions/vaultTimeout/vaultTimeout.service.ts
 ./libs/common/src/abstractions/anonymousHub.service.ts
-./libs/common/src/services/vaultTimeout/vaultTimeoutSettings.service.ts
-./libs/common/src/services/vaultTimeout/vaultTimeout.service.ts
 ./libs/common/src/services/anonymousHub.service.ts
 ./libs/auth/README.md
 ./README.md
@@ -78,5 +71,4 @@
 ./apps/browser/src/safari/safari/SafariWebExtensionHandler.swift
 ./apps/browser/src/safari/safari/Info.plist
 ./apps/browser/src/safari/desktop.xcodeproj/project.xcworkspace/xcshareddata/IDEWorkspaceChecks.plist
-./apps/browser/src/services/vaultTimeout/vaultTimeout.service.ts
 ./SECURITY.md
diff --git a/apps/browser/src/_locales/en/messages.json b/apps/browser/src/_locales/en/messages.json
index 400e75dd1b..6de09d355a 100644
--- a/apps/browser/src/_locales/en/messages.json
+++ b/apps/browser/src/_locales/en/messages.json
@@ -338,6 +338,9 @@
   "other": {
     "message": "Other"
   },
+  "unlockMethodNeededToChangeTimeoutActionDesc": {
+    "message": "Set up an unlock method to change your vault timeout action."
+  },
   "rateExtension": {
     "message": "Rate the extension"
   },
@@ -1602,6 +1605,12 @@
   "biometricsNotSupportedDesc": {
     "message": "Browser biometrics is not supported on this device."
   },
+  "biometricsFailedTitle": {
+    "message": "Biometrics failed"
+  },
+  "biometricsFailedDesc": {
+    "message": "Biometrics cannot be completed, consider using a master password or logging out. If this persists, please contact Bitwarden support."
+  },
   "nativeMessaginPermissionErrorTitle": {
     "message": "Permission not provided"
   },
@@ -2143,8 +2152,8 @@
   "notificationSentDevice": {
     "message": "A notification has been sent to your device."
   },
-  "logInInitiated": {
-    "message": "Log in initiated"
+  "loginInitiated": {
+    "message": "Login initiated"
   },
   "exposedMasterPassword": {
     "message": "Exposed Master Password"
@@ -2230,6 +2239,31 @@
   "opensInANewWindow": {
     "message": "Opens in a new window"
   },
+  "deviceApprovalRequired": {
+    "message": "Device approval required. Select an approval option below:"
+  },
+  "rememberThisDevice": {
+    "message": "Remember this device"
+  },
+  "uncheckIfPublicDevice": {
+    "message": "Uncheck if using a public device"
+  },
+  "approveFromYourOtherDevice": {
+    "message": "Approve from your other device"
+  },
+  "requestAdminApproval": {
+    "message": "Request admin approval"
+  },
+  "approveWithMasterPassword": {
+    "message": "Approve with master password"
+  },
+  "ssoIdentifierRequired": {
+    "message": "Organization SSO identifier is required."
+  },
+  "eu": {
+    "message": "EU",
+    "description": "European Union"
+  },
   "usDomain": {
     "message": "bitwarden.com"
   },
@@ -2244,5 +2278,29 @@
   },
   "display": {
     "message": "Display"
+  },
+  "accountSuccessfullyCreated": {
+    "message": "Account successfully created!"
+  },
+  "adminApprovalRequested": {
+    "message": "Admin approval requested"
+  },
+  "adminApprovalRequestSentToAdmins": {
+    "message": "Your request has been sent to your admin."
+  },
+  "youWillBeNotifiedOnceApproved": {
+    "message": "You will be notified once approved."
+  },
+  "troubleLoggingIn": {
+    "message": "Trouble logging in?"
+  },
+  "loginApproved": {
+    "message": "Login approved"
+  },
+  "userEmailMissing": {
+    "message": "User email missing"
+  },
+  "deviceTrusted": {
+    "message": "Device trusted"
   }
 }
diff --git a/apps/browser/src/auth/background/service-factories/auth-request-crypto-service.factory.ts b/apps/browser/src/auth/background/service-factories/auth-request-crypto-service.factory.ts
new file mode 100644
index 0000000000..e1757f9812
--- /dev/null
+++ b/apps/browser/src/auth/background/service-factories/auth-request-crypto-service.factory.ts
@@ -0,0 +1,29 @@
+import { AuthRequestCryptoServiceAbstraction } from "@bitwarden/common/auth/abstractions/auth-request-crypto.service.abstraction";
+import { AuthRequestCryptoServiceImplementation } from "@bitwarden/common/auth/services/auth-request-crypto.service.implementation";
+
+import {
+  CryptoServiceInitOptions,
+  cryptoServiceFactory,
+} from "../../../platform/background/service-factories/crypto-service.factory";
+import {
+  CachedServices,
+  FactoryOptions,
+  factory,
+} from "../../../platform/background/service-factories/factory-options";
+
+type AuthRequestCryptoServiceFactoryOptions = FactoryOptions;
+
+export type AuthRequestCryptoServiceInitOptions = AuthRequestCryptoServiceFactoryOptions &
+  CryptoServiceInitOptions;
+
+export function authRequestCryptoServiceFactory(
+  cache: { authRequestCryptoService?: AuthRequestCryptoServiceAbstraction } & CachedServices,
+  opts: AuthRequestCryptoServiceInitOptions
+): Promise<AuthRequestCryptoServiceAbstraction> {
+  return factory(
+    cache,
+    "authRequestCryptoService",
+    opts,
+    async () => new AuthRequestCryptoServiceImplementation(await cryptoServiceFactory(cache, opts))
+  );
+}
diff --git a/apps/browser/src/auth/background/service-factories/auth-service.factory.ts b/apps/browser/src/auth/background/service-factories/auth-service.factory.ts
index 5612cedb91..6aaeb47636 100644
--- a/apps/browser/src/auth/background/service-factories/auth-service.factory.ts
+++ b/apps/browser/src/auth/background/service-factories/auth-service.factory.ts
@@ -52,6 +52,14 @@ import {
   PasswordStrengthServiceInitOptions,
 } from "../../../tools/background/service_factories/password-strength-service.factory";
 
+import {
+  authRequestCryptoServiceFactory,
+  AuthRequestCryptoServiceInitOptions,
+} from "./auth-request-crypto-service.factory";
+import {
+  deviceTrustCryptoServiceFactory,
+  DeviceTrustCryptoServiceInitOptions,
+} from "./device-trust-crypto-service.factory";
 import {
   keyConnectorServiceFactory,
   KeyConnectorServiceInitOptions,
@@ -75,7 +83,9 @@ export type AuthServiceInitOptions = AuthServiceFactoyOptions &
   I18nServiceInitOptions &
   EncryptServiceInitOptions &
   PolicyServiceInitOptions &
-  PasswordStrengthServiceInitOptions;
+  PasswordStrengthServiceInitOptions &
+  DeviceTrustCryptoServiceInitOptions &
+  AuthRequestCryptoServiceInitOptions;
 
 export function authServiceFactory(
   cache: { authService?: AbstractAuthService } & CachedServices,
@@ -101,7 +111,9 @@ export function authServiceFactory(
         await i18nServiceFactory(cache, opts),
         await encryptServiceFactory(cache, opts),
         await passwordStrengthServiceFactory(cache, opts),
-        await policyServiceFactory(cache, opts)
+        await policyServiceFactory(cache, opts),
+        await deviceTrustCryptoServiceFactory(cache, opts),
+        await authRequestCryptoServiceFactory(cache, opts)
       )
   );
 }
diff --git a/apps/browser/src/auth/background/service-factories/device-trust-crypto-service.factory.ts b/apps/browser/src/auth/background/service-factories/device-trust-crypto-service.factory.ts
new file mode 100644
index 0000000000..430d50fea7
--- /dev/null
+++ b/apps/browser/src/auth/background/service-factories/device-trust-crypto-service.factory.ts
@@ -0,0 +1,74 @@
+import { DeviceTrustCryptoServiceAbstraction } from "@bitwarden/common/auth/abstractions/device-trust-crypto.service.abstraction";
+import { DeviceTrustCryptoService } from "@bitwarden/common/auth/services/device-trust-crypto.service.implementation";
+
+import {
+  DevicesApiServiceInitOptions,
+  devicesApiServiceFactory,
+} from "../../../background/service-factories/devices-api-service.factory";
+import {
+  AppIdServiceInitOptions,
+  appIdServiceFactory,
+} from "../../../platform/background/service-factories/app-id-service.factory";
+import {
+  CryptoFunctionServiceInitOptions,
+  cryptoFunctionServiceFactory,
+} from "../../../platform/background/service-factories/crypto-function-service.factory";
+import {
+  CryptoServiceInitOptions,
+  cryptoServiceFactory,
+} from "../../../platform/background/service-factories/crypto-service.factory";
+import {
+  EncryptServiceInitOptions,
+  encryptServiceFactory,
+} from "../../../platform/background/service-factories/encrypt-service.factory";
+import {
+  CachedServices,
+  FactoryOptions,
+  factory,
+} from "../../../platform/background/service-factories/factory-options";
+import {
+  I18nServiceInitOptions,
+  i18nServiceFactory,
+} from "../../../platform/background/service-factories/i18n-service.factory";
+import {
+  PlatformUtilsServiceInitOptions,
+  platformUtilsServiceFactory,
+} from "../../../platform/background/service-factories/platform-utils-service.factory";
+import {
+  StateServiceInitOptions,
+  stateServiceFactory,
+} from "../../../platform/background/service-factories/state-service.factory";
+
+type DeviceTrustCryptoServiceFactoryOptions = FactoryOptions;
+
+export type DeviceTrustCryptoServiceInitOptions = DeviceTrustCryptoServiceFactoryOptions &
+  CryptoFunctionServiceInitOptions &
+  CryptoServiceInitOptions &
+  EncryptServiceInitOptions &
+  StateServiceInitOptions &
+  AppIdServiceInitOptions &
+  DevicesApiServiceInitOptions &
+  I18nServiceInitOptions &
+  PlatformUtilsServiceInitOptions;
+
+export function deviceTrustCryptoServiceFactory(
+  cache: { deviceTrustCryptoService?: DeviceTrustCryptoServiceAbstraction } & CachedServices,
+  opts: DeviceTrustCryptoServiceInitOptions
+): Promise<DeviceTrustCryptoServiceAbstraction> {
+  return factory(
+    cache,
+    "deviceTrustCryptoService",
+    opts,
+    async () =>
+      new DeviceTrustCryptoService(
+        await cryptoFunctionServiceFactory(cache, opts),
+        await cryptoServiceFactory(cache, opts),
+        await encryptServiceFactory(cache, opts),
+        await stateServiceFactory(cache, opts),
+        await appIdServiceFactory(cache, opts),
+        await devicesApiServiceFactory(cache, opts),
+        await i18nServiceFactory(cache, opts),
+        await platformUtilsServiceFactory(cache, opts)
+      )
+  );
+}
diff --git a/apps/browser/src/auth/background/service-factories/user-verification-api-service.factory.ts b/apps/browser/src/auth/background/service-factories/user-verification-api-service.factory.ts
new file mode 100644
index 0000000000..01bfb0f13c
--- /dev/null
+++ b/apps/browser/src/auth/background/service-factories/user-verification-api-service.factory.ts
@@ -0,0 +1,29 @@
+import { UserVerificationApiServiceAbstraction } from "@bitwarden/common/auth/abstractions/user-verification/user-verification-api.service.abstraction";
+import { UserVerificationApiService } from "@bitwarden/common/auth/services/user-verification/user-verification-api.service";
+
+import {
+  ApiServiceInitOptions,
+  apiServiceFactory,
+} from "../../../platform/background/service-factories/api-service.factory";
+import {
+  FactoryOptions,
+  CachedServices,
+  factory,
+} from "../../../platform/background/service-factories/factory-options";
+
+type UserVerificationApiServiceFactoryOptions = FactoryOptions;
+
+export type UserVerificationApiServiceInitOptions = UserVerificationApiServiceFactoryOptions &
+  ApiServiceInitOptions;
+
+export function userVerificationApiServiceFactory(
+  cache: { userVerificationApiService?: UserVerificationApiServiceAbstraction } & CachedServices,
+  opts: UserVerificationApiServiceInitOptions
+): Promise<UserVerificationApiServiceAbstraction> {
+  return factory(
+    cache,
+    "userVerificationApiService",
+    opts,
+    async () => new UserVerificationApiService(await apiServiceFactory(cache, opts))
+  );
+}
diff --git a/apps/browser/src/auth/background/service-factories/user-verification-service.factory.ts b/apps/browser/src/auth/background/service-factories/user-verification-service.factory.ts
new file mode 100644
index 0000000000..79d327c948
--- /dev/null
+++ b/apps/browser/src/auth/background/service-factories/user-verification-service.factory.ts
@@ -0,0 +1,51 @@
+import { UserVerificationService as AbstractUserVerificationService } from "@bitwarden/common/auth/abstractions/user-verification/user-verification.service.abstraction";
+import { UserVerificationService } from "@bitwarden/common/auth/services/user-verification/user-verification.service";
+
+import {
+  CryptoServiceInitOptions,
+  cryptoServiceFactory,
+} from "../../../platform/background/service-factories/crypto-service.factory";
+import {
+  FactoryOptions,
+  CachedServices,
+  factory,
+} from "../../../platform/background/service-factories/factory-options";
+import {
+  I18nServiceInitOptions,
+  i18nServiceFactory,
+} from "../../../platform/background/service-factories/i18n-service.factory";
+import {
+  StateServiceInitOptions,
+  stateServiceFactory,
+} from "../../../platform/background/service-factories/state-service.factory";
+
+import {
+  UserVerificationApiServiceInitOptions,
+  userVerificationApiServiceFactory,
+} from "./user-verification-api-service.factory";
+
+type UserVerificationServiceFactoryOptions = FactoryOptions;
+
+export type UserVerificationServiceInitOptions = UserVerificationServiceFactoryOptions &
+  StateServiceInitOptions &
+  CryptoServiceInitOptions &
+  I18nServiceInitOptions &
+  UserVerificationApiServiceInitOptions;
+
+export function userVerificationServiceFactory(
+  cache: { userVerificationService?: AbstractUserVerificationService } & CachedServices,
+  opts: UserVerificationServiceInitOptions
+): Promise<AbstractUserVerificationService> {
+  return factory(
+    cache,
+    "userVerificationService",
+    opts,
+    async () =>
+      new UserVerificationService(
+        await stateServiceFactory(cache, opts),
+        await cryptoServiceFactory(cache, opts),
+        await i18nServiceFactory(cache, opts),
+        await userVerificationApiServiceFactory(cache, opts)
+      )
+  );
+}
diff --git a/apps/browser/src/auth/popup/lock.component.html b/apps/browser/src/auth/popup/lock.component.html
index cf964c1564..e787e0106d 100644
--- a/apps/browser/src/auth/popup/lock.component.html
+++ b/apps/browser/src/auth/popup/lock.component.html
@@ -5,14 +5,20 @@
       <span class="title">{{ "verifyIdentity" | i18n }}</span>
     </h1>
     <div class="right">
-      <button type="submit" *ngIf="!hideInput">{{ "unlock" | i18n }}</button>
+      <button type="submit" *ngIf="pinEnabled || masterPasswordEnabled">
+        {{ "unlock" | i18n }}
+      </button>
     </div>
   </header>
   <main tabindex="-1">
     <div class="box">
       <div class="box-content">
-        <div class="box-content-row box-content-row-flex" appBoxRow *ngIf="!hideInput">
-          <div class="row-main" *ngIf="pinLock">
+        <div
+          class="box-content-row box-content-row-flex"
+          appBoxRow
+          *ngIf="pinEnabled || masterPasswordEnabled"
+        >
+          <div class="row-main" *ngIf="pinEnabled">
             <label for="pin">{{ "pin" | i18n }}</label>
             <input
               id="pin"
@@ -24,7 +30,7 @@
               appInputVerbatim
             />
           </div>
-          <div class="row-main" *ngIf="!pinLock">
+          <div class="row-main" *ngIf="masterPasswordEnabled && !pinEnabled">
             <label for="masterPassword">{{ "masterPass" | i18n }}</label>
             <input
               id="masterPassword"
diff --git a/apps/browser/src/auth/popup/lock.component.ts b/apps/browser/src/auth/popup/lock.component.ts
index 8a86526458..f5f8a29eb6 100644
--- a/apps/browser/src/auth/popup/lock.component.ts
+++ b/apps/browser/src/auth/popup/lock.component.ts
@@ -3,12 +3,13 @@ import { Router } from "@angular/router";
 
 import { LockComponent as BaseLockComponent } from "@bitwarden/angular/auth/components/lock.component";
 import { ApiService } from "@bitwarden/common/abstractions/api.service";
-import { VaultTimeoutService } from "@bitwarden/common/abstractions/vaultTimeout/vaultTimeout.service";
-import { VaultTimeoutSettingsService } from "@bitwarden/common/abstractions/vaultTimeout/vaultTimeoutSettings.service";
+import { VaultTimeoutSettingsService } from "@bitwarden/common/abstractions/vault-timeout/vault-timeout-settings.service";
+import { VaultTimeoutService } from "@bitwarden/common/abstractions/vault-timeout/vault-timeout.service";
 import { PolicyApiServiceAbstraction } from "@bitwarden/common/admin-console/abstractions/policy/policy-api.service.abstraction";
 import { InternalPolicyService } from "@bitwarden/common/admin-console/abstractions/policy/policy.service.abstraction";
 import { AuthService } from "@bitwarden/common/auth/abstractions/auth.service";
-import { KeyConnectorService } from "@bitwarden/common/auth/abstractions/key-connector.service";
+import { DeviceTrustCryptoServiceAbstraction } from "@bitwarden/common/auth/abstractions/device-trust-crypto.service.abstraction";
+import { UserVerificationService } from "@bitwarden/common/auth/abstractions/user-verification/user-verification.service.abstraction";
 import { AuthenticationStatus } from "@bitwarden/common/auth/enums/authentication-status";
 import { CryptoService } from "@bitwarden/common/platform/abstractions/crypto.service";
 import { EnvironmentService } from "@bitwarden/common/platform/abstractions/environment.service";
@@ -44,13 +45,14 @@ export class LockComponent extends BaseLockComponent {
     stateService: StateService,
     apiService: ApiService,
     logService: LogService,
-    keyConnectorService: KeyConnectorService,
     ngZone: NgZone,
     policyApiService: PolicyApiServiceAbstraction,
     policyService: InternalPolicyService,
     passwordStrengthService: PasswordStrengthServiceAbstraction,
     private authService: AuthService,
-    dialogService: DialogService
+    dialogService: DialogService,
+    deviceTrustCryptoService: DeviceTrustCryptoServiceAbstraction,
+    userVerificationService: UserVerificationService
   ) {
     super(
       router,
@@ -64,12 +66,13 @@ export class LockComponent extends BaseLockComponent {
       stateService,
       apiService,
       logService,
-      keyConnectorService,
       ngZone,
       policyApiService,
       policyService,
       passwordStrengthService,
-      dialogService
+      dialogService,
+      deviceTrustCryptoService,
+      userVerificationService
     );
     this.successRoute = "/tabs/current";
     this.isInitialLockScreen = (window as any).previousPopupUrl == null;
@@ -81,7 +84,7 @@ export class LockComponent extends BaseLockComponent {
       (await this.stateService.getDisableAutoBiometricsPrompt()) ?? true;
 
     window.setTimeout(async () => {
-      document.getElementById(this.pinLock ? "pin" : "masterPassword").focus();
+      document.getElementById(this.pinEnabled ? "pin" : "masterPassword")?.focus();
       if (
         this.biometricLock &&
         !disableAutoBiometricsPrompt &&
@@ -93,7 +96,7 @@ export class LockComponent extends BaseLockComponent {
     }, 100);
   }
 
-  async unlockBiometric(): Promise<boolean> {
+  override async unlockBiometric(): Promise<boolean> {
     if (!this.biometricLock) {
       return;
     }
diff --git a/apps/browser/src/auth/popup/login-decryption-options/login-decryption-options.component.html b/apps/browser/src/auth/popup/login-decryption-options/login-decryption-options.component.html
new file mode 100644
index 0000000000..32e3ea0c59
--- /dev/null
+++ b/apps/browser/src/auth/popup/login-decryption-options/login-decryption-options.component.html
@@ -0,0 +1,108 @@
+<div id="login-initiated">
+  <header>
+    <h1 class="margin-auto">
+      <span class="title">{{ "loginInitiated" | i18n }}</span>
+    </h1>
+  </header>
+
+  <div class="content login-page">
+    <div class="full-loading-spinner" *ngIf="loading">
+      <i class="bwi bwi-spinner bwi-spin bwi-3x" aria-hidden="true"></i>
+    </div>
+
+    <ng-container *ngIf="!loading">
+      <ng-container *ngIf="data.state == State.ExistingUserUntrustedDevice">
+        <div class="standard-x-margin">
+          <p class="lead">{{ "loginInitiated" | i18n }}</p>
+          <h6 class="mb-20px">{{ "deviceApprovalRequired" | i18n }}</h6>
+        </div>
+
+        <form
+          id="rememberDeviceForm"
+          class="mb-20px standard-x-margin"
+          [formGroup]="rememberDeviceForm"
+        >
+          <div>
+            <input
+              type="checkbox"
+              id="rememberDevice"
+              name="rememberDevice"
+              formControlName="rememberDevice"
+            />
+            <label for="rememberDevice">
+              {{ "rememberThisDevice" | i18n }}
+            </label>
+            <p id="rememberThisDeviceHintText">{{ "uncheckIfPublicDevice" | i18n }}</p>
+          </div>
+        </form>
+
+        <div class="box mb-20px">
+          <button
+            *ngIf="data.showApproveFromOtherDeviceBtn"
+            (click)="approveFromOtherDevice()"
+            type="button"
+            class="btn primary block"
+          >
+            <b>{{ "approveFromYourOtherDevice" | i18n }}</b>
+          </button>
+          <button
+            *ngIf="data.showReqAdminApprovalBtn"
+            (click)="requestAdminApproval()"
+            type="button"
+            class="btn block btn-top-margin"
+          >
+            {{ "requestAdminApproval" | i18n }}
+          </button>
+          <button
+            *ngIf="data.showApproveWithMasterPasswordBtn"
+            type="button"
+            class="btn block btn-top-margin"
+            (click)="approveWithMasterPassword()"
+          >
+            {{ "approveWithMasterPassword" | i18n }}
+          </button>
+        </div>
+      </ng-container>
+
+      <ng-container *ngIf="data.state == State.NewUser">
+        <div class="standard-x-margin">
+          <p class="lead">{{ "loginInitiated" | i18n }}</p>
+        </div>
+
+        <form
+          id="rememberDeviceForm"
+          class="mb-20px standard-x-margin"
+          [formGroup]="rememberDeviceForm"
+        >
+          <div>
+            <input
+              type="checkbox"
+              id="rememberDevice"
+              name="rememberDevice"
+              formControlName="rememberDevice"
+            />
+            <label for="rememberDevice">
+              {{ "rememberThisDevice" | i18n }}
+            </label>
+            <p id="rememberThisDeviceHintText">{{ "uncheckIfPublicDevice" | i18n }}</p>
+          </div>
+        </form>
+
+        <div class="box mb-20px">
+          <button (click)="createUser()" type="button" class="btn primary block">
+            <b>{{ "continue" | i18n }}</b>
+          </button>
+        </div>
+      </ng-container>
+
+      <hr class="muted-hr mx-5px mb-20px" />
+
+      <div class="small mx-5px">
+        <p class="no-margin">{{ "loggingInAs" | i18n }} {{ data.userEmail }}</p>
+        <a tabindex="0" role="button" style="cursor: pointer" (click)="logOut()">{{
+          "notYou" | i18n
+        }}</a>
+      </div>
+    </ng-container>
+  </div>
+</div>
diff --git a/apps/browser/src/auth/popup/login-decryption-options/login-decryption-options.component.ts b/apps/browser/src/auth/popup/login-decryption-options/login-decryption-options.component.ts
new file mode 100644
index 0000000000..7fac9a42b0
--- /dev/null
+++ b/apps/browser/src/auth/popup/login-decryption-options/login-decryption-options.component.ts
@@ -0,0 +1,18 @@
+import { Component } from "@angular/core";
+
+import { BaseLoginDecryptionOptionsComponent } from "@bitwarden/angular/auth/components/base-login-decryption-options.component";
+
+@Component({
+  selector: "browser-login-decryption-options",
+  templateUrl: "login-decryption-options.component.html",
+})
+export class LoginDecryptionOptionsComponent extends BaseLoginDecryptionOptionsComponent {
+  override async createUser(): Promise<void> {
+    try {
+      await super.createUser();
+      await this.router.navigate(["/tabs/vault"]);
+    } catch (error) {
+      this.validationService.showError(error);
+    }
+  }
+}
diff --git a/apps/browser/src/auth/popup/login-with-device.component.html b/apps/browser/src/auth/popup/login-with-device.component.html
index d794b7d212..127f7ec96f 100644
--- a/apps/browser/src/auth/popup/login-with-device.component.html
+++ b/apps/browser/src/auth/popup/login-with-device.component.html
@@ -5,32 +5,57 @@
     </h1>
   </header>
   <div class="content login-page">
-    <div>
-      <p class="lead">{{ "logInInitiated" | i18n }}</p>
-
+    <ng-container *ngIf="state == StateEnum.StandardAuthRequest">
       <div>
-        <p>{{ "notificationSentDevice" | i18n }}</p>
+        <p class="lead">{{ "loginInitiated" | i18n }}</p>
 
-        <p>
-          {{ "fingerprintMatchInfo" | i18n }}
-        </p>
+        <div>
+          <p>{{ "notificationSentDevice" | i18n }}</p>
+
+          <p>
+            {{ "fingerprintMatchInfo" | i18n }}
+          </p>
+        </div>
+
+        <div>
+          <b class="fingerprint-phrase-header">{{ "fingerprintPhraseHeader" | i18n }}</b>
+          <p class="fingerprint-text">
+            <code>{{ fingerprintPhrase }}</code>
+          </p>
+        </div>
+
+        <div class="resend-notification" *ngIf="showResendNotification">
+          <a (click)="startPasswordlessLogin()">{{ "resendNotification" | i18n }}</a>
+        </div>
+
+        <div class="footer">
+          {{ "loginWithDeviceEnabledInfo" | i18n }}
+          <a href="#" (click)="back()">{{ "viewAllLoginOptions" | i18n }}</a>
+        </div>
       </div>
+    </ng-container>
 
+    <ng-container *ngIf="state == StateEnum.AdminAuthRequest">
       <div>
-        <b class="fingerprint-phrase-header">{{ "fingerprintPhraseHeader" | i18n }}</b>
-        <p class="fingerprint-text">
-          <code>{{ fingerprintPhrase }}</code>
-        </p>
-      </div>
+        <p class="lead">{{ "adminApprovalRequested" | i18n }}</p>
 
-      <div class="resend-notification" *ngIf="showResendNotification">
-        <a (click)="startPasswordlessLogin()">{{ "resendNotification" | i18n }}</a>
-      </div>
+        <div>
+          <p>{{ "adminApprovalRequestSentToAdmins" | i18n }}</p>
+          <p>{{ "youWillBeNotifiedOnceApproved" | i18n }}</p>
+        </div>
 
-      <div class="footer">
-        {{ "loginWithDeviceEnabledInfo" | i18n }}
-        <a routerLink="/login">{{ "viewAllLoginOptions" | i18n }}</a>
+        <div>
+          <b class="fingerprint-phrase-header">{{ "fingerprintPhraseHeader" | i18n }}</b>
+          <p class="fingerprint-text">
+            <code>{{ fingerprintPhrase }}</code>
+          </p>
+        </div>
+
+        <div class="footer">
+          {{ "troubleLoggingIn" | i18n }}
+          <a routerLink="/login-initiated">{{ "viewAllLoginOptions" | i18n }}</a>
+        </div>
       </div>
-    </div>
+    </ng-container>
   </div>
 </div>
diff --git a/apps/browser/src/auth/popup/login-with-device.component.ts b/apps/browser/src/auth/popup/login-with-device.component.ts
index cf0e57b5ee..f3a1dfffaa 100644
--- a/apps/browser/src/auth/popup/login-with-device.component.ts
+++ b/apps/browser/src/auth/popup/login-with-device.component.ts
@@ -1,10 +1,13 @@
+import { Location } from "@angular/common";
 import { Component, OnDestroy, OnInit } from "@angular/core";
 import { Router } from "@angular/router";
 
 import { LoginWithDeviceComponent as BaseLoginWithDeviceComponent } from "@bitwarden/angular/auth/components/login-with-device.component";
 import { AnonymousHubService } from "@bitwarden/common/abstractions/anonymousHub.service";
 import { ApiService } from "@bitwarden/common/abstractions/api.service";
+import { AuthRequestCryptoServiceAbstraction } from "@bitwarden/common/auth/abstractions/auth-request-crypto.service.abstraction";
 import { AuthService } from "@bitwarden/common/auth/abstractions/auth.service";
+import { DeviceTrustCryptoServiceAbstraction } from "@bitwarden/common/auth/abstractions/device-trust-crypto.service.abstraction";
 import { LoginService } from "@bitwarden/common/auth/abstractions/login.service";
 import { AppIdService } from "@bitwarden/common/platform/abstractions/app-id.service";
 import { CryptoFunctionService } from "@bitwarden/common/platform/abstractions/crypto-function.service";
@@ -42,7 +45,10 @@ export class LoginWithDeviceComponent
     validationService: ValidationService,
     stateService: StateService,
     loginService: LoginService,
-    syncService: SyncService
+    syncService: SyncService,
+    deviceTrustCryptoService: DeviceTrustCryptoServiceAbstraction,
+    authReqCryptoService: AuthRequestCryptoServiceAbstraction,
+    private location: Location
   ) {
     super(
       router,
@@ -59,10 +65,16 @@ export class LoginWithDeviceComponent
       anonymousHubService,
       validationService,
       stateService,
-      loginService
+      loginService,
+      deviceTrustCryptoService,
+      authReqCryptoService
     );
     super.onSuccessfulLogin = async () => {
       await syncService.fullSync(true);
     };
   }
+
+  protected back() {
+    this.location.back();
+  }
 }
diff --git a/apps/browser/src/auth/popup/login.component.ts b/apps/browser/src/auth/popup/login.component.ts
index 776b792fa1..d9b789e4d8 100644
--- a/apps/browser/src/auth/popup/login.component.ts
+++ b/apps/browser/src/auth/popup/login.component.ts
@@ -4,8 +4,8 @@ import { ActivatedRoute, Router } from "@angular/router";
 
 import { LoginComponent as BaseLoginComponent } from "@bitwarden/angular/auth/components/login.component";
 import { FormValidationErrorsService } from "@bitwarden/angular/platform/abstractions/form-validation-errors.service";
-import { DevicesApiServiceAbstraction } from "@bitwarden/common/abstractions/devices/devices-api.service.abstraction";
 import { AuthService } from "@bitwarden/common/auth/abstractions/auth.service";
+import { DevicesApiServiceAbstraction } from "@bitwarden/common/auth/abstractions/devices-api.service.abstraction";
 import { LoginService } from "@bitwarden/common/auth/abstractions/login.service";
 import { AppIdService } from "@bitwarden/common/platform/abstractions/app-id.service";
 import { CryptoFunctionService } from "@bitwarden/common/platform/abstractions/crypto-function.service";
diff --git a/apps/browser/src/auth/popup/services/index.ts b/apps/browser/src/auth/popup/services/index.ts
index 06bfe0009b..63563f61fd 100644
--- a/apps/browser/src/auth/popup/services/index.ts
+++ b/apps/browser/src/auth/popup/services/index.ts
@@ -1,2 +1 @@
-export { LockGuardService } from "./lock-guard.service";
 export { UnauthGuardService } from "./unauth-guard.service";
diff --git a/apps/browser/src/auth/popup/services/lock-guard.service.ts b/apps/browser/src/auth/popup/services/lock-guard.service.ts
deleted file mode 100644
index ef6ebc73ac..0000000000
--- a/apps/browser/src/auth/popup/services/lock-guard.service.ts
+++ /dev/null
@@ -1,8 +0,0 @@
-import { Injectable } from "@angular/core";
-
-import { LockGuard as BaseLockGuardService } from "@bitwarden/angular/auth/guards/lock.guard";
-
-@Injectable()
-export class LockGuardService extends BaseLockGuardService {
-  protected homepage = "tabs/current";
-}
diff --git a/apps/browser/src/auth/popup/services/unauth-guard.service.ts b/apps/browser/src/auth/popup/services/unauth-guard.service.ts
index 4aa700b556..062239a7d3 100644
--- a/apps/browser/src/auth/popup/services/unauth-guard.service.ts
+++ b/apps/browser/src/auth/popup/services/unauth-guard.service.ts
@@ -1,6 +1,6 @@
 import { Injectable } from "@angular/core";
 
-import { UnauthGuard as BaseUnauthGuardService } from "@bitwarden/angular/auth/guards/unauth.guard";
+import { UnauthGuard as BaseUnauthGuardService } from "@bitwarden/angular/auth/guards";
 
 @Injectable()
 export class UnauthGuardService extends BaseUnauthGuardService {
diff --git a/apps/browser/src/auth/popup/sso.component.ts b/apps/browser/src/auth/popup/sso.component.ts
index 2214e91687..9d04701680 100644
--- a/apps/browser/src/auth/popup/sso.component.ts
+++ b/apps/browser/src/auth/popup/sso.component.ts
@@ -1,11 +1,12 @@
-import { Component } from "@angular/core";
+import { Component, Inject } from "@angular/core";
 import { ActivatedRoute, Router } from "@angular/router";
 
 import { SsoComponent as BaseSsoComponent } from "@bitwarden/angular/auth/components/sso.component";
+import { WINDOW } from "@bitwarden/angular/services/injection-tokens";
 import { ApiService } from "@bitwarden/common/abstractions/api.service";
-import { VaultTimeoutService } from "@bitwarden/common/abstractions/vaultTimeout/vaultTimeout.service";
 import { AuthService } from "@bitwarden/common/auth/abstractions/auth.service";
 import { AuthenticationStatus } from "@bitwarden/common/auth/enums/authentication-status";
+import { ConfigServiceAbstraction } from "@bitwarden/common/platform/abstractions/config/config.service.abstraction";
 import { CryptoFunctionService } from "@bitwarden/common/platform/abstractions/crypto-function.service";
 import { EnvironmentService } from "@bitwarden/common/platform/abstractions/environment.service";
 import { I18nService } from "@bitwarden/common/platform/abstractions/i18n.service";
@@ -35,7 +36,8 @@ export class SsoComponent extends BaseSsoComponent {
     syncService: SyncService,
     environmentService: EnvironmentService,
     logService: LogService,
-    private vaultTimeoutService: VaultTimeoutService
+    configService: ConfigServiceAbstraction,
+    @Inject(WINDOW) private win: Window
   ) {
     super(
       authService,
@@ -48,7 +50,8 @@ export class SsoComponent extends BaseSsoComponent {
       cryptoFunctionService,
       environmentService,
       passwordGenerationService,
-      logService
+      logService,
+      configService
     );
 
     const url = this.environmentService.getWebVaultUrl();
@@ -57,15 +60,22 @@ export class SsoComponent extends BaseSsoComponent {
     this.clientId = "browser";
 
     super.onSuccessfulLogin = async () => {
-      await syncService.fullSync(true);
+      syncService.fullSync(true);
 
       // If the vault is unlocked then this will clear keys from memory, which we don't want to do
       if ((await this.authService.getAuthStatus()) !== AuthenticationStatus.Unlocked) {
         BrowserApi.reloadOpenWindows();
       }
 
-      const thisWindow = window.open("", "_self");
-      thisWindow.close();
+      this.win.close();
+    };
+
+    super.onSuccessfulLoginTde = async () => {
+      syncService.fullSync(true);
+    };
+
+    super.onSuccessfulLoginTdeNavigate = async () => {
+      this.win.close();
     };
   }
 }
diff --git a/apps/browser/src/auth/popup/two-factor.component.ts b/apps/browser/src/auth/popup/two-factor.component.ts
index 03821bb22f..c0af31d25e 100644
--- a/apps/browser/src/auth/popup/two-factor.component.ts
+++ b/apps/browser/src/auth/popup/two-factor.component.ts
@@ -1,8 +1,9 @@
-import { Component } from "@angular/core";
+import { Component, Inject } from "@angular/core";
 import { ActivatedRoute, Router } from "@angular/router";
 import { first } from "rxjs/operators";
 
 import { TwoFactorComponent as BaseTwoFactorComponent } from "@bitwarden/angular/auth/components/two-factor.component";
+import { WINDOW } from "@bitwarden/angular/services/injection-tokens";
 import { ApiService } from "@bitwarden/common/abstractions/api.service";
 import { AuthService } from "@bitwarden/common/auth/abstractions/auth.service";
 import { LoginService } from "@bitwarden/common/auth/abstractions/login.service";
@@ -10,6 +11,7 @@ import { TwoFactorService } from "@bitwarden/common/auth/abstractions/two-factor
 import { TwoFactorProviderType } from "@bitwarden/common/auth/enums/two-factor-provider-type";
 import { AppIdService } from "@bitwarden/common/platform/abstractions/app-id.service";
 import { BroadcasterService } from "@bitwarden/common/platform/abstractions/broadcaster.service";
+import { ConfigServiceAbstraction } from "@bitwarden/common/platform/abstractions/config/config.service.abstraction";
 import { EnvironmentService } from "@bitwarden/common/platform/abstractions/environment.service";
 import { I18nService } from "@bitwarden/common/platform/abstractions/i18n.service";
 import { LogService } from "@bitwarden/common/platform/abstractions/log.service";
@@ -48,7 +50,9 @@ export class TwoFactorComponent extends BaseTwoFactorComponent {
     twoFactorService: TwoFactorService,
     appIdService: AppIdService,
     loginService: LoginService,
-    private dialogService: DialogService
+    configService: ConfigServiceAbstraction,
+    private dialogService: DialogService,
+    @Inject(WINDOW) protected win: Window
   ) {
     super(
       authService,
@@ -56,19 +60,28 @@ export class TwoFactorComponent extends BaseTwoFactorComponent {
       i18nService,
       apiService,
       platformUtilsService,
-      window,
+      win,
       environmentService,
       stateService,
       route,
       logService,
       twoFactorService,
       appIdService,
-      loginService
+      loginService,
+      configService
     );
-    super.onSuccessfulLogin = () => {
-      this.loginService.clearValues();
-      return syncService.fullSync(true);
+    super.onSuccessfulLogin = async () => {
+      syncService.fullSync(true);
     };
+
+    super.onSuccessfulLoginTde = async () => {
+      syncService.fullSync(true);
+    };
+
+    super.onSuccessfulLoginTdeNavigate = async () => {
+      this.win.close();
+    };
+
     super.successRoute = "/tabs/vault";
     // FIXME: Chromium 110 has broken WebAuthn support in extensions via an iframe
     this.webAuthnNewTab = true;
@@ -117,11 +130,11 @@ export class TwoFactorComponent extends BaseTwoFactorComponent {
     // eslint-disable-next-line rxjs-angular/prefer-takeuntil, rxjs/no-async-subscribe
     this.route.queryParams.pipe(first()).subscribe(async (qParams) => {
       if (qParams.sso === "true") {
-        super.onSuccessfulLogin = () => {
+        super.onSuccessfulLogin = async () => {
           // This is not awaited so we don't pause the application while the sync is happening.
           // This call is executed by the service that lives in the background script so it will continue
           // the sync even if this tab closes.
-          const syncPromise = this.syncService.fullSync(true);
+          this.syncService.fullSync(true);
 
           // Force sidebars (FF && Opera) to reload while exempting current window
           // because we are just going to close the current window.
@@ -130,8 +143,6 @@ export class TwoFactorComponent extends BaseTwoFactorComponent {
           // We don't need this window anymore because the intent is for the user to be left
           // on the web vault screen which tells them to continue in the browser extension (sidebar or popup)
           BrowserApi.closeBitwardenExtensionTab();
-
-          return syncPromise;
         };
       }
     });
diff --git a/apps/browser/src/autofill/background/service_factories/autofill-service.factory.ts b/apps/browser/src/autofill/background/service_factories/autofill-service.factory.ts
index a802fd8cf1..efa5bdcffb 100644
--- a/apps/browser/src/autofill/background/service_factories/autofill-service.factory.ts
+++ b/apps/browser/src/autofill/background/service_factories/autofill-service.factory.ts
@@ -2,6 +2,10 @@ import {
   TotpServiceInitOptions,
   totpServiceFactory,
 } from "../../../auth/background/service-factories/totp-service.factory";
+import {
+  UserVerificationServiceInitOptions,
+  userVerificationServiceFactory,
+} from "../../../auth/background/service-factories/user-verification-service.factory";
 import {
   EventCollectionServiceInitOptions,
   eventCollectionServiceFactory,
@@ -38,7 +42,8 @@ export type AutoFillServiceInitOptions = AutoFillServiceOptions &
   TotpServiceInitOptions &
   EventCollectionServiceInitOptions &
   LogServiceInitOptions &
-  SettingsServiceInitOptions;
+  SettingsServiceInitOptions &
+  UserVerificationServiceInitOptions;
 
 export function autofillServiceFactory(
   cache: { autofillService?: AbstractAutoFillService } & CachedServices,
@@ -55,7 +60,8 @@ export function autofillServiceFactory(
         await totpServiceFactory(cache, opts),
         await eventCollectionServiceFactory(cache, opts),
         await logServiceFactory(cache, opts),
-        await settingsServiceFactory(cache, opts)
+        await settingsServiceFactory(cache, opts),
+        await userVerificationServiceFactory(cache, opts)
       )
   );
 }
diff --git a/apps/browser/src/autofill/browser/cipher-context-menu-handler.spec.ts b/apps/browser/src/autofill/browser/cipher-context-menu-handler.spec.ts
index 9db6574aad..dbe391ce4a 100644
--- a/apps/browser/src/autofill/browser/cipher-context-menu-handler.spec.ts
+++ b/apps/browser/src/autofill/browser/cipher-context-menu-handler.spec.ts
@@ -1,6 +1,7 @@
 import { mock, MockProxy } from "jest-mock-extended";
 
 import { AuthService } from "@bitwarden/common/auth/abstractions/auth.service";
+import { UserVerificationService } from "@bitwarden/common/auth/abstractions/user-verification/user-verification.service.abstraction";
 import { AuthenticationStatus } from "@bitwarden/common/auth/enums/authentication-status";
 import { CipherService } from "@bitwarden/common/vault/abstractions/cipher.service";
 import { CipherRepromptType } from "@bitwarden/common/vault/enums/cipher-reprompt-type";
@@ -13,6 +14,7 @@ describe("CipherContextMenuHandler", () => {
   let mainContextMenuHandler: MockProxy<MainContextMenuHandler>;
   let authService: MockProxy<AuthService>;
   let cipherService: MockProxy<CipherService>;
+  let userVerificationService: MockProxy<UserVerificationService>;
 
   let sut: CipherContextMenuHandler;
 
@@ -20,10 +22,17 @@ describe("CipherContextMenuHandler", () => {
     mainContextMenuHandler = mock();
     authService = mock();
     cipherService = mock();
+    userVerificationService = mock();
+    userVerificationService.hasMasterPassword.mockResolvedValue(true);
 
     jest.spyOn(MainContextMenuHandler, "removeAll").mockResolvedValue();
 
-    sut = new CipherContextMenuHandler(mainContextMenuHandler, authService, cipherService);
+    sut = new CipherContextMenuHandler(
+      mainContextMenuHandler,
+      authService,
+      cipherService,
+      userVerificationService
+    );
   });
 
   afterEach(() => jest.resetAllMocks());
@@ -83,11 +92,11 @@ describe("CipherContextMenuHandler", () => {
       };
 
       cipherService.getAllDecryptedForUrl.mockResolvedValue([
-        null,
-        undefined,
-        { type: CipherType.Card },
-        { type: CipherType.Login, reprompt: CipherRepromptType.Password },
-        realCipher,
+        null, // invalid cipher
+        undefined, // invalid cipher
+        { type: CipherType.Card }, // invalid cipher
+        { type: CipherType.Login, reprompt: CipherRepromptType.Password }, // invalid cipher
+        realCipher, // valid cipher
       ] as any[]);
 
       await sut.update("https://test.com");
@@ -105,5 +114,61 @@ describe("CipherContextMenuHandler", () => {
         realCipher
       );
     });
+
+    it("adds ciphers with master password reprompt if the user does not have a master password", async () => {
+      authService.getAuthStatus.mockResolvedValue(AuthenticationStatus.Unlocked);
+
+      // User does not have a master password, or has one but hasn't logged in with it (key connector user or TDE user)
+      userVerificationService.hasMasterPasswordAndMasterKeyHash.mockResolvedValue(false);
+
+      mainContextMenuHandler.init.mockResolvedValue(true);
+
+      const realCipher = {
+        id: "5",
+        type: CipherType.Login,
+        reprompt: CipherRepromptType.None,
+        name: "Test Cipher",
+        login: { username: "Test Username" },
+      };
+
+      const repromptCipher = {
+        id: "6",
+        type: CipherType.Login,
+        reprompt: CipherRepromptType.Password,
+        name: "Test Reprompt Cipher",
+        login: { username: "Test Username" },
+      };
+
+      cipherService.getAllDecryptedForUrl.mockResolvedValue([
+        null, // invalid cipher
+        undefined, // invalid cipher
+        { type: CipherType.Card }, // invalid cipher
+        repromptCipher, // valid cipher
+        realCipher, // valid cipher
+      ] as any[]);
+
+      await sut.update("https://test.com");
+
+      expect(cipherService.getAllDecryptedForUrl).toHaveBeenCalledTimes(1);
+
+      expect(cipherService.getAllDecryptedForUrl).toHaveBeenCalledWith("https://test.com");
+
+      // Should call this twice, once for each valid cipher
+      expect(mainContextMenuHandler.loadOptions).toHaveBeenCalledTimes(2);
+
+      expect(mainContextMenuHandler.loadOptions).toHaveBeenCalledWith(
+        "Test Cipher (Test Username)",
+        "5",
+        "https://test.com",
+        realCipher
+      );
+
+      expect(mainContextMenuHandler.loadOptions).toHaveBeenCalledWith(
+        "Test Reprompt Cipher (Test Username)",
+        "6",
+        "https://test.com",
+        repromptCipher
+      );
+    });
   });
 });
diff --git a/apps/browser/src/autofill/browser/cipher-context-menu-handler.ts b/apps/browser/src/autofill/browser/cipher-context-menu-handler.ts
index fe6479aae5..1d1be8f838 100644
--- a/apps/browser/src/autofill/browser/cipher-context-menu-handler.ts
+++ b/apps/browser/src/autofill/browser/cipher-context-menu-handler.ts
@@ -1,4 +1,5 @@
 import { AuthService } from "@bitwarden/common/auth/abstractions/auth.service";
+import { UserVerificationService } from "@bitwarden/common/auth/abstractions/user-verification/user-verification.service.abstraction";
 import { AuthenticationStatus } from "@bitwarden/common/auth/enums/authentication-status";
 import { StateFactory } from "@bitwarden/common/platform/factories/state-factory";
 import { Utils } from "@bitwarden/common/platform/misc/utils";
@@ -11,6 +12,7 @@ import {
   authServiceFactory,
   AuthServiceInitOptions,
 } from "../../auth/background/service-factories/auth-service.factory";
+import { userVerificationServiceFactory } from "../../auth/background/service-factories/user-verification-service.factory";
 import { Account } from "../../models/account";
 import { CachedServices } from "../../platform/background/service-factories/factory-options";
 import { BrowserApi } from "../../platform/browser/browser-api";
@@ -37,7 +39,8 @@ export class CipherContextMenuHandler {
   constructor(
     private mainContextMenuHandler: MainContextMenuHandler,
     private authService: AuthService,
-    private cipherService: CipherService
+    private cipherService: CipherService,
+    private userVerificationService: UserVerificationService
   ) {}
 
   static async create(cachedServices: CachedServices) {
@@ -76,7 +79,8 @@ export class CipherContextMenuHandler {
     return new CipherContextMenuHandler(
       await MainContextMenuHandler.mv3Create(cachedServices),
       await authServiceFactory(cachedServices, serviceOptions),
-      await cipherServiceFactory(cachedServices, serviceOptions)
+      await cipherServiceFactory(cachedServices, serviceOptions),
+      await userVerificationServiceFactory(cachedServices, serviceOptions)
     );
   }
 
@@ -176,7 +180,11 @@ export class CipherContextMenuHandler {
   }
 
   private async updateForCipher(url: string, cipher: CipherView) {
-    if (cipher == null || cipher.type !== CipherType.Login) {
+    if (
+      cipher == null ||
+      cipher.type !== CipherType.Login ||
+      (await this.userVerificationService.hasMasterPasswordAndMasterKeyHash())
+    ) {
       return;
     }
 
diff --git a/apps/browser/src/autofill/services/autofill.service.ts b/apps/browser/src/autofill/services/autofill.service.ts
index 8b7ec91653..571b4af721 100644
--- a/apps/browser/src/autofill/services/autofill.service.ts
+++ b/apps/browser/src/autofill/services/autofill.service.ts
@@ -1,6 +1,7 @@
 import { EventCollectionService } from "@bitwarden/common/abstractions/event/event-collection.service";
 import { SettingsService } from "@bitwarden/common/abstractions/settings.service";
 import { TotpService } from "@bitwarden/common/abstractions/totp.service";
+import { UserVerificationService } from "@bitwarden/common/auth/abstractions/user-verification/user-verification.service.abstraction";
 import { EventType, FieldType, UriMatchType } from "@bitwarden/common/enums";
 import { LogService } from "@bitwarden/common/platform/abstractions/log.service";
 import { CipherService } from "@bitwarden/common/vault/abstractions/cipher.service";
@@ -45,7 +46,8 @@ export default class AutofillService implements AutofillServiceInterface {
     private totpService: TotpService,
     private eventCollectionService: EventCollectionService,
     private logService: LogService,
-    private settingsService: SettingsService
+    private settingsService: SettingsService,
+    private userVerificationService: UserVerificationService
   ) {}
 
   getFormsWithPasswordFields(pageDetails: AutofillPageDetails): FormData[] {
@@ -238,7 +240,10 @@ export default class AutofillService implements AutofillServiceInterface {
       return null;
     }
 
-    if (cipher.reprompt !== CipherRepromptType.None) {
+    if (
+      cipher.reprompt !== CipherRepromptType.None &&
+      (await this.userVerificationService.hasMasterPasswordAndMasterKeyHash())
+    ) {
       await BrowserApi.tabSendMessageData(tab, "passwordReprompt", {
         cipherId: cipher.id,
         action: "autofill",
diff --git a/apps/browser/src/background/commands.background.ts b/apps/browser/src/background/commands.background.ts
index 118953b9da..0cbf91c666 100644
--- a/apps/browser/src/background/commands.background.ts
+++ b/apps/browser/src/background/commands.background.ts
@@ -1,4 +1,4 @@
-import { VaultTimeoutService } from "@bitwarden/common/abstractions/vaultTimeout/vaultTimeout.service";
+import { VaultTimeoutService } from "@bitwarden/common/abstractions/vault-timeout/vault-timeout.service";
 import { AuthService } from "@bitwarden/common/auth/abstractions/auth.service";
 import { AuthenticationStatus } from "@bitwarden/common/auth/enums/authentication-status";
 import { PlatformUtilsService } from "@bitwarden/common/platform/abstractions/platform-utils.service";
diff --git a/apps/browser/src/background/idle.background.ts b/apps/browser/src/background/idle.background.ts
index 3854d2383b..7200301c79 100644
--- a/apps/browser/src/background/idle.background.ts
+++ b/apps/browser/src/background/idle.background.ts
@@ -1,5 +1,5 @@
 import { NotificationsService } from "@bitwarden/common/abstractions/notifications.service";
-import { VaultTimeoutService } from "@bitwarden/common/abstractions/vaultTimeout/vaultTimeout.service";
+import { VaultTimeoutService } from "@bitwarden/common/abstractions/vault-timeout/vault-timeout.service";
 import { VaultTimeoutAction } from "@bitwarden/common/enums/vault-timeout-action.enum";
 
 import { BrowserStateService } from "../platform/services/abstractions/browser-state.service";
diff --git a/apps/browser/src/background/main.background.ts b/apps/browser/src/background/main.background.ts
index 59a1b444e0..617acc2bf7 100644
--- a/apps/browser/src/background/main.background.ts
+++ b/apps/browser/src/background/main.background.ts
@@ -1,27 +1,33 @@
 import { AvatarUpdateService as AvatarUpdateServiceAbstraction } from "@bitwarden/common/abstractions/account/avatar-update.service";
 import { ApiService as ApiServiceAbstraction } from "@bitwarden/common/abstractions/api.service";
 import { AuditService as AuditServiceAbstraction } from "@bitwarden/common/abstractions/audit.service";
+import { DevicesServiceAbstraction } from "@bitwarden/common/abstractions/devices/devices.service.abstraction";
 import { EventCollectionService as EventCollectionServiceAbstraction } from "@bitwarden/common/abstractions/event/event-collection.service";
 import { EventUploadService as EventUploadServiceAbstraction } from "@bitwarden/common/abstractions/event/event-upload.service";
 import { NotificationsService as NotificationsServiceAbstraction } from "@bitwarden/common/abstractions/notifications.service";
 import { SearchService as SearchServiceAbstraction } from "@bitwarden/common/abstractions/search.service";
 import { SettingsService as SettingsServiceAbstraction } from "@bitwarden/common/abstractions/settings.service";
 import { TotpService as TotpServiceAbstraction } from "@bitwarden/common/abstractions/totp.service";
-import { VaultTimeoutService as VaultTimeoutServiceAbstraction } from "@bitwarden/common/abstractions/vaultTimeout/vaultTimeout.service";
-import { VaultTimeoutSettingsService as VaultTimeoutSettingsServiceAbstraction } from "@bitwarden/common/abstractions/vaultTimeout/vaultTimeoutSettings.service";
+import { VaultTimeoutSettingsService as VaultTimeoutSettingsServiceAbstraction } from "@bitwarden/common/abstractions/vault-timeout/vault-timeout-settings.service";
 import { InternalOrganizationServiceAbstraction } from "@bitwarden/common/admin-console/abstractions/organization/organization.service.abstraction";
 import { PolicyApiServiceAbstraction } from "@bitwarden/common/admin-console/abstractions/policy/policy-api.service.abstraction";
 import { InternalPolicyService as InternalPolicyServiceAbstraction } from "@bitwarden/common/admin-console/abstractions/policy/policy.service.abstraction";
 import { ProviderService as ProviderServiceAbstraction } from "@bitwarden/common/admin-console/abstractions/provider.service";
 import { PolicyApiService } from "@bitwarden/common/admin-console/services/policy/policy-api.service";
 import { ProviderService } from "@bitwarden/common/admin-console/services/provider.service";
+import { AuthRequestCryptoServiceAbstraction } from "@bitwarden/common/auth/abstractions/auth-request-crypto.service.abstraction";
 import { AuthService as AuthServiceAbstraction } from "@bitwarden/common/auth/abstractions/auth.service";
+import { DeviceTrustCryptoServiceAbstraction } from "@bitwarden/common/auth/abstractions/device-trust-crypto.service.abstraction";
+import { DevicesApiServiceAbstraction } from "@bitwarden/common/auth/abstractions/devices-api.service.abstraction";
 import { KeyConnectorService as KeyConnectorServiceAbstraction } from "@bitwarden/common/auth/abstractions/key-connector.service";
 import { TokenService as TokenServiceAbstraction } from "@bitwarden/common/auth/abstractions/token.service";
 import { TwoFactorService as TwoFactorServiceAbstraction } from "@bitwarden/common/auth/abstractions/two-factor.service";
 import { UserVerificationApiServiceAbstraction } from "@bitwarden/common/auth/abstractions/user-verification/user-verification-api.service.abstraction";
 import { UserVerificationService as UserVerificationServiceAbstraction } from "@bitwarden/common/auth/abstractions/user-verification/user-verification.service.abstraction";
+import { AuthRequestCryptoServiceImplementation } from "@bitwarden/common/auth/services/auth-request-crypto.service.implementation";
 import { AuthService } from "@bitwarden/common/auth/services/auth.service";
+import { DeviceTrustCryptoService } from "@bitwarden/common/auth/services/device-trust-crypto.service.implementation";
+import { DevicesApiServiceImplementation } from "@bitwarden/common/auth/services/devices-api.service.implementation";
 import { KeyConnectorService } from "@bitwarden/common/auth/services/key-connector.service";
 import { TokenService } from "@bitwarden/common/auth/services/token.service";
 import { TwoFactorService } from "@bitwarden/common/auth/services/two-factor.service";
@@ -59,12 +65,13 @@ import { WebCryptoFunctionService } from "@bitwarden/common/platform/services/we
 import { AvatarUpdateService } from "@bitwarden/common/services/account/avatar-update.service";
 import { ApiService } from "@bitwarden/common/services/api.service";
 import { AuditService } from "@bitwarden/common/services/audit.service";
+import { DevicesServiceImplementation } from "@bitwarden/common/services/devices/devices.service.implementation";
 import { EventCollectionService } from "@bitwarden/common/services/event/event-collection.service";
 import { EventUploadService } from "@bitwarden/common/services/event/event-upload.service";
 import { NotificationsService } from "@bitwarden/common/services/notifications.service";
 import { SearchService } from "@bitwarden/common/services/search.service";
 import { TotpService } from "@bitwarden/common/services/totp.service";
-import { VaultTimeoutSettingsService } from "@bitwarden/common/services/vaultTimeout/vaultTimeoutSettings.service";
+import { VaultTimeoutSettingsService } from "@bitwarden/common/services/vault-timeout/vault-timeout-settings.service";
 import {
   PasswordGenerationService,
   PasswordGenerationServiceAbstraction,
@@ -128,7 +135,7 @@ import { KeyGenerationService } from "../platform/services/key-generation.servic
 import { LocalBackedSessionStorageService } from "../platform/services/local-backed-session-storage.service";
 import { BrowserSendService } from "../services/browser-send.service";
 import { BrowserSettingsService } from "../services/browser-settings.service";
-import VaultTimeoutService from "../services/vaultTimeout/vaultTimeout.service";
+import VaultTimeoutService from "../services/vault-timeout/vault-timeout.service";
 import { BrowserFolderService } from "../vault/services/browser-folder.service";
 import { VaultFilterService } from "../vault/services/vault-filter.service";
 
@@ -156,7 +163,7 @@ export default class MainBackground {
   cipherService: CipherServiceAbstraction;
   folderService: InternalFolderServiceAbstraction;
   collectionService: CollectionServiceAbstraction;
-  vaultTimeoutService: VaultTimeoutServiceAbstraction;
+  vaultTimeoutService: VaultTimeoutService;
   vaultTimeoutSettingsService: VaultTimeoutSettingsServiceAbstraction;
   syncService: SyncServiceAbstraction;
   passwordGenerationService: PasswordGenerationServiceAbstraction;
@@ -196,6 +203,10 @@ export default class MainBackground {
   cipherContextMenuHandler: CipherContextMenuHandler;
   configService: ConfigServiceAbstraction;
   configApiService: ConfigApiServiceAbstraction;
+  devicesApiService: DevicesApiServiceAbstraction;
+  devicesService: DevicesServiceAbstraction;
+  deviceTrustCryptoService: DeviceTrustCryptoServiceAbstraction;
+  authRequestCryptoService: AuthRequestCryptoServiceAbstraction;
   browserPopoutWindowService: BrowserPopoutWindowService;
 
   // Passed to the popup for Safari to workaround issues with theming, downloading, etc.
@@ -387,6 +398,23 @@ export default class MainBackground {
         that.runtimeBackground.processMessage(message, that as any, null);
       };
     })();
+
+    this.devicesApiService = new DevicesApiServiceImplementation(this.apiService);
+    this.deviceTrustCryptoService = new DeviceTrustCryptoService(
+      this.cryptoFunctionService,
+      this.cryptoService,
+      this.encryptService,
+      this.stateService,
+      this.appIdService,
+      this.devicesApiService,
+      this.i18nService,
+      this.platformUtilsService
+    );
+
+    this.devicesService = new DevicesServiceImplementation(this.devicesApiService);
+
+    this.authRequestCryptoService = new AuthRequestCryptoServiceImplementation(this.cryptoService);
+
     this.authService = new AuthService(
       this.cryptoService,
       this.apiService,
@@ -402,14 +430,26 @@ export default class MainBackground {
       this.i18nService,
       this.encryptService,
       this.passwordStrengthService,
-      this.policyService
+      this.policyService,
+      this.deviceTrustCryptoService,
+      this.authRequestCryptoService
+    );
+
+    this.userVerificationApiService = new UserVerificationApiService(this.apiService);
+
+    this.userVerificationService = new UserVerificationService(
+      this.stateService,
+      this.cryptoService,
+      this.i18nService,
+      this.userVerificationApiService
     );
 
     this.vaultTimeoutSettingsService = new VaultTimeoutSettingsService(
       this.cryptoService,
       this.tokenService,
       this.policyService,
-      this.stateService
+      this.stateService,
+      this.userVerificationService
     );
 
     this.vaultTimeoutService = new VaultTimeoutService(
@@ -420,7 +460,6 @@ export default class MainBackground {
       this.platformUtilsService,
       this.messagingService,
       this.searchService,
-      this.keyConnectorService,
       this.stateService,
       this.authService,
       this.vaultTimeoutSettingsService,
@@ -471,13 +510,15 @@ export default class MainBackground {
       this.eventUploadService
     );
     this.totpService = new TotpService(this.cryptoFunctionService, this.logService);
+
     this.autofillService = new AutofillService(
       this.cipherService,
       this.stateService,
       this.totpService,
       this.eventCollectionService,
       this.logService,
-      this.settingsService
+      this.settingsService,
+      this.userVerificationService
     );
     this.auditService = new AuditService(this.cryptoFunctionService, this.apiService);
     this.exportService = new VaultExportService(
@@ -499,15 +540,6 @@ export default class MainBackground {
       this.authService,
       this.messagingService
     );
-
-    this.userVerificationApiService = new UserVerificationApiService(this.apiService);
-
-    this.userVerificationService = new UserVerificationService(
-      this.cryptoService,
-      this.i18nService,
-      this.userVerificationApiService
-    );
-
     this.configService = new ConfigService(
       this.stateService,
       this.configApiService,
@@ -638,7 +670,8 @@ export default class MainBackground {
       this.cipherContextMenuHandler = new CipherContextMenuHandler(
         this.mainContextMenuHandler,
         this.authService,
-        this.cipherService
+        this.cipherService,
+        this.userVerificationService
       );
     }
   }
@@ -648,7 +681,7 @@ export default class MainBackground {
 
     await this.stateService.init();
 
-    await (this.vaultTimeoutService as VaultTimeoutService).init(true);
+    await this.vaultTimeoutService.init(true);
     await (this.i18nService as BrowserI18nService).init();
     await (this.eventUploadService as EventUploadService).init(true);
     await this.runtimeBackground.init();
diff --git a/apps/browser/src/background/nativeMessaging.background.ts b/apps/browser/src/background/nativeMessaging.background.ts
index e482c7cc83..d393022b7b 100644
--- a/apps/browser/src/background/nativeMessaging.background.ts
+++ b/apps/browser/src/background/nativeMessaging.background.ts
@@ -10,7 +10,11 @@ import { PlatformUtilsService } from "@bitwarden/common/platform/abstractions/pl
 import { StateService } from "@bitwarden/common/platform/abstractions/state.service";
 import { Utils } from "@bitwarden/common/platform/misc/utils";
 import { EncString } from "@bitwarden/common/platform/models/domain/enc-string";
-import { SymmetricCryptoKey } from "@bitwarden/common/platform/models/domain/symmetric-crypto-key";
+import {
+  MasterKey,
+  SymmetricCryptoKey,
+  UserKey,
+} from "@bitwarden/common/platform/models/domain/symmetric-crypto-key";
 
 import { BrowserApi } from "../platform/browser/browser-api";
 
@@ -42,6 +46,7 @@ type ReceiveMessage = {
 
   // Unlock key
   keyB64?: string;
+  userKeyB64?: string;
 };
 
 type ReceiveMessageOuter = {
@@ -320,16 +325,55 @@ export class NativeMessagingBackground {
         }
 
         if (message.response === "unlocked") {
-          await this.cryptoService.setKey(
-            new SymmetricCryptoKey(Utils.fromB64ToArray(message.keyB64))
-          );
+          try {
+            if (message.userKeyB64) {
+              const userKey = new SymmetricCryptoKey(
+                Utils.fromB64ToArray(message.userKeyB64)
+              ) as UserKey;
+              await this.cryptoService.setUserKey(userKey);
+            } else if (message.keyB64) {
+              // Backwards compatibility to support cases in which the user hasn't updated their desktop app
+              // TODO: Remove after 2023.10 release (https://bitwarden.atlassian.net/browse/PM-3472)
+              let encUserKey = await this.stateService.getEncryptedCryptoSymmetricKey();
+              encUserKey ||= await this.stateService.getMasterKeyEncryptedUserKey();
+              if (!encUserKey) {
+                throw new Error("No encrypted user key found");
+              }
+              const masterKey = new SymmetricCryptoKey(
+                Utils.fromB64ToArray(message.keyB64)
+              ) as MasterKey;
+              const userKey = await this.cryptoService.decryptUserKeyWithMasterKey(
+                masterKey,
+                new EncString(encUserKey)
+              );
+              await this.cryptoService.setMasterKey(masterKey);
+              await this.cryptoService.setUserKey(userKey);
+            } else {
+              throw new Error("No key received");
+            }
+          } catch (e) {
+            this.logService.error("Unable to set key: " + e);
+            this.messagingService.send("showDialog", {
+              title: { key: "biometricsFailedTitle" },
+              content: { key: "biometricsFailedDesc" },
+              acceptButtonText: { key: "ok" },
+              cancelButtonText: null,
+              type: "danger",
+            });
+
+            // Exit early
+            if (this.resolver) {
+              this.resolver(message);
+            }
+            return;
+          }
 
           // Verify key is correct by attempting to decrypt a secret
           try {
             await this.cryptoService.getFingerprint(await this.stateService.getUserId());
           } catch (e) {
             this.logService.error("Unable to verify key: " + e);
-            await this.cryptoService.clearKey();
+            await this.cryptoService.clearKeys();
             this.showWrongUserDialog();
 
             // Exit early
diff --git a/apps/browser/src/background/service-factories/devices-api-service.factory.ts b/apps/browser/src/background/service-factories/devices-api-service.factory.ts
new file mode 100644
index 0000000000..8999b7c2c7
--- /dev/null
+++ b/apps/browser/src/background/service-factories/devices-api-service.factory.ts
@@ -0,0 +1,28 @@
+import { DevicesApiServiceAbstraction } from "@bitwarden/common/auth/abstractions/devices-api.service.abstraction";
+import { DevicesApiServiceImplementation } from "@bitwarden/common/auth/services/devices-api.service.implementation";
+
+import {
+  ApiServiceInitOptions,
+  apiServiceFactory,
+} from "../../platform/background/service-factories/api-service.factory";
+import {
+  FactoryOptions,
+  CachedServices,
+  factory,
+} from "../../platform/background/service-factories/factory-options";
+
+type DevicesApiServiceFactoryOptions = FactoryOptions;
+
+export type DevicesApiServiceInitOptions = DevicesApiServiceFactoryOptions & ApiServiceInitOptions;
+
+export function devicesApiServiceFactory(
+  cache: { devicesApiService?: DevicesApiServiceAbstraction } & CachedServices,
+  opts: DevicesApiServiceInitOptions
+): Promise<DevicesApiServiceAbstraction> {
+  return factory(
+    cache,
+    "devicesApiService",
+    opts,
+    async () => new DevicesApiServiceImplementation(await apiServiceFactory(cache, opts))
+  );
+}
diff --git a/apps/browser/src/background/service-factories/vault-timeout-service.factory.ts b/apps/browser/src/background/service-factories/vault-timeout-service.factory.ts
index 601867ad38..b019db3297 100644
--- a/apps/browser/src/background/service-factories/vault-timeout-service.factory.ts
+++ b/apps/browser/src/background/service-factories/vault-timeout-service.factory.ts
@@ -1,13 +1,9 @@
-import { VaultTimeoutService as AbstractVaultTimeoutService } from "@bitwarden/common/abstractions/vaultTimeout/vaultTimeout.service";
+import { VaultTimeoutService as AbstractVaultTimeoutService } from "@bitwarden/common/abstractions/vault-timeout/vault-timeout.service";
 
 import {
   authServiceFactory,
   AuthServiceInitOptions,
 } from "../../auth/background/service-factories/auth-service.factory";
-import {
-  keyConnectorServiceFactory,
-  KeyConnectorServiceInitOptions,
-} from "../../auth/background/service-factories/key-connector-service.factory";
 import {
   CryptoServiceInitOptions,
   cryptoServiceFactory,
@@ -29,7 +25,7 @@ import {
   StateServiceInitOptions,
   stateServiceFactory,
 } from "../../platform/background/service-factories/state-service.factory";
-import VaultTimeoutService from "../../services/vaultTimeout/vaultTimeout.service";
+import VaultTimeoutService from "../../services/vault-timeout/vault-timeout.service";
 import {
   cipherServiceFactory,
   CipherServiceInitOptions,
@@ -64,7 +60,6 @@ export type VaultTimeoutServiceInitOptions = VaultTimeoutServiceFactoryOptions &
   PlatformUtilsServiceInitOptions &
   MessagingServiceInitOptions &
   SearchServiceInitOptions &
-  KeyConnectorServiceInitOptions &
   StateServiceInitOptions &
   AuthServiceInitOptions &
   VaultTimeoutSettingsServiceInitOptions;
@@ -86,7 +81,6 @@ export function vaultTimeoutServiceFactory(
         await platformUtilsServiceFactory(cache, opts),
         await messagingServiceFactory(cache, opts),
         await searchServiceFactory(cache, opts),
-        await keyConnectorServiceFactory(cache, opts),
         await stateServiceFactory(cache, opts),
         await authServiceFactory(cache, opts),
         await vaultTimeoutSettingsServiceFactory(cache, opts),
diff --git a/apps/browser/src/background/service-factories/vault-timeout-settings-service.factory.ts b/apps/browser/src/background/service-factories/vault-timeout-settings-service.factory.ts
index 724993127b..eda86c0a15 100644
--- a/apps/browser/src/background/service-factories/vault-timeout-settings-service.factory.ts
+++ b/apps/browser/src/background/service-factories/vault-timeout-settings-service.factory.ts
@@ -1,5 +1,5 @@
-import { VaultTimeoutSettingsService as AbstractVaultTimeoutSettingsService } from "@bitwarden/common/abstractions/vaultTimeout/vaultTimeoutSettings.service";
-import { VaultTimeoutSettingsService } from "@bitwarden/common/services/vaultTimeout/vaultTimeoutSettings.service";
+import { VaultTimeoutSettingsService as AbstractVaultTimeoutSettingsService } from "@bitwarden/common/abstractions/vault-timeout/vault-timeout-settings.service";
+import { VaultTimeoutSettingsService } from "@bitwarden/common/services/vault-timeout/vault-timeout-settings.service";
 
 import {
   policyServiceFactory,
@@ -9,6 +9,10 @@ import {
   tokenServiceFactory,
   TokenServiceInitOptions,
 } from "../../auth/background/service-factories/token-service.factory";
+import {
+  userVerificationServiceFactory,
+  UserVerificationServiceInitOptions,
+} from "../../auth/background/service-factories/user-verification-service.factory";
 import {
   CryptoServiceInitOptions,
   cryptoServiceFactory,
@@ -29,7 +33,8 @@ export type VaultTimeoutSettingsServiceInitOptions = VaultTimeoutSettingsService
   CryptoServiceInitOptions &
   TokenServiceInitOptions &
   PolicyServiceInitOptions &
-  StateServiceInitOptions;
+  StateServiceInitOptions &
+  UserVerificationServiceInitOptions;
 
 export function vaultTimeoutSettingsServiceFactory(
   cache: { vaultTimeoutSettingsService?: AbstractVaultTimeoutSettingsService } & CachedServices,
@@ -44,7 +49,8 @@ export function vaultTimeoutSettingsServiceFactory(
         await cryptoServiceFactory(cache, opts),
         await tokenServiceFactory(cache, opts),
         await policyServiceFactory(cache, opts),
-        await stateServiceFactory(cache, opts)
+        await stateServiceFactory(cache, opts),
+        await userVerificationServiceFactory(cache, opts)
       )
   );
 }
diff --git a/apps/browser/src/platform/services/browser-crypto.service.ts b/apps/browser/src/platform/services/browser-crypto.service.ts
index 1018c270cb..a6dce0f39e 100644
--- a/apps/browser/src/platform/services/browser-crypto.service.ts
+++ b/apps/browser/src/platform/services/browser-crypto.service.ts
@@ -1,13 +1,32 @@
 import { KeySuffixOptions } from "@bitwarden/common/enums";
+import { Utils } from "@bitwarden/common/platform/misc/utils";
+import {
+  SymmetricCryptoKey,
+  UserKey,
+} from "@bitwarden/common/platform/models/domain/symmetric-crypto-key";
 import { CryptoService } from "@bitwarden/common/platform/services/crypto.service";
 
 export class BrowserCryptoService extends CryptoService {
-  protected async retrieveKeyFromStorage(keySuffix: KeySuffixOptions) {
-    if (keySuffix === "biometric") {
+  override async hasUserKeyStored(keySuffix: KeySuffixOptions, userId?: string): Promise<boolean> {
+    if (keySuffix === KeySuffixOptions.Biometric) {
+      return await this.stateService.getBiometricUnlock({ userId: userId });
+    }
+    return super.hasUserKeyStored(keySuffix, userId);
+  }
+
+  /**
+   * Browser doesn't store biometric keys, so we retrieve them from the desktop and return
+   * if we successfully saved it into memory as the User Key
+   */
+  protected override async getKeyFromStorage(keySuffix: KeySuffixOptions): Promise<UserKey> {
+    if (keySuffix === KeySuffixOptions.Biometric) {
       await this.platformUtilService.authenticateBiometric();
-      return (await this.getKey())?.keyB64;
+      const userKey = await this.stateService.getUserKey();
+      if (userKey) {
+        return new SymmetricCryptoKey(Utils.fromB64ToArray(userKey.keyB64)) as UserKey;
+      }
     }
 
-    return await super.retrieveKeyFromStorage(keySuffix);
+    return await super.getKeyFromStorage(keySuffix);
   }
 }
diff --git a/apps/browser/src/platform/services/browser-state.service.spec.ts b/apps/browser/src/platform/services/browser-state.service.spec.ts
index 874e13b7d8..d6bb83f7fb 100644
--- a/apps/browser/src/platform/services/browser-state.service.spec.ts
+++ b/apps/browser/src/platform/services/browser-state.service.spec.ts
@@ -41,7 +41,8 @@ describe("Browser State Service", () => {
     logService = mock();
     stateMigrationService = mock();
     stateFactory = mock();
-    useAccountCache = true;
+    // turn off account cache for tests
+    useAccountCache = false;
 
     state = new State(new GlobalState());
     state.accounts[userId] = new Account({
diff --git a/apps/browser/src/platform/services/browser-state.service.ts b/apps/browser/src/platform/services/browser-state.service.ts
index 37f50d6dc7..34fa1a1d0f 100644
--- a/apps/browser/src/platform/services/browser-state.service.ts
+++ b/apps/browser/src/platform/services/browser-state.service.ts
@@ -1,5 +1,12 @@
 import { BehaviorSubject } from "rxjs";
 
+import { LogService } from "@bitwarden/common/platform/abstractions/log.service";
+import { StateMigrationService } from "@bitwarden/common/platform/abstractions/state-migration.service";
+import {
+  AbstractStorageService,
+  AbstractMemoryStorageService,
+} from "@bitwarden/common/platform/abstractions/storage.service";
+import { StateFactory } from "@bitwarden/common/platform/factories/state-factory";
 import { GlobalState } from "@bitwarden/common/platform/models/domain/global-state";
 import { StorageOptions } from "@bitwarden/common/platform/models/domain/storage-options";
 import { StateService as BaseStateService } from "@bitwarden/common/platform/services/state.service";
@@ -26,14 +33,44 @@ export class BrowserStateService
   protected activeAccountSubject: BehaviorSubject<string>;
   @sessionSync({ initializer: (b: boolean) => b })
   protected activeAccountUnlockedSubject: BehaviorSubject<boolean>;
-  @sessionSync({
-    initializer: Account.fromJSON as any, // TODO: Remove this any when all any types are removed from Account
-    initializeAs: "record",
-  })
-  protected accountDiskCache: BehaviorSubject<Record<string, Account>>;
 
   protected accountDeserializer = Account.fromJSON;
 
+  constructor(
+    storageService: AbstractStorageService,
+    secureStorageService: AbstractStorageService,
+    memoryStorageService: AbstractMemoryStorageService,
+    logService: LogService,
+    stateMigrationService: StateMigrationService,
+    stateFactory: StateFactory<GlobalState, Account>,
+    useAccountCache = true
+  ) {
+    super(
+      storageService,
+      secureStorageService,
+      memoryStorageService,
+      logService,
+      stateMigrationService,
+      stateFactory,
+      useAccountCache
+    );
+
+    // TODO: This is a hack to fix having a disk cache on both the popup and
+    // the background page that can get out of sync. We need to work out the
+    // best way to handle caching with multiple instances of the state service.
+    if (useAccountCache) {
+      chrome.storage.onChanged.addListener((changes, namespace) => {
+        if (namespace === "local") {
+          for (const key of Object.keys(changes)) {
+            if (key !== "accountActivity" && this.accountDiskCache.value[key]) {
+              this.deleteDiskCache(key);
+            }
+          }
+        }
+      });
+    }
+  }
+
   async addAccount(account: Account) {
     // Apply browser overrides to default account values
     account = new Account(account);
@@ -132,4 +169,17 @@ export class BrowserStateService
       this.reconcileOptions(options, await this.defaultInMemoryOptions())
     );
   }
+
+  // Overriding the base class to prevent deleting the cache on save. We register a storage listener
+  // to delete the cache in the constructor above.
+  protected override async saveAccountToDisk(
+    account: Account,
+    options: StorageOptions
+  ): Promise<void> {
+    const storageLocation = options.useSecureStorage
+      ? this.secureStorageService
+      : this.storageService;
+
+    await storageLocation.save(`${options.userId}`, account, options);
+  }
 }
diff --git a/apps/browser/src/popup/app-routing.module.ts b/apps/browser/src/popup/app-routing.module.ts
index 7da3d3049f..c15bf86f08 100644
--- a/apps/browser/src/popup/app-routing.module.ts
+++ b/apps/browser/src/popup/app-routing.module.ts
@@ -1,14 +1,21 @@
 import { Injectable, NgModule } from "@angular/core";
 import { ActivatedRouteSnapshot, RouteReuseStrategy, RouterModule, Routes } from "@angular/router";
 
-import { AuthGuard } from "@bitwarden/angular/auth/guards/auth.guard";
-import { LockGuard } from "@bitwarden/angular/auth/guards/lock.guard";
-import { UnauthGuard } from "@bitwarden/angular/auth/guards/unauth.guard";
+import {
+  redirectGuard,
+  AuthGuard,
+  lockGuard,
+  tdeDecryptionRequiredGuard,
+  UnauthGuard,
+} from "@bitwarden/angular/auth/guards";
+import { canAccessFeature } from "@bitwarden/angular/guard/feature-flag.guard";
+import { FeatureFlag } from "@bitwarden/common/enums/feature-flag.enum";
 
 import { EnvironmentComponent } from "../auth/popup/environment.component";
 import { HintComponent } from "../auth/popup/hint.component";
 import { HomeComponent } from "../auth/popup/home.component";
 import { LockComponent } from "../auth/popup/lock.component";
+import { LoginDecryptionOptionsComponent } from "../auth/popup/login-decryption-options/login-decryption-options.component";
 import { LoginWithDeviceComponent } from "../auth/popup/login-with-device.component";
 import { LoginComponent } from "../auth/popup/login.component";
 import { RegisterComponent } from "../auth/popup/register.component";
@@ -49,8 +56,9 @@ import { TabsComponent } from "./tabs.component";
 const routes: Routes = [
   {
     path: "",
-    redirectTo: "home",
     pathMatch: "full",
+    children: [], // Children lets us have an empty component.
+    canActivate: [redirectGuard({ loggedIn: "/tabs/vault", loggedOut: "/home", locked: "/lock" })],
   },
   {
     path: "vault",
@@ -72,13 +80,19 @@ const routes: Routes = [
   {
     path: "login-with-device",
     component: LoginWithDeviceComponent,
-    canActivate: [UnauthGuard],
+    canActivate: [],
+    data: { state: "login-with-device" },
+  },
+  {
+    path: "admin-approval-requested",
+    component: LoginWithDeviceComponent,
+    canActivate: [],
     data: { state: "login-with-device" },
   },
   {
     path: "lock",
     component: LockComponent,
-    canActivate: [LockGuard],
+    canActivate: [lockGuard()],
     data: { state: "lock" },
   },
   {
@@ -93,6 +107,14 @@ const routes: Routes = [
     canActivate: [UnauthGuard],
     data: { state: "2fa-options" },
   },
+  {
+    path: "login-initiated",
+    component: LoginDecryptionOptionsComponent,
+    canActivate: [
+      tdeDecryptionRequiredGuard(),
+      canAccessFeature(FeatureFlag.TrustedDeviceEncryption),
+    ],
+  },
   {
     path: "sso",
     component: SsoComponent,
diff --git a/apps/browser/src/popup/app.module.ts b/apps/browser/src/popup/app.module.ts
index 3665df7dec..f7539d6fa6 100644
--- a/apps/browser/src/popup/app.module.ts
+++ b/apps/browser/src/popup/app.module.ts
@@ -20,6 +20,7 @@ import { EnvironmentComponent } from "../auth/popup/environment.component";
 import { HintComponent } from "../auth/popup/hint.component";
 import { HomeComponent } from "../auth/popup/home.component";
 import { LockComponent } from "../auth/popup/lock.component";
+import { LoginDecryptionOptionsComponent } from "../auth/popup/login-decryption-options/login-decryption-options.component";
 import { LoginWithDeviceComponent } from "../auth/popup/login-with-device.component";
 import { LoginComponent } from "../auth/popup/login.component";
 import { RegisterComponent } from "../auth/popup/register.component";
@@ -121,6 +122,7 @@ import "../platform/popup/locales";
     LockComponent,
     LoginComponent,
     LoginWithDeviceComponent,
+    LoginDecryptionOptionsComponent,
     OptionsComponent,
     GeneratorComponent,
     PasswordGeneratorHistoryComponent,
diff --git a/apps/browser/src/popup/components/user-verification.component.html b/apps/browser/src/popup/components/user-verification.component.html
index 8d7f1ed870..25bd81cf39 100644
--- a/apps/browser/src/popup/components/user-verification.component.html
+++ b/apps/browser/src/popup/components/user-verification.component.html
@@ -1,4 +1,4 @@
-<ng-container *ngIf="!usesKeyConnector">
+<ng-container *ngIf="hasMasterPassword">
   <div class="box-content-row" appBoxRow>
     <label for="masterPassword">{{ "masterPass" | i18n }}</label>
     <input
@@ -14,7 +14,7 @@
     />
   </div>
 </ng-container>
-<ng-container *ngIf="usesKeyConnector">
+<ng-container *ngIf="!hasMasterPassword">
   <div class="box-content-row" appBoxRow>
     <label class="d-block">{{ "sendVerificationCode" | i18n }}</label>
     <button
diff --git a/apps/browser/src/popup/scss/base.scss b/apps/browser/src/popup/scss/base.scss
index c6afee2ce8..23d9bf0089 100644
--- a/apps/browser/src/popup/scss/base.scss
+++ b/apps/browser/src/popup/scss/base.scss
@@ -646,3 +646,37 @@ main {
     }
   }
 }
+
+#login-initiated {
+  .margin-auto {
+    margin: auto;
+  }
+  .mb-20px {
+    margin-bottom: 20px;
+  }
+
+  .mx-5px {
+    margin-left: 5px !important;
+    margin-right: 5px !important;
+  }
+
+  .muted-hr {
+    margin-top: 1rem;
+    margin-bottom: 1rem;
+    border-top: 1px solid rgba(0, 0, 0, 0.1);
+  }
+
+  .standard-x-margin {
+    margin-left: 5px;
+    margin-right: 5px;
+  }
+
+  .btn-top-margin {
+    margin-top: 12px;
+  }
+
+  #rememberThisDeviceHintText {
+    font-size: $font-size-small;
+    color: $text-muted;
+  }
+}
diff --git a/apps/browser/src/popup/services/services.module.ts b/apps/browser/src/popup/services/services.module.ts
index 13a6bdf502..191e2c7806 100644
--- a/apps/browser/src/popup/services/services.module.ts
+++ b/apps/browser/src/popup/services/services.module.ts
@@ -1,21 +1,21 @@
 import { APP_INITIALIZER, LOCALE_ID, NgModule } from "@angular/core";
 
-import { LockGuard as BaseLockGuardService } from "@bitwarden/angular/auth/guards/lock.guard";
-import { UnauthGuard as BaseUnauthGuardService } from "@bitwarden/angular/auth/guards/unauth.guard";
+import { UnauthGuard as BaseUnauthGuardService } from "@bitwarden/angular/auth/guards";
 import { MEMORY_STORAGE, SECURE_STORAGE } from "@bitwarden/angular/services/injection-tokens";
 import { JslibServicesModule } from "@bitwarden/angular/services/jslib-services.module";
 import { ThemingService } from "@bitwarden/angular/services/theming/theming.service";
 import { AbstractThemingService } from "@bitwarden/angular/services/theming/theming.service.abstraction";
 import { ApiService } from "@bitwarden/common/abstractions/api.service";
 import { AuditService } from "@bitwarden/common/abstractions/audit.service";
+import { DevicesServiceAbstraction } from "@bitwarden/common/abstractions/devices/devices.service.abstraction";
 import { EventCollectionService } from "@bitwarden/common/abstractions/event/event-collection.service";
 import { EventUploadService } from "@bitwarden/common/abstractions/event/event-upload.service";
 import { NotificationsService } from "@bitwarden/common/abstractions/notifications.service";
 import { SearchService as SearchServiceAbstraction } from "@bitwarden/common/abstractions/search.service";
 import { SettingsService } from "@bitwarden/common/abstractions/settings.service";
 import { TotpService } from "@bitwarden/common/abstractions/totp.service";
-import { VaultTimeoutService } from "@bitwarden/common/abstractions/vaultTimeout/vaultTimeout.service";
-import { VaultTimeoutSettingsService } from "@bitwarden/common/abstractions/vaultTimeout/vaultTimeoutSettings.service";
+import { VaultTimeoutSettingsService } from "@bitwarden/common/abstractions/vault-timeout/vault-timeout-settings.service";
+import { VaultTimeoutService } from "@bitwarden/common/abstractions/vault-timeout/vault-timeout.service";
 import { OrganizationService } from "@bitwarden/common/admin-console/abstractions/organization/organization.service.abstraction";
 import { PolicyApiServiceAbstraction } from "@bitwarden/common/admin-console/abstractions/policy/policy-api.service.abstraction";
 import {
@@ -24,7 +24,9 @@ import {
 } from "@bitwarden/common/admin-console/abstractions/policy/policy.service.abstraction";
 import { ProviderService } from "@bitwarden/common/admin-console/abstractions/provider.service";
 import { PolicyApiService } from "@bitwarden/common/admin-console/services/policy/policy-api.service";
+import { AuthRequestCryptoServiceAbstraction } from "@bitwarden/common/auth/abstractions/auth-request-crypto.service.abstraction";
 import { AuthService as AuthServiceAbstraction } from "@bitwarden/common/auth/abstractions/auth.service";
+import { DeviceTrustCryptoServiceAbstraction } from "@bitwarden/common/auth/abstractions/device-trust-crypto.service.abstraction";
 import { KeyConnectorService } from "@bitwarden/common/auth/abstractions/key-connector.service";
 import { LoginService as LoginServiceAbstraction } from "@bitwarden/common/auth/abstractions/login.service";
 import { TokenService } from "@bitwarden/common/auth/abstractions/token.service";
@@ -84,7 +86,7 @@ import { VaultExportServiceAbstraction } from "@bitwarden/exporter/vault-export"
 
 import { BrowserOrganizationService } from "../../admin-console/services/browser-organization.service";
 import { BrowserPolicyService } from "../../admin-console/services/browser-policy.service";
-import { LockGuardService, UnauthGuardService } from "../../auth/popup/services";
+import { UnauthGuardService } from "../../auth/popup/services";
 import { AutofillService } from "../../autofill/services/abstractions/autofill.service";
 import MainBackground from "../../background/main.background";
 import { Account } from "../../models/account";
@@ -144,7 +146,6 @@ function getBgService<T>(service: keyof MainBackground) {
       deps: [InitService],
       multi: true,
     },
-    { provide: BaseLockGuardService, useClass: LockGuardService },
     { provide: BaseUnauthGuardService, useClass: UnauthGuardService },
     { provide: PopupUtilsService, useFactory: () => new PopupUtilsService(isPrivateMode) },
     {
@@ -252,6 +253,21 @@ function getBgService<T>(service: keyof MainBackground) {
       },
       deps: [EncryptService],
     },
+    {
+      provide: AuthRequestCryptoServiceAbstraction,
+      useFactory: getBgService<AuthRequestCryptoServiceAbstraction>("authRequestCryptoService"),
+      deps: [],
+    },
+    {
+      provide: DeviceTrustCryptoServiceAbstraction,
+      useFactory: getBgService<DeviceTrustCryptoServiceAbstraction>("deviceTrustCryptoService"),
+      deps: [],
+    },
+    {
+      provide: DevicesServiceAbstraction,
+      useFactory: getBgService<DevicesServiceAbstraction>("devicesService"),
+      deps: [],
+    },
     {
       provide: EventUploadService,
       useFactory: getBgService<EventUploadService>("eventUploadService"),
diff --git a/apps/browser/src/popup/settings/settings.component.html b/apps/browser/src/popup/settings/settings.component.html
index 987127d3d8..6591d11cc1 100644
--- a/apps/browser/src/popup/settings/settings.component.html
+++ b/apps/browser/src/popup/settings/settings.component.html
@@ -71,28 +71,29 @@
       <div class="box-content-row display-block" appBoxRow>
         <label for="vaultTimeoutAction">{{ "vaultTimeoutAction" | i18n }}</label>
         <select
-          #vaultTimeoutActionSelect
           id="vaultTimeoutAction"
           name="VaultTimeoutActions"
           formControlName="vaultTimeoutAction"
         >
-          <option *ngFor="let o of vaultTimeoutActionOptions" [ngValue]="o.value">
-            {{ o.name }}
+          <option *ngFor="let action of availableVaultTimeoutActions" [ngValue]="action">
+            {{ action | i18n }}
           </option>
         </select>
       </div>
+      <div
+        *ngIf="!availableVaultTimeoutActions.includes(VaultTimeoutAction.Lock)"
+        id="unlockMethodHelp"
+        class="box-footer"
+      >
+        {{ "unlockMethodNeededToChangeTimeoutActionDesc" | i18n }}
+      </div>
       <div class="box-content-row box-content-row-checkbox" appBoxRow>
         <label for="pin">{{ "unlockWithPin" | i18n }}</label>
-        <input id="pin" type="checkbox" (change)="updatePin()" formControlName="pin" />
+        <input id="pin" type="checkbox" formControlName="pin" />
       </div>
       <div class="box-content-row box-content-row-checkbox" appBoxRow *ngIf="supportsBiometric">
         <label for="biometric">{{ "unlockWithBiometrics" | i18n }}</label>
-        <input
-          id="biometric"
-          type="checkbox"
-          (change)="updateBiometric()"
-          formControlName="biometric"
-        />
+        <input id="biometric" type="checkbox" formControlName="biometric" />
       </div>
       <div
         class="box-content-row box-content-row-checkbox"
@@ -108,6 +109,7 @@
         />
       </div>
       <button
+        *ngIf="availableVaultTimeoutActions.includes(VaultTimeoutAction.Lock)"
         type="button"
         class="box-content-row box-content-row-flex text-default"
         appStopClick
diff --git a/apps/browser/src/popup/settings/settings.component.ts b/apps/browser/src/popup/settings/settings.component.ts
index 38f7a15819..30a1f03eac 100644
--- a/apps/browser/src/popup/settings/settings.component.ts
+++ b/apps/browser/src/popup/settings/settings.component.ts
@@ -1,15 +1,28 @@
-import { Component, ElementRef, OnInit, ViewChild } from "@angular/core";
+import { ChangeDetectorRef, Component, OnInit } from "@angular/core";
 import { FormBuilder } from "@angular/forms";
 import { Router } from "@angular/router";
-import { concatMap, debounceTime, filter, map, Observable, Subject, takeUntil, tap } from "rxjs";
+import {
+  BehaviorSubject,
+  combineLatest,
+  concatMap,
+  distinctUntilChanged,
+  filter,
+  firstValueFrom,
+  map,
+  Observable,
+  pairwise,
+  Subject,
+  switchMap,
+  takeUntil,
+} from "rxjs";
 import Swal from "sweetalert2";
 
 import { ModalService } from "@bitwarden/angular/services/modal.service";
-import { VaultTimeoutService } from "@bitwarden/common/abstractions/vaultTimeout/vaultTimeout.service";
-import { VaultTimeoutSettingsService } from "@bitwarden/common/abstractions/vaultTimeout/vaultTimeoutSettings.service";
+import { VaultTimeoutSettingsService } from "@bitwarden/common/abstractions/vault-timeout/vault-timeout-settings.service";
+import { VaultTimeoutService } from "@bitwarden/common/abstractions/vault-timeout/vault-timeout.service";
 import { PolicyService } from "@bitwarden/common/admin-console/abstractions/policy/policy.service.abstraction";
 import { PolicyType } from "@bitwarden/common/admin-console/enums";
-import { KeyConnectorService } from "@bitwarden/common/auth/abstractions/key-connector.service";
+import { UserVerificationService } from "@bitwarden/common/auth/abstractions/user-verification/user-verification.service.abstraction";
 import { DeviceType } from "@bitwarden/common/enums";
 import { VaultTimeoutAction } from "@bitwarden/common/enums/vault-timeout-action.enum";
 import { CryptoService } from "@bitwarden/common/platform/abstractions/crypto.service";
@@ -47,16 +60,15 @@ const RateUrls = {
 })
 // eslint-disable-next-line rxjs-angular/prefer-takeuntil
 export class SettingsComponent implements OnInit {
-  @ViewChild("vaultTimeoutActionSelect", { read: ElementRef, static: true })
-  vaultTimeoutActionSelectRef: ElementRef;
+  protected readonly VaultTimeoutAction = VaultTimeoutAction;
+
+  availableVaultTimeoutActions: VaultTimeoutAction[] = [];
   vaultTimeoutOptions: any[];
-  vaultTimeoutActionOptions: any[];
   vaultTimeoutPolicyCallout: Observable<{
     timeout: { hours: number; minutes: number };
     action: VaultTimeoutAction;
   }>;
   supportsBiometric: boolean;
-  previousVaultTimeout: number = null;
   showChangeMasterPass = true;
 
   form = this.formBuilder.group({
@@ -67,6 +79,7 @@ export class SettingsComponent implements OnInit {
     enableAutoBiometricsPrompt: true,
   });
 
+  private refreshTimeoutSettings$ = new BehaviorSubject<void>(undefined);
   private destroy$ = new Subject<void>();
 
   constructor(
@@ -83,12 +96,14 @@ export class SettingsComponent implements OnInit {
     private stateService: StateService,
     private popupUtilsService: PopupUtilsService,
     private modalService: ModalService,
-    private keyConnectorService: KeyConnectorService,
-    private dialogService: DialogService
+    private userVerificationService: UserVerificationService,
+    private dialogService: DialogService,
+    private changeDetectorRef: ChangeDetectorRef
   ) {}
 
   async ngOnInit() {
-    this.vaultTimeoutPolicyCallout = this.policyService.get$(PolicyType.MaximumVaultTimeout).pipe(
+    const maximumVaultTimeoutPolicy = this.policyService.get$(PolicyType.MaximumVaultTimeout);
+    this.vaultTimeoutPolicyCallout = maximumVaultTimeoutPolicy.pipe(
       filter((policy) => policy != null),
       map((policy) => {
         let timeout;
@@ -99,13 +114,6 @@ export class SettingsComponent implements OnInit {
           };
         }
         return { timeout: timeout, action: policy.data?.action };
-      }),
-      tap((policy) => {
-        if (policy.action) {
-          this.form.controls.vaultTimeoutAction.disable({ emitEvent: false });
-        } else {
-          this.form.controls.vaultTimeoutAction.enable({ emitEvent: false });
-        }
       })
     );
 
@@ -131,35 +139,17 @@ export class SettingsComponent implements OnInit {
     this.vaultTimeoutOptions.push({ name: this.i18nService.t("onRestart"), value: -1 });
     this.vaultTimeoutOptions.push({ name: this.i18nService.t("never"), value: null });
 
-    this.vaultTimeoutActionOptions = [
-      { name: this.i18nService.t(VaultTimeoutAction.Lock), value: VaultTimeoutAction.Lock },
-      { name: this.i18nService.t(VaultTimeoutAction.LogOut), value: VaultTimeoutAction.LogOut },
-    ];
-
     let timeout = await this.vaultTimeoutSettingsService.getVaultTimeout();
     if (timeout === -2 && !showOnLocked) {
       timeout = -1;
     }
-    const pinSet = await this.vaultTimeoutSettingsService.isPinLockSet();
-
-    const initialValues = {
-      vaultTimeout: timeout,
-      vaultTimeoutAction: await this.vaultTimeoutSettingsService.getVaultTimeoutAction(),
-      pin: pinSet[0] || pinSet[1],
-      biometric: await this.vaultTimeoutSettingsService.isBiometricLockSet(),
-      enableAutoBiometricsPrompt: !(await this.stateService.getDisableAutoBiometricsPrompt()),
-    };
-    this.form.setValue(initialValues, { emitEvent: false });
-
-    this.previousVaultTimeout = timeout;
-    this.supportsBiometric = await this.platformUtilsService.supportsBiometric();
-    this.showChangeMasterPass = !(await this.keyConnectorService.getUsesKeyConnector());
+    const pinStatus = await this.vaultTimeoutSettingsService.isPinLockSet();
 
     this.form.controls.vaultTimeout.valueChanges
       .pipe(
-        debounceTime(250),
-        concatMap(async (value) => {
-          await this.saveVaultTimeout(value);
+        pairwise(),
+        concatMap(async ([previousValue, newValue]) => {
+          await this.saveVaultTimeout(previousValue, newValue);
         }),
         takeUntil(this.destroy$)
       )
@@ -167,25 +157,94 @@ export class SettingsComponent implements OnInit {
 
     this.form.controls.vaultTimeoutAction.valueChanges
       .pipe(
-        concatMap(async (action) => {
-          await this.saveVaultTimeoutAction(action);
+        pairwise(),
+        concatMap(async ([previousValue, newValue]) => {
+          await this.saveVaultTimeoutAction(previousValue, newValue);
+        }),
+        takeUntil(this.destroy$)
+      )
+      .subscribe();
+
+    const initialValues = {
+      vaultTimeout: timeout,
+      vaultTimeoutAction: await firstValueFrom(
+        this.vaultTimeoutSettingsService.vaultTimeoutAction$()
+      ),
+      pin: pinStatus !== "DISABLED",
+      biometric: await this.vaultTimeoutSettingsService.isBiometricLockSet(),
+      enableAutoBiometricsPrompt: !(await this.stateService.getDisableAutoBiometricsPrompt()),
+    };
+    this.form.patchValue(initialValues); // Emit event to initialize `pairwise` operator
+
+    this.supportsBiometric = await this.platformUtilsService.supportsBiometric();
+    this.showChangeMasterPass = await this.userVerificationService.hasMasterPassword();
+
+    this.form.controls.pin.valueChanges
+      .pipe(
+        concatMap(async (value) => {
+          await this.updatePin(value);
+          this.refreshTimeoutSettings$.next();
         }),
         takeUntil(this.destroy$)
       )
       .subscribe();
 
     this.form.controls.biometric.valueChanges
-      .pipe(takeUntil(this.destroy$))
-      .subscribe((enabled) => {
-        if (enabled) {
-          this.form.controls.enableAutoBiometricsPrompt.enable();
+      .pipe(
+        distinctUntilChanged(),
+        concatMap(async (enabled) => {
+          await this.updateBiometric(enabled);
+          if (enabled) {
+            this.form.controls.enableAutoBiometricsPrompt.enable();
+          } else {
+            this.form.controls.enableAutoBiometricsPrompt.disable();
+          }
+          this.refreshTimeoutSettings$.next();
+        }),
+        takeUntil(this.destroy$)
+      )
+      .subscribe();
+
+    this.refreshTimeoutSettings$
+      .pipe(
+        switchMap(() =>
+          combineLatest([
+            this.vaultTimeoutSettingsService.availableVaultTimeoutActions$(),
+            this.vaultTimeoutSettingsService.vaultTimeoutAction$(),
+          ])
+        ),
+        takeUntil(this.destroy$)
+      )
+      .subscribe(([availableActions, action]) => {
+        this.availableVaultTimeoutActions = availableActions;
+        this.form.controls.vaultTimeoutAction.setValue(action, { emitEvent: false });
+        // NOTE: The UI doesn't properly update without detect changes.
+        // I've even tried using an async pipe, but it still doesn't work. I'm not sure why.
+        // Using an async pipe means that we can't call `detectChanges` AFTER the data has change
+        // meaning that we are forced to use regular class variables instead of observables.
+        this.changeDetectorRef.detectChanges();
+      });
+
+    this.refreshTimeoutSettings$
+      .pipe(
+        switchMap(() =>
+          combineLatest([
+            this.vaultTimeoutSettingsService.availableVaultTimeoutActions$(),
+            maximumVaultTimeoutPolicy,
+          ])
+        ),
+        takeUntil(this.destroy$)
+      )
+      .subscribe(([availableActions, policy]) => {
+        if (policy?.data?.action || availableActions.length <= 1) {
+          this.form.controls.vaultTimeoutAction.disable({ emitEvent: false });
         } else {
-          this.form.controls.enableAutoBiometricsPrompt.disable();
+          this.form.controls.vaultTimeoutAction.enable({ emitEvent: false });
         }
       });
   }
 
-  async saveVaultTimeout(newValue: number) {
+  async saveVaultTimeout(previousValue: number, newValue: number) {
     if (newValue == null) {
       const confirmed = await this.dialogService.openSimpleDialog({
         title: { key: "warning" },
@@ -194,7 +253,7 @@ export class SettingsComponent implements OnInit {
       });
 
       if (!confirmed) {
-        this.form.controls.vaultTimeout.setValue(this.previousVaultTimeout);
+        this.form.controls.vaultTimeout.setValue(previousValue, { emitEvent: false });
         return;
       }
     }
@@ -210,18 +269,16 @@ export class SettingsComponent implements OnInit {
       return;
     }
 
-    this.previousVaultTimeout = this.form.value.vaultTimeout;
-
     await this.vaultTimeoutSettingsService.setVaultTimeoutOptions(
       newValue,
       this.form.value.vaultTimeoutAction
     );
-    if (this.previousVaultTimeout == null) {
+    if (newValue == null) {
       this.messagingService.send("bgReseedStorage");
     }
   }
 
-  async saveVaultTimeoutAction(newValue: VaultTimeoutAction) {
+  async saveVaultTimeoutAction(previousValue: VaultTimeoutAction, newValue: VaultTimeoutAction) {
     if (newValue === VaultTimeoutAction.LogOut) {
       const confirmed = await this.dialogService.openSimpleDialog({
         title: { key: "vaultTimeoutLogOutConfirmationTitle" },
@@ -230,13 +287,7 @@ export class SettingsComponent implements OnInit {
       });
 
       if (!confirmed) {
-        this.vaultTimeoutActionOptions.forEach((option: any, i) => {
-          if (option.value === this.form.value.vaultTimeoutAction) {
-            this.vaultTimeoutActionSelectRef.nativeElement.value =
-              i + ": " + this.form.value.vaultTimeoutAction;
-          }
-        });
-        this.form.controls.vaultTimeoutAction.patchValue(VaultTimeoutAction.Lock, {
+        this.form.controls.vaultTimeoutAction.setValue(previousValue, {
           emitEvent: false,
         });
         return;
@@ -256,26 +307,26 @@ export class SettingsComponent implements OnInit {
       this.form.value.vaultTimeout,
       newValue
     );
+    this.refreshTimeoutSettings$.next();
   }
 
-  async updatePin() {
-    if (this.form.value.pin) {
+  async updatePin(value: boolean) {
+    if (value) {
       const ref = this.modalService.open(SetPinComponent, { allowMultipleModals: true });
 
       if (ref == null) {
-        this.form.controls.pin.setValue(false);
+        this.form.controls.pin.setValue(false, { emitEvent: false });
         return;
       }
 
-      this.form.controls.pin.setValue(await ref.onClosedPromise());
+      this.form.controls.pin.setValue(await ref.onClosedPromise(), { emitEvent: false });
     } else {
-      await this.cryptoService.clearPinProtectedKey();
       await this.vaultTimeoutSettingsService.clear();
     }
   }
 
-  async updateBiometric() {
-    if (this.form.value.biometric && this.supportsBiometric) {
+  async updateBiometric(enabled: boolean) {
+    if (enabled && this.supportsBiometric) {
       let granted;
       try {
         granted = await BrowserApi.requestPermission({ permissions: ["nativeMessaging"] });
@@ -324,7 +375,7 @@ export class SettingsComponent implements OnInit {
       });
 
       await this.stateService.setBiometricAwaitingAcceptance(true);
-      await this.cryptoService.toggleKey();
+      await this.cryptoService.refreshAdditionalKeys();
 
       await Promise.race([
         submitted.then(async (result) => {
@@ -339,7 +390,7 @@ export class SettingsComponent implements OnInit {
             this.form.controls.biometric.setValue(result);
 
             Swal.close();
-            if (this.form.value.biometric === false) {
+            if (!result) {
               this.platformUtilsService.showToast(
                 "error",
                 this.i18nService.t("errorEnableBiometricTitle"),
diff --git a/apps/browser/src/safari/safari/SafariWebExtensionHandler.swift b/apps/browser/src/safari/safari/SafariWebExtensionHandler.swift
index 80ea214b4b..9536945340 100644
--- a/apps/browser/src/safari/safari/SafariWebExtensionHandler.swift
+++ b/apps/browser/src/safari/safari/SafariWebExtensionHandler.swift
@@ -19,11 +19,11 @@ class SafariWebExtensionHandler: NSObject, NSExtensionRequestHandling {
         os_log(.default, "Received message from browser.runtime.sendNativeMessage: %@", message as! CVarArg)
 
         let response = NSExtensionItem()
-        
+
         guard let command = message?["command"] as? String else {
             return
         }
-        
+
         switch (command) {
         case "readFromClipboard":
             let pasteboard = NSPasteboard.general
@@ -59,12 +59,12 @@ class SafariWebExtensionHandler: NSObject, NSExtensionRequestHandling {
             guard let data = blobData else {
                 return
             }
-            
+
             let panel = NSSavePanel()
             panel.canCreateDirectories = true
             panel.nameFieldStringValue = dlMsg.fileName
             let response = panel.runModal();
-           
+
             if response == NSApplication.ModalResponse.OK {
                 if let url = panel.url {
                     do {
@@ -87,12 +87,12 @@ class SafariWebExtensionHandler: NSObject, NSExtensionRequestHandling {
             }
             return
         case "biometricUnlock":
-            
+
             var error: NSError?
             let laContext = LAContext()
-            
+
             laContext.canEvaluatePolicy(.deviceOwnerAuthenticationWithBiometrics, error: &error)
-            
+
             if let e = error, e.code != kLAErrorBiometryLockout {
                 response.userInfo = [
                     SFExtensionMessageKey: [
@@ -123,26 +123,32 @@ class SafariWebExtensionHandler: NSObject, NSExtensionRequestHandling {
                     guard let userId = message?["userId"] as? String else {
                         return
                     }
-                    let passwordName = userId + "_masterkey_biometric"
+                    let passwordName = userId + "_user_biometric"
                     var passwordLength: UInt32 = 0
                     var passwordPtr: UnsafeMutableRawPointer? = nil
-                    
+
                     var status = SecKeychainFindGenericPassword(nil, UInt32(ServiceNameBiometric.utf8.count), ServiceNameBiometric, UInt32(passwordName.utf8.count), passwordName, &passwordLength, &passwordPtr, nil)
                     if status != errSecSuccess {
                         let fallbackName = "key"
                         status = SecKeychainFindGenericPassword(nil, UInt32(ServiceNameBiometric.utf8.count), ServiceNameBiometric, UInt32(fallbackName.utf8.count), fallbackName, &passwordLength, &passwordPtr, nil)
                     }
-    
+
+                    // TODO: Remove after 2023.10 release (https://bitwarden.atlassian.net/browse/PM-3473)
+                    if status != errSecSuccess {
+                        let secondaryFallbackName = "_masterkey_biometric"
+                        status = SecKeychainFindGenericPassword(nil, UInt32(ServiceNameBiometric.utf8.count), ServiceNameBiometric, UInt32(secondaryFallbackName.utf8.count), secondaryFallbackName, &passwordLength, &passwordPtr, nil)
+                    }
+
                     if status == errSecSuccess {
                         let result = NSString(bytes: passwordPtr!, length: Int(passwordLength), encoding: String.Encoding.utf8.rawValue) as String?
                                     SecKeychainItemFreeContent(nil, passwordPtr)
-                        
+
                         response.userInfo = [ SFExtensionMessageKey: [
                             "message": [
                                 "command": "biometricUnlock",
                                 "response": "unlocked",
                                 "timestamp": Int64(NSDate().timeIntervalSince1970 * 1000),
-                                "keyB64": result!.replacingOccurrences(of: "\"", with: ""),
+                                "userKeyB64": result!.replacingOccurrences(of: "\"", with: ""),
                             ],
                         ]]
                     } else {
@@ -157,10 +163,10 @@ class SafariWebExtensionHandler: NSObject, NSExtensionRequestHandling {
                         ]
                     }
                 }
-                
+
                 context.completeRequest(returningItems: [response], completionHandler: nil)
             }
-            
+
             return
         default:
             return
diff --git a/apps/browser/src/services/vaultTimeout/vaultTimeout.service.ts b/apps/browser/src/services/vault-timeout/vault-timeout.service.ts
similarity index 93%
rename from apps/browser/src/services/vaultTimeout/vaultTimeout.service.ts
rename to apps/browser/src/services/vault-timeout/vault-timeout.service.ts
index b75a0c2032..228c63f0b8 100644
--- a/apps/browser/src/services/vaultTimeout/vaultTimeout.service.ts
+++ b/apps/browser/src/services/vault-timeout/vault-timeout.service.ts
@@ -1,4 +1,4 @@
-import { VaultTimeoutService as BaseVaultTimeoutService } from "@bitwarden/common/services/vaultTimeout/vaultTimeout.service";
+import { VaultTimeoutService as BaseVaultTimeoutService } from "@bitwarden/common/services/vault-timeout/vault-timeout.service";
 
 import { SafariApp } from "../../browser/safariApp";
 
diff --git a/apps/cli/src/auth/commands/lock.command.ts b/apps/cli/src/auth/commands/lock.command.ts
index 3a33024a6f..912d4a7491 100644
--- a/apps/cli/src/auth/commands/lock.command.ts
+++ b/apps/cli/src/auth/commands/lock.command.ts
@@ -1,4 +1,4 @@
-import { VaultTimeoutService } from "@bitwarden/common/abstractions/vaultTimeout/vaultTimeout.service";
+import { VaultTimeoutService } from "@bitwarden/common/abstractions/vault-timeout/vault-timeout.service";
 
 import { Response } from "../../models/response";
 import { MessageResponse } from "../../models/response/message.response";
diff --git a/apps/cli/src/auth/commands/login.command.ts b/apps/cli/src/auth/commands/login.command.ts
index fe9284e2e8..c6e16ccecd 100644
--- a/apps/cli/src/auth/commands/login.command.ts
+++ b/apps/cli/src/auth/commands/login.command.ts
@@ -406,15 +406,15 @@ export class LoginCommand {
     }
 
     try {
-      const { newPasswordHash, newEncKey, hint } = await this.collectNewMasterPasswordDetails(
+      const { newPasswordHash, newUserKey, hint } = await this.collectNewMasterPasswordDetails(
         "Your master password does not meet one or more of your organization policies. In order to access the vault, you must update your master password now."
       );
 
       const request = new PasswordRequest();
-      request.masterPasswordHash = await this.cryptoService.hashPassword(currentPassword, null);
+      request.masterPasswordHash = await this.cryptoService.hashMasterKey(currentPassword, null);
       request.masterPasswordHint = hint;
       request.newMasterPasswordHash = newPasswordHash;
-      request.key = newEncKey[1].encryptedString;
+      request.key = newUserKey[1].encryptedString;
 
       await this.apiService.postPassword(request);
 
@@ -444,12 +444,12 @@ export class LoginCommand {
     }
 
     try {
-      const { newPasswordHash, newEncKey, hint } = await this.collectNewMasterPasswordDetails(
+      const { newPasswordHash, newUserKey, hint } = await this.collectNewMasterPasswordDetails(
         "An organization administrator recently changed your master password. In order to access the vault, you must update your master password now."
       );
 
       const request = new UpdateTempPasswordRequest();
-      request.key = newEncKey[1].encryptedString;
+      request.key = newUserKey[1].encryptedString;
       request.newMasterPasswordHash = newPasswordHash;
       request.masterPasswordHint = hint;
 
@@ -467,8 +467,8 @@ export class LoginCommand {
 
   /**
    * Collect new master password and hint from the CLI. The collected password
-   * is validated against any applicable master password policies and a new encryption
-   * key is generated
+   * is validated against any applicable master password policies, a new master
+   * key is generated, and we use it to re-encrypt the user key
    * @param prompt - Message that is displayed during the initial prompt
    * @param error
    */
@@ -477,7 +477,7 @@ export class LoginCommand {
     error?: string
   ): Promise<{
     newPasswordHash: string;
-    newEncKey: [SymmetricCryptoKey, EncString];
+    newUserKey: [SymmetricCryptoKey, EncString];
     hint?: string;
   }> {
     if (this.email == null || this.email === "undefined") {
@@ -559,21 +559,24 @@ export class LoginCommand {
     const kdfConfig = await this.stateService.getKdfConfig();
 
     // Create new key and hash new password
-    const newKey = await this.cryptoService.makeKey(
+    const newMasterKey = await this.cryptoService.makeMasterKey(
       masterPassword,
       this.email.trim().toLowerCase(),
       kdf,
       kdfConfig
     );
-    const newPasswordHash = await this.cryptoService.hashPassword(masterPassword, newKey);
+    const newPasswordHash = await this.cryptoService.hashMasterKey(masterPassword, newMasterKey);
 
-    // Grab user's current enc key
-    const userEncKey = await this.cryptoService.getEncKey();
+    // Grab user key
+    const userKey = await this.cryptoService.getUserKey();
+    if (!userKey) {
+      throw new Error("User key not found.");
+    }
 
-    // Create new encKey for the User
-    const newEncKey = await this.cryptoService.remakeEncKey(newKey, userEncKey);
+    // Re-encrypt user key with new master key
+    const newUserKey = await this.cryptoService.encryptUserKeyWithMasterKey(newMasterKey, userKey);
 
-    return { newPasswordHash, newEncKey, hint: masterPasswordHint };
+    return { newPasswordHash, newUserKey: newUserKey, hint: masterPasswordHint };
   }
 
   private async handleCaptchaRequired(
diff --git a/apps/cli/src/auth/commands/unlock.command.ts b/apps/cli/src/auth/commands/unlock.command.ts
index 3062567212..9901fe2930 100644
--- a/apps/cli/src/auth/commands/unlock.command.ts
+++ b/apps/cli/src/auth/commands/unlock.command.ts
@@ -44,17 +44,17 @@ export class UnlockCommand {
     const email = await this.stateService.getEmail();
     const kdf = await this.stateService.getKdfType();
     const kdfConfig = await this.stateService.getKdfConfig();
-    const key = await this.cryptoService.makeKey(password, email, kdf, kdfConfig);
-    const storedKeyHash = await this.cryptoService.getKeyHash();
+    const masterKey = await this.cryptoService.makeMasterKey(password, email, kdf, kdfConfig);
+    const storedKeyHash = await this.cryptoService.getMasterKeyHash();
 
     let passwordValid = false;
-    if (key != null) {
+    if (masterKey != null) {
       if (storedKeyHash != null) {
-        passwordValid = await this.cryptoService.compareAndUpdateKeyHash(password, key);
+        passwordValid = await this.cryptoService.compareAndUpdateKeyHash(password, masterKey);
       } else {
-        const serverKeyHash = await this.cryptoService.hashPassword(
+        const serverKeyHash = await this.cryptoService.hashMasterKey(
           password,
-          key,
+          masterKey,
           HashPurpose.ServerAuthorization
         );
         const request = new SecretVerificationRequest();
@@ -62,12 +62,12 @@ export class UnlockCommand {
         try {
           await this.apiService.postAccountVerifyPassword(request);
           passwordValid = true;
-          const localKeyHash = await this.cryptoService.hashPassword(
+          const localKeyHash = await this.cryptoService.hashMasterKey(
             password,
-            key,
+            masterKey,
             HashPurpose.LocalAuthorization
           );
-          await this.cryptoService.setKeyHash(localKeyHash);
+          await this.cryptoService.setMasterKeyHash(localKeyHash);
         } catch {
           // Ignore
         }
@@ -75,7 +75,9 @@ export class UnlockCommand {
     }
 
     if (passwordValid) {
-      await this.cryptoService.setKey(key);
+      await this.cryptoService.setMasterKey(masterKey);
+      const userKey = await this.cryptoService.decryptUserKeyWithMasterKey(masterKey);
+      await this.cryptoService.setUserKey(userKey);
 
       if (await this.keyConnectorService.getConvertAccountRequired()) {
         const convertToKeyConnectorCommand = new ConvertToKeyConnectorCommand(
diff --git a/apps/cli/src/bw.ts b/apps/cli/src/bw.ts
index 29c1443a71..1bcaa1a2ac 100644
--- a/apps/cli/src/bw.ts
+++ b/apps/cli/src/bw.ts
@@ -12,7 +12,13 @@ import { OrganizationService } from "@bitwarden/common/admin-console/services/or
 import { PolicyApiService } from "@bitwarden/common/admin-console/services/policy/policy-api.service";
 import { PolicyService } from "@bitwarden/common/admin-console/services/policy/policy.service";
 import { ProviderService } from "@bitwarden/common/admin-console/services/provider.service";
+import { AuthRequestCryptoServiceAbstraction } from "@bitwarden/common/auth/abstractions/auth-request-crypto.service.abstraction";
+import { DeviceTrustCryptoServiceAbstraction } from "@bitwarden/common/auth/abstractions/device-trust-crypto.service.abstraction";
+import { DevicesApiServiceAbstraction } from "@bitwarden/common/auth/abstractions/devices-api.service.abstraction";
+import { AuthRequestCryptoServiceImplementation } from "@bitwarden/common/auth/services/auth-request-crypto.service.implementation";
 import { AuthService } from "@bitwarden/common/auth/services/auth.service";
+import { DeviceTrustCryptoService } from "@bitwarden/common/auth/services/device-trust-crypto.service.implementation";
+import { DevicesApiServiceImplementation } from "@bitwarden/common/auth/services/devices-api.service.implementation";
 import { KeyConnectorService } from "@bitwarden/common/auth/services/key-connector.service";
 import { TokenService } from "@bitwarden/common/auth/services/token.service";
 import { TwoFactorService } from "@bitwarden/common/auth/services/two-factor.service";
@@ -38,8 +44,8 @@ import { OrganizationUserServiceImplementation } from "@bitwarden/common/service
 import { SearchService } from "@bitwarden/common/services/search.service";
 import { SettingsService } from "@bitwarden/common/services/settings.service";
 import { TotpService } from "@bitwarden/common/services/totp.service";
-import { VaultTimeoutService } from "@bitwarden/common/services/vaultTimeout/vaultTimeout.service";
-import { VaultTimeoutSettingsService } from "@bitwarden/common/services/vaultTimeout/vaultTimeoutSettings.service";
+import { VaultTimeoutSettingsService } from "@bitwarden/common/services/vault-timeout/vault-timeout-settings.service";
+import { VaultTimeoutService } from "@bitwarden/common/services/vault-timeout/vault-timeout.service";
 import {
   PasswordGenerationService,
   PasswordGenerationServiceAbstraction,
@@ -140,6 +146,9 @@ export class Main {
   organizationApiService: OrganizationApiServiceAbstraction;
   syncNotifierService: SyncNotifierService;
   sendApiService: SendApiService;
+  devicesApiService: DevicesApiServiceAbstraction;
+  deviceTrustCryptoService: DeviceTrustCryptoServiceAbstraction;
+  authRequestCryptoService: AuthRequestCryptoServiceAbstraction;
 
   constructor() {
     let p = null;
@@ -315,6 +324,20 @@ export class Main {
       this.stateService
     );
 
+    this.devicesApiService = new DevicesApiServiceImplementation(this.apiService);
+    this.deviceTrustCryptoService = new DeviceTrustCryptoService(
+      this.cryptoFunctionService,
+      this.cryptoService,
+      this.encryptService,
+      this.stateService,
+      this.appIdService,
+      this.devicesApiService,
+      this.i18nService,
+      this.platformUtilsService
+    );
+
+    this.authRequestCryptoService = new AuthRequestCryptoServiceImplementation(this.cryptoService);
+
     this.authService = new AuthService(
       this.cryptoService,
       this.apiService,
@@ -330,17 +353,27 @@ export class Main {
       this.i18nService,
       this.encryptService,
       this.passwordStrengthService,
-      this.policyService
+      this.policyService,
+      this.deviceTrustCryptoService,
+      this.authRequestCryptoService
     );
 
-    const lockedCallback = async () =>
-      await this.cryptoService.clearStoredKey(KeySuffixOptions.Auto);
+    const lockedCallback = async (userId?: string) =>
+      await this.cryptoService.clearStoredUserKey(KeySuffixOptions.Auto);
+
+    this.userVerificationService = new UserVerificationService(
+      this.stateService,
+      this.cryptoService,
+      this.i18nService,
+      this.userVerificationApiService
+    );
 
     this.vaultTimeoutSettingsService = new VaultTimeoutSettingsService(
       this.cryptoService,
       this.tokenService,
       this.policyService,
-      this.stateService
+      this.stateService,
+      this.userVerificationService
     );
 
     this.vaultTimeoutService = new VaultTimeoutService(
@@ -351,7 +384,6 @@ export class Main {
       this.platformUtilsService,
       this.messagingService,
       this.searchService,
-      this.keyConnectorService,
       this.stateService,
       this.authService,
       this.vaultTimeoutSettingsService,
@@ -406,12 +438,6 @@ export class Main {
     this.sendProgram = new SendProgram(this);
 
     this.userVerificationApiService = new UserVerificationApiService(this.apiService);
-
-    this.userVerificationService = new UserVerificationService(
-      this.cryptoService,
-      this.i18nService,
-      this.userVerificationApiService
-    );
   }
 
   async run() {
diff --git a/apps/cli/src/commands/serve.command.ts b/apps/cli/src/commands/serve.command.ts
index 8808dcaafb..78c7c0c481 100644
--- a/apps/cli/src/commands/serve.command.ts
+++ b/apps/cli/src/commands/serve.command.ts
@@ -5,7 +5,6 @@ import * as koa from "koa";
 import * as koaBodyParser from "koa-bodyparser";
 import * as koaJson from "koa-json";
 
-import { KeySuffixOptions } from "@bitwarden/common/enums";
 import { Utils } from "@bitwarden/common/platform/misc/utils";
 
 import { ConfirmCommand } from "../admin-console/commands/confirm.command";
@@ -425,11 +424,7 @@ export class ServeCommand {
       this.processResponse(res, Response.error("You are not logged in."));
       return true;
     }
-    if (await this.main.cryptoService.hasKeyInMemory()) {
-      return false;
-    } else if (await this.main.cryptoService.hasKeyStored(KeySuffixOptions.Auto)) {
-      // load key into memory
-      await this.main.cryptoService.getKey();
+    if (await this.main.cryptoService.hasUserKey()) {
       return false;
     }
     this.processResponse(res, Response.error("Vault is locked."));
diff --git a/apps/cli/src/program.ts b/apps/cli/src/program.ts
index 700a31b3c6..9eca236a3a 100644
--- a/apps/cli/src/program.ts
+++ b/apps/cli/src/program.ts
@@ -2,7 +2,6 @@ import * as chalk from "chalk";
 import * as program from "commander";
 
 import { AuthenticationStatus } from "@bitwarden/common/auth/enums/authentication-status";
-import { KeySuffixOptions } from "@bitwarden/common/enums";
 
 import { LockCommand } from "./auth/commands/lock.command";
 import { LoginCommand } from "./auth/commands/login.command";
@@ -597,11 +596,8 @@ export class Program {
 
   protected async exitIfLocked() {
     await this.exitIfNotAuthed();
-    if (await this.main.cryptoService.hasKeyInMemory()) {
+    if (await this.main.cryptoService.hasUserKey()) {
       return;
-    } else if (await this.main.cryptoService.hasKeyStored(KeySuffixOptions.Auto)) {
-      // load key into memory
-      await this.main.cryptoService.getKey();
     } else if (process.env.BW_NOINTERACTION !== "true") {
       // must unlock
       if (await this.main.keyConnectorService.getUsesKeyConnector()) {
diff --git a/apps/cli/src/vault/create.command.ts b/apps/cli/src/vault/create.command.ts
index 49a61e6e59..3f4d53e973 100644
--- a/apps/cli/src/vault/create.command.ts
+++ b/apps/cli/src/vault/create.command.ts
@@ -126,8 +126,8 @@ export class CreateCommand {
       return Response.error("Premium status is required to use this feature.");
     }
 
-    const encKey = await this.cryptoService.getEncKey();
-    if (encKey == null) {
+    const userKey = await this.cryptoService.getUserKey();
+    if (userKey == null) {
       return Response.error(
         "You must update your encryption key before you can use this feature. " +
           "See https://help.bitwarden.com/article/update-encryption-key/"
diff --git a/apps/desktop/src/app/accounts/settings.component.html b/apps/desktop/src/app/accounts/settings.component.html
index 30deb88cfa..c3087809c0 100644
--- a/apps/desktop/src/app/accounts/settings.component.html
+++ b/apps/desktop/src/app/accounts/settings.component.html
@@ -55,43 +55,69 @@
                 [formControl]="form.controls.vaultTimeout"
                 ngDefaultControl
               ></app-vault-timeout-input>
-              <div class="form-group">
-                <label>{{ "vaultTimeoutAction" | i18n }}</label>
-                <div class="radio radio-mt-2">
-                  <label for="vaultTimeoutActionLock">
-                    <input
-                      type="radio"
-                      id="vaultTimeoutActionLock"
-                      value="{{ VaultTimeoutAction.Lock }}"
-                      aria-describedby="vaultTimeoutActionLockHelp"
-                      formControlName="vaultTimeoutAction"
-                    />
-                    {{ "lock" | i18n }}
-                  </label>
+              <ng-container
+                *ngIf="availableVaultTimeoutActions$ | async as availableVaultTimeoutActions"
+              >
+                <div class="form-group">
+                  <label>{{ "vaultTimeoutAction" | i18n }}</label>
+                  <div class="radio radio-mt-2">
+                    <label for="vaultTimeoutActionLock">
+                      <!--
+                        Using [attr.disabled] because reactive forms don't support disabling individual radio buttons, see:
+                        https://github.com/angular/angular/issues/11763
+                      -->
+                      <input
+                        type="radio"
+                        id="vaultTimeoutActionLock"
+                        value="{{ VaultTimeoutAction.Lock }}"
+                        aria-describedby="vaultTimeoutActionLockHelp"
+                        formControlName="vaultTimeoutAction"
+                        [attr.disabled]="
+                          !availableVaultTimeoutActions.includes(VaultTimeoutAction.Lock)
+                            ? true
+                            : null
+                        "
+                      />
+                      {{ "lock" | i18n }}
+                    </label>
+                  </div>
+                  <small id="vaultTimeoutActionLockHelp" class="help-block">{{
+                    "vaultTimeoutActionLockDesc" | i18n
+                  }}</small>
+                  <div class="radio">
+                    <label for="vaultTimeoutActionLogOut">
+                      <input
+                        type="radio"
+                        id="vaultTimeoutActionLogOut"
+                        value="{{ VaultTimeoutAction.LogOut }}"
+                        aria-describedby="vaultTimeoutActionLogOutHelp"
+                        formControlName="vaultTimeoutAction"
+                        [attr.disabled]="
+                          !availableVaultTimeoutActions.includes(VaultTimeoutAction.LogOut)
+                            ? true
+                            : null
+                        "
+                      />
+                      {{ "logOut" | i18n }}
+                    </label>
+                  </div>
+                  <small id="vaultTimeoutActionLogOutHelp" class="help-block">{{
+                    "vaultTimeoutActionLogOutDesc" | i18n
+                  }}</small>
                 </div>
-                <small id="vaultTimeoutActionLockHelp" class="help-block">{{
-                  "vaultTimeoutActionLockDesc" | i18n
-                }}</small>
-                <div class="radio">
-                  <label for="vaultTimeoutActionLogOut">
-                    <input
-                      type="radio"
-                      id="vaultTimeoutActionLogOut"
-                      value="{{ VaultTimeoutAction.LogOut }}"
-                      aria-describedby="vaultTimeoutActionLogOutHelp"
-                      formControlName="vaultTimeoutAction"
-                    />
-                    {{ "logOut" | i18n }}
-                  </label>
+                <div
+                  *ngIf="!availableVaultTimeoutActions.includes(VaultTimeoutAction.Lock)"
+                  class="form-group"
+                >
+                  <small id="unlockMethodNeededToChangeTimeoutActionHelp" class="help-block">{{
+                    "unlockMethodNeededToChangeTimeoutActionDesc" | i18n
+                  }}</small>
                 </div>
-                <small id="vaultTimeoutActionLogOutHelp" class="help-block">{{
-                  "vaultTimeoutActionLogOutDesc" | i18n
-                }}</small>
-              </div>
+              </ng-container>
               <div class="form-group">
                 <div class="checkbox">
                   <label for="pin">
-                    <input id="pin" type="checkbox" formControlName="pin" (change)="updatePin()" />
+                    <input id="pin" type="checkbox" formControlName="pin" />
                     {{ "unlockWithPin" | i18n }}
                   </label>
                 </div>
@@ -99,12 +125,7 @@
               <div class="form-group" *ngIf="supportsBiometric">
                 <div class="checkbox">
                   <label for="biometric">
-                    <input
-                      id="biometric"
-                      type="checkbox"
-                      formControlName="biometric"
-                      (change)="updateBiometric()"
-                    />
+                    <input id="biometric" type="checkbox" formControlName="biometric" />
                     {{ biometricText | i18n }}
                   </label>
                 </div>
@@ -125,7 +146,14 @@
                   </label>
                 </div>
               </div>
-              <div class="form-group" *ngIf="supportsBiometric && this.form.value.biometric">
+              <div
+                class="form-group"
+                *ngIf="
+                  supportsBiometric &&
+                  this.form.value.biometric &&
+                  (userHasMasterPassword || (this.form.value.pin && userHasPinSet))
+                "
+              >
                 <div class="checkbox form-group-child">
                   <label for="requirePasswordOnStart">
                     <input
diff --git a/apps/desktop/src/app/accounts/settings.component.ts b/apps/desktop/src/app/accounts/settings.component.ts
index 6eefc2ec52..7ccf4aca77 100644
--- a/apps/desktop/src/app/accounts/settings.component.ts
+++ b/apps/desktop/src/app/accounts/settings.component.ts
@@ -1,14 +1,15 @@
 import { Component, OnInit } from "@angular/core";
 import { FormBuilder } from "@angular/forms";
-import { Observable, Subject } from "rxjs";
-import { concatMap, debounceTime, filter, map, takeUntil, tap } from "rxjs/operators";
+import { BehaviorSubject, firstValueFrom, Observable, Subject } from "rxjs";
+import { concatMap, debounceTime, filter, map, switchMap, takeUntil, tap } from "rxjs/operators";
 
 import { ModalService } from "@bitwarden/angular/services/modal.service";
 import { AbstractThemingService } from "@bitwarden/angular/services/theming/theming.service.abstraction";
 import { SettingsService } from "@bitwarden/common/abstractions/settings.service";
-import { VaultTimeoutSettingsService } from "@bitwarden/common/abstractions/vaultTimeout/vaultTimeoutSettings.service";
+import { VaultTimeoutSettingsService } from "@bitwarden/common/abstractions/vault-timeout/vault-timeout-settings.service";
 import { PolicyService } from "@bitwarden/common/admin-console/abstractions/policy/policy.service.abstraction";
 import { PolicyType } from "@bitwarden/common/admin-console/enums";
+import { UserVerificationService as UserVerificationServiceAbstraction } from "@bitwarden/common/auth/abstractions/user-verification/user-verification.service.abstraction";
 import { DeviceType, ThemeType, KeySuffixOptions } from "@bitwarden/common/enums";
 import { VaultTimeoutAction } from "@bitwarden/common/enums/vault-timeout-action.enum";
 import { CryptoService } from "@bitwarden/common/platform/abstractions/crypto.service";
@@ -22,7 +23,6 @@ import { flagEnabled } from "../../platform/flags";
 import { ElectronStateService } from "../../platform/services/electron-state.service.abstraction";
 import { isWindowsStore } from "../../utils";
 import { SetPinComponent } from "../components/set-pin.component";
-
 @Component({
   selector: "app-settings",
   templateUrl: "settings.component.html",
@@ -61,12 +61,16 @@ export class SettingsComponent implements OnInit {
 
   currentUserEmail: string;
 
+  availableVaultTimeoutActions$: Observable<VaultTimeoutAction[]>;
   vaultTimeoutPolicyCallout: Observable<{
     timeout: { hours: number; minutes: number };
     action: "lock" | "logOut";
   }>;
   previousVaultTimeout: number = null;
 
+  userHasMasterPassword: boolean;
+  userHasPinSet: boolean;
+
   form = this.formBuilder.group({
     // Security
     vaultTimeout: [null as number | null],
@@ -97,6 +101,7 @@ export class SettingsComponent implements OnInit {
     locale: [null as string | null],
   });
 
+  private refreshTimeoutSettings$ = new BehaviorSubject<void>(undefined);
   private destroy$ = new Subject<void>();
 
   constructor(
@@ -111,7 +116,8 @@ export class SettingsComponent implements OnInit {
     private modalService: ModalService,
     private themingService: AbstractThemingService,
     private settingsService: SettingsService,
-    private dialogService: DialogService
+    private dialogService: DialogService,
+    private userVerificationService: UserVerificationServiceAbstraction
   ) {
     const isMac = this.platformUtilsService.getDevice() === DeviceType.MacOsDesktop;
 
@@ -189,6 +195,8 @@ export class SettingsComponent implements OnInit {
   }
 
   async ngOnInit() {
+    this.userHasMasterPassword = await this.userVerificationService.hasMasterPassword();
+
     this.isWindows = (await this.platformUtilsService.getDevice()) === DeviceType.WindowsDesktop;
 
     if ((await this.stateService.getUserId()) == null) {
@@ -196,6 +204,10 @@ export class SettingsComponent implements OnInit {
     }
     this.currentUserEmail = await this.stateService.getEmail();
 
+    this.availableVaultTimeoutActions$ = this.refreshTimeoutSettings$.pipe(
+      switchMap(() => this.vaultTimeoutSettingsService.availableVaultTimeoutActions$())
+    );
+
     // Load timeout policy
     this.vaultTimeoutPolicyCallout = this.policyService.get$(PolicyType.MaximumVaultTimeout).pipe(
       filter((policy) => policy != null),
@@ -219,11 +231,15 @@ export class SettingsComponent implements OnInit {
     );
 
     // Load initial values
-    const pinSet = await this.vaultTimeoutSettingsService.isPinLockSet();
+    const pinStatus = await this.vaultTimeoutSettingsService.isPinLockSet();
+    this.userHasPinSet = pinStatus !== "DISABLED";
+
     const initialValues = {
       vaultTimeout: await this.vaultTimeoutSettingsService.getVaultTimeout(),
-      vaultTimeoutAction: await this.vaultTimeoutSettingsService.getVaultTimeoutAction(),
-      pin: pinSet[0] || pinSet[1],
+      vaultTimeoutAction: await firstValueFrom(
+        this.vaultTimeoutSettingsService.vaultTimeoutAction$()
+      ),
+      pin: this.userHasPinSet,
       biometric: await this.vaultTimeoutSettingsService.isBiometricLockSet(),
       autoPromptBiometrics: !(await this.stateService.getDisableAutoBiometricsPrompt()),
       requirePasswordOnStart:
@@ -264,6 +280,15 @@ export class SettingsComponent implements OnInit {
     this.autoPromptBiometricsText = await this.stateService.getNoAutoPromptBiometricsText();
     this.previousVaultTimeout = this.form.value.vaultTimeout;
 
+    this.refreshTimeoutSettings$
+      .pipe(
+        switchMap(() => this.vaultTimeoutSettingsService.vaultTimeoutAction$()),
+        takeUntil(this.destroy$)
+      )
+      .subscribe((action) => {
+        this.form.controls.vaultTimeoutAction.setValue(action, { emitEvent: false });
+      });
+
     // Form events
     this.form.controls.vaultTimeout.valueChanges
       .pipe(
@@ -284,6 +309,26 @@ export class SettingsComponent implements OnInit {
       )
       .subscribe();
 
+    this.form.controls.pin.valueChanges
+      .pipe(
+        concatMap(async (value) => {
+          await this.updatePin(value);
+          this.refreshTimeoutSettings$.next();
+        }),
+        takeUntil(this.destroy$)
+      )
+      .subscribe();
+
+    this.form.controls.biometric.valueChanges
+      .pipe(
+        concatMap(async (enabled) => {
+          await this.updateBiometric(enabled);
+          this.refreshTimeoutSettings$.next();
+        }),
+        takeUntil(this.destroy$)
+      )
+      .subscribe();
+
     this.form.controls.enableBrowserIntegration.valueChanges
       .pipe(takeUntil(this.destroy$))
       .subscribe((enabled) => {
@@ -362,52 +407,64 @@ export class SettingsComponent implements OnInit {
     );
   }
 
-  async updatePin() {
-    if (this.form.value.pin) {
+  async updatePin(value: boolean) {
+    if (value) {
       const ref = this.modalService.open(SetPinComponent, { allowMultipleModals: true });
 
       if (ref == null) {
-        this.form.controls.pin.setValue(false);
+        this.form.controls.pin.setValue(false, { emitEvent: false });
         return;
       }
 
-      this.form.controls.pin.setValue(await ref.onClosedPromise());
+      this.userHasPinSet = await ref.onClosedPromise();
+      this.form.controls.pin.setValue(this.userHasPinSet, { emitEvent: false });
     }
-    if (!this.form.value.pin) {
-      await this.cryptoService.clearPinProtectedKey();
+    if (!value) {
+      // If user turned off PIN without having a MP and has biometric + require MP/PIN on restart enabled
+      if (this.form.value.requirePasswordOnStart && !this.userHasMasterPassword) {
+        // then must turn that off to prevent user from getting into bad state
+        this.form.controls.requirePasswordOnStart.setValue(false);
+        await this.updateRequirePasswordOnStart();
+      }
+
       await this.vaultTimeoutSettingsService.clear();
     }
+    this.messagingService.send("redrawMenu");
   }
 
-  async updateBiometric() {
+  async updateBiometric(enabled: boolean) {
     // NOTE: A bug in angular causes [ngModel] to not reflect the backing field value
     // causing the checkbox to remain checked even if authentication fails.
     // The bug should resolve itself once the angular issue is resolved.
     // See: https://github.com/angular/angular/issues/13063
 
-    if (!this.form.value.biometric || !this.supportsBiometric) {
-      this.form.controls.biometric.setValue(false);
-      await this.stateService.setBiometricUnlock(null);
-      await this.cryptoService.toggleKey();
-      return;
-    }
+    try {
+      if (!enabled || !this.supportsBiometric) {
+        this.form.controls.biometric.setValue(false, { emitEvent: false });
+        await this.stateService.setBiometricUnlock(null);
+        await this.cryptoService.refreshAdditionalKeys();
+        return;
+      }
 
-    await this.stateService.setBiometricUnlock(true);
-    if (this.isWindows) {
-      // Recommended settings for Windows Hello
-      this.form.controls.requirePasswordOnStart.setValue(true);
-      this.form.controls.autoPromptBiometrics.setValue(false);
-      await this.stateService.setDisableAutoBiometricsPrompt(true);
-      await this.stateService.setBiometricRequirePasswordOnStart(true);
-      await this.stateService.setDismissedBiometricRequirePasswordOnStart();
-    }
-    await this.cryptoService.toggleKey();
+      await this.stateService.setBiometricUnlock(true);
+      if (this.isWindows) {
+        // Recommended settings for Windows Hello
+        this.form.controls.requirePasswordOnStart.setValue(true);
+        this.form.controls.autoPromptBiometrics.setValue(false);
+        await this.stateService.setDisableAutoBiometricsPrompt(true);
+        await this.stateService.setBiometricRequirePasswordOnStart(true);
+        await this.stateService.setDismissedBiometricRequirePasswordOnStart();
+      }
+      await this.cryptoService.refreshAdditionalKeys();
 
-    // Validate the key is stored in case biometrics fail.
-    const biometricSet = await this.cryptoService.hasKeyStored(KeySuffixOptions.Biometric);
-    this.form.controls.biometric.setValue(biometricSet);
-    if (!biometricSet) {
-      await this.stateService.setBiometricUnlock(null);
+      // Validate the key is stored in case biometrics fail.
+      const biometricSet = await this.cryptoService.hasUserKeyStored(KeySuffixOptions.Biometric);
+      this.form.controls.biometric.setValue(biometricSet, { emitEvent: false });
+      if (!biometricSet) {
+        await this.stateService.setBiometricUnlock(null);
+      }
+    } finally {
+      this.messagingService.send("redrawMenu");
     }
   }
 
@@ -435,7 +492,7 @@ export class SettingsComponent implements OnInit {
       await this.stateService.setBiometricEncryptionClientKeyHalf(null);
     }
     await this.stateService.setDismissedBiometricRequirePasswordOnStart();
-    await this.cryptoService.toggleKey();
+    await this.cryptoService.refreshAdditionalKeys();
   }
 
   async saveFavicons() {
diff --git a/apps/desktop/src/app/app-routing.module.ts b/apps/desktop/src/app/app-routing.module.ts
index 6dd6b2142f..8e057bd68d 100644
--- a/apps/desktop/src/app/app-routing.module.ts
+++ b/apps/desktop/src/app/app-routing.module.ts
@@ -1,13 +1,20 @@
 import { NgModule } from "@angular/core";
 import { RouterModule, Routes } from "@angular/router";
 
-import { AuthGuard } from "@bitwarden/angular/auth/guards/auth.guard";
-import { LockGuard } from "@bitwarden/angular/auth/guards/lock.guard";
+import {
+  AuthGuard,
+  lockGuard,
+  redirectGuard,
+  tdeDecryptionRequiredGuard,
+} from "@bitwarden/angular/auth/guards";
+import { canAccessFeature } from "@bitwarden/angular/guard/feature-flag.guard";
+import { FeatureFlag } from "@bitwarden/common/enums/feature-flag.enum";
 
 import { AccessibilityCookieComponent } from "../auth/accessibility-cookie.component";
 import { LoginGuard } from "../auth/guards/login.guard";
 import { HintComponent } from "../auth/hint.component";
 import { LockComponent } from "../auth/lock.component";
+import { LoginDecryptionOptionsComponent } from "../auth/login/login-decryption-options/login-decryption-options.component";
 import { LoginWithDeviceComponent } from "../auth/login/login-with-device.component";
 import { LoginComponent } from "../auth/login/login.component";
 import { RegisterComponent } from "../auth/register.component";
@@ -21,11 +28,16 @@ import { VaultComponent } from "../vault/app/vault/vault.component";
 import { SendComponent } from "./tools/send/send.component";
 
 const routes: Routes = [
-  { path: "", redirectTo: "/vault", pathMatch: "full" },
+  {
+    path: "",
+    pathMatch: "full",
+    children: [], // Children lets us have an empty component.
+    canActivate: [redirectGuard({ loggedIn: "/vault", loggedOut: "/login", locked: "/lock" })],
+  },
   {
     path: "lock",
     component: LockComponent,
-    canActivate: [LockGuard],
+    canActivate: [lockGuard()],
   },
   {
     path: "login",
@@ -36,7 +48,19 @@ const routes: Routes = [
     path: "login-with-device",
     component: LoginWithDeviceComponent,
   },
+  {
+    path: "admin-approval-requested",
+    component: LoginWithDeviceComponent,
+  },
   { path: "2fa", component: TwoFactorComponent },
+  {
+    path: "login-initiated",
+    component: LoginDecryptionOptionsComponent,
+    canActivate: [
+      tdeDecryptionRequiredGuard(),
+      canAccessFeature(FeatureFlag.TrustedDeviceEncryption),
+    ],
+  },
   { path: "register", component: RegisterComponent },
   {
     path: "vault",
diff --git a/apps/desktop/src/app/app.component.ts b/apps/desktop/src/app/app.component.ts
index cb44a7e5a9..b5321a2bc8 100644
--- a/apps/desktop/src/app/app.component.ts
+++ b/apps/desktop/src/app/app.component.ts
@@ -20,13 +20,15 @@ import { EventUploadService } from "@bitwarden/common/abstractions/event/event-u
 import { NotificationsService } from "@bitwarden/common/abstractions/notifications.service";
 import { SearchService } from "@bitwarden/common/abstractions/search.service";
 import { SettingsService } from "@bitwarden/common/abstractions/settings.service";
-import { VaultTimeoutService } from "@bitwarden/common/abstractions/vaultTimeout/vaultTimeout.service";
-import { VaultTimeoutSettingsService } from "@bitwarden/common/abstractions/vaultTimeout/vaultTimeoutSettings.service";
+import { VaultTimeoutSettingsService } from "@bitwarden/common/abstractions/vault-timeout/vault-timeout-settings.service";
+import { VaultTimeoutService } from "@bitwarden/common/abstractions/vault-timeout/vault-timeout.service";
 import { InternalPolicyService } from "@bitwarden/common/admin-console/abstractions/policy/policy.service.abstraction";
 import { AuthService } from "@bitwarden/common/auth/abstractions/auth.service";
 import { KeyConnectorService } from "@bitwarden/common/auth/abstractions/key-connector.service";
+import { UserVerificationService } from "@bitwarden/common/auth/abstractions/user-verification/user-verification.service.abstraction";
 import { AuthenticationStatus } from "@bitwarden/common/auth/enums/authentication-status";
 import { ForceResetPasswordReason } from "@bitwarden/common/auth/models/domain/force-reset-password-reason";
+import { VaultTimeoutAction } from "@bitwarden/common/enums/vault-timeout-action.enum";
 import { BroadcasterService } from "@bitwarden/common/platform/abstractions/broadcaster.service";
 import { ConfigServiceAbstraction } from "@bitwarden/common/platform/abstractions/config/config.service.abstraction";
 import { CryptoService } from "@bitwarden/common/platform/abstractions/crypto.service";
@@ -46,7 +48,7 @@ import { DialogService } from "@bitwarden/components";
 
 import { DeleteAccountComponent } from "../auth/delete-account.component";
 import { LoginApprovalComponent } from "../auth/login/login-approval.component";
-import { MenuUpdateRequest } from "../main/menu/menu.updater";
+import { MenuAccount, MenuUpdateRequest } from "../main/menu/menu.updater";
 import { PremiumComponent } from "../vault/app/accounts/premium.component";
 import { FolderAddEditComponent } from "../vault/app/vault/folder-add-edit.component";
 
@@ -77,6 +79,7 @@ const systemTimeoutOptions = {
     <ng-template #appGenerator></ng-template>
     <ng-template #loginApproval></ng-template>
     <app-header></app-header>
+
     <div id="container">
       <div class="loading" *ngIf="loading">
         <i class="bwi bwi-spinner bwi-spin bwi-3x" aria-hidden="true"></i>
@@ -137,6 +140,7 @@ export class AppComponent implements OnInit, OnDestroy {
     private policyService: InternalPolicyService,
     private modalService: ModalService,
     private keyConnectorService: KeyConnectorService,
+    private userVerificationService: UserVerificationService,
     private configService: ConfigServiceAbstraction,
     private dialogService: DialogService
   ) {}
@@ -400,6 +404,9 @@ export class AppComponent implements OnInit, OnDestroy {
               await this.openLoginApproval(message.notificationId);
             }
             break;
+          case "redrawMenu":
+            await this.updateAppMenu();
+            break;
         }
       });
     });
@@ -488,28 +495,32 @@ export class AppComponent implements OnInit, OnDestroy {
       updateRequest = {
         accounts: null,
         activeUserId: null,
-        hideChangeMasterPassword: true,
       };
     } else {
-      const accounts: { [userId: string]: any } = {};
+      const accounts: { [userId: string]: MenuAccount } = {};
       for (const i in stateAccounts) {
         if (i != null && stateAccounts[i]?.profile?.userId != null) {
           const userId = stateAccounts[i].profile.userId;
+          const availableTimeoutActions = await firstValueFrom(
+            this.vaultTimeoutSettingsService.availableVaultTimeoutActions$(userId)
+          );
+
           accounts[userId] = {
             isAuthenticated: await this.stateService.getIsAuthenticated({
               userId: userId,
             }),
             isLocked:
               (await this.authService.getAuthStatus(userId)) === AuthenticationStatus.Locked,
+            isLockable: availableTimeoutActions.includes(VaultTimeoutAction.Lock),
             email: stateAccounts[i].profile.email,
             userId: stateAccounts[i].profile.userId,
+            hasMasterPassword: await this.userVerificationService.hasMasterPassword(userId),
           };
         }
       }
       updateRequest = {
         accounts: accounts,
         activeUserId: await this.stateService.getUserId(),
-        hideChangeMasterPassword: await this.keyConnectorService.getUsesKeyConnector(),
       };
     }
 
diff --git a/apps/desktop/src/app/components/user-verification.component.html b/apps/desktop/src/app/components/user-verification.component.html
index 10b16a0408..7db7e54b66 100644
--- a/apps/desktop/src/app/components/user-verification.component.html
+++ b/apps/desktop/src/app/components/user-verification.component.html
@@ -1,4 +1,4 @@
-<ng-container *ngIf="!usesKeyConnector">
+<ng-container *ngIf="hasMasterPassword">
   <div class="box-content-row" appBoxRow>
     <label for="masterPassword">{{ "masterPass" | i18n }}</label>
     <input
@@ -14,7 +14,7 @@
     />
   </div>
 </ng-container>
-<ng-container *ngIf="usesKeyConnector">
+<ng-container *ngIf="!hasMasterPassword">
   <div class="box-content-row" appBoxRow>
     <label class="d-block">{{ "sendVerificationCode" | i18n }}</label>
     <button
diff --git a/apps/desktop/src/app/services/init.service.ts b/apps/desktop/src/app/services/init.service.ts
index 78840d1432..34300aed93 100644
--- a/apps/desktop/src/app/services/init.service.ts
+++ b/apps/desktop/src/app/services/init.service.ts
@@ -4,7 +4,6 @@ import { WINDOW } from "@bitwarden/angular/services/injection-tokens";
 import { AbstractThemingService } from "@bitwarden/angular/services/theming/theming.service.abstraction";
 import { EventUploadService as EventUploadServiceAbstraction } from "@bitwarden/common/abstractions/event/event-upload.service";
 import { NotificationsService as NotificationsServiceAbstraction } from "@bitwarden/common/abstractions/notifications.service";
-import { VaultTimeoutService as VaultTimeoutServiceAbstraction } from "@bitwarden/common/abstractions/vaultTimeout/vaultTimeout.service";
 import { TwoFactorService as TwoFactorServiceAbstraction } from "@bitwarden/common/auth/abstractions/two-factor.service";
 import { CryptoService as CryptoServiceAbstraction } from "@bitwarden/common/platform/abstractions/crypto.service";
 import { EncryptService } from "@bitwarden/common/platform/abstractions/encrypt.service";
@@ -14,7 +13,7 @@ import { PlatformUtilsService as PlatformUtilsServiceAbstraction } from "@bitwar
 import { StateService as StateServiceAbstraction } from "@bitwarden/common/platform/abstractions/state.service";
 import { ContainerService } from "@bitwarden/common/platform/services/container.service";
 import { EventUploadService } from "@bitwarden/common/services/event/event-upload.service";
-import { VaultTimeoutService } from "@bitwarden/common/services/vaultTimeout/vaultTimeout.service";
+import { VaultTimeoutService } from "@bitwarden/common/services/vault-timeout/vault-timeout.service";
 import { SyncService as SyncServiceAbstraction } from "@bitwarden/common/vault/abstractions/sync/sync.service.abstraction";
 
 import { I18nService } from "../../platform/services/i18n.service";
@@ -26,7 +25,7 @@ export class InitService {
     @Inject(WINDOW) private win: Window,
     private environmentService: EnvironmentServiceAbstraction,
     private syncService: SyncServiceAbstraction,
-    private vaultTimeoutService: VaultTimeoutServiceAbstraction,
+    private vaultTimeoutService: VaultTimeoutService,
     private i18nService: I18nServiceAbstraction,
     private eventUploadService: EventUploadServiceAbstraction,
     private twoFactorService: TwoFactorServiceAbstraction,
@@ -48,7 +47,7 @@ export class InitService {
       // TODO: Remove this when implementing ticket PM-2637
       this.environmentService.initialized = true;
       this.syncService.fullSync(true);
-      (this.vaultTimeoutService as VaultTimeoutService).init(true);
+      await this.vaultTimeoutService.init(true);
       const locale = await this.stateService.getLocale();
       await (this.i18nService as I18nService).init(locale);
       (this.eventUploadService as EventUploadService).init(true);
diff --git a/apps/desktop/src/auth/lock.component.html b/apps/desktop/src/auth/lock.component.html
index 5db58b5937..a863fd5211 100644
--- a/apps/desktop/src/auth/lock.component.html
+++ b/apps/desktop/src/auth/lock.component.html
@@ -4,8 +4,12 @@
     <p>{{ "yourVaultIsLocked" | i18n }}</p>
     <div class="box last">
       <div class="box-content">
-        <div class="box-content-row box-content-row-flex" appBoxRow *ngIf="!hideInput">
-          <div class="row-main" *ngIf="pinLock">
+        <div
+          class="box-content-row box-content-row-flex"
+          appBoxRow
+          *ngIf="pinEnabled || masterPasswordEnabled"
+        >
+          <div class="row-main" *ngIf="pinEnabled">
             <label for="pin">{{ "pin" | i18n }}</label>
             <input
               id="pin"
@@ -17,7 +21,7 @@
               appInputVerbatim
             />
           </div>
-          <div class="row-main" *ngIf="!pinLock">
+          <div class="row-main" *ngIf="masterPasswordEnabled && !pinEnabled">
             <label for="masterPassword">{{ "masterPass" | i18n }}</label>
             <input
               id="masterPassword"
@@ -57,14 +61,14 @@
         <button
           type="button"
           class="btn block"
-          [ngClass]="{ 'primary font-weight-bold': hideInput }"
+          [ngClass]="{ 'primary font-weight-bold': !pinEnabled && !masterPasswordEnabled }"
           (click)="unlockBiometric()"
         >
           {{ biometricText | i18n }}
         </button>
       </div>
       <div class="buttons-row">
-        <button type="submit" class="btn primary block" *ngIf="!hideInput">
+        <button type="submit" class="btn primary block" *ngIf="pinEnabled || masterPasswordEnabled">
           <i class="bwi bwi-unlock" aria-hidden="true"></i> <b>{{ "unlock" | i18n }}</b>
         </button>
         <button type="button" class="btn block" (click)="logOut()">
diff --git a/apps/desktop/src/auth/lock.component.ts b/apps/desktop/src/auth/lock.component.ts
index f19ca4476f..abebe235b0 100644
--- a/apps/desktop/src/auth/lock.component.ts
+++ b/apps/desktop/src/auth/lock.component.ts
@@ -4,11 +4,12 @@ import { ipcRenderer } from "electron";
 
 import { LockComponent as BaseLockComponent } from "@bitwarden/angular/auth/components/lock.component";
 import { ApiService } from "@bitwarden/common/abstractions/api.service";
-import { VaultTimeoutService } from "@bitwarden/common/abstractions/vaultTimeout/vaultTimeout.service";
-import { VaultTimeoutSettingsService } from "@bitwarden/common/abstractions/vaultTimeout/vaultTimeoutSettings.service";
+import { VaultTimeoutSettingsService } from "@bitwarden/common/abstractions/vault-timeout/vault-timeout-settings.service";
+import { VaultTimeoutService } from "@bitwarden/common/abstractions/vault-timeout/vault-timeout.service";
 import { PolicyApiServiceAbstraction } from "@bitwarden/common/admin-console/abstractions/policy/policy-api.service.abstraction";
 import { InternalPolicyService } from "@bitwarden/common/admin-console/abstractions/policy/policy.service.abstraction";
-import { KeyConnectorService } from "@bitwarden/common/auth/abstractions/key-connector.service";
+import { DeviceTrustCryptoServiceAbstraction } from "@bitwarden/common/auth/abstractions/device-trust-crypto.service.abstraction";
+import { UserVerificationService } from "@bitwarden/common/auth/abstractions/user-verification/user-verification.service.abstraction";
 import { DeviceType, KeySuffixOptions } from "@bitwarden/common/enums";
 import { BroadcasterService } from "@bitwarden/common/platform/abstractions/broadcaster.service";
 import { CryptoService } from "@bitwarden/common/platform/abstractions/crypto.service";
@@ -51,8 +52,9 @@ export class LockComponent extends BaseLockComponent {
     policyService: InternalPolicyService,
     passwordStrengthService: PasswordStrengthServiceAbstraction,
     logService: LogService,
-    keyConnectorService: KeyConnectorService,
-    dialogService: DialogService
+    dialogService: DialogService,
+    deviceTrustCryptoService: DeviceTrustCryptoServiceAbstraction,
+    userVerificationService: UserVerificationService
   ) {
     super(
       router,
@@ -66,12 +68,13 @@ export class LockComponent extends BaseLockComponent {
       stateService,
       apiService,
       logService,
-      keyConnectorService,
       ngZone,
       policyApiService,
       policyService,
       passwordStrengthService,
-      dialogService
+      dialogService,
+      deviceTrustCryptoService,
+      userVerificationService
     );
   }
 
@@ -131,7 +134,7 @@ export class LockComponent extends BaseLockComponent {
     const userId = await this.stateService.getUserId();
     const val = await ipcRenderer.invoke("biometric", {
       action: BiometricStorageAction.EnabledForUser,
-      key: `${userId}_masterkey_biometric`,
+      key: `${userId}_user_biometric`,
       keySuffix: KeySuffixOptions.Biometric,
       userId: userId,
     } as BiometricMessage);
@@ -139,7 +142,7 @@ export class LockComponent extends BaseLockComponent {
   }
 
   private focusInput() {
-    document.getElementById(this.pinLock ? "pin" : "masterPassword").focus();
+    document.getElementById(this.pinEnabled ? "pin" : "masterPassword")?.focus();
   }
 
   private async displayBiometricUpdateWarning(): Promise<void> {
diff --git a/apps/desktop/src/auth/login/login-decryption-options/login-decryption-options.component.html b/apps/desktop/src/auth/login/login-decryption-options/login-decryption-options.component.html
new file mode 100644
index 0000000000..d2abb2071d
--- /dev/null
+++ b/apps/desktop/src/auth/login/login-decryption-options/login-decryption-options.component.html
@@ -0,0 +1,66 @@
+<div id="login-decryption-options-page">
+  <div id="content" class="content">
+    <img class="logo-image" alt="Bitwarden" />
+
+    <div class="container loading-spinner" *ngIf="loading">
+      <i class="bwi bwi-spinner bwi-spin bwi-3x" aria-hidden="true"></i>
+    </div>
+
+    <ng-container *ngIf="!loading">
+      <h1 id="heading">{{ "loginInitiated" | i18n }}</h1>
+      <h6
+        *ngIf="data.state == State.ExistingUserUntrustedDevice"
+        id="subHeading"
+        class="standard-bottom-margin"
+      >
+        {{ "deviceApprovalRequired" | i18n }}
+      </h6>
+
+      <form id="rememberDeviceForm" class="standard-bottom-margin" [formGroup]="rememberDeviceForm">
+        <div class="checkbox">
+          <label for="rememberDevice">
+            <input
+              id="rememberDevice"
+              type="checkbox"
+              name="rememberDevice"
+              formControlName="rememberDevice"
+            />
+            {{ "rememberThisDevice" | i18n }}
+          </label>
+        </div>
+        <span id="rememberThisDeviceHintText">{{ "uncheckIfPublicDevice" | i18n }}</span>
+      </form>
+
+      <div *ngIf="data.state == State.ExistingUserUntrustedDevice" class="buttons with-rows">
+        <div class="buttons-row" *ngIf="data.showApproveFromOtherDeviceBtn">
+          <button (click)="approveFromOtherDevice()" type="button" class="btn primary block">
+            {{ "approveFromYourOtherDevice" | i18n }}
+          </button>
+        </div>
+        <div class="buttons-row" *ngIf="data.showReqAdminApprovalBtn">
+          <button (click)="requestAdminApproval()" type="button" class="btn block">
+            {{ "requestAdminApproval" | i18n }}
+          </button>
+        </div>
+        <div class="buttons-row" *ngIf="data.showApproveWithMasterPasswordBtn">
+          <button (click)="approveWithMasterPassword()" type="button" class="btn block">
+            {{ "approveWithMasterPassword" | i18n }}
+          </button>
+        </div>
+      </div>
+
+      <div *ngIf="data.state == State.NewUser" class="buttons with-rows">
+        <div class="buttons-row">
+          <button (click)="createUser()" type="button" class="btn block">
+            {{ "continue" | i18n }}
+          </button>
+        </div>
+      </div>
+
+      <div style="text-align: center">
+        <p class="no-margin">{{ "loggingInAs" | i18n }} {{ data.userEmail }}</p>
+        <a [routerLink]="[]" (click)="logOut()">{{ "notYou" | i18n }}</a>
+      </div>
+    </ng-container>
+  </div>
+</div>
diff --git a/apps/desktop/src/auth/login/login-decryption-options/login-decryption-options.component.ts b/apps/desktop/src/auth/login/login-decryption-options/login-decryption-options.component.ts
new file mode 100644
index 0000000000..f64ec977ce
--- /dev/null
+++ b/apps/desktop/src/auth/login/login-decryption-options/login-decryption-options.component.ts
@@ -0,0 +1,19 @@
+import { Component } from "@angular/core";
+
+import { BaseLoginDecryptionOptionsComponent } from "@bitwarden/angular/auth/components/base-login-decryption-options.component";
+
+@Component({
+  selector: "desktop-login-decryption-options",
+  templateUrl: "login-decryption-options.component.html",
+})
+export class LoginDecryptionOptionsComponent extends BaseLoginDecryptionOptionsComponent {
+  override async createUser(): Promise<void> {
+    try {
+      await super.createUser();
+      this.messagingService.send("redrawMenu");
+      await this.router.navigate(["/vault"]);
+    } catch (error) {
+      this.validationService.showError(error);
+    }
+  }
+}
diff --git a/apps/desktop/src/auth/login/login-with-device.component.html b/apps/desktop/src/auth/login/login-with-device.component.html
index 29fb103494..a81c92ad1d 100644
--- a/apps/desktop/src/auth/login/login-with-device.component.html
+++ b/apps/desktop/src/auth/login/login-with-device.component.html
@@ -1,40 +1,72 @@
 <div id="login-with-device-page">
   <div id="content" class="content">
     <img class="logo-image" alt="Bitwarden" />
-    <p class="lead text-center">{{ "logInInitiated" | i18n }}</p>
 
-    <div class="box last">
-      <div class="box-content">
-        <div class="box-content-row" appBoxRow>
-          <div class="section">
-            <p class="section">{{ "notificationSentDevice" | i18n }}</p>
-            <p>
-              {{ "fingerprintMatchInfo" | i18n }}
-            </p>
-          </div>
+    <ng-container *ngIf="state == StateEnum.StandardAuthRequest">
+      <p class="lead text-center">{{ "loginInitiated" | i18n }}</p>
 
-          <div class="fingerprint section">
-            <h4>{{ "fingerprintPhraseHeader" | i18n }}</h4>
-            <code>{{ fingerprintPhrase }}</code>
-          </div>
+      <div class="box last">
+        <div class="box-content">
+          <div class="box-content-row" appBoxRow>
+            <div class="section">
+              <p class="section">{{ "notificationSentDevice" | i18n }}</p>
+              <p>
+                {{ "fingerprintMatchInfo" | i18n }}
+              </p>
+            </div>
 
-          <div class="section" *ngIf="showResendNotification">
-            <a [routerLink]="[]" disabled="true" (click)="startPasswordlessLogin()">{{
-              "resendNotification" | i18n
-            }}</a>
-          </div>
+            <div class="fingerprint section">
+              <h4>{{ "fingerprintPhraseHeader" | i18n }}</h4>
+              <code>{{ fingerprintPhrase }}</code>
+            </div>
 
-          <div class="sub-options another-method">
-            <p class="no-margin description-text">
-              {{ "needAnotherOption" | i18n }}
-              <a type="button" class="text text-primary" (click)="goToLogin()">
-                {{ "viewAllLoginOptions" | i18n }}
-              </a>
-            </p>
+            <div class="section" *ngIf="showResendNotification">
+              <a [routerLink]="[]" disabled="true" (click)="startPasswordlessLogin()">{{
+                "resendNotification" | i18n
+              }}</a>
+            </div>
+
+            <div class="sub-options another-method">
+              <p class="no-margin description-text">
+                {{ "needAnotherOption" | i18n }}
+                <a type="button" class="text text-primary" (click)="back()">
+                  {{ "viewAllLoginOptions" | i18n }}
+                </a>
+              </p>
+            </div>
           </div>
         </div>
       </div>
-    </div>
+    </ng-container>
+
+    <ng-container *ngIf="state == StateEnum.AdminAuthRequest">
+      <p class="lead text-center">{{ "adminApprovalRequested" | i18n }}</p>
+
+      <div class="box last">
+        <div class="box-content">
+          <div class="box-content-row" appBoxRow>
+            <div class="section">
+              <p class="section">{{ "adminApprovalRequestSentToAdmins" | i18n }}</p>
+              <p class="section">{{ "youWillBeNotifiedOnceApproved" | i18n }}</p>
+            </div>
+
+            <div class="fingerprint section">
+              <h4>{{ "fingerprintPhraseHeader" | i18n }}</h4>
+              <code>{{ fingerprintPhrase }}</code>
+            </div>
+
+            <div class="sub-options another-method">
+              <p class="no-margin description-text">
+                {{ "troubleLoggingIn" | i18n }}
+                <a type="button" class="text text-primary" (click)="back()">
+                  {{ "viewAllLoginOptions" | i18n }}
+                </a>
+              </p>
+            </div>
+          </div>
+        </div>
+      </div>
+    </ng-container>
   </div>
 </div>
 <ng-template #environment></ng-template>
diff --git a/apps/desktop/src/auth/login/login-with-device.component.ts b/apps/desktop/src/auth/login/login-with-device.component.ts
index 3b3ee83ae4..daca2d1993 100644
--- a/apps/desktop/src/auth/login/login-with-device.component.ts
+++ b/apps/desktop/src/auth/login/login-with-device.component.ts
@@ -1,3 +1,4 @@
+import { Location } from "@angular/common";
 import { Component, OnDestroy, OnInit, ViewChild, ViewContainerRef } from "@angular/core";
 import { Router } from "@angular/router";
 
@@ -5,7 +6,9 @@ import { LoginWithDeviceComponent as BaseLoginWithDeviceComponent } from "@bitwa
 import { ModalService } from "@bitwarden/angular/services/modal.service";
 import { AnonymousHubService } from "@bitwarden/common/abstractions/anonymousHub.service";
 import { ApiService } from "@bitwarden/common/abstractions/api.service";
+import { AuthRequestCryptoServiceAbstraction } from "@bitwarden/common/auth/abstractions/auth-request-crypto.service.abstraction";
 import { AuthService } from "@bitwarden/common/auth/abstractions/auth.service";
+import { DeviceTrustCryptoServiceAbstraction } from "@bitwarden/common/auth/abstractions/device-trust-crypto.service.abstraction";
 import { LoginService } from "@bitwarden/common/auth/abstractions/login.service";
 import { AppIdService } from "@bitwarden/common/platform/abstractions/app-id.service";
 import { CryptoFunctionService } from "@bitwarden/common/platform/abstractions/crypto-function.service";
@@ -50,7 +53,10 @@ export class LoginWithDeviceComponent
     private modalService: ModalService,
     syncService: SyncService,
     stateService: StateService,
-    loginService: LoginService
+    loginService: LoginService,
+    deviceTrustCryptoService: DeviceTrustCryptoServiceAbstraction,
+    authReqCryptoService: AuthRequestCryptoServiceAbstraction,
+    private location: Location
   ) {
     super(
       router,
@@ -67,7 +73,9 @@ export class LoginWithDeviceComponent
       anonymousHubService,
       validationService,
       stateService,
-      loginService
+      loginService,
+      deviceTrustCryptoService,
+      authReqCryptoService
     );
 
     super.onSuccessfulLogin = () => {
@@ -100,7 +108,7 @@ export class LoginWithDeviceComponent
     super.ngOnDestroy();
   }
 
-  goToLogin() {
-    this.router.navigate(["/login"]);
+  back() {
+    this.location.back();
   }
 }
diff --git a/apps/desktop/src/auth/login/login.component.ts b/apps/desktop/src/auth/login/login.component.ts
index 00aa0300f6..45b330f6da 100644
--- a/apps/desktop/src/auth/login/login.component.ts
+++ b/apps/desktop/src/auth/login/login.component.ts
@@ -7,8 +7,8 @@ import { EnvironmentSelectorComponent } from "@bitwarden/angular/auth/components
 import { LoginComponent as BaseLoginComponent } from "@bitwarden/angular/auth/components/login.component";
 import { FormValidationErrorsService } from "@bitwarden/angular/platform/abstractions/form-validation-errors.service";
 import { ModalService } from "@bitwarden/angular/services/modal.service";
-import { DevicesApiServiceAbstraction } from "@bitwarden/common/abstractions/devices/devices-api.service.abstraction";
 import { AuthService } from "@bitwarden/common/auth/abstractions/auth.service";
+import { DevicesApiServiceAbstraction } from "@bitwarden/common/auth/abstractions/devices-api.service.abstraction";
 import { LoginService } from "@bitwarden/common/auth/abstractions/login.service";
 import { AppIdService } from "@bitwarden/common/platform/abstractions/app-id.service";
 import { BroadcasterService } from "@bitwarden/common/platform/abstractions/broadcaster.service";
diff --git a/apps/desktop/src/auth/login/login.module.ts b/apps/desktop/src/auth/login/login.module.ts
index 35ad83e9db..9fb2b28915 100644
--- a/apps/desktop/src/auth/login/login.module.ts
+++ b/apps/desktop/src/auth/login/login.module.ts
@@ -5,12 +5,18 @@ import { EnvironmentSelectorComponent } from "@bitwarden/angular/auth/components
 
 import { SharedModule } from "../../app/shared/shared.module";
 
+import { LoginDecryptionOptionsComponent } from "./login-decryption-options/login-decryption-options.component";
 import { LoginWithDeviceComponent } from "./login-with-device.component";
 import { LoginComponent } from "./login.component";
 
 @NgModule({
   imports: [SharedModule, RouterModule],
-  declarations: [LoginComponent, LoginWithDeviceComponent, EnvironmentSelectorComponent],
+  declarations: [
+    LoginComponent,
+    LoginWithDeviceComponent,
+    EnvironmentSelectorComponent,
+    LoginDecryptionOptionsComponent,
+  ],
   exports: [LoginComponent, LoginWithDeviceComponent],
 })
 export class LoginModule {}
diff --git a/apps/desktop/src/auth/sso.component.ts b/apps/desktop/src/auth/sso.component.ts
index 75f380b0ed..22badf9d69 100644
--- a/apps/desktop/src/auth/sso.component.ts
+++ b/apps/desktop/src/auth/sso.component.ts
@@ -4,6 +4,7 @@ import { ActivatedRoute, Router } from "@angular/router";
 import { SsoComponent as BaseSsoComponent } from "@bitwarden/angular/auth/components/sso.component";
 import { ApiService } from "@bitwarden/common/abstractions/api.service";
 import { AuthService } from "@bitwarden/common/auth/abstractions/auth.service";
+import { ConfigServiceAbstraction } from "@bitwarden/common/platform/abstractions/config/config.service.abstraction";
 import { CryptoFunctionService } from "@bitwarden/common/platform/abstractions/crypto-function.service";
 import { EnvironmentService } from "@bitwarden/common/platform/abstractions/environment.service";
 import { I18nService } from "@bitwarden/common/platform/abstractions/i18n.service";
@@ -30,7 +31,8 @@ export class SsoComponent extends BaseSsoComponent {
     cryptoFunctionService: CryptoFunctionService,
     environmentService: EnvironmentService,
     passwordGenerationService: PasswordGenerationServiceAbstraction,
-    logService: LogService
+    logService: LogService,
+    configService: ConfigServiceAbstraction
   ) {
     super(
       authService,
@@ -43,11 +45,17 @@ export class SsoComponent extends BaseSsoComponent {
       cryptoFunctionService,
       environmentService,
       passwordGenerationService,
-      logService
+      logService,
+      configService
     );
-    super.onSuccessfulLogin = () => {
-      return syncService.fullSync(true);
+    super.onSuccessfulLogin = async () => {
+      syncService.fullSync(true);
     };
+
+    super.onSuccessfulLoginTde = async () => {
+      syncService.fullSync(true);
+    };
+
     this.redirectUri = "bitwarden://sso-callback";
     this.clientId = "desktop";
   }
diff --git a/apps/desktop/src/auth/two-factor.component.ts b/apps/desktop/src/auth/two-factor.component.ts
index ee3764027a..bf3545820b 100644
--- a/apps/desktop/src/auth/two-factor.component.ts
+++ b/apps/desktop/src/auth/two-factor.component.ts
@@ -1,7 +1,8 @@
-import { Component, ViewChild, ViewContainerRef } from "@angular/core";
+import { Component, Inject, ViewChild, ViewContainerRef } from "@angular/core";
 import { ActivatedRoute, Router } from "@angular/router";
 
 import { TwoFactorComponent as BaseTwoFactorComponent } from "@bitwarden/angular/auth/components/two-factor.component";
+import { WINDOW } from "@bitwarden/angular/services/injection-tokens";
 import { ModalService } from "@bitwarden/angular/services/modal.service";
 import { ApiService } from "@bitwarden/common/abstractions/api.service";
 import { AuthService } from "@bitwarden/common/auth/abstractions/auth.service";
@@ -9,6 +10,7 @@ import { LoginService } from "@bitwarden/common/auth/abstractions/login.service"
 import { TwoFactorService } from "@bitwarden/common/auth/abstractions/two-factor.service";
 import { TwoFactorProviderType } from "@bitwarden/common/auth/enums/two-factor-provider-type";
 import { AppIdService } from "@bitwarden/common/platform/abstractions/app-id.service";
+import { ConfigServiceAbstraction } from "@bitwarden/common/platform/abstractions/config/config.service.abstraction";
 import { EnvironmentService } from "@bitwarden/common/platform/abstractions/environment.service";
 import { I18nService } from "@bitwarden/common/platform/abstractions/i18n.service";
 import { LogService } from "@bitwarden/common/platform/abstractions/log.service";
@@ -43,7 +45,9 @@ export class TwoFactorComponent extends BaseTwoFactorComponent {
     logService: LogService,
     twoFactorService: TwoFactorService,
     appIdService: AppIdService,
-    loginService: LoginService
+    loginService: LoginService,
+    configService: ConfigServiceAbstraction,
+    @Inject(WINDOW) protected win: Window
   ) {
     super(
       authService,
@@ -51,18 +55,22 @@ export class TwoFactorComponent extends BaseTwoFactorComponent {
       i18nService,
       apiService,
       platformUtilsService,
-      window,
+      win,
       environmentService,
       stateService,
       route,
       logService,
       twoFactorService,
       appIdService,
-      loginService
+      loginService,
+      configService
     );
-    super.onSuccessfulLogin = () => {
-      this.loginService.clearValues();
-      return syncService.fullSync(true);
+    super.onSuccessfulLogin = async () => {
+      syncService.fullSync(true);
+    };
+
+    super.onSuccessfulLoginTde = async () => {
+      syncService.fullSync(true);
     };
   }
 
diff --git a/apps/desktop/src/locales/en/messages.json b/apps/desktop/src/locales/en/messages.json
index ab8446ee46..eba53b45b3 100644
--- a/apps/desktop/src/locales/en/messages.json
+++ b/apps/desktop/src/locales/en/messages.json
@@ -1492,6 +1492,9 @@
   "vaultTimeoutActionLogOutDesc": {
     "message": "Re-authentication is required to access your vault again."
   },
+  "unlockMethodNeededToChangeTimeoutActionDesc": {
+    "message": "Set up an unlock method to change your vault timeout action."
+  },
   "lock": {
     "message": "Lock",
     "description": "Verb form: to make secure or inaccesible by"
@@ -2106,8 +2109,8 @@
   "logInWithAnotherDevice": {
     "message": "Log in with another device"
   },
-  "logInInitiated": {
-    "message": "Log in initiated"
+  "loginInitiated": {
+    "message": "Login initiated"
   },
   "notificationSentDevice": {
     "message": "A notification has been sent to your device."
@@ -2246,6 +2249,34 @@
   "windowsBiometricUpdateWarningTitle": {
     "message": "Recommended Settings Update"
   },
+  "deviceApprovalRequired": {
+    "message": "Device approval required. Select an approval option below:"
+  },
+  "rememberThisDevice": {
+    "message": "Remember this device"
+  },
+  "uncheckIfPublicDevice": {
+    "message": "Uncheck if using a public device"
+  },
+  "approveFromYourOtherDevice": {
+    "message": "Approve from your other device"
+  },
+  "requestAdminApproval": {
+    "message": "Request admin approval"
+  },
+  "approveWithMasterPassword": {
+    "message": "Approve with master password"
+  },
+  "region": {
+    "message": "Region"
+  },
+  "ssoIdentifierRequired": {
+    "message": "Organization SSO identifier is required."
+  },
+  "eu": {
+    "message": "EU",
+    "description": "European Union"
+  },
   "loggingInOn": {
     "message": "Logging in on"
   },
@@ -2260,5 +2291,29 @@
   },
   "accessDenied": {
     "message": "Access denied. You do not have permission to view this page."
+  },
+  "accountSuccessfullyCreated": {
+    "message": "Account successfully created!"
+  },
+  "adminApprovalRequested": {
+    "message": "Admin approval requested"
+  },
+  "adminApprovalRequestSentToAdmins": {
+    "message": "Your request has been sent to your admin."
+  },
+  "youWillBeNotifiedOnceApproved": {
+    "message": "You will be notified once approved."
+  },
+  "troubleLoggingIn": {
+    "message": "Trouble logging in?"
+  },
+  "loginApproved": {
+    "message": "Login approved"
+  },
+  "userEmailMissing": {
+    "message": "User email missing"
+  },
+  "deviceTrusted": {
+    "message": "Device trusted"
   }
 }
diff --git a/apps/desktop/src/main/menu/menu.account.ts b/apps/desktop/src/main/menu/menu.account.ts
index 10a6d6d77d..5060a4934c 100644
--- a/apps/desktop/src/main/menu/menu.account.ts
+++ b/apps/desktop/src/main/menu/menu.account.ts
@@ -15,14 +15,15 @@ export class AccountMenu implements IMenubarMenu {
   }
 
   get items(): MenuItemConstructorOptions[] {
-    return [
-      this.premiumMembership,
-      this.changeMasterPassword,
-      this.twoStepLogin,
-      this.fingerprintPhrase,
-      this.separator,
-      this.deleteAccount,
-    ];
+    const items = [this.premiumMembership];
+    if (this._hasMasterPassword) {
+      items.push(this.changeMasterPassword);
+    }
+    items.push(this.twoStepLogin);
+    items.push(this.fingerprintPhrase);
+    items.push(this.separator);
+    items.push(this.deleteAccount);
+    return items;
   }
 
   private readonly _i18nService: I18nService;
@@ -30,19 +31,22 @@ export class AccountMenu implements IMenubarMenu {
   private readonly _webVaultUrl: string;
   private readonly _window: BrowserWindow;
   private readonly _isLocked: boolean;
+  private readonly _hasMasterPassword: boolean;
 
   constructor(
     i18nService: I18nService,
     messagingService: MessagingService,
     webVaultUrl: string,
     window: BrowserWindow,
-    isLocked: boolean
+    isLocked: boolean,
+    hasMasterPassword: boolean
   ) {
     this._i18nService = i18nService;
     this._messagingService = messagingService;
     this._webVaultUrl = webVaultUrl;
     this._window = window;
     this._isLocked = isLocked;
+    this._hasMasterPassword = hasMasterPassword;
   }
 
   private get premiumMembership(): MenuItemConstructorOptions {
diff --git a/apps/desktop/src/main/menu/menu.bitwarden.ts b/apps/desktop/src/main/menu/menu.bitwarden.ts
index 3c3a16702e..6873f679de 100644
--- a/apps/desktop/src/main/menu/menu.bitwarden.ts
+++ b/apps/desktop/src/main/menu/menu.bitwarden.ts
@@ -52,9 +52,10 @@ export class BitwardenMenu extends FirstMenu implements IMenubarMenu {
     updater: UpdaterMain,
     window: BrowserWindow,
     accounts: { [userId: string]: MenuAccount },
-    isLocked: boolean
+    isLocked: boolean,
+    isLockable: boolean
   ) {
-    super(i18nService, messagingService, updater, window, accounts, isLocked);
+    super(i18nService, messagingService, updater, window, accounts, isLocked, isLockable);
   }
 
   private get aboutBitwarden(): MenuItemConstructorOptions {
diff --git a/apps/desktop/src/main/menu/menu.file.ts b/apps/desktop/src/main/menu/menu.file.ts
index 618acdc7fe..173b6066ab 100644
--- a/apps/desktop/src/main/menu/menu.file.ts
+++ b/apps/desktop/src/main/menu/menu.file.ts
@@ -51,9 +51,10 @@ export class FileMenu extends FirstMenu implements IMenubarMenu {
     updater: UpdaterMain,
     window: BrowserWindow,
     accounts: { [userId: string]: MenuAccount },
-    isLocked: boolean
+    isLocked: boolean,
+    isLockable: boolean
   ) {
-    super(i18nService, messagingService, updater, window, accounts, isLocked);
+    super(i18nService, messagingService, updater, window, accounts, isLocked, isLockable);
   }
 
   private get addNewLogin(): MenuItemConstructorOptions {
diff --git a/apps/desktop/src/main/menu/menu.first.ts b/apps/desktop/src/main/menu/menu.first.ts
index 805956f263..b164e280d0 100644
--- a/apps/desktop/src/main/menu/menu.first.ts
+++ b/apps/desktop/src/main/menu/menu.first.ts
@@ -9,33 +9,24 @@ import { UpdaterMain } from "../updater.main";
 import { MenuAccount } from "./menu.updater";
 
 export class FirstMenu {
-  protected readonly _i18nService: I18nService;
-  protected readonly _updater: UpdaterMain;
-  protected readonly _messagingService: MessagingService;
-  protected readonly _accounts: { [userId: string]: MenuAccount };
-  protected readonly _window: BrowserWindow;
-  protected readonly _isLocked: boolean;
-
   constructor(
-    i18nService: I18nService,
-    messagingService: MessagingService,
-    updater: UpdaterMain,
-    window: BrowserWindow,
-    accounts: { [userId: string]: MenuAccount },
-    isLocked: boolean
-  ) {
-    this._i18nService = i18nService;
-    this._updater = updater;
-    this._messagingService = messagingService;
-    this._window = window;
-    this._accounts = accounts;
-    this._isLocked = isLocked;
-  }
+    protected readonly _i18nService: I18nService,
+    protected readonly _messagingService: MessagingService,
+    protected readonly _updater: UpdaterMain,
+    protected readonly _window: BrowserWindow,
+    protected readonly _accounts: { [userId: string]: MenuAccount },
+    protected readonly _isLocked: boolean,
+    protected readonly _isLockable: boolean
+  ) {}
 
   protected get hasAccounts(): boolean {
     return this._accounts != null && Object.keys(this._accounts).length > 0;
   }
 
+  protected get hasLockableAccounts(): boolean {
+    return this._accounts != null && Object.values(this._accounts).some((a) => a.isLockable);
+  }
+
   protected get checkForUpdates(): MenuItemConstructorOptions {
     return {
       id: "checkForUpdates",
@@ -66,23 +57,29 @@ export class FirstMenu {
       id: "lock",
       label: this.localize("lockVault"),
       submenu: this.lockSubmenu,
-      enabled: this.hasAccounts,
+      enabled: this.hasLockableAccounts,
     };
   }
 
   protected get lockSubmenu(): MenuItemConstructorOptions[] {
     const value: MenuItemConstructorOptions[] = [];
     for (const userId in this._accounts) {
-      if (userId == null) {
+      if (!userId) {
+        continue;
+      }
+
+      const account = this._accounts[userId];
+
+      if (account == null || !account.isLockable) {
         continue;
       }
 
       value.push({
-        label: this._accounts[userId].email,
-        id: `lockNow_${this._accounts[userId].userId}`,
-        click: () => this.sendMessage("lockVault", { userId: this._accounts[userId].userId }),
-        enabled: !this._accounts[userId].isLocked,
-        visible: this._accounts[userId].isAuthenticated,
+        label: account.email,
+        id: `lockNow_${account.userId}`,
+        click: () => this.sendMessage("lockVault", { userId: account.userId }),
+        enabled: !account.isLocked,
+        visible: account.isAuthenticated,
       });
     }
     return value;
diff --git a/apps/desktop/src/main/menu/menu.updater.ts b/apps/desktop/src/main/menu/menu.updater.ts
index 75454a56f8..170804cae2 100644
--- a/apps/desktop/src/main/menu/menu.updater.ts
+++ b/apps/desktop/src/main/menu/menu.updater.ts
@@ -1,5 +1,4 @@
 export class MenuUpdateRequest {
-  hideChangeMasterPassword: boolean;
   activeUserId: string;
   accounts: { [userId: string]: MenuAccount };
 }
@@ -7,6 +6,8 @@ export class MenuUpdateRequest {
 export class MenuAccount {
   isAuthenticated: boolean;
   isLocked: boolean;
+  isLockable: boolean;
   userId: string;
   email: string;
+  hasMasterPassword: boolean;
 }
diff --git a/apps/desktop/src/main/menu/menubar.ts b/apps/desktop/src/main/menu/menubar.ts
index 6ac28a1c8d..c3f37ecbff 100644
--- a/apps/desktop/src/main/menu/menubar.ts
+++ b/apps/desktop/src/main/menu/menubar.ts
@@ -62,6 +62,10 @@ export class Menubar {
       isLocked = updateRequest.accounts[updateRequest.activeUserId]?.isLocked ?? true;
     }
 
+    const isLockable = !isLocked && updateRequest?.accounts[updateRequest.activeUserId]?.isLockable;
+    const hasMasterPassword =
+      updateRequest?.accounts[updateRequest.activeUserId]?.hasMasterPassword ?? false;
+
     this.items = [
       new FileMenu(
         i18nService,
@@ -69,11 +73,19 @@ export class Menubar {
         updaterMain,
         windowMain.win,
         updateRequest?.accounts,
-        isLocked
+        isLocked,
+        isLockable
       ),
       new EditMenu(i18nService, messagingService, isLocked),
       new ViewMenu(i18nService, messagingService, isLocked),
-      new AccountMenu(i18nService, messagingService, webVaultUrl, windowMain.win, isLocked),
+      new AccountMenu(
+        i18nService,
+        messagingService,
+        webVaultUrl,
+        windowMain.win,
+        isLocked,
+        hasMasterPassword
+      ),
       new WindowMenu(i18nService, messagingService, windowMain),
       new HelpMenu(
         i18nService,
@@ -91,7 +103,8 @@ export class Menubar {
             updaterMain,
             windowMain.win,
             updateRequest?.accounts,
-            isLocked
+            isLocked,
+            isLockable
           ),
         ],
         ...this.items,
diff --git a/apps/desktop/src/platform/services/electron-crypto.service.spec.ts b/apps/desktop/src/platform/services/electron-crypto.service.spec.ts
new file mode 100644
index 0000000000..92f9391b13
--- /dev/null
+++ b/apps/desktop/src/platform/services/electron-crypto.service.spec.ts
@@ -0,0 +1,91 @@
+import { mock, mockReset } from "jest-mock-extended";
+
+import { CryptoFunctionService } from "@bitwarden/common/platform/abstractions/crypto-function.service";
+import { EncryptService } from "@bitwarden/common/platform/abstractions/encrypt.service";
+import { LogService } from "@bitwarden/common/platform/abstractions/log.service";
+import { PlatformUtilsService } from "@bitwarden/common/platform/abstractions/platform-utils.service";
+import {
+  SymmetricCryptoKey,
+  UserKey,
+} from "@bitwarden/common/platform/models/domain/symmetric-crypto-key";
+import { CsprngArray } from "@bitwarden/common/types/csprng";
+
+import { ElectronCryptoService } from "./electron-crypto.service";
+import { ElectronStateService } from "./electron-state.service.abstraction";
+
+describe("electronCryptoService", () => {
+  let electronCryptoService: ElectronCryptoService;
+
+  const cryptoFunctionService = mock<CryptoFunctionService>();
+  const encryptService = mock<EncryptService>();
+  const platformUtilService = mock<PlatformUtilsService>();
+  const logService = mock<LogService>();
+  const stateService = mock<ElectronStateService>();
+
+  const mockUserId = "mock user id";
+
+  beforeEach(() => {
+    mockReset(cryptoFunctionService);
+    mockReset(encryptService);
+    mockReset(platformUtilService);
+    mockReset(logService);
+    mockReset(stateService);
+
+    electronCryptoService = new ElectronCryptoService(
+      cryptoFunctionService,
+      encryptService,
+      platformUtilService,
+      logService,
+      stateService
+    );
+  });
+
+  it("instantiates", () => {
+    expect(electronCryptoService).not.toBeFalsy();
+  });
+
+  describe("setUserKey", () => {
+    let mockUserKey: UserKey;
+
+    beforeEach(() => {
+      const mockRandomBytes = new Uint8Array(64) as CsprngArray;
+      mockUserKey = new SymmetricCryptoKey(mockRandomBytes) as UserKey;
+    });
+
+    describe("Biometric Key refresh", () => {
+      it("sets an Biometric key if getBiometricUnlock is true and the platform supports secure storage", async () => {
+        stateService.getBiometricUnlock.mockResolvedValue(true);
+        platformUtilService.supportsSecureStorage.mockReturnValue(true);
+        stateService.getBiometricRequirePasswordOnStart.mockResolvedValue(false);
+
+        await electronCryptoService.setUserKey(mockUserKey, mockUserId);
+
+        expect(stateService.setUserKeyBiometric).toHaveBeenCalledWith(
+          expect.objectContaining({ key: expect.any(String), clientEncKeyHalf: null }),
+          {
+            userId: mockUserId,
+          }
+        );
+      });
+
+      it("clears the Biometric key if getBiometricUnlock is false or the platform does not support secure storage", async () => {
+        stateService.getBiometricUnlock.mockResolvedValue(true);
+        platformUtilService.supportsSecureStorage.mockReturnValue(false);
+
+        await electronCryptoService.setUserKey(mockUserKey, mockUserId);
+
+        expect(stateService.setUserKeyBiometric).toHaveBeenCalledWith(null, {
+          userId: mockUserId,
+        });
+      });
+
+      it("clears the old deprecated Biometric key whenever a User Key is set", async () => {
+        await electronCryptoService.setUserKey(mockUserKey, mockUserId);
+
+        expect(stateService.setCryptoMasterKeyBiometric).toHaveBeenCalledWith(null, {
+          userId: mockUserId,
+        });
+      });
+    });
+  });
+});
diff --git a/apps/desktop/src/platform/services/electron-crypto.service.ts b/apps/desktop/src/platform/services/electron-crypto.service.ts
index 1fb90e52ca..e21d200197 100644
--- a/apps/desktop/src/platform/services/electron-crypto.service.ts
+++ b/apps/desktop/src/platform/services/electron-crypto.service.ts
@@ -4,7 +4,12 @@ import { EncryptService } from "@bitwarden/common/platform/abstractions/encrypt.
 import { LogService } from "@bitwarden/common/platform/abstractions/log.service";
 import { PlatformUtilsService } from "@bitwarden/common/platform/abstractions/platform-utils.service";
 import { Utils } from "@bitwarden/common/platform/misc/utils";
-import { SymmetricCryptoKey } from "@bitwarden/common/platform/models/domain/symmetric-crypto-key";
+import { EncString } from "@bitwarden/common/platform/models/domain/enc-string";
+import {
+  MasterKey,
+  SymmetricCryptoKey,
+  UserKey,
+} from "@bitwarden/common/platform/models/domain/symmetric-crypto-key";
 import { CryptoService } from "@bitwarden/common/platform/services/crypto.service";
 import { CsprngString } from "@bitwarden/common/types/csprng";
 
@@ -21,36 +26,80 @@ export class ElectronCryptoService extends CryptoService {
     super(cryptoFunctionService, encryptService, platformUtilsService, logService, stateService);
   }
 
-  protected override async storeKey(key: SymmetricCryptoKey, userId?: string) {
-    await super.storeKey(key, userId);
+  override async hasUserKeyStored(keySuffix: KeySuffixOptions, userId?: string): Promise<boolean> {
+    if (keySuffix === KeySuffixOptions.Biometric) {
+      // TODO: Remove after 2023.10 release (https://bitwarden.atlassian.net/browse/PM-3474)
+      const oldKey = await this.stateService.hasCryptoMasterKeyBiometric({ userId: userId });
+      return oldKey || (await this.stateService.hasUserKeyBiometric({ userId: userId }));
+    }
+    return super.hasUserKeyStored(keySuffix, userId);
+  }
+
+  override async clearStoredUserKey(keySuffix: KeySuffixOptions, userId?: string): Promise<void> {
+    if (keySuffix === KeySuffixOptions.Biometric) {
+      this.stateService.setUserKeyBiometric(null, { userId: userId });
+      this.clearDeprecatedKeys(KeySuffixOptions.Biometric, userId);
+      return;
+    }
+    super.clearStoredUserKey(keySuffix, userId);
+  }
+
+  protected override async storeAdditionalKeys(key: UserKey, userId?: string) {
+    await super.storeAdditionalKeys(key, userId);
 
     const storeBiometricKey = await this.shouldStoreKey(KeySuffixOptions.Biometric, userId);
 
     if (storeBiometricKey) {
       await this.storeBiometricKey(key, userId);
     } else {
-      await this.stateService.setCryptoMasterKeyBiometric(null, { userId: userId });
+      await this.stateService.setUserKeyBiometric(null, { userId: userId });
     }
+    await this.clearDeprecatedKeys(KeySuffixOptions.Biometric, userId);
   }
 
-  protected async storeBiometricKey(key: SymmetricCryptoKey, userId?: string): Promise<void> {
+  protected override async getKeyFromStorage(
+    keySuffix: KeySuffixOptions,
+    userId?: string
+  ): Promise<UserKey> {
+    if (keySuffix === KeySuffixOptions.Biometric) {
+      await this.migrateBiometricKeyIfNeeded(userId);
+      const userKey = await this.stateService.getUserKeyBiometric({ userId: userId });
+      return new SymmetricCryptoKey(Utils.fromB64ToArray(userKey)) as UserKey;
+    }
+    return await super.getKeyFromStorage(keySuffix, userId);
+  }
+
+  protected async storeBiometricKey(key: UserKey, userId?: string): Promise<void> {
     let clientEncKeyHalf: CsprngString = null;
     if (await this.stateService.getBiometricRequirePasswordOnStart({ userId })) {
       clientEncKeyHalf = await this.getBiometricEncryptionClientKeyHalf(userId);
     }
-    await this.stateService.setCryptoMasterKeyBiometric(
+    await this.stateService.setUserKeyBiometric(
       { key: key.keyB64, clientEncKeyHalf },
       { userId: userId }
     );
   }
 
+  protected async shouldStoreKey(keySuffix: KeySuffixOptions, userId?: string): Promise<boolean> {
+    if (keySuffix === KeySuffixOptions.Biometric) {
+      const biometricUnlock = await this.stateService.getBiometricUnlock({ userId: userId });
+      return biometricUnlock && this.platformUtilService.supportsSecureStorage();
+    }
+    return await super.shouldStoreKey(keySuffix, userId);
+  }
+
+  protected override async clearAllStoredUserKeys(userId?: string): Promise<void> {
+    await this.stateService.setUserKeyBiometric(null, { userId: userId });
+    super.clearAllStoredUserKeys(userId);
+  }
+
   private async getBiometricEncryptionClientKeyHalf(userId?: string): Promise<CsprngString | null> {
     try {
       let biometricKey = await this.stateService
         .getBiometricEncryptionClientKeyHalf({ userId })
         .then((result) => result?.decrypt(null /* user encrypted */))
         .then((result) => result as CsprngString);
-      const userKey = await this.getKeyForUserEncryption();
+      const userKey = await this.getUserKeyWithLegacySupport();
       if (biometricKey == null && userKey != null) {
         const keyBytes = await this.cryptoFunctionService.randomBytes(32);
         biometricKey = Utils.fromBufferToUtf8(keyBytes) as CsprngString;
@@ -63,4 +112,34 @@ export class ElectronCryptoService extends CryptoService {
       return null;
     }
   }
+
+  // --LEGACY METHODS--
+  // We previously used the master key for additional keys, but now we use the user key.
+  // These methods support migrating the old keys to the new ones.
+  // TODO: Remove after 2023.10 release (https://bitwarden.atlassian.net/browse/PM-3475)
+
+  override async clearDeprecatedKeys(keySuffix: KeySuffixOptions, userId?: string) {
+    if (keySuffix === KeySuffixOptions.Biometric) {
+      await this.stateService.setCryptoMasterKeyBiometric(null, { userId: userId });
+    }
+
+    super.clearDeprecatedKeys(keySuffix, userId);
+  }
+
+  private async migrateBiometricKeyIfNeeded(userId?: string) {
+    if (await this.stateService.hasCryptoMasterKeyBiometric({ userId })) {
+      const oldBiometricKey = await this.stateService.getCryptoMasterKeyBiometric({ userId });
+      // decrypt
+      const masterKey = new SymmetricCryptoKey(Utils.fromB64ToArray(oldBiometricKey)) as MasterKey;
+      let encUserKey = await this.stateService.getEncryptedCryptoSymmetricKey();
+      encUserKey = encUserKey ?? (await this.stateService.getMasterKeyEncryptedUserKey());
+      if (!encUserKey) {
+        throw new Error("No user key found during biometric migration");
+      }
+      const userKey = await this.decryptUserKeyWithMasterKey(masterKey, new EncString(encUserKey));
+      // migrate
+      await this.storeBiometricKey(userKey, userId);
+      await this.stateService.setCryptoMasterKeyBiometric(null, { userId });
+    }
+  }
 }
diff --git a/apps/desktop/src/platform/services/electron-state.service.ts b/apps/desktop/src/platform/services/electron-state.service.ts
index 334cab9669..0503aeb52a 100644
--- a/apps/desktop/src/platform/services/electron-state.service.ts
+++ b/apps/desktop/src/platform/services/electron-state.service.ts
@@ -98,6 +98,10 @@ export class ElectronStateService
       options
     );
 
+    if (b64DeviceKey == null) {
+      return null;
+    }
+
     return new SymmetricCryptoKey(Utils.fromB64ToArray(b64DeviceKey)) as DeviceKey;
   }
 
diff --git a/apps/desktop/src/scss/pages.scss b/apps/desktop/src/scss/pages.scss
index 5b3ad4a858..fda75e834f 100644
--- a/apps/desktop/src/scss/pages.scss
+++ b/apps/desktop/src/scss/pages.scss
@@ -5,7 +5,8 @@
 #lock-page,
 #sso-page,
 #set-password-page,
-#remove-password-page {
+#remove-password-page,
+#login-decryption-options-page {
   display: flex;
   justify-content: center;
   align-items: center;
@@ -53,7 +54,8 @@
 #hint-page,
 #two-factor-page,
 #lock-page,
-#update-temp-password-page {
+#update-temp-password-page,
+#login-decryption-options-page {
   .content {
     width: 325px;
     transition: width 0.25s linear;
@@ -189,7 +191,8 @@
 }
 
 #login-page,
-#login-with-device-page {
+#login-with-device-page,
+#login-decryption-options-page {
   flex-direction: column;
   justify-content: unset;
   padding-top: 20px;
@@ -273,3 +276,14 @@
     }
   }
 }
+
+#login-decryption-options-page {
+  .standard-bottom-margin {
+    margin-bottom: 20px;
+  }
+
+  #rememberThisDeviceHintText {
+    font-size: $font-size-small;
+    color: $text-muted;
+  }
+}
diff --git a/apps/desktop/src/services/native-message-handler.service.ts b/apps/desktop/src/services/native-message-handler.service.ts
index 644dfe8f90..9f5f1d460d 100644
--- a/apps/desktop/src/services/native-message-handler.service.ts
+++ b/apps/desktop/src/services/native-message-handler.service.ts
@@ -8,7 +8,7 @@ import { CryptoService } from "@bitwarden/common/platform/abstractions/crypto.se
 import { I18nService } from "@bitwarden/common/platform/abstractions/i18n.service";
 import { MessagingService } from "@bitwarden/common/platform/abstractions/messaging.service";
 import { Utils } from "@bitwarden/common/platform/misc/utils";
-import { EncString } from "@bitwarden/common/platform/models/domain/enc-string";
+import { EncryptedString, EncString } from "@bitwarden/common/platform/models/domain/enc-string";
 import { SymmetricCryptoKey } from "@bitwarden/common/platform/models/domain/symmetric-crypto-key";
 import { StateService } from "@bitwarden/common/platform/services/state.service";
 
@@ -144,7 +144,9 @@ export class NativeMessageHandlerService {
   }
 
   private async handleEncryptedMessage(message: EncryptedMessage) {
-    message.encryptedCommand = EncString.fromJSON(message.encryptedCommand.toString());
+    message.encryptedCommand = EncString.fromJSON(
+      message.encryptedCommand.toString() as EncryptedString
+    );
     const decryptedCommandData = await this.decryptPayload(message);
     const { command } = decryptedCommandData;
 
diff --git a/apps/desktop/src/services/native-messaging.service.ts b/apps/desktop/src/services/native-messaging.service.ts
index 7647410fd7..3928778f31 100644
--- a/apps/desktop/src/services/native-messaging.service.ts
+++ b/apps/desktop/src/services/native-messaging.service.ts
@@ -136,14 +136,23 @@ export class NativeMessagingService {
           });
         }
 
-        const key = await this.cryptoService.getKeyFromStorage(
+        const userKey = await this.cryptoService.getUserKeyFromStorage(
           KeySuffixOptions.Biometric,
           message.userId
         );
+        const masterKey = await this.cryptoService.getMasterKey(message.userId);
 
-        if (key != null) {
+        if (userKey != null) {
+          // we send the master key still for backwards compatibility
+          // with older browser extensions
+          // TODO: Remove after 2023.10 release (https://bitwarden.atlassian.net/browse/PM-3472)
           this.send(
-            { command: "biometricUnlock", response: "unlocked", keyB64: key.keyB64 },
+            {
+              command: "biometricUnlock",
+              response: "unlocked",
+              keyB64: masterKey?.keyB64,
+              userKeyB64: userKey.keyB64,
+            },
             appId
           );
         } else {
diff --git a/apps/web/src/app/admin-console/organizations/members/components/bulk/bulk-confirm.component.ts b/apps/web/src/app/admin-console/organizations/members/components/bulk/bulk-confirm.component.ts
index 31ced8aee1..ae754faabe 100644
--- a/apps/web/src/app/admin-console/organizations/members/components/bulk/bulk-confirm.component.ts
+++ b/apps/web/src/app/admin-console/organizations/members/components/bulk/bulk-confirm.component.ts
@@ -7,6 +7,7 @@ import { OrganizationUserStatusType } from "@bitwarden/common/admin-console/enum
 import { CryptoService } from "@bitwarden/common/platform/abstractions/crypto.service";
 import { I18nService } from "@bitwarden/common/platform/abstractions/i18n.service";
 import { Utils } from "@bitwarden/common/platform/misc/utils";
+import { SymmetricCryptoKey } from "@bitwarden/common/platform/models/domain/symmetric-crypto-key";
 
 import { BulkUserDetails } from "./bulk-status.component";
 
@@ -98,7 +99,7 @@ export class BulkConfirmComponent implements OnInit {
     );
   }
 
-  protected getCryptoKey() {
+  protected getCryptoKey(): Promise<SymmetricCryptoKey> {
     return this.cryptoService.getOrgKey(this.organizationId);
   }
 
diff --git a/apps/web/src/app/admin-console/organizations/members/components/reset-password.component.ts b/apps/web/src/app/admin-console/organizations/members/components/reset-password.component.ts
index 5d2a5f54ba..7d0fae37e0 100644
--- a/apps/web/src/app/admin-console/organizations/members/components/reset-password.component.ts
+++ b/apps/web/src/app/admin-console/organizations/members/components/reset-password.component.ts
@@ -22,7 +22,10 @@ import { LogService } from "@bitwarden/common/platform/abstractions/log.service"
 import { PlatformUtilsService } from "@bitwarden/common/platform/abstractions/platform-utils.service";
 import { Utils } from "@bitwarden/common/platform/misc/utils";
 import { EncString } from "@bitwarden/common/platform/models/domain/enc-string";
-import { SymmetricCryptoKey } from "@bitwarden/common/platform/models/domain/symmetric-crypto-key";
+import {
+  SymmetricCryptoKey,
+  UserKey,
+} from "@bitwarden/common/platform/models/domain/symmetric-crypto-key";
 import { PasswordGenerationServiceAbstraction } from "@bitwarden/common/tools/generator/password";
 import { DialogService } from "@bitwarden/components";
 
@@ -171,26 +174,32 @@ export class ResetPasswordComponent implements OnInit, OnDestroy {
             orgSymKey
           );
 
-          // Decrypt User's Reset Password Key to get EncKey
+          // Decrypt User's Reset Password Key to get UserKey
           const decValue = await this.cryptoService.rsaDecrypt(resetPasswordKey, decPrivateKey);
-          const userEncKey = new SymmetricCryptoKey(decValue);
+          const existingUserKey = new SymmetricCryptoKey(decValue) as UserKey;
 
-          // Create new key and hash new password
-          const newKey = await this.cryptoService.makeKey(
+          // Create new master key and hash new password
+          const newMasterKey = await this.cryptoService.makeMasterKey(
             this.newPassword,
             this.email.trim().toLowerCase(),
             kdfType,
             new KdfConfig(kdfIterations, kdfMemory, kdfParallelism)
           );
-          const newPasswordHash = await this.cryptoService.hashPassword(this.newPassword, newKey);
+          const newMasterKeyHash = await this.cryptoService.hashMasterKey(
+            this.newPassword,
+            newMasterKey
+          );
 
-          // Create new encKey for the User
-          const newEncKey = await this.cryptoService.remakeEncKey(newKey, userEncKey);
+          // Create new encrypted user key for the User
+          const newUserKey = await this.cryptoService.encryptUserKeyWithMasterKey(
+            newMasterKey,
+            existingUserKey
+          );
 
           // Create request
           const request = new OrganizationUserResetPasswordRequest();
-          request.key = newEncKey[1].encryptedString;
-          request.newMasterPasswordHash = newPasswordHash;
+          request.key = newUserKey[1].encryptedString;
+          request.newMasterPasswordHash = newMasterKeyHash;
 
           // Change user's password
           return this.organizationUserService.putOrganizationUserResetPassword(
diff --git a/apps/web/src/app/admin-console/organizations/organization-routing.module.ts b/apps/web/src/app/admin-console/organizations/organization-routing.module.ts
index dca1b18530..c4ca1dc241 100644
--- a/apps/web/src/app/admin-console/organizations/organization-routing.module.ts
+++ b/apps/web/src/app/admin-console/organizations/organization-routing.module.ts
@@ -1,7 +1,7 @@
 import { NgModule } from "@angular/core";
 import { RouterModule, Routes } from "@angular/router";
 
-import { AuthGuard } from "@bitwarden/angular/auth/guards/auth.guard";
+import { AuthGuard } from "@bitwarden/angular/auth/guards";
 import {
   canAccessOrgAdmin,
   canAccessGroupsTab,
diff --git a/apps/web/src/app/admin-console/organizations/users/enroll-master-password-reset.component.ts b/apps/web/src/app/admin-console/organizations/users/enroll-master-password-reset.component.ts
index a533967d8f..535d7d375a 100644
--- a/apps/web/src/app/admin-console/organizations/users/enroll-master-password-reset.component.ts
+++ b/apps/web/src/app/admin-console/organizations/users/enroll-master-password-reset.component.ts
@@ -58,8 +58,8 @@ export class EnrollMasterPasswordReset {
         const publicKey = Utils.fromB64ToArray(orgKeys.publicKey);
 
         // RSA Encrypt user's encKey.key with organization public key
-        const encKey = await this.cryptoService.getEncKey();
-        const encryptedKey = await this.cryptoService.rsaEncrypt(encKey.key, publicKey);
+        const userKey = await this.cryptoService.getUserKey();
+        const encryptedKey = await this.cryptoService.rsaEncrypt(userKey.key, publicKey);
         keyString = encryptedKey.encryptedString;
         toastStringRef = "enrollPasswordResetSuccess";
 
diff --git a/apps/web/src/app/app.component.ts b/apps/web/src/app/app.component.ts
index 8ce51df9e6..3066dbe093 100644
--- a/apps/web/src/app/app.component.ts
+++ b/apps/web/src/app/app.component.ts
@@ -11,7 +11,7 @@ import { EventUploadService } from "@bitwarden/common/abstractions/event/event-u
 import { NotificationsService } from "@bitwarden/common/abstractions/notifications.service";
 import { SearchService } from "@bitwarden/common/abstractions/search.service";
 import { SettingsService } from "@bitwarden/common/abstractions/settings.service";
-import { VaultTimeoutService } from "@bitwarden/common/abstractions/vaultTimeout/vaultTimeout.service";
+import { VaultTimeoutService } from "@bitwarden/common/abstractions/vault-timeout/vault-timeout.service";
 import { InternalPolicyService } from "@bitwarden/common/admin-console/abstractions/policy/policy.service.abstraction";
 import { AuthService } from "@bitwarden/common/auth/abstractions/auth.service";
 import { KeyConnectorService } from "@bitwarden/common/auth/abstractions/key-connector.service";
diff --git a/apps/web/src/app/auth/accept-organization.component.ts b/apps/web/src/app/auth/accept-organization.component.ts
index bdc3511f76..ef2dda138d 100644
--- a/apps/web/src/app/auth/accept-organization.component.ts
+++ b/apps/web/src/app/auth/accept-organization.component.ts
@@ -18,6 +18,7 @@ import { MessagingService } from "@bitwarden/common/platform/abstractions/messag
 import { PlatformUtilsService } from "@bitwarden/common/platform/abstractions/platform-utils.service";
 import { StateService } from "@bitwarden/common/platform/abstractions/state.service";
 import { Utils } from "@bitwarden/common/platform/misc/utils";
+import { OrgKey } from "@bitwarden/common/platform/models/domain/symmetric-crypto-key";
 
 import { BaseAcceptComponent } from "../common/base.accept.component";
 
@@ -108,16 +109,14 @@ export class AcceptOrganizationComponent extends BaseAcceptComponent {
     const request = new OrganizationUserAcceptInitRequest();
     request.token = qParams.token;
 
-    const [encryptedOrgShareKey, orgShareKey] = await this.cryptoService.makeShareKey();
-    const [orgPublicKey, encryptedOrgPrivateKey] = await this.cryptoService.makeKeyPair(
-      orgShareKey
-    );
+    const [encryptedOrgKey, orgKey] = await this.cryptoService.makeOrgKey<OrgKey>();
+    const [orgPublicKey, encryptedOrgPrivateKey] = await this.cryptoService.makeKeyPair(orgKey);
     const collection = await this.cryptoService.encrypt(
       this.i18nService.t("defaultCollection"),
-      orgShareKey
+      orgKey
     );
 
-    request.key = encryptedOrgShareKey.encryptedString;
+    request.key = encryptedOrgKey.encryptedString;
     request.keys = new OrganizationKeysRequest(
       orgPublicKey,
       encryptedOrgPrivateKey.encryptedString
@@ -141,8 +140,8 @@ export class AcceptOrganizationComponent extends BaseAcceptComponent {
       const publicKey = Utils.fromB64ToArray(response.publicKey);
 
       // RSA Encrypt user's encKey.key with organization public key
-      const encKey = await this.cryptoService.getEncKey();
-      const encryptedKey = await this.cryptoService.rsaEncrypt(encKey.key, publicKey);
+      const userKey = await this.cryptoService.getUserKey();
+      const encryptedKey = await this.cryptoService.rsaEncrypt(userKey.key, publicKey);
 
       // Add reset password key to accept request
       request.resetPasswordKey = encryptedKey.encryptedString;
diff --git a/apps/web/src/app/auth/lock.component.ts b/apps/web/src/app/auth/lock.component.ts
index 185ce241d4..1cb97fbd55 100644
--- a/apps/web/src/app/auth/lock.component.ts
+++ b/apps/web/src/app/auth/lock.component.ts
@@ -3,11 +3,12 @@ import { Router } from "@angular/router";
 
 import { LockComponent as BaseLockComponent } from "@bitwarden/angular/auth/components/lock.component";
 import { ApiService } from "@bitwarden/common/abstractions/api.service";
-import { VaultTimeoutService } from "@bitwarden/common/abstractions/vaultTimeout/vaultTimeout.service";
-import { VaultTimeoutSettingsService } from "@bitwarden/common/abstractions/vaultTimeout/vaultTimeoutSettings.service";
+import { VaultTimeoutSettingsService } from "@bitwarden/common/abstractions/vault-timeout/vault-timeout-settings.service";
+import { VaultTimeoutService } from "@bitwarden/common/abstractions/vault-timeout/vault-timeout.service";
 import { PolicyApiServiceAbstraction } from "@bitwarden/common/admin-console/abstractions/policy/policy-api.service.abstraction";
 import { InternalPolicyService } from "@bitwarden/common/admin-console/abstractions/policy/policy.service.abstraction";
-import { KeyConnectorService } from "@bitwarden/common/auth/abstractions/key-connector.service";
+import { DeviceTrustCryptoServiceAbstraction } from "@bitwarden/common/auth/abstractions/device-trust-crypto.service.abstraction";
+import { UserVerificationService } from "@bitwarden/common/auth/abstractions/user-verification/user-verification.service.abstraction";
 import { CryptoService } from "@bitwarden/common/platform/abstractions/crypto.service";
 import { EnvironmentService } from "@bitwarden/common/platform/abstractions/environment.service";
 import { I18nService } from "@bitwarden/common/platform/abstractions/i18n.service";
@@ -38,12 +39,13 @@ export class LockComponent extends BaseLockComponent {
     stateService: StateService,
     apiService: ApiService,
     logService: LogService,
-    keyConnectorService: KeyConnectorService,
     ngZone: NgZone,
     policyApiService: PolicyApiServiceAbstraction,
     policyService: InternalPolicyService,
     passwordStrengthService: PasswordStrengthServiceAbstraction,
-    dialogService: DialogService
+    dialogService: DialogService,
+    deviceTrustCryptoService: DeviceTrustCryptoServiceAbstraction,
+    userVerificationService: UserVerificationService
   ) {
     super(
       router,
@@ -57,12 +59,13 @@ export class LockComponent extends BaseLockComponent {
       stateService,
       apiService,
       logService,
-      keyConnectorService,
       ngZone,
       policyApiService,
       policyService,
       passwordStrengthService,
-      dialogService
+      dialogService,
+      deviceTrustCryptoService,
+      userVerificationService
     );
   }
 
diff --git a/apps/web/src/app/auth/login/login-decryption-options/login-decryption-options.component.html b/apps/web/src/app/auth/login/login-decryption-options/login-decryption-options.component.html
new file mode 100644
index 0000000000..ed59cc1238
--- /dev/null
+++ b/apps/web/src/app/auth/login/login-decryption-options/login-decryption-options.component.html
@@ -0,0 +1,105 @@
+<div class="tw-container tw-mx-auto">
+  <div
+    class="tw-mx-auto tw-mt-5 tw-flex tw-max-w-lg tw-flex-col tw-items-center tw-justify-center tw-p-8"
+  >
+    <div class="tw-mb-6">
+      <img class="logo logo-themed" alt="Bitwarden" />
+    </div>
+
+    <ng-container *ngIf="loading">
+      <p class="text-center">
+        <i
+          class="bwi bwi-spinner bwi-spin bwi-2x text-muted"
+          title="{{ 'loading' | i18n }}"
+          aria-hidden="true"
+        ></i>
+        <span class="sr-only">{{ "loading" | i18n }}</span>
+      </p>
+    </ng-container>
+
+    <div
+      *ngIf="!loading"
+      class="tw-w-full tw-rounded-md tw-border tw-border-solid tw-border-secondary-300 tw-bg-background tw-p-6"
+    >
+      <ng-container *ngIf="data.state == State.ExistingUserUntrustedDevice">
+        <h2 bitTypography="h2" class="tw-mb-6">{{ "loginInitiated" | i18n }}</h2>
+
+        <p bitTypography="body1" class="tw-mb-6">
+          {{ "deviceApprovalRequired" | i18n }}
+        </p>
+
+        <form [formGroup]="rememberDeviceForm">
+          <bit-form-control>
+            <input type="checkbox" bitCheckbox formControlName="rememberDevice" />
+            <bit-label>{{ "rememberThisDevice" | i18n }} </bit-label>
+            <bit-hint bitTypography="body2">{{ "uncheckIfPublicDevice" | i18n }}</bit-hint>
+          </bit-form-control>
+        </form>
+
+        <div class="tw-mb-6 tw-flex tw-flex-col tw-space-y-3">
+          <button
+            *ngIf="data.showApproveFromOtherDeviceBtn"
+            (click)="approveFromOtherDevice()"
+            bitButton
+            type="button"
+            buttonType="primary"
+            block
+          >
+            {{ "approveFromYourOtherDevice" | i18n }}
+          </button>
+
+          <button
+            *ngIf="data.showReqAdminApprovalBtn"
+            (click)="requestAdminApproval()"
+            bitButton
+            type="button"
+            buttonType="secondary"
+          >
+            {{ "requestAdminApproval" | i18n }}
+          </button>
+
+          <button
+            *ngIf="data.showApproveWithMasterPasswordBtn"
+            (click)="approveWithMasterPassword()"
+            bitButton
+            type="button"
+            buttonType="secondary"
+            block
+          >
+            {{ "approveWithMasterPassword" | i18n }}
+          </button>
+        </div>
+      </ng-container>
+
+      <ng-container *ngIf="data.state == State.NewUser">
+        <h2 bitTypography="h2" class="tw-mb-6">{{ "loggedInExclamation" | i18n }}</h2>
+
+        <form [formGroup]="rememberDeviceForm">
+          <bit-form-control>
+            <input type="checkbox" bitCheckbox formControlName="rememberDevice" />
+            <bit-label>{{ "rememberThisDevice" | i18n }} </bit-label>
+            <bit-hint bitTypography="body2">{{ "uncheckIfPublicDevice" | i18n }}</bit-hint>
+          </bit-form-control>
+        </form>
+
+        <button
+          bitButton
+          type="button"
+          buttonType="primary"
+          block
+          class="tw-mb-6"
+          [bitAction]="createUserAction"
+        >
+          {{ "continue" | i18n }}
+        </button>
+      </ng-container>
+
+      <hr class="tw-mb-6 tw-mt-0" />
+
+      <div class="tw-m-0 tw-text-sm">
+        <p class="tw-mb-1">{{ "loggingInAs" | i18n }} {{ data.userEmail }}</p>
+        <a [routerLink]="[]" (click)="logOut()">{{ "notYou" | i18n }}</a>
+      </div>
+    </div>
+  </div>
+</div>
diff --git a/apps/web/src/app/auth/login/login-decryption-options/login-decryption-options.component.ts b/apps/web/src/app/auth/login/login-decryption-options/login-decryption-options.component.ts
new file mode 100644
index 0000000000..2c97bd227f
--- /dev/null
+++ b/apps/web/src/app/auth/login/login-decryption-options/login-decryption-options.component.ts
@@ -0,0 +1,21 @@
+import { Component } from "@angular/core";
+
+import { BaseLoginDecryptionOptionsComponent } from "@bitwarden/angular/auth/components/base-login-decryption-options.component";
+@Component({
+  selector: "web-login-decryption-options",
+  templateUrl: "login-decryption-options.component.html",
+})
+export class LoginDecryptionOptionsComponent extends BaseLoginDecryptionOptionsComponent {
+  override async createUser(): Promise<void> {
+    try {
+      await super.createUser();
+      await this.router.navigate(["/vault"]);
+    } catch (error) {
+      this.validationService.showError(error);
+    }
+  }
+
+  createUserAction = async (): Promise<void> => {
+    return this.createUser();
+  };
+}
diff --git a/apps/web/src/app/auth/login/login-with-device.component.html b/apps/web/src/app/auth/login/login-with-device.component.html
index f190f8f5c6..80811ac8b6 100644
--- a/apps/web/src/app/auth/login/login-with-device.component.html
+++ b/apps/web/src/app/auth/login/login-with-device.component.html
@@ -5,42 +5,71 @@
 >
   <div>
     <img class="logo logo-themed" alt="Bitwarden" />
-    <p class="tw-mx-4 tw-mb-4 tw-mt-3 tw-text-center tw-text-xl">
-      {{ "loginOrCreateNewAccount" | i18n }}
-    </p>
 
-    <div
-      class="tw-mt-3 tw-rounded-md tw-border tw-border-solid tw-border-secondary-300 tw-bg-background tw-p-6"
-    >
-      <h2 class="tw-mb-6 tw-text-xl tw-font-semibold">{{ "logInInitiated" | i18n }}</h2>
+    <ng-container *ngIf="state == StateEnum.StandardAuthRequest">
+      <p class="tw-mx-4 tw-mb-4 tw-mt-3 tw-text-center tw-text-xl">
+        {{ "loginOrCreateNewAccount" | i18n }}
+      </p>
 
-      <div class="tw-text-light">
-        <p class="tw-mb-6">{{ "notificationSentDevice" | i18n }}</p>
+      <div
+        class="tw-mt-3 tw-rounded-md tw-border tw-border-solid tw-border-secondary-300 tw-bg-background tw-p-6"
+      >
+        <h2 class="tw-mb-6 tw-text-xl tw-font-semibold">{{ "loginInitiated" | i18n }}</h2>
 
-        <p class="tw-mb-6">
-          {{ "fingerprintMatchInfo" | i18n }}
-        </p>
+        <div class="tw-text-light">
+          <p class="tw-mb-6">{{ "notificationSentDevice" | i18n }}</p>
+
+          <p class="tw-mb-6">
+            {{ "fingerprintMatchInfo" | i18n }}
+          </p>
+        </div>
+
+        <div class="tw-mb-6">
+          <h4 class="tw-font-semibold">{{ "fingerprintPhraseHeader" | i18n }}</h4>
+          <p>
+            <code>{{ fingerprintPhrase }}</code>
+          </p>
+        </div>
+
+        <div class="tw-my-10" *ngIf="showResendNotification">
+          <a [routerLink]="[]" disabled="true" (click)="startPasswordlessLogin()">{{
+            "resendNotification" | i18n
+          }}</a>
+        </div>
+
+        <hr />
+
+        <div class="tw-text-light tw-mt-3">
+          {{ "loginWithDeviceEnabledNote" | i18n }}
+          <a routerLink="/login">{{ "viewAllLoginOptions" | i18n }}</a>
+        </div>
       </div>
+    </ng-container>
+    <ng-container *ngIf="state == StateEnum.AdminAuthRequest">
+      <div
+        class="tw-mt-3 tw-rounded-md tw-border tw-border-solid tw-border-secondary-300 tw-bg-background tw-p-6"
+      >
+        <h2 class="tw-mb-6 tw-text-xl tw-font-semibold">{{ "adminApprovalRequested" | i18n }}</h2>
 
-      <div class="tw-mb-6">
-        <h4 class="tw-font-semibold">{{ "fingerprintPhraseHeader" | i18n }}</h4>
-        <p>
-          <code>{{ fingerprintPhrase }}</code>
-        </p>
+        <div class="tw-text-light">
+          <p class="tw-mb-6">{{ "adminApprovalRequestSentToAdmins" | i18n }}</p>
+          <p class="tw-mb-6">{{ "youWillBeNotifiedOnceApproved" | i18n }}</p>
+        </div>
+
+        <div class="tw-mb-6">
+          <h4 class="tw-font-semibold">{{ "fingerprintPhraseHeader" | i18n }}</h4>
+          <p>
+            <code>{{ fingerprintPhrase }}</code>
+          </p>
+        </div>
+
+        <hr />
+
+        <div class="tw-text-light tw-mt-3">
+          {{ "troubleLoggingIn" | i18n }}
+          <a routerLink="/login-initiated">{{ "viewAllLoginOptions" | i18n }}</a>
+        </div>
       </div>
-
-      <div class="tw-my-10" *ngIf="showResendNotification">
-        <a [routerLink]="[]" disabled="true" (click)="startPasswordlessLogin()">{{
-          "resendNotification" | i18n
-        }}</a>
-      </div>
-
-      <hr />
-
-      <div class="tw-text-light tw-mt-3">
-        {{ "loginWithDeviceEnabledNote" | i18n }}
-        <a routerLink="/login">{{ "viewAllLoginOptions" | i18n }}</a>
-      </div>
-    </div>
+    </ng-container>
   </div>
 </div>
diff --git a/apps/web/src/app/auth/login/login-with-device.component.ts b/apps/web/src/app/auth/login/login-with-device.component.ts
index c5e73bf04b..ff66bdb886 100644
--- a/apps/web/src/app/auth/login/login-with-device.component.ts
+++ b/apps/web/src/app/auth/login/login-with-device.component.ts
@@ -4,7 +4,9 @@ import { Router } from "@angular/router";
 import { LoginWithDeviceComponent as BaseLoginWithDeviceComponent } from "@bitwarden/angular/auth/components/login-with-device.component";
 import { AnonymousHubService } from "@bitwarden/common/abstractions/anonymousHub.service";
 import { ApiService } from "@bitwarden/common/abstractions/api.service";
+import { AuthRequestCryptoServiceAbstraction } from "@bitwarden/common/auth/abstractions/auth-request-crypto.service.abstraction";
 import { AuthService } from "@bitwarden/common/auth/abstractions/auth.service";
+import { DeviceTrustCryptoServiceAbstraction } from "@bitwarden/common/auth/abstractions/device-trust-crypto.service.abstraction";
 import { LoginService } from "@bitwarden/common/auth/abstractions/login.service";
 import { AppIdService } from "@bitwarden/common/platform/abstractions/app-id.service";
 import { CryptoFunctionService } from "@bitwarden/common/platform/abstractions/crypto-function.service";
@@ -41,7 +43,9 @@ export class LoginWithDeviceComponent
     anonymousHubService: AnonymousHubService,
     validationService: ValidationService,
     stateService: StateService,
-    loginService: LoginService
+    loginService: LoginService,
+    deviceTrustCryptoService: DeviceTrustCryptoServiceAbstraction,
+    authReqCryptoService: AuthRequestCryptoServiceAbstraction
   ) {
     super(
       router,
@@ -58,7 +62,9 @@ export class LoginWithDeviceComponent
       anonymousHubService,
       validationService,
       stateService,
-      loginService
+      loginService,
+      deviceTrustCryptoService,
+      authReqCryptoService
     );
   }
 }
diff --git a/apps/web/src/app/auth/login/login.component.ts b/apps/web/src/app/auth/login/login.component.ts
index 316b353c49..3bc65542b7 100644
--- a/apps/web/src/app/auth/login/login.component.ts
+++ b/apps/web/src/app/auth/login/login.component.ts
@@ -6,7 +6,6 @@ import { first } from "rxjs/operators";
 
 import { LoginComponent as BaseLoginComponent } from "@bitwarden/angular/auth/components/login.component";
 import { FormValidationErrorsService } from "@bitwarden/angular/platform/abstractions/form-validation-errors.service";
-import { DevicesApiServiceAbstraction } from "@bitwarden/common/abstractions/devices/devices-api.service.abstraction";
 import { PolicyApiServiceAbstraction } from "@bitwarden/common/admin-console/abstractions/policy/policy-api.service.abstraction";
 import { InternalPolicyService } from "@bitwarden/common/admin-console/abstractions/policy/policy.service.abstraction";
 import { PolicyData } from "@bitwarden/common/admin-console/models/data/policy.data";
@@ -14,6 +13,7 @@ import { MasterPasswordPolicyOptions } from "@bitwarden/common/admin-console/mod
 import { Policy } from "@bitwarden/common/admin-console/models/domain/policy";
 import { PolicyResponse } from "@bitwarden/common/admin-console/models/response/policy.response";
 import { AuthService } from "@bitwarden/common/auth/abstractions/auth.service";
+import { DevicesApiServiceAbstraction } from "@bitwarden/common/auth/abstractions/devices-api.service.abstraction";
 import { LoginService } from "@bitwarden/common/auth/abstractions/login.service";
 import { ListResponse } from "@bitwarden/common/models/response/list.response";
 import { AppIdService } from "@bitwarden/common/platform/abstractions/app-id.service";
diff --git a/apps/web/src/app/auth/login/login.module.ts b/apps/web/src/app/auth/login/login.module.ts
index b01fa01588..2a074ca2a6 100644
--- a/apps/web/src/app/auth/login/login.module.ts
+++ b/apps/web/src/app/auth/login/login.module.ts
@@ -4,12 +4,13 @@ import { CheckboxModule } from "@bitwarden/components";
 
 import { SharedModule } from "../../../app/shared";
 
+import { LoginDecryptionOptionsComponent } from "./login-decryption-options/login-decryption-options.component";
 import { LoginWithDeviceComponent } from "./login-with-device.component";
 import { LoginComponent } from "./login.component";
 
 @NgModule({
   imports: [SharedModule, CheckboxModule],
-  declarations: [LoginComponent, LoginWithDeviceComponent],
-  exports: [LoginComponent, LoginWithDeviceComponent],
+  declarations: [LoginComponent, LoginWithDeviceComponent, LoginDecryptionOptionsComponent],
+  exports: [LoginComponent, LoginWithDeviceComponent, LoginDecryptionOptionsComponent],
 })
 export class LoginModule {}
diff --git a/apps/web/src/app/auth/recover-two-factor.component.ts b/apps/web/src/app/auth/recover-two-factor.component.ts
index 06816d8546..2d6140780a 100644
--- a/apps/web/src/app/auth/recover-two-factor.component.ts
+++ b/apps/web/src/app/auth/recover-two-factor.component.ts
@@ -35,7 +35,7 @@ export class RecoverTwoFactorComponent {
       request.recoveryCode = this.recoveryCode.replace(/\s/g, "").toLowerCase();
       request.email = this.email.trim().toLowerCase();
       const key = await this.authService.makePreloginKey(this.masterPassword, request.email);
-      request.masterPasswordHash = await this.cryptoService.hashPassword(this.masterPassword, key);
+      request.masterPasswordHash = await this.cryptoService.hashMasterKey(this.masterPassword, key);
       this.formPromise = this.apiService.postTwoFactorRecover(request);
       await this.formPromise;
       this.platformUtilsService.showToast(
diff --git a/apps/web/src/app/settings/change-password.component.html b/apps/web/src/app/auth/settings/change-password.component.html
similarity index 94%
rename from apps/web/src/app/settings/change-password.component.html
rename to apps/web/src/app/auth/settings/change-password.component.html
index 3321b8f9df..7088cb5a68 100644
--- a/apps/web/src/app/settings/change-password.component.html
+++ b/apps/web/src/app/auth/settings/change-password.component.html
@@ -89,12 +89,12 @@
       <input
         class="form-check-input"
         type="checkbox"
-        id="rotateEncKey"
-        name="RotateEncKey"
-        [(ngModel)]="rotateEncKey"
-        (change)="rotateEncKeyClicked()"
+        id="rotateUserKey"
+        name="RotateUserKey"
+        [(ngModel)]="rotateUserKey"
+        (change)="rotateUserKeyClicked()"
       />
-      <label class="form-check-label" for="rotateEncKey">
+      <label class="form-check-label" for="rotateUserKey">
         {{ "rotateAccountEncKey" | i18n }}
       </label>
       <a
diff --git a/apps/web/src/app/settings/change-password.component.ts b/apps/web/src/app/auth/settings/change-password.component.ts
similarity index 82%
rename from apps/web/src/app/settings/change-password.component.ts
rename to apps/web/src/app/auth/settings/change-password.component.ts
index 83a13cbfff..00baee44d0 100644
--- a/apps/web/src/app/settings/change-password.component.ts
+++ b/apps/web/src/app/auth/settings/change-password.component.ts
@@ -10,7 +10,9 @@ import { OrganizationUserResetPasswordEnrollmentRequest } from "@bitwarden/commo
 import { OrganizationApiServiceAbstraction } from "@bitwarden/common/admin-console/abstractions/organization/organization-api.service.abstraction";
 import { OrganizationService } from "@bitwarden/common/admin-console/abstractions/organization/organization.service.abstraction";
 import { PolicyService } from "@bitwarden/common/admin-console/abstractions/policy/policy.service.abstraction";
+import { DeviceTrustCryptoServiceAbstraction } from "@bitwarden/common/auth/abstractions/device-trust-crypto.service.abstraction";
 import { KeyConnectorService } from "@bitwarden/common/auth/abstractions/key-connector.service";
+import { UserVerificationService } from "@bitwarden/common/auth/abstractions/user-verification/user-verification.service.abstraction";
 import { EmergencyAccessStatusType } from "@bitwarden/common/auth/enums/emergency-access-status-type";
 import { EmergencyAccessUpdateRequest } from "@bitwarden/common/auth/models/request/emergency-access-update.request";
 import { PasswordRequest } from "@bitwarden/common/auth/models/request/password.request";
@@ -22,7 +24,11 @@ import { PlatformUtilsService } from "@bitwarden/common/platform/abstractions/pl
 import { StateService } from "@bitwarden/common/platform/abstractions/state.service";
 import { Utils } from "@bitwarden/common/platform/misc/utils";
 import { EncString } from "@bitwarden/common/platform/models/domain/enc-string";
-import { SymmetricCryptoKey } from "@bitwarden/common/platform/models/domain/symmetric-crypto-key";
+import {
+  MasterKey,
+  SymmetricCryptoKey,
+  UserKey,
+} from "@bitwarden/common/platform/models/domain/symmetric-crypto-key";
 import { PasswordGenerationServiceAbstraction } from "@bitwarden/common/tools/generator/password";
 import { SendWithIdRequest } from "@bitwarden/common/tools/send/models/request/send-with-id.request";
 import { SendService } from "@bitwarden/common/tools/send/services/send.service.abstraction";
@@ -38,7 +44,7 @@ import { DialogService } from "@bitwarden/components";
   templateUrl: "change-password.component.html",
 })
 export class ChangePasswordComponent extends BaseChangePasswordComponent {
-  rotateEncKey = false;
+  rotateUserKey = false;
   currentMasterPassword: string;
   masterPasswordHint: string;
   checkForBreaches = true;
@@ -63,7 +69,9 @@ export class ChangePasswordComponent extends BaseChangePasswordComponent {
     private router: Router,
     private organizationApiService: OrganizationApiServiceAbstraction,
     private organizationUserService: OrganizationUserService,
-    dialogService: DialogService
+    dialogService: DialogService,
+    private userVerificationService: UserVerificationService,
+    private deviceTrustCryptoService: DeviceTrustCryptoServiceAbstraction
   ) {
     super(
       i18nService,
@@ -78,7 +86,7 @@ export class ChangePasswordComponent extends BaseChangePasswordComponent {
   }
 
   async ngOnInit() {
-    if (await this.keyConnectorService.getUsesKeyConnector()) {
+    if (!(await this.userVerificationService.hasMasterPassword())) {
       this.router.navigate(["/settings/security/two-factor"]);
     }
 
@@ -88,8 +96,8 @@ export class ChangePasswordComponent extends BaseChangePasswordComponent {
     this.characterMinimumMessage = this.i18nService.t("characterMinimum", this.minimumLength);
   }
 
-  async rotateEncKeyClicked() {
-    if (this.rotateEncKey) {
+  async rotateUserKeyClicked() {
+    if (this.rotateUserKey) {
       const ciphers = await this.cipherService.getAllDecrypted();
       let hasOldAttachments = false;
       if (ciphers != null) {
@@ -115,7 +123,7 @@ export class ChangePasswordComponent extends BaseChangePasswordComponent {
             "https://bitwarden.com/help/attachments/#add-storage-space"
           );
         }
-        this.rotateEncKey = false;
+        this.rotateUserKey = false;
         return;
       }
 
@@ -131,14 +139,14 @@ export class ChangePasswordComponent extends BaseChangePasswordComponent {
       });
 
       if (!result) {
-        this.rotateEncKey = false;
+        this.rotateUserKey = false;
       }
     }
   }
 
   async submit() {
-    const hasEncKey = await this.cryptoService.hasEncKey();
-    if (!hasEncKey) {
+    const hasUserKey = await this.cryptoService.hasUserKey();
+    if (!hasUserKey) {
       this.platformUtilsService.showToast("error", null, this.i18nService.t("updateKey"));
       return;
     }
@@ -170,7 +178,7 @@ export class ChangePasswordComponent extends BaseChangePasswordComponent {
       return false;
     }
 
-    if (this.rotateEncKey) {
+    if (this.rotateUserKey) {
       await this.syncService.fullSync(true);
     }
 
@@ -179,22 +187,23 @@ export class ChangePasswordComponent extends BaseChangePasswordComponent {
 
   async performSubmitActions(
     newMasterPasswordHash: string,
-    newKey: SymmetricCryptoKey,
-    newEncKey: [SymmetricCryptoKey, EncString]
+    newMasterKey: MasterKey,
+    newUserKey: [UserKey, EncString]
   ) {
+    const masterKey = await this.cryptoService.getOrDeriveMasterKey(this.currentMasterPassword);
     const request = new PasswordRequest();
-    request.masterPasswordHash = await this.cryptoService.hashPassword(
+    request.masterPasswordHash = await this.cryptoService.hashMasterKey(
       this.currentMasterPassword,
-      null
+      masterKey
     );
     request.masterPasswordHint = this.masterPasswordHint;
     request.newMasterPasswordHash = newMasterPasswordHash;
-    request.key = newEncKey[1].encryptedString;
+    request.key = newUserKey[1].encryptedString;
 
     try {
-      if (this.rotateEncKey) {
+      if (this.rotateUserKey) {
         this.formPromise = this.apiService.postPassword(request).then(() => {
-          return this.updateKey(newKey, request.newMasterPasswordHash);
+          return this.updateKey(newMasterKey, request.newMasterPasswordHash);
         });
       } else {
         this.formPromise = this.apiService.postPassword(request);
@@ -213,16 +222,16 @@ export class ChangePasswordComponent extends BaseChangePasswordComponent {
     }
   }
 
-  private async updateKey(key: SymmetricCryptoKey, masterPasswordHash: string) {
-    const encKey = await this.cryptoService.makeEncKey(key);
-    const privateKey = await this.cryptoService.getPrivateKey();
+  private async updateKey(masterKey: MasterKey, masterPasswordHash: string) {
+    const [newUserKey, masterKeyEncUserKey] = await this.cryptoService.makeUserKey(masterKey);
+    const userPrivateKey = await this.cryptoService.getPrivateKey();
     let encPrivateKey: EncString = null;
-    if (privateKey != null) {
-      encPrivateKey = await this.cryptoService.encrypt(privateKey, encKey[0]);
+    if (userPrivateKey != null) {
+      encPrivateKey = await this.cryptoService.encrypt(userPrivateKey, newUserKey);
     }
     const request = new UpdateKeyRequest();
     request.privateKey = encPrivateKey != null ? encPrivateKey.encryptedString : null;
-    request.key = encKey[1].encryptedString;
+    request.key = masterKeyEncUserKey.encryptedString;
     request.masterPasswordHash = masterPasswordHash;
 
     const folders = await firstValueFrom(this.folderService.folderViews$);
@@ -230,7 +239,7 @@ export class ChangePasswordComponent extends BaseChangePasswordComponent {
       if (folders[i].id == null) {
         continue;
       }
-      const folder = await this.folderService.encrypt(folders[i], encKey[0]);
+      const folder = await this.folderService.encrypt(folders[i], newUserKey);
       request.folders.push(new FolderWithIdRequest(folder));
     }
 
@@ -240,24 +249,26 @@ export class ChangePasswordComponent extends BaseChangePasswordComponent {
         continue;
       }
 
-      const cipher = await this.cipherService.encrypt(ciphers[i], encKey[0]);
+      const cipher = await this.cipherService.encrypt(ciphers[i], newUserKey);
       request.ciphers.push(new CipherWithIdRequest(cipher));
     }
 
     const sends = await firstValueFrom(this.sendService.sends$);
     await Promise.all(
       sends.map(async (send) => {
-        const cryptoKey = await this.cryptoService.decryptToBytes(send.key, null);
-        send.key = (await this.cryptoService.encrypt(cryptoKey, encKey[0])) ?? send.key;
+        const sendKey = await this.cryptoService.decryptToBytes(send.key, null);
+        send.key = (await this.cryptoService.encrypt(sendKey, newUserKey)) ?? send.key;
         request.sends.push(new SendWithIdRequest(send));
       })
     );
 
+    await this.deviceTrustCryptoService.rotateDevicesTrust(newUserKey, masterPasswordHash);
+
     await this.apiService.postAccountKey(request);
 
-    await this.updateEmergencyAccesses(encKey[0]);
+    await this.updateEmergencyAccesses(newUserKey);
 
-    await this.updateAllResetPasswordKeys(encKey[0], masterPasswordHash);
+    await this.updateAllResetPasswordKeys(newUserKey, masterPasswordHash);
   }
 
   private async updateEmergencyAccesses(encKey: SymmetricCryptoKey) {
@@ -285,7 +296,7 @@ export class ChangePasswordComponent extends BaseChangePasswordComponent {
     }
   }
 
-  private async updateAllResetPasswordKeys(encKey: SymmetricCryptoKey, masterPasswordHash: string) {
+  private async updateAllResetPasswordKeys(userKey: UserKey, masterPasswordHash: string) {
     const orgs = await this.organizationService.getAll();
 
     for (const org of orgs) {
@@ -299,7 +310,7 @@ export class ChangePasswordComponent extends BaseChangePasswordComponent {
       const publicKey = Utils.fromB64ToArray(response?.publicKey);
 
       // Re-enroll - encrypt user's encKey.key with organization public key
-      const encryptedKey = await this.cryptoService.rsaEncrypt(encKey.key, publicKey);
+      const encryptedKey = await this.cryptoService.rsaEncrypt(userKey.key, publicKey);
 
       // Create/Execute request
       const request = new OrganizationUserResetPasswordEnrollmentRequest();
diff --git a/apps/web/src/app/auth/settings/emergency-access/emergency-access-takeover.component.ts b/apps/web/src/app/auth/settings/emergency-access/emergency-access-takeover.component.ts
index fec3488e31..db9917bb93 100644
--- a/apps/web/src/app/auth/settings/emergency-access/emergency-access-takeover.component.ts
+++ b/apps/web/src/app/auth/settings/emergency-access/emergency-access-takeover.component.ts
@@ -16,7 +16,10 @@ import { LogService } from "@bitwarden/common/platform/abstractions/log.service"
 import { MessagingService } from "@bitwarden/common/platform/abstractions/messaging.service";
 import { PlatformUtilsService } from "@bitwarden/common/platform/abstractions/platform-utils.service";
 import { StateService } from "@bitwarden/common/platform/abstractions/state.service";
-import { SymmetricCryptoKey } from "@bitwarden/common/platform/models/domain/symmetric-crypto-key";
+import {
+  SymmetricCryptoKey,
+  UserKey,
+} from "@bitwarden/common/platform/models/domain/symmetric-crypto-key";
 import { PasswordGenerationServiceAbstraction } from "@bitwarden/common/tools/generator/password";
 import { DialogService } from "@bitwarden/components";
 
@@ -91,9 +94,9 @@ export class EmergencyAccessTakeoverComponent
     );
 
     const oldKeyBuffer = await this.cryptoService.rsaDecrypt(takeoverResponse.keyEncrypted);
-    const oldEncKey = new SymmetricCryptoKey(oldKeyBuffer);
+    const oldUserKey = new SymmetricCryptoKey(oldKeyBuffer) as UserKey;
 
-    if (oldEncKey == null) {
+    if (oldUserKey == null) {
       this.platformUtilsService.showToast(
         "error",
         this.i18nService.t("errorOccurred"),
@@ -102,7 +105,7 @@ export class EmergencyAccessTakeoverComponent
       return;
     }
 
-    const key = await this.cryptoService.makeKey(
+    const masterKey = await this.cryptoService.makeMasterKey(
       this.masterPassword,
       this.email,
       takeoverResponse.kdf,
@@ -112,12 +115,12 @@ export class EmergencyAccessTakeoverComponent
         takeoverResponse.kdfParallelism
       )
     );
-    const masterPasswordHash = await this.cryptoService.hashPassword(this.masterPassword, key);
+    const masterKeyHash = await this.cryptoService.hashMasterKey(this.masterPassword, masterKey);
 
-    const encKey = await this.cryptoService.remakeEncKey(key, oldEncKey);
+    const encKey = await this.cryptoService.encryptUserKeyWithMasterKey(masterKey, oldUserKey);
 
     const request = new EmergencyAccessPasswordRequest();
-    request.newMasterPasswordHash = masterPasswordHash;
+    request.newMasterPasswordHash = masterKeyHash;
     request.key = encKey[1].encryptedString;
 
     this.apiService.postEmergencyAccessPassword(this.emergencyAccessId, request);
diff --git a/apps/web/src/app/auth/settings/emergency-access/emergency-access-view.component.ts b/apps/web/src/app/auth/settings/emergency-access/emergency-access-view.component.ts
index 9507980248..f7936d361b 100644
--- a/apps/web/src/app/auth/settings/emergency-access/emergency-access-view.component.ts
+++ b/apps/web/src/app/auth/settings/emergency-access/emergency-access-view.component.ts
@@ -5,7 +5,10 @@ import { ModalService } from "@bitwarden/angular/services/modal.service";
 import { ApiService } from "@bitwarden/common/abstractions/api.service";
 import { EmergencyAccessViewResponse } from "@bitwarden/common/auth/models/response/emergency-access.response";
 import { CryptoService } from "@bitwarden/common/platform/abstractions/crypto.service";
-import { SymmetricCryptoKey } from "@bitwarden/common/platform/models/domain/symmetric-crypto-key";
+import {
+  SymmetricCryptoKey,
+  UserKey,
+} from "@bitwarden/common/platform/models/domain/symmetric-crypto-key";
 import { CipherService } from "@bitwarden/common/vault/abstractions/cipher.service";
 import { CipherData } from "@bitwarden/common/vault/models/data/cipher.data";
 import { Cipher } from "@bitwarden/common/vault/models/domain/cipher";
@@ -87,13 +90,13 @@ export class EmergencyAccessViewComponent implements OnInit {
 
     const decCiphers: CipherView[] = [];
     const oldKeyBuffer = await this.cryptoService.rsaDecrypt(response.keyEncrypted);
-    const oldEncKey = new SymmetricCryptoKey(oldKeyBuffer);
+    const oldUserKey = new SymmetricCryptoKey(oldKeyBuffer) as UserKey;
 
     const promises: any[] = [];
     ciphers.forEach((cipherResponse) => {
       const cipherData = new CipherData(cipherResponse);
       const cipher = new Cipher(cipherData);
-      promises.push(cipher.decrypt(oldEncKey).then((c) => decCiphers.push(c)));
+      promises.push(cipher.decrypt(oldUserKey).then((c) => decCiphers.push(c)));
     });
 
     await Promise.all(promises);
diff --git a/apps/web/src/app/auth/settings/emergency-access/emergency-access.component.ts b/apps/web/src/app/auth/settings/emergency-access/emergency-access.component.ts
index 6e0e9b0502..06b5110222 100644
--- a/apps/web/src/app/auth/settings/emergency-access/emergency-access.component.ts
+++ b/apps/web/src/app/auth/settings/emergency-access/emergency-access.component.ts
@@ -300,9 +300,12 @@ export class EmergencyAccessComponent implements OnInit {
     }
   }
 
-  // Encrypt the master password hash using the grantees public key, and send it to bitwarden for escrow.
+  // Encrypt the user key with the grantees public key, and send it to bitwarden for escrow.
   private async doConfirmation(details: EmergencyAccessGranteeDetailsResponse) {
-    const encKey = await this.cryptoService.getEncKey();
+    const userKey = await this.cryptoService.getUserKey();
+    if (!userKey) {
+      throw new Error("No user key found");
+    }
     const publicKeyResponse = await this.apiService.getUserPublicKey(details.granteeId);
     const publicKey = Utils.fromB64ToArray(publicKeyResponse.publicKey);
 
@@ -315,7 +318,7 @@ export class EmergencyAccessComponent implements OnInit {
       // Ignore errors since it's just a debug message
     }
 
-    const encryptedKey = await this.cryptoService.rsaEncrypt(encKey.key, publicKey);
+    const encryptedKey = await this.cryptoService.rsaEncrypt(userKey.key, publicKey);
     const request = new EmergencyAccessConfirmRequest();
     request.key = encryptedKey.encryptedString;
     await this.apiService.postEmergencyAccessConfirm(details.id, request);
diff --git a/apps/web/src/app/auth/settings/two-factor-verify.component.html b/apps/web/src/app/auth/settings/two-factor-verify.component.html
index 523514f1ae..87d6b09984 100644
--- a/apps/web/src/app/auth/settings/two-factor-verify.component.html
+++ b/apps/web/src/app/auth/settings/two-factor-verify.component.html
@@ -1,6 +1,5 @@
 <form #form (ngSubmit)="submit()" [appApiAction]="formPromise" ngNativeValidate>
   <div class="modal-body">
-    <p>{{ "twoStepLoginAuthDesc" | i18n }}</p>
     <app-user-verification [(ngModel)]="secret" ngDefaultControl name="secret">
     </app-user-verification>
   </div>
diff --git a/apps/web/src/app/auth/shared/components/user-verification/user-verification.component.html b/apps/web/src/app/auth/shared/components/user-verification/user-verification.component.html
index a15ce41738..0770ea4dfe 100644
--- a/apps/web/src/app/auth/shared/components/user-verification/user-verification.component.html
+++ b/apps/web/src/app/auth/shared/components/user-verification/user-verification.component.html
@@ -1,4 +1,4 @@
-<ng-container *ngIf="!usesKeyConnector">
+<ng-container *ngIf="hasMasterPassword">
   <bit-form-field disableMargin>
     <bit-label>{{ "masterPass" | i18n }}</bit-label>
     <input
@@ -14,7 +14,7 @@
     <bit-hint>{{ "confirmIdentity" | i18n }}</bit-hint>
   </bit-form-field>
 </ng-container>
-<ng-container *ngIf="usesKeyConnector">
+<ng-container *ngIf="!hasMasterPassword">
   <div class="tw-mb-6">
     <label class="tw-block">{{ "sendVerificationCode" | i18n }}</label>
     <button type="button" bitButton buttonType="secondary" [bitAction]="requestOTP" appAutofocus>
diff --git a/apps/web/src/app/auth/sso.component.ts b/apps/web/src/app/auth/sso.component.ts
index 0b1ec0e000..fbd626db7f 100644
--- a/apps/web/src/app/auth/sso.component.ts
+++ b/apps/web/src/app/auth/sso.component.ts
@@ -10,6 +10,7 @@ import { AuthService } from "@bitwarden/common/auth/abstractions/auth.service";
 import { LoginService } from "@bitwarden/common/auth/abstractions/login.service";
 import { HttpStatusCode } from "@bitwarden/common/enums";
 import { ErrorResponse } from "@bitwarden/common/models/response/error.response";
+import { ConfigServiceAbstraction } from "@bitwarden/common/platform/abstractions/config/config.service.abstraction";
 import { CryptoFunctionService } from "@bitwarden/common/platform/abstractions/crypto-function.service";
 import { EnvironmentService } from "@bitwarden/common/platform/abstractions/environment.service";
 import { I18nService } from "@bitwarden/common/platform/abstractions/i18n.service";
@@ -39,7 +40,8 @@ export class SsoComponent extends BaseSsoComponent {
     logService: LogService,
     private orgDomainApiService: OrgDomainApiServiceAbstraction,
     private loginService: LoginService,
-    private validationService: ValidationService
+    private validationService: ValidationService,
+    configService: ConfigServiceAbstraction
   ) {
     super(
       authService,
@@ -52,7 +54,8 @@ export class SsoComponent extends BaseSsoComponent {
       cryptoFunctionService,
       environmentService,
       passwordGenerationService,
-      logService
+      logService,
+      configService
     );
     this.redirectUri = window.location.origin + "/sso-connector.html";
     this.clientId = "web";
diff --git a/apps/web/src/app/auth/two-factor.component.ts b/apps/web/src/app/auth/two-factor.component.ts
index 57b384e97c..2990331761 100644
--- a/apps/web/src/app/auth/two-factor.component.ts
+++ b/apps/web/src/app/auth/two-factor.component.ts
@@ -1,7 +1,8 @@
-import { Component, ViewChild, ViewContainerRef } from "@angular/core";
+import { Component, Inject, ViewChild, ViewContainerRef } from "@angular/core";
 import { ActivatedRoute, Router } from "@angular/router";
 
 import { TwoFactorComponent as BaseTwoFactorComponent } from "@bitwarden/angular/auth/components/two-factor.component";
+import { WINDOW } from "@bitwarden/angular/services/injection-tokens";
 import { ModalService } from "@bitwarden/angular/services/modal.service";
 import { ApiService } from "@bitwarden/common/abstractions/api.service";
 import { AuthService } from "@bitwarden/common/auth/abstractions/auth.service";
@@ -9,6 +10,7 @@ import { LoginService } from "@bitwarden/common/auth/abstractions/login.service"
 import { TwoFactorService } from "@bitwarden/common/auth/abstractions/two-factor.service";
 import { TwoFactorProviderType } from "@bitwarden/common/auth/enums/two-factor-provider-type";
 import { AppIdService } from "@bitwarden/common/platform/abstractions/app-id.service";
+import { ConfigServiceAbstraction } from "@bitwarden/common/platform/abstractions/config/config.service.abstraction";
 import { EnvironmentService } from "@bitwarden/common/platform/abstractions/environment.service";
 import { I18nService } from "@bitwarden/common/platform/abstractions/i18n.service";
 import { LogService } from "@bitwarden/common/platform/abstractions/log.service";
@@ -42,7 +44,9 @@ export class TwoFactorComponent extends BaseTwoFactorComponent {
     twoFactorService: TwoFactorService,
     appIdService: AppIdService,
     private routerService: RouterService,
-    loginService: LoginService
+    loginService: LoginService,
+    configService: ConfigServiceAbstraction,
+    @Inject(WINDOW) protected win: Window
   ) {
     super(
       authService,
@@ -50,14 +54,15 @@ export class TwoFactorComponent extends BaseTwoFactorComponent {
       i18nService,
       apiService,
       platformUtilsService,
-      window,
+      win,
       environmentService,
       stateService,
       route,
       logService,
       twoFactorService,
       appIdService,
-      loginService
+      loginService,
+      configService
     );
     this.onSuccessfulLoginNavigate = this.goAfterLogIn;
   }
@@ -81,7 +86,7 @@ export class TwoFactorComponent extends BaseTwoFactorComponent {
     );
   }
 
-  async goAfterLogIn() {
+  goAfterLogIn = async () => {
     this.loginService.clearValues();
     const previousUrl = this.routerService.getPreviousUrl();
     if (previousUrl) {
@@ -103,9 +108,9 @@ export class TwoFactorComponent extends BaseTwoFactorComponent {
 
       this.router.navigate([this.successRoute], {
         queryParams: {
-          identifier: this.identifier,
+          identifier: this.orgIdentifier,
         },
       });
     }
-  }
+  };
 }
diff --git a/apps/web/src/app/billing/settings/organization-plans.component.ts b/apps/web/src/app/billing/settings/organization-plans.component.ts
index 5c6359af95..c84d9511a1 100644
--- a/apps/web/src/app/billing/settings/organization-plans.component.ts
+++ b/apps/web/src/app/billing/settings/organization-plans.component.ts
@@ -31,7 +31,10 @@ import { LogService } from "@bitwarden/common/platform/abstractions/log.service"
 import { MessagingService } from "@bitwarden/common/platform/abstractions/messaging.service";
 import { PlatformUtilsService } from "@bitwarden/common/platform/abstractions/platform-utils.service";
 import { EncString } from "@bitwarden/common/platform/models/domain/enc-string";
-import { SymmetricCryptoKey } from "@bitwarden/common/platform/models/domain/symmetric-crypto-key";
+import {
+  OrgKey,
+  SymmetricCryptoKey,
+} from "@bitwarden/common/platform/models/domain/symmetric-crypto-key";
 import { SyncService } from "@bitwarden/common/vault/abstractions/sync/sync.service.abstraction";
 
 import { secretsManagerSubscribeFormFactory } from "../organizations/secrets-manager/sm-subscribe.component";
@@ -415,19 +418,19 @@ export class OrganizationPlansComponent implements OnInit, OnDestroy {
       const doSubmit = async (): Promise<string> => {
         let orgId: string = null;
         if (this.createOrganization) {
-          const shareKey = await this.cryptoService.makeShareKey();
-          const key = shareKey[0].encryptedString;
+          const orgKey = await this.cryptoService.makeOrgKey<OrgKey>();
+          const key = orgKey[0].encryptedString;
           const collection = await this.cryptoService.encrypt(
             this.i18nService.t("defaultCollection"),
-            shareKey[1]
+            orgKey[1]
           );
           const collectionCt = collection.encryptedString;
-          const orgKeys = await this.cryptoService.makeKeyPair(shareKey[1]);
+          const orgKeys = await this.cryptoService.makeKeyPair(orgKey[1]);
 
           if (this.selfHosted) {
             orgId = await this.createSelfHosted(key, collectionCt, orgKeys);
           } else {
-            orgId = await this.createCloudHosted(key, collectionCt, orgKeys, shareKey[1]);
+            orgId = await this.createCloudHosted(key, collectionCt, orgKeys, orgKey[1]);
           }
 
           this.platformUtilsService.showToast(
diff --git a/apps/web/src/app/core/event.service.ts b/apps/web/src/app/core/event.service.ts
index 1247c5a367..d3e8f2d158 100644
--- a/apps/web/src/app/core/event.service.ts
+++ b/apps/web/src/app/core/event.service.ts
@@ -80,6 +80,9 @@ export class EventService {
       case EventType.User_MigratedKeyToKeyConnector:
         msg = humanReadableMsg = this.i18nService.t("migratedKeyConnector");
         break;
+      case EventType.User_RequestedDeviceApproval:
+        msg = humanReadableMsg = this.i18nService.t("requestedDeviceApproval");
+        break;
       // Cipher
       case EventType.Cipher_Created:
         msg = this.i18nService.t("createdItemId", this.formatCipherId(ev, options));
@@ -307,6 +310,20 @@ export class EventService {
           this.getShortId(ev.organizationUserId)
         );
         break;
+      case EventType.OrganizationUser_ApprovedAuthRequest:
+        msg = this.i18nService.t("approvedAuthRequest", this.formatOrgUserId(ev));
+        humanReadableMsg = this.i18nService.t(
+          "approvedAuthRequest",
+          this.getShortId(ev.organizationUserId)
+        );
+        break;
+      case EventType.OrganizationUser_RejectedAuthRequest:
+        msg = this.i18nService.t("rejectedAuthRequest", this.formatOrgUserId(ev));
+        humanReadableMsg = this.i18nService.t(
+          "rejectedAuthRequest",
+          this.getShortId(ev.organizationUserId)
+        );
+        break;
       // Org
       case EventType.Organization_Updated:
         msg = humanReadableMsg = this.i18nService.t("editedOrgSettings");
diff --git a/apps/web/src/app/core/init.service.ts b/apps/web/src/app/core/init.service.ts
index 8e0e0d600f..3437c4f3e9 100644
--- a/apps/web/src/app/core/init.service.ts
+++ b/apps/web/src/app/core/init.service.ts
@@ -4,7 +4,6 @@ import { WINDOW } from "@bitwarden/angular/services/injection-tokens";
 import { AbstractThemingService } from "@bitwarden/angular/services/theming/theming.service.abstraction";
 import { EventUploadService as EventUploadServiceAbstraction } from "@bitwarden/common/abstractions/event/event-upload.service";
 import { NotificationsService as NotificationsServiceAbstraction } from "@bitwarden/common/abstractions/notifications.service";
-import { VaultTimeoutService as VaultTimeoutServiceAbstraction } from "@bitwarden/common/abstractions/vaultTimeout/vaultTimeout.service";
 import { TwoFactorService as TwoFactorServiceAbstraction } from "@bitwarden/common/auth/abstractions/two-factor.service";
 import { CryptoService as CryptoServiceAbstraction } from "@bitwarden/common/platform/abstractions/crypto.service";
 import { EncryptService } from "@bitwarden/common/platform/abstractions/encrypt.service";
@@ -16,7 +15,7 @@ import { I18nService as I18nServiceAbstraction } from "@bitwarden/common/platfor
 import { StateService as StateServiceAbstraction } from "@bitwarden/common/platform/abstractions/state.service";
 import { ContainerService } from "@bitwarden/common/platform/services/container.service";
 import { EventUploadService } from "@bitwarden/common/services/event/event-upload.service";
-import { VaultTimeoutService as VaultTimeoutService } from "@bitwarden/common/services/vaultTimeout/vaultTimeout.service";
+import { VaultTimeoutService } from "@bitwarden/common/services/vault-timeout/vault-timeout.service";
 
 import { I18nService } from "../core/i18n.service";
 
@@ -26,7 +25,7 @@ export class InitService {
     @Inject(WINDOW) private win: Window,
     private environmentService: EnvironmentServiceAbstraction,
     private notificationsService: NotificationsServiceAbstraction,
-    private vaultTimeoutService: VaultTimeoutServiceAbstraction,
+    private vaultTimeoutService: VaultTimeoutService,
     private i18nService: I18nServiceAbstraction,
     private eventUploadService: EventUploadServiceAbstraction,
     private twoFactorService: TwoFactorServiceAbstraction,
@@ -48,7 +47,7 @@ export class InitService {
       this.environmentService.initialized = true;
 
       setTimeout(() => this.notificationsService.init(), 3000);
-      (this.vaultTimeoutService as VaultTimeoutService).init(true);
+      await this.vaultTimeoutService.init(true);
       const locale = await this.stateService.getLocale();
       await (this.i18nService as I18nService).init(locale);
       (this.eventUploadService as EventUploadService).init(true);
diff --git a/apps/web/src/app/guards/home.guard.ts b/apps/web/src/app/guards/home.guard.ts
deleted file mode 100644
index bbcf3448c7..0000000000
--- a/apps/web/src/app/guards/home.guard.ts
+++ /dev/null
@@ -1,24 +0,0 @@
-import { Injectable } from "@angular/core";
-import { ActivatedRouteSnapshot, CanActivate, Router } from "@angular/router";
-
-import { AuthService } from "@bitwarden/common/auth/abstractions/auth.service";
-import { AuthenticationStatus } from "@bitwarden/common/auth/enums/authentication-status";
-
-@Injectable({
-  providedIn: "root",
-})
-export class HomeGuard implements CanActivate {
-  constructor(private router: Router, private authService: AuthService) {}
-
-  async canActivate(route: ActivatedRouteSnapshot) {
-    const authStatus = await this.authService.getAuthStatus();
-
-    if (authStatus === AuthenticationStatus.LoggedOut) {
-      return this.router.createUrlTree(["/login"], { queryParams: route.queryParams });
-    }
-    if (authStatus === AuthenticationStatus.Locked) {
-      return this.router.createUrlTree(["/lock"], { queryParams: route.queryParams });
-    }
-    return this.router.createUrlTree(["/vault"], { queryParams: route.queryParams });
-  }
-}
diff --git a/apps/web/src/app/layouts/navbar.component.html b/apps/web/src/app/layouts/navbar.component.html
index edb7836554..cecd5599ab 100644
--- a/apps/web/src/app/layouts/navbar.component.html
+++ b/apps/web/src/app/layouts/navbar.component.html
@@ -84,7 +84,7 @@
               {{ "getApps" | i18n }}
             </a>
             <bit-menu-divider></bit-menu-divider>
-            <button bitMenuItem type="button" (click)="lock()">
+            <button *ngIf="canLock$ | async" bitMenuItem type="button" (click)="lock()">
               <i class="bwi bwi-fw bwi-lock" aria-hidden="true"></i>
               {{ "lockNow" | i18n }}
             </button>
diff --git a/apps/web/src/app/layouts/navbar.component.ts b/apps/web/src/app/layouts/navbar.component.ts
index f272166331..8dc36e4fb3 100644
--- a/apps/web/src/app/layouts/navbar.component.ts
+++ b/apps/web/src/app/layouts/navbar.component.ts
@@ -1,6 +1,7 @@
 import { Component, OnInit } from "@angular/core";
-import { Observable } from "rxjs";
+import { map, Observable } from "rxjs";
 
+import { VaultTimeoutSettingsService } from "@bitwarden/common/abstractions/vault-timeout/vault-timeout-settings.service";
 import {
   canAccessAdmin,
   OrganizationService,
@@ -8,6 +9,7 @@ import {
 import { ProviderService } from "@bitwarden/common/admin-console/abstractions/provider.service";
 import { Organization } from "@bitwarden/common/admin-console/models/domain/organization";
 import { TokenService } from "@bitwarden/common/auth/abstractions/token.service";
+import { VaultTimeoutAction } from "@bitwarden/common/enums/vault-timeout-action.enum";
 import { Provider } from "@bitwarden/common/models/domain/provider";
 import { I18nService } from "@bitwarden/common/platform/abstractions/i18n.service";
 import { MessagingService } from "@bitwarden/common/platform/abstractions/messaging.service";
@@ -26,6 +28,7 @@ export class NavbarComponent implements OnInit {
   providers: Provider[] = [];
   userId: string;
   organizations$: Observable<Organization[]>;
+  canLock$: Observable<boolean>;
 
   constructor(
     private messagingService: MessagingService,
@@ -34,6 +37,7 @@ export class NavbarComponent implements OnInit {
     private providerService: ProviderService,
     private syncService: SyncService,
     private organizationService: OrganizationService,
+    private vaultTimeoutSettingsService: VaultTimeoutSettingsService,
     private i18nService: I18nService
   ) {
     this.selfHosted = this.platformUtilsService.isSelfHost();
@@ -56,6 +60,9 @@ export class NavbarComponent implements OnInit {
     this.organizations$ = this.organizationService.memberOrganizations$.pipe(
       canAccessAdmin(this.i18nService)
     );
+    this.canLock$ = this.vaultTimeoutSettingsService
+      .availableVaultTimeoutActions$()
+      .pipe(map((actions) => actions.includes(VaultTimeoutAction.Lock)));
   }
 
   lock() {
diff --git a/apps/web/src/app/oss-routing.module.ts b/apps/web/src/app/oss-routing.module.ts
index 0f7a15b17a..e6f4caa112 100644
--- a/apps/web/src/app/oss-routing.module.ts
+++ b/apps/web/src/app/oss-routing.module.ts
@@ -1,9 +1,15 @@
 import { NgModule } from "@angular/core";
 import { Route, RouterModule, Routes } from "@angular/router";
 
-import { AuthGuard } from "@bitwarden/angular/auth/guards/auth.guard";
-import { LockGuard } from "@bitwarden/angular/auth/guards/lock.guard";
-import { UnauthGuard } from "@bitwarden/angular/auth/guards/unauth.guard";
+import {
+  AuthGuard,
+  lockGuard,
+  redirectGuard,
+  tdeDecryptionRequiredGuard,
+  UnauthGuard,
+} from "@bitwarden/angular/auth/guards";
+import { canAccessFeature } from "@bitwarden/angular/guard/feature-flag.guard";
+import { FeatureFlag } from "@bitwarden/common/enums/feature-flag.enum";
 
 import { SubscriptionRoutingModule } from "../app/billing/settings/subscription-routing.module";
 import { flagEnabled, Flags } from "../utils/flags";
@@ -16,6 +22,7 @@ import { AcceptEmergencyComponent } from "./auth/accept-emergency.component";
 import { AcceptOrganizationComponent } from "./auth/accept-organization.component";
 import { HintComponent } from "./auth/hint.component";
 import { LockComponent } from "./auth/lock.component";
+import { LoginDecryptionOptionsComponent } from "./auth/login/login-decryption-options/login-decryption-options.component";
 import { LoginWithDeviceComponent } from "./auth/login/login-with-device.component";
 import { LoginComponent } from "./auth/login/login.component";
 import { RecoverDeleteComponent } from "./auth/recover-delete.component";
@@ -31,7 +38,6 @@ import { UpdatePasswordComponent } from "./auth/update-password.component";
 import { UpdateTempPasswordComponent } from "./auth/update-temp-password.component";
 import { VerifyEmailTokenComponent } from "./auth/verify-email-token.component";
 import { VerifyRecoverDeleteComponent } from "./auth/verify-recover-delete.component";
-import { HomeGuard } from "./guards/home.guard";
 import { FrontendLayoutComponent } from "./layouts/frontend-layout.component";
 import { UserLayoutComponent } from "./layouts/user-layout.component";
 import { ReportsModule } from "./reports";
@@ -56,7 +62,7 @@ const routes: Routes = [
         path: "",
         pathMatch: "full",
         children: [], // Children lets us have an empty component.
-        canActivate: [HomeGuard], // Redirects either to vault, login or lock page.
+        canActivate: [redirectGuard()], // Redirects either to vault, login, or lock page.
       },
       { path: "login", component: LoginComponent, canActivate: [UnauthGuard] },
       {
@@ -64,7 +70,20 @@ const routes: Routes = [
         component: LoginWithDeviceComponent,
         data: { titleId: "loginWithDevice" },
       },
+      {
+        path: "admin-approval-requested",
+        component: LoginWithDeviceComponent,
+        data: { titleId: "loginWithDevice" },
+      },
       { path: "2fa", component: TwoFactorComponent, canActivate: [UnauthGuard] },
+      {
+        path: "login-initiated",
+        component: LoginDecryptionOptionsComponent,
+        canActivate: [
+          tdeDecryptionRequiredGuard(),
+          canAccessFeature(FeatureFlag.TrustedDeviceEncryption),
+        ],
+      },
       {
         path: "register",
         component: TrialInitiationComponent,
@@ -96,7 +115,7 @@ const routes: Routes = [
       {
         path: "lock",
         component: LockComponent,
-        canActivate: [LockGuard],
+        canActivate: [lockGuard()],
       },
       { path: "verify-email", component: VerifyEmailTokenComponent },
       {
diff --git a/apps/web/src/app/reports/reports-routing.module.ts b/apps/web/src/app/reports/reports-routing.module.ts
index cfb90d092f..6bbba15c9b 100644
--- a/apps/web/src/app/reports/reports-routing.module.ts
+++ b/apps/web/src/app/reports/reports-routing.module.ts
@@ -1,7 +1,7 @@
 import { NgModule } from "@angular/core";
 import { RouterModule, Routes } from "@angular/router";
 
-import { AuthGuard } from "@bitwarden/angular/auth/guards/auth.guard";
+import { AuthGuard } from "@bitwarden/angular/auth/guards";
 
 import { HasPremiumGuard } from "../core/guards/has-premium.guard";
 
diff --git a/apps/web/src/app/settings/account.component.ts b/apps/web/src/app/settings/account.component.ts
index 4cedadc40e..45f5375654 100644
--- a/apps/web/src/app/settings/account.component.ts
+++ b/apps/web/src/app/settings/account.component.ts
@@ -1,9 +1,7 @@
 import { Component, ViewChild, ViewContainerRef } from "@angular/core";
 
 import { ModalService } from "@bitwarden/angular/services/modal.service";
-import { ApiService } from "@bitwarden/common/abstractions/api.service";
-import { KeyConnectorService } from "@bitwarden/common/auth/abstractions/key-connector.service";
-import { StateService } from "@bitwarden/common/platform/abstractions/state.service";
+import { UserVerificationService } from "@bitwarden/common/auth/abstractions/user-verification/user-verification.service.abstraction";
 
 import { DeauthorizeSessionsComponent } from "../auth/settings/deauthorize-sessions.component";
 
@@ -26,13 +24,11 @@ export class AccountComponent {
 
   constructor(
     private modalService: ModalService,
-    private apiService: ApiService,
-    private keyConnectorService: KeyConnectorService,
-    private stateService: StateService
+    private userVerificationService: UserVerificationService
   ) {}
 
   async ngOnInit() {
-    this.showChangeEmail = !(await this.keyConnectorService.getUsesKeyConnector());
+    this.showChangeEmail = await this.userVerificationService.hasMasterPassword();
   }
 
   async deauthorizeSessions() {
diff --git a/apps/web/src/app/settings/change-email.component.ts b/apps/web/src/app/settings/change-email.component.ts
index c28bf3dcfd..76e78fcba9 100644
--- a/apps/web/src/app/settings/change-email.component.ts
+++ b/apps/web/src/app/settings/change-email.component.ts
@@ -42,8 +42,8 @@ export class ChangeEmailComponent implements OnInit {
   }
 
   async submit() {
-    const hasEncKey = await this.cryptoService.hasEncKey();
-    if (!hasEncKey) {
+    const hasUserKey = await this.cryptoService.hasUserKey();
+    if (!hasUserKey) {
       this.platformUtilsService.showToast("error", null, this.i18nService.t("updateKey"));
       return;
     }
@@ -52,7 +52,10 @@ export class ChangeEmailComponent implements OnInit {
     if (!this.tokenSent) {
       const request = new EmailTokenRequest();
       request.newEmail = this.newEmail;
-      request.masterPasswordHash = await this.cryptoService.hashPassword(this.masterPassword, null);
+      request.masterPasswordHash = await this.cryptoService.hashMasterKey(
+        this.masterPassword,
+        await this.cryptoService.getOrDeriveMasterKey(this.masterPassword)
+      );
       try {
         this.formPromise = this.apiService.postEmailToken(request);
         await this.formPromise;
@@ -64,21 +67,24 @@ export class ChangeEmailComponent implements OnInit {
       const request = new EmailRequest();
       request.token = this.token;
       request.newEmail = this.newEmail;
-      request.masterPasswordHash = await this.cryptoService.hashPassword(this.masterPassword, null);
+      request.masterPasswordHash = await this.cryptoService.hashMasterKey(
+        this.masterPassword,
+        await this.cryptoService.getOrDeriveMasterKey(this.masterPassword)
+      );
       const kdf = await this.stateService.getKdfType();
       const kdfConfig = await this.stateService.getKdfConfig();
-      const newKey = await this.cryptoService.makeKey(
+      const newMasterKey = await this.cryptoService.makeMasterKey(
         this.masterPassword,
         this.newEmail,
         kdf,
         kdfConfig
       );
-      request.newMasterPasswordHash = await this.cryptoService.hashPassword(
+      request.newMasterPasswordHash = await this.cryptoService.hashMasterKey(
         this.masterPassword,
-        newKey
+        newMasterKey
       );
-      const newEncKey = await this.cryptoService.remakeEncKey(newKey);
-      request.key = newEncKey[1].encryptedString;
+      const newUserKey = await this.cryptoService.encryptUserKeyWithMasterKey(newMasterKey);
+      request.key = newUserKey[1].encryptedString;
       try {
         this.formPromise = this.apiService.postEmail(request);
         await this.formPromise;
diff --git a/apps/web/src/app/settings/change-kdf/change-kdf-confirmation.component.ts b/apps/web/src/app/settings/change-kdf/change-kdf-confirmation.component.ts
index ebf74f4457..dd2a8c45d9 100644
--- a/apps/web/src/app/settings/change-kdf/change-kdf-confirmation.component.ts
+++ b/apps/web/src/app/settings/change-kdf/change-kdf-confirmation.component.ts
@@ -46,8 +46,8 @@ export class ChangeKdfConfirmationComponent {
 
   async submit() {
     this.loading = true;
-    const hasEncKey = await this.cryptoService.hasEncKey();
-    if (!hasEncKey) {
+    const hasUserKey = await this.cryptoService.hasUserKey();
+    if (!hasUserKey) {
       this.platformUtilsService.showToast("error", null, this.i18nService.t("updateKey"));
       return;
     }
@@ -75,17 +75,21 @@ export class ChangeKdfConfirmationComponent {
     request.kdfIterations = this.kdfConfig.iterations;
     request.kdfMemory = this.kdfConfig.memory;
     request.kdfParallelism = this.kdfConfig.parallelism;
-    request.masterPasswordHash = await this.cryptoService.hashPassword(masterPassword, null);
+    const masterKey = await this.cryptoService.getOrDeriveMasterKey(masterPassword);
+    request.masterPasswordHash = await this.cryptoService.hashMasterKey(masterPassword, masterKey);
     const email = await this.stateService.getEmail();
-    const newKey = await this.cryptoService.makeKey(
+    const newMasterKey = await this.cryptoService.makeMasterKey(
       masterPassword,
       email,
       this.kdf,
       this.kdfConfig
     );
-    request.newMasterPasswordHash = await this.cryptoService.hashPassword(masterPassword, newKey);
-    const newEncKey = await this.cryptoService.remakeEncKey(newKey);
-    request.key = newEncKey[1].encryptedString;
+    request.newMasterPasswordHash = await this.cryptoService.hashMasterKey(
+      masterPassword,
+      newMasterKey
+    );
+    const newUserKey = await this.cryptoService.encryptUserKeyWithMasterKey(newMasterKey);
+    request.key = newUserKey[1].encryptedString;
 
     await this.apiService.postAccountKdf(request);
   }
diff --git a/apps/web/src/app/settings/preferences.component.html b/apps/web/src/app/settings/preferences.component.html
index f8a81103cb..8fabe7e62a 100644
--- a/apps/web/src/app/settings/preferences.component.html
+++ b/apps/web/src/app/settings/preferences.component.html
@@ -27,37 +27,45 @@
       </app-vault-timeout-input>
     </div>
   </div>
-  <div class="form-group">
-    <label>{{ "vaultTimeoutAction" | i18n }}</label>
-    <div class="form-check form-check-block">
-      <input
-        class="form-check-input"
-        type="radio"
-        name="vaultTimeoutAction"
-        id="vaultTimeoutActionLock"
-        value="{{ VaultTimeoutAction.Lock }}"
-        formControlName="vaultTimeoutAction"
-      />
-      <label class="form-check-label" for="vaultTimeoutActionLock">
-        {{ "lock" | i18n }}
-        <small>{{ "vaultTimeoutActionLockDesc" | i18n }}</small>
-      </label>
+  <ng-container *ngIf="availableVaultTimeoutActions$ | async as availableVaultTimeoutActions">
+    <div *ngIf="availableVaultTimeoutActions.length > 1" class="form-group">
+      <label>{{ "vaultTimeoutAction" | i18n }}</label>
+      <div
+        *ngIf="availableVaultTimeoutActions.includes(VaultTimeoutAction.Lock)"
+        class="form-check form-check-block"
+      >
+        <input
+          class="form-check-input"
+          type="radio"
+          name="vaultTimeoutAction"
+          id="vaultTimeoutActionLock"
+          value="{{ VaultTimeoutAction.Lock }}"
+          formControlName="vaultTimeoutAction"
+        />
+        <label class="form-check-label" for="vaultTimeoutActionLock">
+          {{ "lock" | i18n }}
+          <small>{{ "vaultTimeoutActionLockDesc" | i18n }}</small>
+        </label>
+      </div>
+      <div
+        *ngIf="availableVaultTimeoutActions.includes(VaultTimeoutAction.LogOut)"
+        class="form-check mt-2 form-check-block"
+      >
+        <input
+          class="form-check-input"
+          type="radio"
+          name="vaultTimeoutAction"
+          id="vaultTimeoutActionLogOut"
+          value="{{ VaultTimeoutAction.LogOut }}"
+          formControlName="vaultTimeoutAction"
+        />
+        <label class="form-check-label" for="vaultTimeoutActionLogOut">
+          {{ "logOut" | i18n }}
+          <small>{{ "vaultTimeoutActionLogOutDesc" | i18n }}</small>
+        </label>
+      </div>
     </div>
-    <div class="form-check mt-2 form-check-block">
-      <input
-        class="form-check-input"
-        type="radio"
-        name="vaultTimeoutAction"
-        id="vaultTimeoutActionLogOut"
-        value="{{ VaultTimeoutAction.LogOut }}"
-        formControlName="vaultTimeoutAction"
-      />
-      <label class="form-check-label" for="vaultTimeoutActionLogOut">
-        {{ "logOut" | i18n }}
-        <small>{{ "vaultTimeoutActionLogOutDesc" | i18n }}</small>
-      </label>
-    </div>
-  </div>
+  </ng-container>
   <div class="row">
     <div class="col-6">
       <div class="form-group">
diff --git a/apps/web/src/app/settings/preferences.component.ts b/apps/web/src/app/settings/preferences.component.ts
index 973aed0f5f..9412a3e8b6 100644
--- a/apps/web/src/app/settings/preferences.component.ts
+++ b/apps/web/src/app/settings/preferences.component.ts
@@ -1,10 +1,10 @@
 import { Component, OnInit } from "@angular/core";
 import { FormBuilder } from "@angular/forms";
-import { concatMap, filter, map, Observable, Subject, takeUntil, tap } from "rxjs";
+import { concatMap, filter, firstValueFrom, map, Observable, Subject, takeUntil, tap } from "rxjs";
 
 import { AbstractThemingService } from "@bitwarden/angular/services/theming/theming.service.abstraction";
 import { SettingsService } from "@bitwarden/common/abstractions/settings.service";
-import { VaultTimeoutSettingsService } from "@bitwarden/common/abstractions/vaultTimeout/vaultTimeoutSettings.service";
+import { VaultTimeoutSettingsService } from "@bitwarden/common/abstractions/vault-timeout/vault-timeout-settings.service";
 import { PolicyService } from "@bitwarden/common/admin-console/abstractions/policy/policy.service.abstraction";
 import { PolicyType } from "@bitwarden/common/admin-console/enums";
 import { ThemeType } from "@bitwarden/common/enums";
@@ -24,6 +24,8 @@ export class PreferencesComponent implements OnInit {
   // For use in template
   protected readonly VaultTimeoutAction = VaultTimeoutAction;
 
+  protected availableVaultTimeoutActions$: Observable<VaultTimeoutAction[]>;
+
   vaultTimeoutPolicyCallout: Observable<{
     timeout: { hours: number; minutes: number };
     action: VaultTimeoutAction;
@@ -89,6 +91,9 @@ export class PreferencesComponent implements OnInit {
   }
 
   async ngOnInit() {
+    this.availableVaultTimeoutActions$ =
+      this.vaultTimeoutSettingsService.availableVaultTimeoutActions$();
+
     this.vaultTimeoutPolicyCallout = this.policyService.get$(PolicyType.MaximumVaultTimeout).pipe(
       filter((policy) => policy != null),
       map((policy) => {
@@ -133,7 +138,9 @@ export class PreferencesComponent implements OnInit {
       .subscribe();
     const initialFormValues = {
       vaultTimeout: await this.vaultTimeoutSettingsService.getVaultTimeout(),
-      vaultTimeoutAction: await this.vaultTimeoutSettingsService.getVaultTimeoutAction(),
+      vaultTimeoutAction: await firstValueFrom(
+        this.vaultTimeoutSettingsService.vaultTimeoutAction$()
+      ),
       enableFavicons: !(await this.settingsService.getDisableFavicon()),
       enableFullWidth: await this.stateService.getEnableFullWidth(),
       theme: await this.stateService.getTheme(),
diff --git a/apps/web/src/app/settings/security-keys.component.ts b/apps/web/src/app/settings/security-keys.component.ts
index 887ba3d587..2a01f6d010 100644
--- a/apps/web/src/app/settings/security-keys.component.ts
+++ b/apps/web/src/app/settings/security-keys.component.ts
@@ -2,7 +2,7 @@ import { Component, OnInit, ViewChild, ViewContainerRef } from "@angular/core";
 
 import { ModalService } from "@bitwarden/angular/services/modal.service";
 import { ApiService } from "@bitwarden/common/abstractions/api.service";
-import { KeyConnectorService } from "@bitwarden/common/auth/abstractions/key-connector.service";
+import { UserVerificationService } from "@bitwarden/common/auth/abstractions/user-verification/user-verification.service.abstraction";
 import { StateService } from "@bitwarden/common/platform/abstractions/state.service";
 
 import { ApiKeyComponent } from "./api-key.component";
@@ -20,14 +20,14 @@ export class SecurityKeysComponent implements OnInit {
   showChangeKdf = true;
 
   constructor(
-    private keyConnectorService: KeyConnectorService,
+    private userVerificationService: UserVerificationService,
     private stateService: StateService,
     private modalService: ModalService,
     private apiService: ApiService
   ) {}
 
   async ngOnInit() {
-    this.showChangeKdf = !(await this.keyConnectorService.getUsesKeyConnector());
+    this.showChangeKdf = await this.userVerificationService.hasMasterPassword();
   }
 
   async viewUserApiKey() {
diff --git a/apps/web/src/app/settings/security-routing.module.ts b/apps/web/src/app/settings/security-routing.module.ts
index 1d47a0d775..d08d4be16f 100644
--- a/apps/web/src/app/settings/security-routing.module.ts
+++ b/apps/web/src/app/settings/security-routing.module.ts
@@ -1,9 +1,9 @@
 import { NgModule } from "@angular/core";
 import { RouterModule, Routes } from "@angular/router";
 
+import { ChangePasswordComponent } from "../auth/settings/change-password.component";
 import { TwoFactorSetupComponent } from "../auth/settings/two-factor-setup.component";
 
-import { ChangePasswordComponent } from "./change-password.component";
 import { SecurityKeysComponent } from "./security-keys.component";
 import { SecurityComponent } from "./security.component";
 
diff --git a/apps/web/src/app/settings/security.component.ts b/apps/web/src/app/settings/security.component.ts
index 1c70f85eda..3237a2e6a2 100644
--- a/apps/web/src/app/settings/security.component.ts
+++ b/apps/web/src/app/settings/security.component.ts
@@ -1,6 +1,6 @@
 import { Component } from "@angular/core";
 
-import { KeyConnectorService } from "@bitwarden/common/auth/abstractions/key-connector.service";
+import { UserVerificationService } from "@bitwarden/common/auth/abstractions/user-verification/user-verification.service.abstraction";
 
 @Component({
   selector: "app-security",
@@ -9,9 +9,9 @@ import { KeyConnectorService } from "@bitwarden/common/auth/abstractions/key-con
 export class SecurityComponent {
   showChangePassword = true;
 
-  constructor(private keyConnectorService: KeyConnectorService) {}
+  constructor(private userVerificationService: UserVerificationService) {}
 
   async ngOnInit() {
-    this.showChangePassword = !(await this.keyConnectorService.getUsesKeyConnector());
+    this.showChangePassword = await this.userVerificationService.hasMasterPassword();
   }
 }
diff --git a/apps/web/src/app/settings/update-key.component.html b/apps/web/src/app/settings/update-key.component.html
index b39a5eb7e1..7b94a6dca0 100644
--- a/apps/web/src/app/settings/update-key.component.html
+++ b/apps/web/src/app/settings/update-key.component.html
@@ -1,4 +1,4 @@
-<div class="modal fade" role="dialog" aria-modal="true" aria-labelledby="updateEncKeyTitle">
+<div class="modal fade" role="dialog" aria-modal="true" aria-labelledby="updateUserKeyTitle">
   <div class="modal-dialog modal-dialog-scrollable" role="document">
     <form
       class="modal-content"
@@ -8,7 +8,7 @@
       ngNativeValidate
     >
       <div class="modal-header">
-        <h1 class="modal-title" id="updateEncKeyTitle">{{ "updateEncryptionKey" | i18n }}</h1>
+        <h1 class="modal-title" id="updateUserKeyTitle">{{ "updateEncryptionKey" | i18n }}</h1>
         <button
           type="button"
           class="close"
diff --git a/apps/web/src/app/settings/update-key.component.ts b/apps/web/src/app/settings/update-key.component.ts
index 9f46d73269..8c7d7cf882 100644
--- a/apps/web/src/app/settings/update-key.component.ts
+++ b/apps/web/src/app/settings/update-key.component.ts
@@ -36,8 +36,8 @@ export class UpdateKeyComponent {
   ) {}
 
   async submit() {
-    const hasEncKey = await this.cryptoService.hasEncKey();
-    if (hasEncKey) {
+    const hasUserKey = await this.cryptoService.hasUserKey();
+    if (hasUserKey) {
       return;
     }
 
@@ -68,17 +68,20 @@ export class UpdateKeyComponent {
   }
 
   private async makeRequest(): Promise<UpdateKeyRequest> {
-    const key = await this.cryptoService.getKey();
-    const encKey = await this.cryptoService.makeEncKey(key);
+    const masterKey = await this.cryptoService.getMasterKey();
+    const newUserKey = await this.cryptoService.makeUserKey(masterKey);
     const privateKey = await this.cryptoService.getPrivateKey();
     let encPrivateKey: EncString = null;
     if (privateKey != null) {
-      encPrivateKey = await this.cryptoService.encrypt(privateKey, encKey[0]);
+      encPrivateKey = await this.cryptoService.encrypt(privateKey, newUserKey[0]);
     }
     const request = new UpdateKeyRequest();
     request.privateKey = encPrivateKey != null ? encPrivateKey.encryptedString : null;
-    request.key = encKey[1].encryptedString;
-    request.masterPasswordHash = await this.cryptoService.hashPassword(this.masterPassword, null);
+    request.key = newUserKey[1].encryptedString;
+    request.masterPasswordHash = await this.cryptoService.hashMasterKey(
+      this.masterPassword,
+      await this.cryptoService.getOrDeriveMasterKey(this.masterPassword)
+    );
 
     await this.syncService.fullSync(true);
 
@@ -87,7 +90,7 @@ export class UpdateKeyComponent {
       if (folders[i].id == null) {
         continue;
       }
-      const folder = await this.folderService.encrypt(folders[i], encKey[0]);
+      const folder = await this.folderService.encrypt(folders[i], newUserKey[0]);
       request.folders.push(new FolderWithIdRequest(folder));
     }
 
@@ -96,7 +99,7 @@ export class UpdateKeyComponent {
       if (ciphers[i].organizationId != null) {
         continue;
       }
-      const cipher = await this.cipherService.encrypt(ciphers[i], encKey[0]);
+      const cipher = await this.cipherService.encrypt(ciphers[i], newUserKey[0]);
       request.ciphers.push(new CipherWithIdRequest(cipher));
     }
 
diff --git a/apps/web/src/app/settings/vault-timeout-input.component.html b/apps/web/src/app/settings/vault-timeout-input.component.html
index eb61770c75..3791fa7e54 100644
--- a/apps/web/src/app/settings/vault-timeout-input.component.html
+++ b/apps/web/src/app/settings/vault-timeout-input.component.html
@@ -9,7 +9,9 @@
     >
       <option *ngFor="let o of vaultTimeoutOptions" [ngValue]="o.value">{{ o.name }}</option>
     </select>
-    <small class="form-text text-muted">{{ "vaultTimeoutDesc" | i18n }}</small>
+    <small class="form-text text-muted">{{
+      ((canLockVault$ | async) ? "vaultTimeoutDesc" : "vaultTimeoutLogoutDesc") | i18n
+    }}</small>
   </div>
   <div class="form-group" *ngIf="showCustom" formGroupName="custom">
     <label for="customVaultTimeout">{{ "customVaultTimeout" | i18n }}</label>
diff --git a/apps/web/src/app/shared/loose-components.module.ts b/apps/web/src/app/shared/loose-components.module.ts
index 0acb456a41..62702349f9 100644
--- a/apps/web/src/app/shared/loose-components.module.ts
+++ b/apps/web/src/app/shared/loose-components.module.ts
@@ -26,6 +26,7 @@ import { RecoverTwoFactorComponent } from "../auth/recover-two-factor.component"
 import { RegisterFormModule } from "../auth/register-form/register-form.module";
 import { RemovePasswordComponent } from "../auth/remove-password.component";
 import { SetPasswordComponent } from "../auth/set-password.component";
+import { ChangePasswordComponent } from "../auth/settings/change-password.component";
 import { DeauthorizeSessionsComponent } from "../auth/settings/deauthorize-sessions.component";
 import { EmergencyAccessAddEditComponent } from "../auth/settings/emergency-access/emergency-access-add-edit.component";
 import { EmergencyAccessAttachmentsComponent } from "../auth/settings/emergency-access/emergency-access-attachments.component";
@@ -76,7 +77,6 @@ import { ApiKeyComponent } from "../settings/api-key.component";
 import { ChangeAvatarComponent } from "../settings/change-avatar.component";
 import { ChangeEmailComponent } from "../settings/change-email.component";
 import { ChangeKdfModule } from "../settings/change-kdf/change-kdf.module";
-import { ChangePasswordComponent } from "../settings/change-password.component";
 import { DeleteAccountComponent } from "../settings/delete-account.component";
 import { DomainRulesComponent } from "../settings/domain-rules.component";
 import { LowKdfComponent } from "../settings/low-kdf.component";
diff --git a/apps/web/src/app/vault/individual-vault/vault-filter/components/link-sso.component.ts b/apps/web/src/app/vault/individual-vault/vault-filter/components/link-sso.component.ts
index bf16d2513f..026e1f883a 100644
--- a/apps/web/src/app/vault/individual-vault/vault-filter/components/link-sso.component.ts
+++ b/apps/web/src/app/vault/individual-vault/vault-filter/components/link-sso.component.ts
@@ -5,6 +5,7 @@ import { SsoComponent } from "@bitwarden/angular/auth/components/sso.component";
 import { ApiService } from "@bitwarden/common/abstractions/api.service";
 import { Organization } from "@bitwarden/common/admin-console/models/domain/organization";
 import { AuthService } from "@bitwarden/common/auth/abstractions/auth.service";
+import { ConfigServiceAbstraction } from "@bitwarden/common/platform/abstractions/config/config.service.abstraction";
 import { CryptoFunctionService } from "@bitwarden/common/platform/abstractions/crypto-function.service";
 import { EnvironmentService } from "@bitwarden/common/platform/abstractions/environment.service";
 import { I18nService } from "@bitwarden/common/platform/abstractions/i18n.service";
@@ -32,7 +33,8 @@ export class LinkSsoComponent extends SsoComponent implements AfterContentInit {
     passwordGenerationService: PasswordGenerationServiceAbstraction,
     stateService: StateService,
     environmentService: EnvironmentService,
-    logService: LogService
+    logService: LogService,
+    configService: ConfigServiceAbstraction
   ) {
     super(
       authService,
@@ -45,7 +47,8 @@ export class LinkSsoComponent extends SsoComponent implements AfterContentInit {
       cryptoFunctionService,
       environmentService,
       passwordGenerationService,
-      logService
+      logService,
+      configService
     );
 
     this.returnUri = "/settings/organizations";
diff --git a/apps/web/src/app/vault/individual-vault/vault.component.ts b/apps/web/src/app/vault/individual-vault/vault.component.ts
index 83f7da5168..6d985fc83a 100644
--- a/apps/web/src/app/vault/individual-vault/vault.component.ts
+++ b/apps/web/src/app/vault/individual-vault/vault.component.ts
@@ -36,6 +36,7 @@ import { TotpService } from "@bitwarden/common/abstractions/totp.service";
 import { OrganizationService } from "@bitwarden/common/admin-console/abstractions/organization/organization.service.abstraction";
 import { Organization } from "@bitwarden/common/admin-console/models/domain/organization";
 import { TokenService } from "@bitwarden/common/auth/abstractions/token.service";
+import { UserVerificationService } from "@bitwarden/common/auth/abstractions/user-verification/user-verification.service.abstraction";
 import { DEFAULT_PBKDF2_ITERATIONS, EventType, KdfType } from "@bitwarden/common/enums";
 import { ServiceUtils } from "@bitwarden/common/misc/serviceUtils";
 import { TreeNode } from "@bitwarden/common/models/domain/tree-node";
@@ -172,7 +173,8 @@ export class VaultComponent implements OnInit, OnDestroy {
     private eventCollectionService: EventCollectionService,
     private searchService: SearchService,
     private searchPipe: SearchPipe,
-    private configService: ConfigServiceAbstraction
+    private configService: ConfigServiceAbstraction,
+    private userVerificationService: UserVerificationService
   ) {}
 
   async ngOnInit() {
@@ -187,13 +189,15 @@ export class VaultComponent implements OnInit, OnDestroy {
       first(),
       switchMap(async (params: Params) => {
         this.showVerifyEmail = !(await this.tokenService.getEmailVerified());
-        this.showLowKdf = await this.isLowKdfIteration();
+        this.showLowKdf = (await this.userVerificationService.hasMasterPassword())
+          ? await this.isLowKdfIteration()
+          : false;
         await this.syncService.fullSync(false);
 
         const canAccessPremium = await this.stateService.getCanAccessPremium();
         this.showPremiumCallout =
           !this.showVerifyEmail && !canAccessPremium && !this.platformUtilsService.isSelfHost();
-        this.showUpdateKey = !(await this.cryptoService.hasEncKey());
+        this.showUpdateKey = !(await this.cryptoService.hasUserKey());
 
         const cipherId = getCipherIdFromParams(params);
         if (!cipherId) {
diff --git a/apps/web/src/locales/en/messages.json b/apps/web/src/locales/en/messages.json
index b91ea4add5..02970032d3 100644
--- a/apps/web/src/locales/en/messages.json
+++ b/apps/web/src/locales/en/messages.json
@@ -3536,6 +3536,9 @@
   "vaultTimeoutDesc": {
     "message": "Choose when your vault will take the vault timeout action."
   },
+  "vaultTimeoutLogoutDesc": {
+    "message": "Choose when your vault will be logged out."
+  },
   "oneMinute": {
     "message": "1 minute"
   },
@@ -6835,28 +6838,60 @@
   "updateKdfSettings": {
     "message": "Update KDF settings"
   },
+  "loginInitiated": {
+    "message": "Login initiated"
+  },
+  "deviceApprovalRequired": {
+    "message": "Device approval required. Select an approval option below:"
+  },
+  "rememberThisDevice": {
+    "message": "Remember this device"
+  },
+  "uncheckIfPublicDevice": {
+    "message": "Uncheck if using a public device"
+  },
+  "approveFromYourOtherDevice": {
+    "message": "Approve from your other device"
+  },
+  "requestAdminApproval": {
+    "message": "Request admin approval"
+  },
+  "approveWithMasterPassword": {
+    "message": "Approve with master password"
+  },
+  "trustedDeviceEncryption": {
+    "message": "Trusted device encryption"
+  },
   "trustedDevices": {
     "message": "Trusted devices"
   },
-  "memberDecryptionTdeDescriptionPartOne": {
+  "memberDecryptionOptionTdeDescriptionPartOne": {
     "message": "Once authenticated, members will decrypt vault data using a key stored on their device. The",
-    "description": "This will be used as part of a larger sentence, broken up to include links. The full sentence will read 'Once authenticated, members will decrypt vault data using a key stored on their device. The single organization policy and account recovery administration policy with automatic enrollment will turn on when this option is used.'"
+    "description": "This will be used as part of a larger sentence, broken up to include links. The full sentence will read 'Once authenticated, members will decrypt vault data using a key stored on their device. The single organization policy, SSO Required policy, and account recovery administration policy with automatic enrollment will turn on when this option is used.'"
   },
-  "memberDecryptionTdeDescriptionLinkOne": {
+  "memberDecryptionOptionTdeDescriptionLinkOne": {
     "message": "single organization",
-    "description": "This will be used as part of a larger sentence, broken up to include links. The full sentence will read 'Once authenticated, members will decrypt vault data using a key stored on their device. The single organization policy and account recovery administration policy with automatic enrollment will turn on when this option is used.'"
+    "description": "This will be used as part of a larger sentence, broken up to include links. The full sentence will read 'Once authenticated, members will decrypt vault data using a key stored on their device. The single organization policy, SSO required policy, and account recovery administration policy with automatic enrollment will turn on when this option is used.'"
   },
-  "memberDecryptionTdeDescriptionPartTwo": {
-    "message": "policy and ",
-    "description": "This will be used as part of a larger sentence, broken up to include links. The full sentence will read 'Once authenticated, members will decrypt vault data using a key stored on their device. The single organization policy and account recovery administration policy with automatic enrollment will turn on when this option is used.'"
+  "memberDecryptionOptionTdeDescriptionPartTwo": {
+    "message": "policy,",
+    "description": "This will be used as part of a larger sentence, broken up to include links. The full sentence will read 'Once authenticated, members will decrypt vault data using a key stored on their device. The single organization policy, SSO required policy, and account recovery administration policy with automatic enrollment will turn on when this option is used.'"
   },
-  "memberDecryptionTdeDescriptionLinkTwo": {
+  "memberDecryptionOptionTdeDescriptionLinkTwo": {
+    "message": "SSO required",
+    "description": "This will be used as part of a larger sentence, broken up to include links. The full sentence will read 'Once authenticated, members will decrypt vault data using a key stored on their device. The single organization policy, SSO required policy, and account recovery administration policy with automatic enrollment will turn on when this option is used.'"
+  },
+  "memberDecryptionOptionTdeDescriptionPartThree": {
+    "message": "policy, and",
+    "description": "This will be used as part of a larger sentence, broken up to include links. The full sentence will read 'Once authenticated, members will decrypt vault data using a key stored on their device. The single organization policy, SSO required policy, and account recovery administration policy with automatic enrollment will turn on when this option is used.'"
+  },
+  "memberDecryptionOptionTdeDescriptionLinkThree": {
     "message": "account recovery administration",
-    "description": "This will be used as part of a larger sentence, broken up to include links. The full sentence will read 'Once authenticated, members will decrypt vault data using a key stored on their device. The single organization policy and account recovery administration policy with automatic enrollment will turn on when this option is used.'"
+    "description": "This will be used as part of a larger sentence, broken up to include links. The full sentence will read 'Once authenticated, members will decrypt vault data using a key stored on their device. The single organization policy, SSO required policy, and account recovery administration policy with automatic enrollment will turn on when this option is used.'"
   },
-  "memberDecryptionTdeDescriptionPartThree": {
+  "memberDecryptionOptionTdeDescriptionPartFour": {
     "message": "policy with automatic enrollment will turn on when this option is used.",
-    "description": "This will be used as part of a larger sentence, broken up to include links. The full sentence will read 'Once authenticated, members will decrypt vault data using a key stored on their device. The single organization policy and account recovery administration policy with automatic enrollment will turn on when this option is used.'"
+    "description": "This will be used as part of a larger sentence, broken up to include links. The full sentence will read 'Once authenticated, members will decrypt vault data using a key stored on their device. The single organization policy, SSO required policy, and account recovery administration policy with automatic enrollment will turn on when this option is used.'"
   },
   "notFound": {
     "message": "$RESOURCE$ not found",
@@ -6945,6 +6980,27 @@
   "removeMembersWithoutMasterPasswordWarning": {
     "message": "Removing members who do not have master passwords without setting one for them may restrict access to their full account."
   },
+  "approvedAuthRequest": {
+    "message": "Approved device for $ID$.",
+    "placeholders": {
+      "id": {
+        "content": "$1",
+        "example": "First 8 Character of a GUID"
+      }
+    }
+  },
+  "rejectedAuthRequest": {
+    "message": "Denied device for $ID$.",
+    "placeholders": {
+      "id": {
+        "content": "$1",
+        "example": "First 8 Character of a GUID"
+      }
+    }
+  },
+  "requestedDeviceApproval": {
+    "message": "Requested device approval."
+  },
   "startYour7DayFreeTrialOfBitwardenFor": {
     "message": "Start your 7-Day free trial of Bitwarden for $ORG$",
     "placeholders": {
@@ -6966,6 +7022,30 @@
   "selectedRegionFlag": {
     "message": "Selected region flag"
   },
+  "accountSuccessfullyCreated": {
+    "message": "Account successfully created!"
+  },
+  "adminApprovalRequested": {
+    "message": "Admin approval requested"
+  },
+  "adminApprovalRequestSentToAdmins": {
+    "message": "Your request has been sent to your admin."
+  },
+  "youWillBeNotifiedOnceApproved": {
+    "message": "You will be notified once approved."
+  },
+  "troubleLoggingIn": {
+    "message": "Trouble logging in?"
+  },
+  "loginApproved": {
+    "message": "Login approved"
+  },
+  "userEmailMissing": {
+    "message": "User email missing"
+  }, 
+  "deviceTrusted": {
+    "message": "Device trusted"
+  },
   "sendsNoItemsTitle": {
     "message": "No active Sends",
     "description": "'Send' is a noun and the name of a feature called 'Bitwarden Send'. It should not be translated."
@@ -7076,6 +7156,9 @@
   "maxServiceAccountCost": {
     "message": "Max potential service account cost"
   },
+  "loggedInExclamation": {
+    "message": "Logged in!"
+  },
   "smBetaEndedDesc": {
     "message": "The Secrets Manager Beta ended $BETA_ENDING_DATE$. You have $DAYS$ days left to add Secrets Manager to your paid subscription and maintain access to Secrets Manager data. Contact Customer Success to add Secrets Manager to your subscription.",
     "placeholders": {
diff --git a/bitwarden_license/bit-web/src/app/admin-console/organizations/core/services/auth-requests/admin-auth-request-update.request.ts b/bitwarden_license/bit-web/src/app/admin-console/organizations/core/services/auth-requests/admin-auth-request-update.request.ts
index a190d5809c..21f9c5c1ee 100644
--- a/bitwarden_license/bit-web/src/app/admin-console/organizations/core/services/auth-requests/admin-auth-request-update.request.ts
+++ b/bitwarden_license/bit-web/src/app/admin-console/organizations/core/services/auth-requests/admin-auth-request-update.request.ts
@@ -2,7 +2,7 @@ export class AdminAuthRequestUpdateRequest {
   /**
    *
    * @param requestApproved - Whether the request was approved/denied. If true, the key must be provided.
-   * @param encryptedUserKey The user's symmetric key that has been encrypted with a device public key if the request was approved.
+   * @param encryptedUserKey The user key that has been encrypted with a device public key if the request was approved.
    */
   constructor(public requestApproved: boolean, public encryptedUserKey?: string) {}
 }
diff --git a/bitwarden_license/bit-web/src/app/admin-console/organizations/manage/device-approvals/device-approvals.component.ts b/bitwarden_license/bit-web/src/app/admin-console/organizations/manage/device-approvals/device-approvals.component.ts
index b0f7b8bcad..965132d637 100644
--- a/bitwarden_license/bit-web/src/app/admin-console/organizations/manage/device-approvals/device-approvals.component.ts
+++ b/bitwarden_license/bit-web/src/app/admin-console/organizations/manage/device-approvals/device-approvals.component.ts
@@ -65,16 +65,16 @@ export class DeviceApprovalsComponent implements OnInit, OnDestroy {
   }
 
   /**
-   * Creates a copy of the user's symmetric key that has been encrypted with the provided device's public key.
+   * Creates a copy of the user key that has been encrypted with the provided device's public key.
    * @param devicePublicKey
    * @param resetPasswordDetails
    * @private
    */
-  private async getEncryptedUserSymKey(
+  private async getEncryptedUserKey(
     devicePublicKey: string,
     resetPasswordDetails: OrganizationUserResetPasswordDetailsResponse
   ): Promise<EncString> {
-    const encryptedUserSymKey = resetPasswordDetails.resetPasswordKey;
+    const encryptedUserKey = resetPasswordDetails.resetPasswordKey;
     const encryptedOrgPrivateKey = resetPasswordDetails.encryptedPrivateKey;
     const devicePubKey = Utils.fromB64ToArray(devicePublicKey);
 
@@ -85,12 +85,12 @@ export class DeviceApprovalsComponent implements OnInit, OnDestroy {
       orgSymKey
     );
 
-    // Decrypt User's symmetric key with decrypted org private key
-    const decValue = await this.cryptoService.rsaDecrypt(encryptedUserSymKey, decOrgPrivateKey);
-    const userSymKey = new SymmetricCryptoKey(decValue);
+    // Decrypt user key with decrypted org private key
+    const decValue = await this.cryptoService.rsaDecrypt(encryptedUserKey, decOrgPrivateKey);
+    const userKey = new SymmetricCryptoKey(decValue);
 
-    // Re-encrypt User's Symmetric Key with the Device Public Key
-    return await this.cryptoService.rsaEncrypt(userSymKey.key, devicePubKey);
+    // Re-encrypt user Key with the Device Public Key
+    return await this.cryptoService.rsaEncrypt(userKey.key, devicePubKey);
   }
 
   async approveRequest(authRequest: PendingAuthRequestView) {
@@ -110,7 +110,7 @@ export class DeviceApprovalsComponent implements OnInit, OnDestroy {
         return;
       }
 
-      const encryptedKey = await this.getEncryptedUserSymKey(authRequest.publicKey, details);
+      const encryptedKey = await this.getEncryptedUserKey(authRequest.publicKey, details);
 
       await this.organizationAuthRequestService.approvePendingRequest(
         this.organizationId,
diff --git a/bitwarden_license/bit-web/src/app/admin-console/organizations/organizations-routing.module.ts b/bitwarden_license/bit-web/src/app/admin-console/organizations/organizations-routing.module.ts
index 00fd124ff6..5c6c10724c 100644
--- a/bitwarden_license/bit-web/src/app/admin-console/organizations/organizations-routing.module.ts
+++ b/bitwarden_license/bit-web/src/app/admin-console/organizations/organizations-routing.module.ts
@@ -1,7 +1,7 @@
 import { NgModule } from "@angular/core";
 import { RouterModule, Routes } from "@angular/router";
 
-import { AuthGuard } from "@bitwarden/angular/auth/guards/auth.guard";
+import { AuthGuard } from "@bitwarden/angular/auth/guards";
 import { canAccessFeature } from "@bitwarden/angular/guard/feature-flag.guard";
 import { canAccessSettingsTab } from "@bitwarden/common/admin-console/abstractions/organization/organization.service.abstraction";
 import { Organization } from "@bitwarden/common/admin-console/models/domain/organization";
diff --git a/bitwarden_license/bit-web/src/app/admin-console/providers/manage/bulk/bulk-confirm.component.ts b/bitwarden_license/bit-web/src/app/admin-console/providers/manage/bulk/bulk-confirm.component.ts
index 6b3fdd75c4..e14983d4ec 100644
--- a/bitwarden_license/bit-web/src/app/admin-console/providers/manage/bulk/bulk-confirm.component.ts
+++ b/bitwarden_license/bit-web/src/app/admin-console/providers/manage/bulk/bulk-confirm.component.ts
@@ -3,6 +3,7 @@ import { Component, Input } from "@angular/core";
 import { ProviderUserStatusType } from "@bitwarden/common/admin-console/enums";
 import { ProviderUserBulkConfirmRequest } from "@bitwarden/common/admin-console/models/request/provider/provider-user-bulk-confirm.request";
 import { ProviderUserBulkRequest } from "@bitwarden/common/admin-console/models/request/provider/provider-user-bulk.request";
+import { SymmetricCryptoKey } from "@bitwarden/common/platform/models/domain/symmetric-crypto-key";
 import { BulkConfirmComponent as OrganizationBulkConfirmComponent } from "@bitwarden/web-vault/app/admin-console/organizations/members/components/bulk/bulk-confirm.component";
 import { BulkUserDetails } from "@bitwarden/web-vault/app/admin-console/organizations/members/components/bulk/bulk-status.component";
 
@@ -13,20 +14,20 @@ import { BulkUserDetails } from "@bitwarden/web-vault/app/admin-console/organiza
 export class BulkConfirmComponent extends OrganizationBulkConfirmComponent {
   @Input() providerId: string;
 
-  protected isAccepted(user: BulkUserDetails) {
+  protected override isAccepted(user: BulkUserDetails) {
     return user.status === ProviderUserStatusType.Accepted;
   }
 
-  protected async getPublicKeys() {
+  protected override async getPublicKeys() {
     const request = new ProviderUserBulkRequest(this.filteredUsers.map((user) => user.id));
     return await this.apiService.postProviderUsersPublicKey(this.providerId, request);
   }
 
-  protected getCryptoKey() {
+  protected override getCryptoKey(): Promise<SymmetricCryptoKey> {
     return this.cryptoService.getProviderKey(this.providerId);
   }
 
-  protected async postConfirmRequest(userIdsWithKeys: any[]) {
+  protected override async postConfirmRequest(userIdsWithKeys: any[]) {
     const request = new ProviderUserBulkConfirmRequest(userIdsWithKeys);
     return await this.apiService.postProviderUserBulkConfirm(this.providerId, request);
   }
diff --git a/bitwarden_license/bit-web/src/app/admin-console/providers/providers-routing.module.ts b/bitwarden_license/bit-web/src/app/admin-console/providers/providers-routing.module.ts
index 3be8ea6785..5bc2764038 100644
--- a/bitwarden_license/bit-web/src/app/admin-console/providers/providers-routing.module.ts
+++ b/bitwarden_license/bit-web/src/app/admin-console/providers/providers-routing.module.ts
@@ -1,7 +1,7 @@
 import { NgModule } from "@angular/core";
 import { RouterModule, Routes } from "@angular/router";
 
-import { AuthGuard } from "@bitwarden/angular/auth/guards/auth.guard";
+import { AuthGuard } from "@bitwarden/angular/auth/guards";
 import { Provider } from "@bitwarden/common/models/domain/provider";
 import { ProvidersComponent } from "@bitwarden/web-vault/app/admin-console/providers/providers.component";
 import { FrontendLayoutComponent } from "@bitwarden/web-vault/app/layouts/frontend-layout.component";
diff --git a/bitwarden_license/bit-web/src/app/admin-console/providers/setup/setup.component.ts b/bitwarden_license/bit-web/src/app/admin-console/providers/setup/setup.component.ts
index c15f793aa3..1bc2365b9c 100644
--- a/bitwarden_license/bit-web/src/app/admin-console/providers/setup/setup.component.ts
+++ b/bitwarden_license/bit-web/src/app/admin-console/providers/setup/setup.component.ts
@@ -8,6 +8,7 @@ import { CryptoService } from "@bitwarden/common/platform/abstractions/crypto.se
 import { I18nService } from "@bitwarden/common/platform/abstractions/i18n.service";
 import { PlatformUtilsService } from "@bitwarden/common/platform/abstractions/platform-utils.service";
 import { ValidationService } from "@bitwarden/common/platform/abstractions/validation.service";
+import { ProviderKey } from "@bitwarden/common/platform/models/domain/symmetric-crypto-key";
 import { SyncService } from "@bitwarden/common/vault/abstractions/sync/sync.service.abstraction";
 
 @Component({
@@ -78,8 +79,8 @@ export class SetupComponent implements OnInit {
 
   async doSubmit() {
     try {
-      const shareKey = await this.cryptoService.makeShareKey();
-      const key = shareKey[0].encryptedString;
+      const providerKey = await this.cryptoService.makeOrgKey<ProviderKey>();
+      const key = providerKey[0].encryptedString;
 
       const request = new ProviderSetupRequest();
       request.name = this.name;
diff --git a/bitwarden_license/bit-web/src/app/auth/sso/sso.component.html b/bitwarden_license/bit-web/src/app/auth/sso/sso.component.html
index 4eedc89d6e..fa589b2438 100644
--- a/bitwarden_license/bit-web/src/app/auth/sso/sso.component.html
+++ b/bitwarden_license/bit-web/src/app/auth/sso/sso.component.html
@@ -81,11 +81,15 @@
           {{ "trustedDevices" | i18n }}
         </bit-label>
         <bit-hint>
-          {{ "memberDecryptionTdeDescriptionPartOne" | i18n }}
-          <a routerLink="../policies">{{ "memberDecryptionTdeDescriptionLinkOne" | i18n }}</a>
-          {{ "memberDecryptionTdeDescriptionPartTwo" | i18n }}
-          <a routerLink="../policies">{{ "memberDecryptionTdeDescriptionLinkTwo" | i18n }}</a>
-          {{ "memberDecryptionTdeDescriptionPartThree" | i18n }}
+          {{ "memberDecryptionOptionTdeDescriptionPartOne" | i18n }}
+          <a routerLink="../policies">{{ "memberDecryptionOptionTdeDescriptionLinkOne" | i18n }}</a>
+          {{ "memberDecryptionOptionTdeDescriptionPartTwo" | i18n }}
+          <a routerLink="../policies">{{ "memberDecryptionOptionTdeDescriptionLinkTwo" | i18n }}</a>
+          {{ "memberDecryptionOptionTdeDescriptionPartThree" | i18n }}
+          <a routerLink="../policies">{{
+            "memberDecryptionOptionTdeDescriptionLinkThree" | i18n
+          }}</a>
+          {{ "memberDecryptionOptionTdeDescriptionPartFour" | i18n }}
         </bit-hint>
       </bit-radio-button>
     </bit-radio-group>
diff --git a/bitwarden_license/bit-web/src/app/auth/sso/sso.component.ts b/bitwarden_license/bit-web/src/app/auth/sso/sso.component.ts
index 1ea6c6dd79..e159d4744b 100644
--- a/bitwarden_license/bit-web/src/app/auth/sso/sso.component.ts
+++ b/bitwarden_license/bit-web/src/app/auth/sso/sso.component.ts
@@ -239,7 +239,7 @@ export class SsoComponent implements OnInit, OnDestroy {
       FeatureFlag.TrustedDeviceEncryption
     );
 
-    this.showTdeOptions = tdeFeatureFlag && !this.platformUtilsService.isSelfHost();
+    this.showTdeOptions = tdeFeatureFlag;
     // If the tde flag is not enabled, continue showing the key connector options to keep the UI the same
     // Once the flag is removed, we can rely on the platformUtilsService.isSelfHost() check alone
     this.showKeyConnectorOptions = !tdeFeatureFlag || this.platformUtilsService.isSelfHost();
diff --git a/bitwarden_license/bit-web/src/app/secrets-manager/shared/header.component.html b/bitwarden_license/bit-web/src/app/secrets-manager/shared/header.component.html
index 2951cec9bf..263281ed77 100644
--- a/bitwarden_license/bit-web/src/app/secrets-manager/shared/header.component.html
+++ b/bitwarden_license/bit-web/src/app/secrets-manager/shared/header.component.html
@@ -68,7 +68,7 @@
 
               <bit-menu-divider></bit-menu-divider>
 
-              <button bitMenuItem type="button" (click)="lock()">
+              <button *ngIf="canLock$ | async" bitMenuItem type="button" (click)="lock()">
                 <i class="bwi bwi-fw bwi-lock" aria-hidden="true"></i>
                 {{ "lockNow" | i18n }}
               </button>
diff --git a/bitwarden_license/bit-web/src/app/secrets-manager/shared/header.component.ts b/bitwarden_license/bit-web/src/app/secrets-manager/shared/header.component.ts
index 999a53081b..0b7625a390 100644
--- a/bitwarden_license/bit-web/src/app/secrets-manager/shared/header.component.ts
+++ b/bitwarden_license/bit-web/src/app/secrets-manager/shared/header.component.ts
@@ -2,6 +2,8 @@ import { Component, Input } from "@angular/core";
 import { ActivatedRoute } from "@angular/router";
 import { combineLatest, map, Observable } from "rxjs";
 
+import { VaultTimeoutSettingsService } from "@bitwarden/common/abstractions/vault-timeout/vault-timeout-settings.service";
+import { VaultTimeoutAction } from "@bitwarden/common/enums/vault-timeout-action.enum";
 import { MessagingService } from "@bitwarden/common/platform/abstractions/messaging.service";
 import { StateService } from "@bitwarden/common/platform/abstractions/state.service";
 import { AccountProfile } from "@bitwarden/common/platform/models/domain/account";
@@ -23,10 +25,12 @@ export class HeaderComponent {
 
   protected routeData$: Observable<{ titleId: string }>;
   protected account$: Observable<AccountProfile>;
+  protected canLock$: Observable<boolean>;
 
   constructor(
     private route: ActivatedRoute,
     private stateService: StateService,
+    private vaultTimeoutSettingsService: VaultTimeoutSettingsService,
     private messagingService: MessagingService
   ) {
     this.routeData$ = this.route.data.pipe(
@@ -45,6 +49,9 @@ export class HeaderComponent {
         return accounts[activeAccount]?.profile;
       })
     );
+    this.canLock$ = this.vaultTimeoutSettingsService
+      .availableVaultTimeoutActions$()
+      .pipe(map((actions) => actions.includes(VaultTimeoutAction.Lock)));
   }
 
   protected lock() {
diff --git a/bitwarden_license/bit-web/src/app/secrets-manager/shared/header.stories.ts b/bitwarden_license/bit-web/src/app/secrets-manager/shared/header.stories.ts
index 9ade2c1bec..8e480ae50a 100644
--- a/bitwarden_license/bit-web/src/app/secrets-manager/shared/header.stories.ts
+++ b/bitwarden_license/bit-web/src/app/secrets-manager/shared/header.stories.ts
@@ -10,6 +10,8 @@ import {
 import { BehaviorSubject, combineLatest, map } from "rxjs";
 
 import { JslibModule } from "@bitwarden/angular/jslib.module";
+import { VaultTimeoutSettingsService } from "@bitwarden/common/abstractions/vault-timeout/vault-timeout-settings.service";
+import { VaultTimeoutAction } from "@bitwarden/common/enums/vault-timeout-action.enum";
 import { MessagingService } from "@bitwarden/common/platform/abstractions/messaging.service";
 import { StateService } from "@bitwarden/common/platform/abstractions/state.service";
 import {
@@ -42,6 +44,12 @@ class MockMessagingService implements MessagingService {
   }
 }
 
+class MockVaultTimeoutService {
+  availableVaultTimeoutActions$() {
+    return new BehaviorSubject([VaultTimeoutAction.Lock]).asObservable();
+  }
+}
+
 @Component({
   selector: "product-switcher",
   template: `<button bitIconButton="bwi-filter"></button>`,
@@ -89,6 +97,7 @@ export default {
       declarations: [HeaderComponent, MockProductSwitcher, MockDynamicAvatar],
       providers: [
         { provide: StateService, useClass: MockStateService },
+        { provide: VaultTimeoutSettingsService, useClass: MockVaultTimeoutService },
         {
           provide: MessagingService,
           useFactory: () => {
diff --git a/bitwarden_license/bit-web/src/app/secrets-manager/sm-routing.module.ts b/bitwarden_license/bit-web/src/app/secrets-manager/sm-routing.module.ts
index f279314b43..5c18bab4e4 100644
--- a/bitwarden_license/bit-web/src/app/secrets-manager/sm-routing.module.ts
+++ b/bitwarden_license/bit-web/src/app/secrets-manager/sm-routing.module.ts
@@ -1,7 +1,7 @@
 import { NgModule } from "@angular/core";
 import { RouterModule, Routes } from "@angular/router";
 
-import { AuthGuard } from "@bitwarden/angular/auth/guards/auth.guard";
+import { AuthGuard } from "@bitwarden/angular/auth/guards";
 import { Organization } from "@bitwarden/common/admin-console/models/domain/organization";
 import { OrganizationPermissionsGuard } from "@bitwarden/web-vault/app/admin-console/organizations/guards/org-permissions.guard";
 import { buildFlaggedRoute } from "@bitwarden/web-vault/app/oss-routing.module";
diff --git a/bitwarden_license/bit-web/src/app/secrets-manager/sm.guard.ts b/bitwarden_license/bit-web/src/app/secrets-manager/sm.guard.ts
index 340f0484f7..ee653b8f4a 100644
--- a/bitwarden_license/bit-web/src/app/secrets-manager/sm.guard.ts
+++ b/bitwarden_license/bit-web/src/app/secrets-manager/sm.guard.ts
@@ -6,7 +6,7 @@ import {
   RouterStateSnapshot,
 } from "@angular/router";
 
-import { AuthGuard } from "@bitwarden/angular/auth/guards/auth.guard";
+import { AuthGuard } from "@bitwarden/angular/auth/guards";
 import { OrganizationService } from "@bitwarden/common/admin-console/abstractions/organization/organization.service.abstraction";
 import { AuthService } from "@bitwarden/common/auth/abstractions/auth.service";
 import { AuthenticationStatus } from "@bitwarden/common/auth/enums/authentication-status";
diff --git a/libs/angular/src/auth/components/base-login-decryption-options.component.ts b/libs/angular/src/auth/components/base-login-decryption-options.component.ts
new file mode 100644
index 0000000000..3350c3999c
--- /dev/null
+++ b/libs/angular/src/auth/components/base-login-decryption-options.component.ts
@@ -0,0 +1,291 @@
+import { Directive, OnDestroy, OnInit } from "@angular/core";
+import { FormBuilder, FormControl } from "@angular/forms";
+import { ActivatedRoute, Router } from "@angular/router";
+import {
+  firstValueFrom,
+  switchMap,
+  Subject,
+  catchError,
+  from,
+  of,
+  finalize,
+  takeUntil,
+  defer,
+  throwError,
+} from "rxjs";
+
+import { ApiService } from "@bitwarden/common/abstractions/api.service";
+import { DevicesServiceAbstraction } from "@bitwarden/common/abstractions/devices/devices.service.abstraction";
+import { OrganizationUserService } from "@bitwarden/common/abstractions/organization-user/organization-user.service";
+import { OrganizationApiServiceAbstraction } from "@bitwarden/common/admin-console/abstractions/organization/organization-api.service.abstraction";
+import { DeviceTrustCryptoServiceAbstraction } from "@bitwarden/common/auth/abstractions/device-trust-crypto.service.abstraction";
+import { LoginService } from "@bitwarden/common/auth/abstractions/login.service";
+import { PasswordResetEnrollmentServiceAbstraction } from "@bitwarden/common/auth/abstractions/password-reset-enrollment.service.abstraction";
+import { TokenService } from "@bitwarden/common/auth/abstractions/token.service";
+import { KeysRequest } from "@bitwarden/common/models/request/keys.request";
+import { CryptoService } from "@bitwarden/common/platform/abstractions/crypto.service";
+import { I18nService } from "@bitwarden/common/platform/abstractions/i18n.service";
+import { MessagingService } from "@bitwarden/common/platform/abstractions/messaging.service";
+import { PlatformUtilsService } from "@bitwarden/common/platform/abstractions/platform-utils.service";
+import { StateService } from "@bitwarden/common/platform/abstractions/state.service";
+import { ValidationService } from "@bitwarden/common/platform/abstractions/validation.service";
+import { AccountDecryptionOptions } from "@bitwarden/common/platform/models/domain/account";
+
+enum State {
+  NewUser,
+  ExistingUserUntrustedDevice,
+}
+
+type NewUserData = {
+  readonly state: State.NewUser;
+  readonly organizationId: string;
+  readonly userEmail: string;
+};
+
+type ExistingUserUntrustedDeviceData = {
+  readonly state: State.ExistingUserUntrustedDevice;
+  readonly showApproveFromOtherDeviceBtn: boolean;
+  readonly showReqAdminApprovalBtn: boolean;
+  readonly showApproveWithMasterPasswordBtn: boolean;
+  readonly userEmail: string;
+};
+
+type Data = NewUserData | ExistingUserUntrustedDeviceData;
+
+@Directive()
+export class BaseLoginDecryptionOptionsComponent implements OnInit, OnDestroy {
+  private destroy$ = new Subject<void>();
+
+  protected State = State;
+
+  protected data?: Data;
+  protected loading = true;
+
+  // Remember device means for the user to trust the device
+  rememberDeviceForm = this.formBuilder.group({
+    rememberDevice: [true],
+  });
+
+  get rememberDevice(): FormControl<boolean> {
+    return this.rememberDeviceForm?.controls.rememberDevice;
+  }
+
+  constructor(
+    protected formBuilder: FormBuilder,
+    protected devicesService: DevicesServiceAbstraction,
+    protected stateService: StateService,
+    protected router: Router,
+    protected activatedRoute: ActivatedRoute,
+    protected messagingService: MessagingService,
+    protected tokenService: TokenService,
+    protected loginService: LoginService,
+    protected organizationApiService: OrganizationApiServiceAbstraction,
+    protected cryptoService: CryptoService,
+    protected organizationUserService: OrganizationUserService,
+    protected apiService: ApiService,
+    protected i18nService: I18nService,
+    protected validationService: ValidationService,
+    protected deviceTrustCryptoService: DeviceTrustCryptoServiceAbstraction,
+    protected platformUtilsService: PlatformUtilsService,
+    protected passwordResetEnrollmentService: PasswordResetEnrollmentServiceAbstraction
+  ) {}
+
+  async ngOnInit() {
+    this.loading = true;
+
+    this.setupRememberDeviceValueChanges();
+
+    // Persist user choice from state if it exists
+    await this.setRememberDeviceDefaultValue();
+
+    try {
+      const accountDecryptionOptions: AccountDecryptionOptions =
+        await this.stateService.getAccountDecryptionOptions();
+
+      // see sso-login.strategy - to determine if a user is new or not it just checks if there is a key on the token response..
+      // can we check if they have a user key or master key in crypto service? Would that be sufficient?
+      if (
+        !accountDecryptionOptions?.trustedDeviceOption?.hasAdminApproval &&
+        !accountDecryptionOptions?.hasMasterPassword
+      ) {
+        // We are dealing with a new account if:
+        //  - User does not have admin approval (i.e. has not enrolled into admin reset)
+        //  - AND does not have a master password
+
+        this.loadNewUserData();
+      } else {
+        this.loadUntrustedDeviceData(accountDecryptionOptions);
+      }
+
+      // Note: this is probably not a comprehensive write up of all scenarios:
+
+      // If the TDE feature flag is enabled and TDE is configured for the org that the user is a member of,
+      // then new and existing users can be redirected here after completing the SSO flow (and 2FA if enabled).
+
+      // First we must determine user type (new or existing):
+
+      // New User
+      // - present user with option to remember the device or not (trust the device)
+      // - present a continue button to proceed to the vault
+      //  - loadNewUserData() --> will need to load enrollment status and user email address.
+
+      // Existing User
+      // - Determine if user is an admin with access to account recovery in admin console
+      //  - Determine if user has a MP or not, if not, they must be redirected to set one (see PM-1035)
+      // - Determine if device is trusted or not via device crypto service (method not yet written)
+      //  - If not trusted, present user with login decryption options (approve from other device, approve with master password, request admin approval)
+      //    - loadUntrustedDeviceData()
+    } catch (err) {
+      this.validationService.showError(err);
+    }
+  }
+
+  private async setRememberDeviceDefaultValue() {
+    const rememberDeviceFromState = await this.deviceTrustCryptoService.getShouldTrustDevice();
+
+    const rememberDevice = rememberDeviceFromState ?? true;
+
+    this.rememberDevice.setValue(rememberDevice);
+  }
+
+  private setupRememberDeviceValueChanges() {
+    this.rememberDevice.valueChanges
+      .pipe(
+        switchMap((value) =>
+          defer(() => this.deviceTrustCryptoService.setShouldTrustDevice(value))
+        ),
+        takeUntil(this.destroy$)
+      )
+      .subscribe();
+  }
+
+  async loadNewUserData() {
+    const autoEnrollStatus$ = defer(() =>
+      this.stateService.getUserSsoOrganizationIdentifier()
+    ).pipe(
+      switchMap((organizationIdentifier) => {
+        if (organizationIdentifier == undefined) {
+          return throwError(() => new Error(this.i18nService.t("ssoIdentifierRequired")));
+        }
+
+        return from(this.organizationApiService.getAutoEnrollStatus(organizationIdentifier));
+      }),
+      catchError((err: unknown) => {
+        this.validationService.showError(err);
+        return of(undefined);
+      })
+    );
+
+    const email$ = from(this.stateService.getEmail()).pipe(
+      catchError((err: unknown) => {
+        this.validationService.showError(err);
+        return of(undefined);
+      }),
+      takeUntil(this.destroy$)
+    );
+
+    const autoEnrollStatus = await firstValueFrom(autoEnrollStatus$);
+    const email = await firstValueFrom(email$);
+
+    this.data = { state: State.NewUser, organizationId: autoEnrollStatus.id, userEmail: email };
+    this.loading = false;
+  }
+
+  loadUntrustedDeviceData(accountDecryptionOptions: AccountDecryptionOptions) {
+    this.loading = true;
+
+    const email$ = from(this.stateService.getEmail()).pipe(
+      catchError((err: unknown) => {
+        this.validationService.showError(err);
+        return of(undefined);
+      }),
+      takeUntil(this.destroy$)
+    );
+
+    email$
+      .pipe(
+        takeUntil(this.destroy$),
+        finalize(() => {
+          this.loading = false;
+        })
+      )
+      .subscribe((email) => {
+        const showApproveFromOtherDeviceBtn =
+          accountDecryptionOptions?.trustedDeviceOption?.hasLoginApprovingDevice || false;
+
+        const showReqAdminApprovalBtn =
+          !!accountDecryptionOptions?.trustedDeviceOption?.hasAdminApproval || false;
+
+        const showApproveWithMasterPasswordBtn =
+          accountDecryptionOptions?.hasMasterPassword || false;
+
+        const userEmail = email;
+
+        this.data = {
+          state: State.ExistingUserUntrustedDevice,
+          showApproveFromOtherDeviceBtn,
+          showReqAdminApprovalBtn,
+          showApproveWithMasterPasswordBtn,
+          userEmail,
+        };
+      });
+  }
+
+  async approveFromOtherDevice() {
+    if (this.data.state !== State.ExistingUserUntrustedDevice) {
+      return;
+    }
+
+    this.loginService.setEmail(this.data.userEmail);
+    this.router.navigate(["/login-with-device"]);
+  }
+
+  async requestAdminApproval() {
+    this.loginService.setEmail(this.data.userEmail);
+    this.router.navigate(["/admin-approval-requested"]);
+  }
+
+  async approveWithMasterPassword() {
+    this.router.navigate(["/lock"], { queryParams: { from: "login-initiated" } });
+  }
+
+  async createUser() {
+    if (this.data.state !== State.NewUser) {
+      return;
+    }
+
+    // this.loading to support clients without async-actions-support
+    this.loading = true;
+    try {
+      const { publicKey, privateKey } = await this.cryptoService.initAccount();
+      const keysRequest = new KeysRequest(publicKey, privateKey.encryptedString);
+      await this.apiService.postAccountKeys(keysRequest);
+
+      this.platformUtilsService.showToast(
+        "success",
+        null,
+        this.i18nService.t("accountSuccessfullyCreated")
+      );
+
+      await this.passwordResetEnrollmentService.enroll(this.data.organizationId);
+
+      if (this.rememberDeviceForm.value.rememberDevice) {
+        await this.deviceTrustCryptoService.trustDevice();
+      }
+    } catch (error) {
+      this.validationService.showError(error);
+    } finally {
+      this.loading = false;
+    }
+  }
+
+  logOut() {
+    this.loading = true; // to avoid an awkward delay in browser extension
+    this.messagingService.send("logout");
+  }
+
+  ngOnDestroy(): void {
+    this.destroy$.next();
+    this.destroy$.complete();
+  }
+}
diff --git a/libs/angular/src/auth/components/change-password.component.ts b/libs/angular/src/auth/components/change-password.component.ts
index f30987119a..b9c2d1be4f 100644
--- a/libs/angular/src/auth/components/change-password.component.ts
+++ b/libs/angular/src/auth/components/change-password.component.ts
@@ -12,7 +12,7 @@ import { PlatformUtilsService } from "@bitwarden/common/platform/abstractions/pl
 import { StateService } from "@bitwarden/common/platform/abstractions/state.service";
 import { Utils } from "@bitwarden/common/platform/misc/utils";
 import { EncString } from "@bitwarden/common/platform/models/domain/enc-string";
-import { SymmetricCryptoKey } from "@bitwarden/common/platform/models/domain/symmetric-crypto-key";
+import { MasterKey, UserKey } from "@bitwarden/common/platform/models/domain/symmetric-crypto-key";
 import { PasswordGenerationServiceAbstraction } from "@bitwarden/common/tools/generator/password";
 import { DialogService } from "@bitwarden/components";
 
@@ -79,23 +79,28 @@ export class ChangePasswordComponent implements OnInit, OnDestroy {
     if (this.kdfConfig == null) {
       this.kdfConfig = await this.stateService.getKdfConfig();
     }
-    const key = await this.cryptoService.makeKey(
+
+    // Create new master key
+    const newMasterKey = await this.cryptoService.makeMasterKey(
       this.masterPassword,
       email.trim().toLowerCase(),
       this.kdf,
       this.kdfConfig
     );
-    const masterPasswordHash = await this.cryptoService.hashPassword(this.masterPassword, key);
+    const newMasterKeyHash = await this.cryptoService.hashMasterKey(
+      this.masterPassword,
+      newMasterKey
+    );
 
-    let encKey: [SymmetricCryptoKey, EncString] = null;
-    const existingEncKey = await this.cryptoService.getEncKey();
-    if (existingEncKey == null) {
-      encKey = await this.cryptoService.makeEncKey(key);
+    let newProtectedUserKey: [UserKey, EncString] = null;
+    const userKey = await this.cryptoService.getUserKey();
+    if (userKey == null) {
+      newProtectedUserKey = await this.cryptoService.makeUserKey(newMasterKey);
     } else {
-      encKey = await this.cryptoService.remakeEncKey(key);
+      newProtectedUserKey = await this.cryptoService.encryptUserKeyWithMasterKey(newMasterKey);
     }
 
-    await this.performSubmitActions(masterPasswordHash, key, encKey);
+    await this.performSubmitActions(newMasterKeyHash, newMasterKey, newProtectedUserKey);
   }
 
   async setupSubmitActions(): Promise<boolean> {
@@ -105,9 +110,9 @@ export class ChangePasswordComponent implements OnInit, OnDestroy {
   }
 
   async performSubmitActions(
-    masterPasswordHash: string,
-    key: SymmetricCryptoKey,
-    encKey: [SymmetricCryptoKey, EncString]
+    newMasterKeyHash: string,
+    newMasterKey: MasterKey,
+    newUserKey: [UserKey, EncString]
   ) {
     // Override in sub-class
   }
diff --git a/libs/angular/src/auth/components/lock.component.ts b/libs/angular/src/auth/components/lock.component.ts
index 68cc7dafe0..4692792378 100644
--- a/libs/angular/src/auth/components/lock.component.ts
+++ b/libs/angular/src/auth/components/lock.component.ts
@@ -4,16 +4,18 @@ import { firstValueFrom, Subject } from "rxjs";
 import { concatMap, take, takeUntil } from "rxjs/operators";
 
 import { ApiService } from "@bitwarden/common/abstractions/api.service";
-import { VaultTimeoutService } from "@bitwarden/common/abstractions/vaultTimeout/vaultTimeout.service";
-import { VaultTimeoutSettingsService } from "@bitwarden/common/abstractions/vaultTimeout/vaultTimeoutSettings.service";
+import { VaultTimeoutSettingsService } from "@bitwarden/common/abstractions/vault-timeout/vault-timeout-settings.service";
+import { VaultTimeoutService } from "@bitwarden/common/abstractions/vault-timeout/vault-timeout.service";
 import { PolicyApiServiceAbstraction } from "@bitwarden/common/admin-console/abstractions/policy/policy-api.service.abstraction";
 import { InternalPolicyService } from "@bitwarden/common/admin-console/abstractions/policy/policy.service.abstraction";
 import { MasterPasswordPolicyOptions } from "@bitwarden/common/admin-console/models/domain/master-password-policy-options";
-import { KeyConnectorService } from "@bitwarden/common/auth/abstractions/key-connector.service";
+import { DeviceTrustCryptoServiceAbstraction } from "@bitwarden/common/auth/abstractions/device-trust-crypto.service.abstraction";
+import { UserVerificationService } from "@bitwarden/common/auth/abstractions/user-verification/user-verification.service.abstraction";
 import { ForceResetPasswordReason } from "@bitwarden/common/auth/models/domain/force-reset-password-reason";
 import { SecretVerificationRequest } from "@bitwarden/common/auth/models/request/secret-verification.request";
 import { MasterPasswordPolicyResponse } from "@bitwarden/common/auth/models/response/master-password-policy.response";
 import { HashPurpose, KeySuffixOptions } from "@bitwarden/common/enums";
+import { VaultTimeoutAction } from "@bitwarden/common/enums/vault-timeout-action.enum";
 import { CryptoService } from "@bitwarden/common/platform/abstractions/crypto.service";
 import { EnvironmentService } from "@bitwarden/common/platform/abstractions/environment.service";
 import { I18nService } from "@bitwarden/common/platform/abstractions/i18n.service";
@@ -23,7 +25,8 @@ import { PlatformUtilsService } from "@bitwarden/common/platform/abstractions/pl
 import { StateService } from "@bitwarden/common/platform/abstractions/state.service";
 import { Utils } from "@bitwarden/common/platform/misc/utils";
 import { EncString } from "@bitwarden/common/platform/models/domain/enc-string";
-import { SymmetricCryptoKey } from "@bitwarden/common/platform/models/domain/symmetric-crypto-key";
+import { UserKey } from "@bitwarden/common/platform/models/domain/symmetric-crypto-key";
+import { PinLockType } from "@bitwarden/common/services/vault-timeout/vault-timeout-settings.service";
 import { PasswordStrengthServiceAbstraction } from "@bitwarden/common/tools/password-strength";
 import { DialogService } from "@bitwarden/components";
 
@@ -33,20 +36,20 @@ export class LockComponent implements OnInit, OnDestroy {
   pin = "";
   showPassword = false;
   email: string;
-  pinLock = false;
+  pinEnabled = false;
+  masterPasswordEnabled = false;
   webVaultHostname = "";
   formPromise: Promise<MasterPasswordPolicyResponse>;
   supportsBiometric: boolean;
   biometricLock: boolean;
   biometricText: string;
-  hideInput: boolean;
 
   protected successRoute = "vault";
   protected forcePasswordResetRoute = "update-temp-password";
   protected onSuccessfulSubmit: () => Promise<void>;
 
   private invalidPinAttempts = 0;
-  private pinSet: [boolean, boolean];
+  private pinStatus: PinLockType;
 
   private enforcedMasterPasswordOptions: MasterPasswordPolicyOptions = undefined;
 
@@ -64,12 +67,13 @@ export class LockComponent implements OnInit, OnDestroy {
     protected stateService: StateService,
     protected apiService: ApiService,
     protected logService: LogService,
-    private keyConnectorService: KeyConnectorService,
     protected ngZone: NgZone,
     protected policyApiService: PolicyApiServiceAbstraction,
     protected policyService: InternalPolicyService,
     protected passwordStrengthService: PasswordStrengthServiceAbstraction,
-    protected dialogService: DialogService
+    protected dialogService: DialogService,
+    protected deviceTrustCryptoService: DeviceTrustCryptoServiceAbstraction,
+    protected userVerificationService: UserVerificationService
   ) {}
 
   async ngOnInit() {
@@ -89,7 +93,7 @@ export class LockComponent implements OnInit, OnDestroy {
   }
 
   async submit() {
-    if (this.pinLock) {
+    if (this.pinEnabled) {
       return await this.handlePinRequiredUnlock();
     }
 
@@ -114,18 +118,18 @@ export class LockComponent implements OnInit, OnDestroy {
       return;
     }
 
-    const success = (await this.cryptoService.getKey(KeySuffixOptions.Biometric)) != null;
+    const userKey = await this.cryptoService.getUserKeyFromStorage(KeySuffixOptions.Biometric);
 
-    if (success) {
-      await this.doContinue(false);
+    if (userKey) {
+      await this.setUserKeyAndContinue(userKey, false);
     }
 
-    return success;
+    return !!userKey;
   }
 
   togglePassword() {
     this.showPassword = !this.showPassword;
-    const input = document.getElementById(this.pinLock ? "pin" : "masterPassword");
+    const input = document.getElementById(this.pinEnabled ? "pin" : "masterPassword");
     if (this.ngZone.isStable) {
       input.focus();
     } else {
@@ -151,25 +155,58 @@ export class LockComponent implements OnInit, OnDestroy {
     try {
       const kdf = await this.stateService.getKdfType();
       const kdfConfig = await this.stateService.getKdfConfig();
-      if (this.pinSet[0]) {
-        const key = await this.cryptoService.makeKeyFromPin(
+      let userKeyPin: EncString;
+      let oldPinKey: EncString;
+      switch (this.pinStatus) {
+        case "PERSISTANT": {
+          userKeyPin = await this.stateService.getPinKeyEncryptedUserKey();
+          const oldEncryptedPinKey = await this.stateService.getEncryptedPinProtected();
+          oldPinKey = oldEncryptedPinKey ? new EncString(oldEncryptedPinKey) : undefined;
+          break;
+        }
+        case "TRANSIENT": {
+          userKeyPin = await this.stateService.getPinKeyEncryptedUserKeyEphemeral();
+          oldPinKey = await this.stateService.getDecryptedPinProtected();
+          break;
+        }
+        case "DISABLED": {
+          throw new Error("Pin is disabled");
+        }
+        default: {
+          const _exhaustiveCheck: never = this.pinStatus;
+          return _exhaustiveCheck;
+        }
+      }
+
+      let userKey: UserKey;
+      if (oldPinKey) {
+        userKey = await this.cryptoService.decryptAndMigrateOldPinKey(
+          this.pinStatus === "TRANSIENT",
           this.pin,
           this.email,
           kdf,
           kdfConfig,
-          await this.stateService.getDecryptedPinProtected()
+          oldPinKey
         );
-        const encKey = await this.cryptoService.getEncKey(key);
-        const protectedPin = await this.stateService.getProtectedPin();
-        const decPin = await this.cryptoService.decryptToUtf8(new EncString(protectedPin), encKey);
-        failed = decPin !== this.pin;
-        if (!failed) {
-          await this.setKeyAndContinue(key);
-        }
       } else {
-        const key = await this.cryptoService.makeKeyFromPin(this.pin, this.email, kdf, kdfConfig);
-        failed = false;
-        await this.setKeyAndContinue(key);
+        userKey = await this.cryptoService.decryptUserKeyWithPin(
+          this.pin,
+          this.email,
+          kdf,
+          kdfConfig,
+          userKeyPin
+        );
+      }
+
+      const protectedPin = await this.stateService.getProtectedPin();
+      const decryptedPin = await this.cryptoService.decryptToUtf8(
+        new EncString(protectedPin),
+        userKey
+      );
+      failed = decryptedPin !== this.pin;
+
+      if (!failed) {
+        await this.setUserKeyAndContinue(userKey);
       }
     } catch {
       failed = true;
@@ -205,18 +242,28 @@ export class LockComponent implements OnInit, OnDestroy {
     const kdf = await this.stateService.getKdfType();
     const kdfConfig = await this.stateService.getKdfConfig();
 
-    const key = await this.cryptoService.makeKey(this.masterPassword, this.email, kdf, kdfConfig);
-    const storedKeyHash = await this.cryptoService.getKeyHash();
+    const masterKey = await this.cryptoService.makeMasterKey(
+      this.masterPassword,
+      this.email,
+      kdf,
+      kdfConfig
+    );
+    const storedPasswordHash = await this.cryptoService.getMasterKeyHash();
 
     let passwordValid = false;
 
-    if (storedKeyHash != null) {
-      passwordValid = await this.cryptoService.compareAndUpdateKeyHash(this.masterPassword, key);
-    } else {
-      const request = new SecretVerificationRequest();
-      const serverKeyHash = await this.cryptoService.hashPassword(
+    if (storedPasswordHash != null) {
+      // Offline unlock possible
+      passwordValid = await this.cryptoService.compareAndUpdateKeyHash(
         this.masterPassword,
-        key,
+        masterKey
+      );
+    } else {
+      // Online only
+      const request = new SecretVerificationRequest();
+      const serverKeyHash = await this.cryptoService.hashMasterKey(
+        this.masterPassword,
+        masterKey,
         HashPurpose.ServerAuthorization
       );
       request.masterPasswordHash = serverKeyHash;
@@ -225,14 +272,16 @@ export class LockComponent implements OnInit, OnDestroy {
         const response = await this.formPromise;
         this.enforcedMasterPasswordOptions = MasterPasswordPolicyOptions.fromResponse(response);
         passwordValid = true;
-        const localKeyHash = await this.cryptoService.hashPassword(
+        const localKeyHash = await this.cryptoService.hashMasterKey(
           this.masterPassword,
-          key,
+          masterKey,
           HashPurpose.LocalAuthorization
         );
-        await this.cryptoService.setKeyHash(localKeyHash);
+        await this.cryptoService.setMasterKeyHash(localKeyHash);
       } catch (e) {
         this.logService.error(e);
+      } finally {
+        this.formPromise = null;
       }
     }
 
@@ -245,19 +294,18 @@ export class LockComponent implements OnInit, OnDestroy {
       return;
     }
 
-    if (this.pinSet[0]) {
-      const protectedPin = await this.stateService.getProtectedPin();
-      const encKey = await this.cryptoService.getEncKey(key);
-      const decPin = await this.cryptoService.decryptToUtf8(new EncString(protectedPin), encKey);
-      const pinKey = await this.cryptoService.makePinKey(decPin, this.email, kdf, kdfConfig);
-      await this.stateService.setDecryptedPinProtected(
-        await this.cryptoService.encrypt(key.key, pinKey)
-      );
-    }
-    await this.setKeyAndContinue(key, true);
+    const userKey = await this.cryptoService.decryptUserKeyWithMasterKey(masterKey);
+    await this.cryptoService.setMasterKey(masterKey);
+    await this.setUserKeyAndContinue(userKey, true);
   }
-  private async setKeyAndContinue(key: SymmetricCryptoKey, evaluatePasswordAfterUnlock = false) {
-    await this.cryptoService.setKey(key);
+
+  private async setUserKeyAndContinue(key: UserKey, evaluatePasswordAfterUnlock = false) {
+    await this.cryptoService.setUserKey(key);
+
+    // Now that we have a decrypted user key in memory, we can check if we
+    // need to establish trust on the current device
+    await this.deviceTrustCryptoService.trustDeviceIfRequired();
+
     await this.doContinue(evaluatePasswordAfterUnlock);
   }
 
@@ -295,24 +343,39 @@ export class LockComponent implements OnInit, OnDestroy {
   }
 
   private async load() {
-    this.pinSet = await this.vaultTimeoutSettingsService.isPinLockSet();
-    this.pinLock =
-      (this.pinSet[0] && (await this.stateService.getDecryptedPinProtected()) != null) ||
-      this.pinSet[1];
+    // TODO: Investigate PM-3515
+
+    // The loading of the lock component works as follows:
+    //   1. First, is locking a valid timeout action?  If not, we will log the user out.
+    //   2. If locking IS a valid timeout action, we proceed to show the user the lock screen.
+    //      The user will be able to unlock as follows:
+    //        - If they have a PIN set, they will be presented with the PIN input
+    //        - If they have a master password and no PIN, they will be presented with the master password input
+    //        - If they have biometrics enabled, they will be presented with the biometric prompt
+
+    const availableVaultTimeoutActions = await firstValueFrom(
+      this.vaultTimeoutSettingsService.availableVaultTimeoutActions$()
+    );
+    const supportsLock = availableVaultTimeoutActions.includes(VaultTimeoutAction.Lock);
+    if (!supportsLock) {
+      return await this.vaultTimeoutService.logOut();
+    }
+
+    this.pinStatus = await this.vaultTimeoutSettingsService.isPinLockSet();
+
+    let ephemeralPinSet = await this.stateService.getPinKeyEncryptedUserKeyEphemeral();
+    ephemeralPinSet ||= await this.stateService.getDecryptedPinProtected();
+    this.pinEnabled =
+      (this.pinStatus === "TRANSIENT" && !!ephemeralPinSet) || this.pinStatus === "PERSISTANT";
+    this.masterPasswordEnabled = await this.userVerificationService.hasMasterPassword();
+
     this.supportsBiometric = await this.platformUtilsService.supportsBiometric();
     this.biometricLock =
       (await this.vaultTimeoutSettingsService.isBiometricLockSet()) &&
-      ((await this.cryptoService.hasKeyStored(KeySuffixOptions.Biometric)) ||
+      ((await this.cryptoService.hasUserKeyStored(KeySuffixOptions.Biometric)) ||
         !this.platformUtilsService.supportsSecureStorage());
     this.biometricText = await this.stateService.getBiometricText();
     this.email = await this.stateService.getEmail();
-    const usesKeyConnector = await this.keyConnectorService.getUsesKeyConnector();
-    this.hideInput = usesKeyConnector && !this.pinLock;
-
-    // Users with key connector and without biometric or pin has no MP to unlock using
-    if (usesKeyConnector && !(this.biometricLock || this.pinLock)) {
-      await this.vaultTimeoutService.logOut();
-    }
 
     const webVaultUrl = this.environmentService.getWebVaultUrl();
     const vaultUrl =
diff --git a/libs/angular/src/auth/components/login-with-device.component.ts b/libs/angular/src/auth/components/login-with-device.component.ts
index a991f0a8b1..84d904ec7b 100644
--- a/libs/angular/src/auth/components/login-with-device.component.ts
+++ b/libs/angular/src/auth/components/login-with-device.component.ts
@@ -1,16 +1,22 @@
 import { Directive, OnDestroy, OnInit } from "@angular/core";
-import { Router } from "@angular/router";
+import { IsActiveMatchOptions, Router } from "@angular/router";
 import { Subject, takeUntil } from "rxjs";
 
 import { AnonymousHubService } from "@bitwarden/common/abstractions/anonymousHub.service";
 import { ApiService } from "@bitwarden/common/abstractions/api.service";
+import { AuthRequestCryptoServiceAbstraction } from "@bitwarden/common/auth/abstractions/auth-request-crypto.service.abstraction";
 import { AuthService } from "@bitwarden/common/auth/abstractions/auth.service";
+import { DeviceTrustCryptoServiceAbstraction } from "@bitwarden/common/auth/abstractions/device-trust-crypto.service.abstraction";
 import { LoginService } from "@bitwarden/common/auth/abstractions/login.service";
 import { AuthRequestType } from "@bitwarden/common/auth/enums/auth-request-type";
+import { AuthenticationStatus } from "@bitwarden/common/auth/enums/authentication-status";
+import { AdminAuthRequestStorable } from "@bitwarden/common/auth/models/domain/admin-auth-req-storable";
+import { AuthResult } from "@bitwarden/common/auth/models/domain/auth-result";
 import { ForceResetPasswordReason } from "@bitwarden/common/auth/models/domain/force-reset-password-reason";
 import { PasswordlessLogInCredentials } from "@bitwarden/common/auth/models/domain/log-in-credentials";
 import { PasswordlessCreateAuthRequest } from "@bitwarden/common/auth/models/request/passwordless-create-auth.request";
 import { AuthRequestResponse } from "@bitwarden/common/auth/models/response/auth-request.response";
+import { HttpStatusCode } from "@bitwarden/common/enums/http-status-code.enum";
 import { ErrorResponse } from "@bitwarden/common/models/response/error.response";
 import { AppIdService } from "@bitwarden/common/platform/abstractions/app-id.service";
 import { CryptoFunctionService } from "@bitwarden/common/platform/abstractions/crypto-function.service";
@@ -22,17 +28,24 @@ import { PlatformUtilsService } from "@bitwarden/common/platform/abstractions/pl
 import { StateService } from "@bitwarden/common/platform/abstractions/state.service";
 import { ValidationService } from "@bitwarden/common/platform/abstractions/validation.service";
 import { Utils } from "@bitwarden/common/platform/misc/utils";
-import { SymmetricCryptoKey } from "@bitwarden/common/platform/models/domain/symmetric-crypto-key";
 import { PasswordGenerationServiceAbstraction } from "@bitwarden/common/tools/generator/password";
 
 import { CaptchaProtectedComponent } from "./captcha-protected.component";
 
+// TODO: consider renaming this component something like LoginViaAuthReqComponent
+
+enum State {
+  StandardAuthRequest,
+  AdminAuthRequest,
+}
+
 @Directive()
 export class LoginWithDeviceComponent
   extends CaptchaProtectedComponent
   implements OnInit, OnDestroy
 {
   private destroy$ = new Subject<void>();
+  userAuthNStatus: AuthenticationStatus;
   email: string;
   showResendNotification = false;
   passwordlessRequest: PasswordlessCreateAuthRequest;
@@ -42,12 +55,19 @@ export class LoginWithDeviceComponent
   onSuccessfulLoginNavigate: () => Promise<any>;
   onSuccessfulLoginForceResetNavigate: () => Promise<any>;
 
+  protected adminApprovalRoute = "admin-approval-requested";
+
+  protected StateEnum = State;
+  protected state = State.StandardAuthRequest;
+
   protected twoFactorRoute = "2fa";
   protected successRoute = "vault";
   protected forcePasswordResetRoute = "update-temp-password";
   private resendTimeout = 12000;
-  private authRequestKeyPair: [publicKey: Uint8Array, privateKey: Uint8Array];
 
+  private authRequestKeyPair: { publicKey: Uint8Array; privateKey: Uint8Array };
+
+  // TODO: in future, go to child components and remove child constructors and let deps fall through to the super class
   constructor(
     protected router: Router,
     private cryptoService: CryptoService,
@@ -63,10 +83,14 @@ export class LoginWithDeviceComponent
     private anonymousHubService: AnonymousHubService,
     private validationService: ValidationService,
     private stateService: StateService,
-    private loginService: LoginService
+    private loginService: LoginService,
+    private deviceTrustCryptoService: DeviceTrustCryptoServiceAbstraction,
+    private authReqCryptoService: AuthRequestCryptoServiceAbstraction
   ) {
     super(environmentService, i18nService, platformUtilsService);
 
+    // TODO: I don't know why this is necessary.
+    // Why would the existence of the email depend on the navigation?
     const navigation = this.router.getCurrentNavigation();
     if (navigation) {
       this.email = this.loginService.getEmail();
@@ -77,25 +101,167 @@ export class LoginWithDeviceComponent
       .getPushNotificationObs$()
       .pipe(takeUntil(this.destroy$))
       .subscribe((id) => {
-        this.confirmResponse(id);
+        // Only fires on approval currently
+        this.verifyAndHandleApprovedAuthReq(id);
       });
   }
 
   async ngOnInit() {
-    if (!this.email) {
-      this.router.navigate(["/login"]);
-      return;
+    this.userAuthNStatus = await this.authService.getAuthStatus();
+
+    const matchOptions: IsActiveMatchOptions = {
+      paths: "exact",
+      queryParams: "ignored",
+      fragment: "ignored",
+      matrixParams: "ignored",
+    };
+
+    if (this.router.isActive(this.adminApprovalRoute, matchOptions)) {
+      this.state = State.AdminAuthRequest;
     }
 
+    if (this.state === State.AdminAuthRequest) {
+      // Pull email from state for admin auth reqs b/c it is available
+      // This also prevents it from being lost on refresh as the
+      // login service email does not persist.
+      this.email = await this.stateService.getEmail();
+
+      if (!this.email) {
+        this.platformUtilsService.showToast("error", null, this.i18nService.t("userEmailMissing"));
+        this.router.navigate(["/login-initiated"]);
+        return;
+      }
+
+      // We only allow a single admin approval request to be active at a time
+      // so must check state to see if we have an existing one or not
+      const adminAuthReqStorable = await this.stateService.getAdminAuthRequest();
+
+      if (adminAuthReqStorable) {
+        await this.handleExistingAdminAuthRequest(adminAuthReqStorable);
+      } else {
+        // No existing admin auth request; so we need to create one
+        await this.startPasswordlessLogin();
+      }
+    } else {
+      // Standard auth request
+      // TODO: evaluate if we can remove the setting of this.email in the constructor
+      this.email = this.loginService.getEmail();
+
+      if (!this.email) {
+        this.platformUtilsService.showToast("error", null, this.i18nService.t("userEmailMissing"));
+        this.router.navigate(["/login"]);
+        return;
+      }
+
+      await this.startPasswordlessLogin();
+    }
+  }
+
+  ngOnDestroy(): void {
+    this.destroy$.next();
+    this.destroy$.complete();
+    this.anonymousHubService.stopHubConnection();
+  }
+
+  private async handleExistingAdminAuthRequest(adminAuthReqStorable: AdminAuthRequestStorable) {
+    // Note: on login, the SSOLoginStrategy will also call to see an existing admin auth req
+    // has been approved and handle it if so.
+
+    // Regardless, we always retrieve the auth request from the server verify and handle status changes here as well
+    let adminAuthReqResponse: AuthRequestResponse;
+    try {
+      adminAuthReqResponse = await this.apiService.getAuthRequest(adminAuthReqStorable.id);
+    } catch (error) {
+      if (error instanceof ErrorResponse && error.statusCode === HttpStatusCode.NotFound) {
+        return await this.handleExistingAdminAuthReqDeletedOrDenied();
+      }
+    }
+
+    // Request doesn't exist anymore
+    if (!adminAuthReqResponse) {
+      return await this.handleExistingAdminAuthReqDeletedOrDenied();
+    }
+
+    // Re-derive the user's fingerprint phrase
+    // It is important to not use the server's public key here as it could have been compromised via MITM
+    const derivedPublicKeyArrayBuffer = await this.cryptoFunctionService.rsaExtractPublicKey(
+      adminAuthReqStorable.privateKey
+    );
+    this.fingerprintPhrase = (
+      await this.cryptoService.getFingerprint(this.email, derivedPublicKeyArrayBuffer)
+    ).join("-");
+
+    // Request denied
+    if (adminAuthReqResponse.isAnswered && !adminAuthReqResponse.requestApproved) {
+      return await this.handleExistingAdminAuthReqDeletedOrDenied();
+    }
+
+    // Request approved
+    if (adminAuthReqResponse.requestApproved) {
+      return await this.handleApprovedAdminAuthRequest(
+        adminAuthReqResponse,
+        adminAuthReqStorable.privateKey
+      );
+    }
+
+    // Request still pending response from admin
+    // So, create hub connection so that any approvals will be received via push notification
+    this.anonymousHubService.createHubConnection(adminAuthReqStorable.id);
+  }
+
+  private async handleExistingAdminAuthReqDeletedOrDenied() {
+    // clear the admin auth request from state
+    await this.stateService.setAdminAuthRequest(null);
+
+    // start new auth request
     this.startPasswordlessLogin();
   }
 
+  private async buildAuthRequest(authRequestType: AuthRequestType) {
+    const authRequestKeyPairArray = await this.cryptoFunctionService.rsaGenerateKeyPair(2048);
+
+    this.authRequestKeyPair = {
+      publicKey: authRequestKeyPairArray[0],
+      privateKey: authRequestKeyPairArray[1],
+    };
+
+    const deviceIdentifier = await this.appIdService.getAppId();
+    const publicKey = Utils.fromBufferToB64(this.authRequestKeyPair.publicKey);
+    const accessCode = await this.passwordGenerationService.generatePassword({ length: 25 });
+
+    this.fingerprintPhrase = (
+      await this.cryptoService.getFingerprint(this.email, this.authRequestKeyPair.publicKey)
+    ).join("-");
+
+    this.passwordlessRequest = new PasswordlessCreateAuthRequest(
+      this.email,
+      deviceIdentifier,
+      publicKey,
+      authRequestType,
+      accessCode
+    );
+  }
+
   async startPasswordlessLogin() {
     this.showResendNotification = false;
 
     try {
-      await this.buildAuthRequest();
-      const reqResponse = await this.apiService.postAuthRequest(this.passwordlessRequest);
+      let reqResponse: AuthRequestResponse;
+
+      if (this.state === State.AdminAuthRequest) {
+        await this.buildAuthRequest(AuthRequestType.AdminApproval);
+        reqResponse = await this.apiService.postAdminAuthRequest(this.passwordlessRequest);
+
+        const adminAuthReqStorable = new AdminAuthRequestStorable({
+          id: reqResponse.id,
+          privateKey: this.authRequestKeyPair.privateKey,
+        });
+
+        await this.stateService.setAdminAuthRequest(adminAuthReqStorable);
+      } else {
+        await this.buildAuthRequest(AuthRequestType.AuthenticateAndUnlock);
+        reqResponse = await this.apiService.postAuthRequest(this.passwordlessRequest);
+      }
 
       if (reqResponse.id) {
         this.anonymousHubService.createHubConnection(reqResponse.id);
@@ -109,52 +275,69 @@ export class LoginWithDeviceComponent
     }, this.resendTimeout);
   }
 
-  ngOnDestroy(): void {
-    this.destroy$.next();
-    this.destroy$.complete();
-    this.anonymousHubService.stopHubConnection();
-  }
-
-  private async confirmResponse(requestId: string) {
+  private async verifyAndHandleApprovedAuthReq(requestId: string) {
     try {
-      const response = await this.apiService.getAuthResponse(
-        requestId,
-        this.passwordlessRequest.accessCode
-      );
+      // Retrieve the auth request from server and verify it's approved
+      let authReqResponse: AuthRequestResponse;
 
-      if (!response.requestApproved) {
+      switch (this.state) {
+        case State.StandardAuthRequest:
+          // Unauthed - access code required for user verification
+          authReqResponse = await this.apiService.getAuthResponse(
+            requestId,
+            this.passwordlessRequest.accessCode
+          );
+          break;
+
+        case State.AdminAuthRequest:
+          // Authed - no access code required
+          authReqResponse = await this.apiService.getAuthRequest(requestId);
+          break;
+
+        default:
+          break;
+      }
+
+      if (!authReqResponse.requestApproved) {
         return;
       }
 
-      const credentials = await this.buildLoginCredentials(requestId, response);
-      const loginResponse = await this.authService.logIn(credentials);
+      // Approved so proceed:
 
-      if (loginResponse.requiresTwoFactor) {
-        if (this.onSuccessfulLoginTwoFactorNavigate != null) {
-          this.onSuccessfulLoginTwoFactorNavigate();
-        } else {
-          this.router.navigate([this.twoFactorRoute]);
-        }
-      } else if (loginResponse.forcePasswordReset != ForceResetPasswordReason.None) {
-        if (this.onSuccessfulLoginForceResetNavigate != null) {
-          this.onSuccessfulLoginForceResetNavigate();
-        } else {
-          this.router.navigate([this.forcePasswordResetRoute]);
-        }
-      } else {
-        await this.setRememberEmailValues();
-        if (this.onSuccessfulLogin != null) {
-          this.onSuccessfulLogin();
-        }
-        if (this.onSuccessfulLoginNavigate != null) {
-          this.onSuccessfulLoginNavigate();
-        } else {
-          this.router.navigate([this.successRoute]);
-        }
+      // 4 Scenarios to handle for approved auth requests:
+      // Existing flow 1:
+      //  - Anon Login with Device > User is not AuthN > receives approval from device with pubKey(masterKey)
+      //    > decrypt masterKey > must authenticate > gets masterKey(userKey) > decrypt userKey and proceed to vault
+
+      // 3 new flows from TDE:
+      // Flow 2:
+      //  - Post SSO > User is AuthN > SSO login strategy success sets masterKey(userKey) > receives approval from device with pubKey(masterKey)
+      //    > decrypt masterKey > decrypt userKey > establish trust if required > proceed to vault
+      // Flow 3:
+      //  - Post SSO > User is AuthN > Receives approval from device with pubKey(userKey) > decrypt userKey > establish trust if required > proceed to vault
+      // Flow 4:
+      //  - Anon Login with Device > User is not AuthN > receives approval from device with pubKey(userKey)
+      //    > decrypt userKey > must authenticate > set userKey > proceed to vault
+
+      // if user has authenticated via SSO
+      if (this.userAuthNStatus === AuthenticationStatus.Locked) {
+        return await this.handleApprovedAdminAuthRequest(
+          authReqResponse,
+          this.authRequestKeyPair.privateKey
+        );
       }
+
+      // Flow 1 and 4:
+      const loginAuthResult = await this.loginViaPasswordlessStrategy(requestId, authReqResponse);
+      await this.handlePostLoginNavigation(loginAuthResult);
     } catch (error) {
       if (error instanceof ErrorResponse) {
-        this.router.navigate(["/login"]);
+        let errorRoute = "/login";
+        if (this.state === State.AdminAuthRequest) {
+          errorRoute = "/login-initiated";
+        }
+
+        this.router.navigate([errorRoute]);
         this.validationService.showError(error);
         return;
       }
@@ -163,6 +346,112 @@ export class LoginWithDeviceComponent
     }
   }
 
+  async handleApprovedAdminAuthRequest(
+    adminAuthReqResponse: AuthRequestResponse,
+    privateKey: ArrayBuffer
+  ) {
+    // See verifyAndHandleApprovedAuthReq(...) for flow details
+    // it's flow 2 or 3 based on presence of masterPasswordHash
+    if (adminAuthReqResponse.masterPasswordHash) {
+      // Flow 2: masterPasswordHash is not null
+      // key is authRequestPublicKey(masterKey) + we have authRequestPublicKey(masterPasswordHash)
+      await this.authReqCryptoService.setKeysAfterDecryptingSharedMasterKeyAndHash(
+        adminAuthReqResponse,
+        privateKey
+      );
+    } else {
+      // Flow 3: masterPasswordHash is null
+      // we can assume key is authRequestPublicKey(userKey) and we can just decrypt with userKey and proceed to vault
+      await this.authReqCryptoService.setUserKeyAfterDecryptingSharedUserKey(
+        adminAuthReqResponse,
+        privateKey
+      );
+    }
+
+    // clear the admin auth request from state so it cannot be used again (it's a one time use)
+    // TODO: this should eventually be enforced via deleting this on the server once it is used
+    await this.stateService.setAdminAuthRequest(null);
+
+    this.platformUtilsService.showToast("success", null, this.i18nService.t("loginApproved"));
+
+    // Now that we have a decrypted user key in memory, we can check if we
+    // need to establish trust on the current device
+    await this.deviceTrustCryptoService.trustDeviceIfRequired();
+
+    // TODO: don't forget to use auto enrollment service everywhere we trust device
+
+    await this.handleSuccessfulLoginNavigation();
+  }
+
+  // Authentication helper
+  private async buildPasswordlessLoginCredentials(
+    requestId: string,
+    response: AuthRequestResponse
+  ): Promise<PasswordlessLogInCredentials> {
+    // if masterPasswordHash has a value, we will always receive key as authRequestPublicKey(masterKey) + authRequestPublicKey(masterPasswordHash)
+    // if masterPasswordHash is null, we will always receive key as authRequestPublicKey(userKey)
+    if (response.masterPasswordHash) {
+      const { masterKey, masterKeyHash } =
+        await this.authReqCryptoService.decryptPubKeyEncryptedMasterKeyAndHash(
+          response.key,
+          response.masterPasswordHash,
+          this.authRequestKeyPair.privateKey
+        );
+
+      return new PasswordlessLogInCredentials(
+        this.email,
+        this.passwordlessRequest.accessCode,
+        requestId,
+        null, // no userKey
+        masterKey,
+        masterKeyHash
+      );
+    } else {
+      const userKey = await this.authReqCryptoService.decryptPubKeyEncryptedUserKey(
+        response.key,
+        this.authRequestKeyPair.privateKey
+      );
+      return new PasswordlessLogInCredentials(
+        this.email,
+        this.passwordlessRequest.accessCode,
+        requestId,
+        userKey,
+        null, // no masterKey
+        null // no masterKeyHash
+      );
+    }
+  }
+
+  private async loginViaPasswordlessStrategy(
+    requestId: string,
+    authReqResponse: AuthRequestResponse
+  ): Promise<AuthResult> {
+    // Note: credentials change based on if the authReqResponse.key is a encryptedMasterKey or UserKey
+    const credentials = await this.buildPasswordlessLoginCredentials(requestId, authReqResponse);
+
+    // Note: keys are set by PasswordlessLogInStrategy success handling
+    return await this.authService.logIn(credentials);
+  }
+
+  // Routing logic
+  private async handlePostLoginNavigation(loginResponse: AuthResult) {
+    if (loginResponse.requiresTwoFactor) {
+      if (this.onSuccessfulLoginTwoFactorNavigate != null) {
+        this.onSuccessfulLoginTwoFactorNavigate();
+      } else {
+        this.router.navigate([this.twoFactorRoute]);
+      }
+    } else if (loginResponse.forcePasswordReset != ForceResetPasswordReason.None) {
+      if (this.onSuccessfulLoginForceResetNavigate != null) {
+        this.onSuccessfulLoginForceResetNavigate();
+      } else {
+        this.router.navigate([this.forcePasswordResetRoute]);
+      }
+    } else {
+      await this.handleSuccessfulLoginNavigation();
+    }
+  }
+
   async setRememberEmailValues() {
     const rememberEmail = this.loginService.getRememberEmail();
     const rememberedEmail = this.loginService.getEmail();
@@ -170,43 +459,19 @@ export class LoginWithDeviceComponent
     this.loginService.clearValues();
   }
 
-  private async buildAuthRequest() {
-    this.authRequestKeyPair = await this.cryptoFunctionService.rsaGenerateKeyPair(2048);
-    const deviceIdentifier = await this.appIdService.getAppId();
-    const publicKey = Utils.fromBufferToB64(this.authRequestKeyPair[0]);
-    const accessCode = await this.passwordGenerationService.generatePassword({ length: 25 });
+  private async handleSuccessfulLoginNavigation() {
+    if (this.state === State.StandardAuthRequest) {
+      // Only need to set remembered email on standard login with auth req flow
+      await this.setRememberEmailValues();
+    }
 
-    this.fingerprintPhrase = (
-      await this.cryptoService.getFingerprint(this.email, this.authRequestKeyPair[0])
-    ).join("-");
-
-    this.passwordlessRequest = new PasswordlessCreateAuthRequest(
-      this.email,
-      deviceIdentifier,
-      publicKey,
-      AuthRequestType.AuthenticateAndUnlock,
-      accessCode
-    );
-  }
-
-  private async buildLoginCredentials(
-    requestId: string,
-    response: AuthRequestResponse
-  ): Promise<PasswordlessLogInCredentials> {
-    const decKey = await this.cryptoService.rsaDecrypt(response.key, this.authRequestKeyPair[1]);
-    const decMasterPasswordHash = await this.cryptoService.rsaDecrypt(
-      response.masterPasswordHash,
-      this.authRequestKeyPair[1]
-    );
-    const key = new SymmetricCryptoKey(decKey);
-    const localHashedPassword = Utils.fromBufferToUtf8(decMasterPasswordHash);
-
-    return new PasswordlessLogInCredentials(
-      this.email,
-      this.passwordlessRequest.accessCode,
-      requestId,
-      key,
-      localHashedPassword
-    );
+    if (this.onSuccessfulLogin != null) {
+      this.onSuccessfulLogin();
+    }
+    if (this.onSuccessfulLoginNavigate != null) {
+      this.onSuccessfulLoginNavigate();
+    } else {
+      this.router.navigate([this.successRoute]);
+    }
   }
 }
diff --git a/libs/angular/src/auth/components/login.component.ts b/libs/angular/src/auth/components/login.component.ts
index f5a7a27af4..33b3dc2364 100644
--- a/libs/angular/src/auth/components/login.component.ts
+++ b/libs/angular/src/auth/components/login.component.ts
@@ -3,8 +3,8 @@ import { FormBuilder, Validators } from "@angular/forms";
 import { ActivatedRoute, Router } from "@angular/router";
 import { take } from "rxjs/operators";
 
-import { DevicesApiServiceAbstraction } from "@bitwarden/common/abstractions/devices/devices-api.service.abstraction";
 import { AuthService } from "@bitwarden/common/auth/abstractions/auth.service";
+import { DevicesApiServiceAbstraction } from "@bitwarden/common/auth/abstractions/devices-api.service.abstraction";
 import { LoginService } from "@bitwarden/common/auth/abstractions/login.service";
 import { AuthResult } from "@bitwarden/common/auth/models/domain/auth-result";
 import { ForceResetPasswordReason } from "@bitwarden/common/auth/models/domain/force-reset-password-reason";
diff --git a/libs/angular/src/auth/components/sso.component.spec.ts b/libs/angular/src/auth/components/sso.component.spec.ts
new file mode 100644
index 0000000000..68c41b6611
--- /dev/null
+++ b/libs/angular/src/auth/components/sso.component.spec.ts
@@ -0,0 +1,567 @@
+import { Component } from "@angular/core";
+import { ComponentFixture, TestBed } from "@angular/core/testing";
+import { ActivatedRoute, Router } from "@angular/router";
+import { MockProxy, mock } from "jest-mock-extended";
+import { Observable, of } from "rxjs";
+
+import { ApiService } from "@bitwarden/common/abstractions/api.service";
+import { AuthService } from "@bitwarden/common/auth/abstractions/auth.service";
+import { TwoFactorProviderType } from "@bitwarden/common/auth/enums/two-factor-provider-type";
+import { AuthResult } from "@bitwarden/common/auth/models/domain/auth-result";
+import { ForceResetPasswordReason } from "@bitwarden/common/auth/models/domain/force-reset-password-reason";
+import { KeyConnectorUserDecryptionOption } from "@bitwarden/common/auth/models/domain/user-decryption-options/key-connector-user-decryption-option";
+import { TrustedDeviceUserDecryptionOption } from "@bitwarden/common/auth/models/domain/user-decryption-options/trusted-device-user-decryption-option";
+import { ConfigServiceAbstraction } from "@bitwarden/common/platform/abstractions/config/config.service.abstraction";
+import { CryptoFunctionService } from "@bitwarden/common/platform/abstractions/crypto-function.service";
+import { EnvironmentService } from "@bitwarden/common/platform/abstractions/environment.service";
+import { I18nService } from "@bitwarden/common/platform/abstractions/i18n.service";
+import { LogService } from "@bitwarden/common/platform/abstractions/log.service";
+import { PlatformUtilsService } from "@bitwarden/common/platform/abstractions/platform-utils.service";
+import { StateService } from "@bitwarden/common/platform/abstractions/state.service";
+import { AccountDecryptionOptions } from "@bitwarden/common/platform/models/domain/account";
+import { PasswordGenerationServiceAbstraction } from "@bitwarden/common/tools/generator/password";
+
+import { SsoComponent } from "./sso.component";
+// test component that extends the SsoComponent
+@Component({})
+class TestSsoComponent extends SsoComponent {}
+
+interface SsoComponentProtected {
+  twoFactorRoute: string;
+  successRoute: string;
+  trustedDeviceEncRoute: string;
+  changePasswordRoute: string;
+  forcePasswordResetRoute: string;
+  logIn(code: string, codeVerifier: string, orgIdFromState: string): Promise<AuthResult>;
+  handleLoginError(e: any): Promise<void>;
+}
+
+// The ideal scenario would be to not have to test the protected / private methods of the SsoComponent
+// but that will require a refactor of the SsoComponent class which is out of scope for now.
+// This test suite allows us to be sure that the new Trusted Device encryption flows + mild refactors
+// of the SsoComponent don't break the existing post login flows.
+describe("SsoComponent", () => {
+  let component: TestSsoComponent;
+  let _component: SsoComponentProtected;
+  let fixture: ComponentFixture<TestSsoComponent>;
+
+  // Mock Services
+  let mockAuthService: MockProxy<AuthService>;
+  let mockRouter: MockProxy<Router>;
+  let mockI18nService: MockProxy<I18nService>;
+
+  let mockQueryParams: Observable<any>;
+  let mockActivatedRoute: ActivatedRoute;
+
+  let mockStateService: MockProxy<StateService>;
+  let mockPlatformUtilsService: MockProxy<PlatformUtilsService>;
+  let mockApiService: MockProxy<ApiService>;
+  let mockCryptoFunctionService: MockProxy<CryptoFunctionService>;
+  let mockEnvironmentService: MockProxy<EnvironmentService>;
+  let mockPasswordGenerationService: MockProxy<PasswordGenerationServiceAbstraction>;
+  let mockLogService: MockProxy<LogService>;
+  let mockConfigService: MockProxy<ConfigServiceAbstraction>;
+
+  // Mock authService.logIn params
+  let code: string;
+  let codeVerifier: string;
+  let orgIdFromState: string;
+
+  // Mock component callbacks
+  let mockOnSuccessfulLogin: jest.Mock;
+  let mockOnSuccessfulLoginNavigate: jest.Mock;
+  let mockOnSuccessfulLoginTwoFactorNavigate: jest.Mock;
+  let mockOnSuccessfulLoginChangePasswordNavigate: jest.Mock;
+  let mockOnSuccessfulLoginForceResetNavigate: jest.Mock;
+  let mockOnSuccessfulLoginTdeNavigate: jest.Mock;
+
+  let mockAcctDecryptionOpts: {
+    noMasterPassword: AccountDecryptionOptions;
+    withMasterPassword: AccountDecryptionOptions;
+    withMasterPasswordAndTrustedDevice: AccountDecryptionOptions;
+    withMasterPasswordAndTrustedDeviceWithManageResetPassword: AccountDecryptionOptions;
+    withMasterPasswordAndKeyConnector: AccountDecryptionOptions;
+    noMasterPasswordWithTrustedDevice: AccountDecryptionOptions;
+    noMasterPasswordWithTrustedDeviceWithManageResetPassword: AccountDecryptionOptions;
+    noMasterPasswordWithKeyConnector: AccountDecryptionOptions;
+  };
+
+  beforeEach(() => {
+    // Mock Services
+    mockAuthService = mock<AuthService>();
+    mockRouter = mock<Router>();
+    mockI18nService = mock<I18nService>();
+
+    // Default mockQueryParams
+    mockQueryParams = of({ code: "code", state: "state" });
+    // Create a custom mock for ActivatedRoute with mock queryParams
+    mockActivatedRoute = {
+      queryParams: mockQueryParams,
+    } as any as ActivatedRoute;
+
+    mockStateService = mock<StateService>();
+    mockPlatformUtilsService = mock<PlatformUtilsService>();
+    mockApiService = mock<ApiService>();
+    mockCryptoFunctionService = mock<CryptoFunctionService>();
+    mockEnvironmentService = mock<EnvironmentService>();
+    mockPasswordGenerationService = mock<PasswordGenerationServiceAbstraction>();
+    mockLogService = mock<LogService>();
+    mockConfigService = mock<ConfigServiceAbstraction>();
+
+    // Mock authService.logIn params
+    code = "code";
+    codeVerifier = "codeVerifier";
+    orgIdFromState = "orgIdFromState";
+
+    // Mock component callbacks
+    mockOnSuccessfulLogin = jest.fn();
+    mockOnSuccessfulLoginNavigate = jest.fn();
+    mockOnSuccessfulLoginTwoFactorNavigate = jest.fn();
+    mockOnSuccessfulLoginChangePasswordNavigate = jest.fn();
+    mockOnSuccessfulLoginForceResetNavigate = jest.fn();
+    mockOnSuccessfulLoginTdeNavigate = jest.fn();
+
+    mockAcctDecryptionOpts = {
+      noMasterPassword: new AccountDecryptionOptions({
+        hasMasterPassword: false,
+        trustedDeviceOption: undefined,
+        keyConnectorOption: undefined,
+      }),
+      withMasterPassword: new AccountDecryptionOptions({
+        hasMasterPassword: true,
+        trustedDeviceOption: undefined,
+        keyConnectorOption: undefined,
+      }),
+      withMasterPasswordAndTrustedDevice: new AccountDecryptionOptions({
+        hasMasterPassword: true,
+        trustedDeviceOption: new TrustedDeviceUserDecryptionOption(true, false, false),
+        keyConnectorOption: undefined,
+      }),
+      withMasterPasswordAndTrustedDeviceWithManageResetPassword: new AccountDecryptionOptions({
+        hasMasterPassword: true,
+        trustedDeviceOption: new TrustedDeviceUserDecryptionOption(true, false, true),
+        keyConnectorOption: undefined,
+      }),
+      withMasterPasswordAndKeyConnector: new AccountDecryptionOptions({
+        hasMasterPassword: true,
+        trustedDeviceOption: undefined,
+        keyConnectorOption: new KeyConnectorUserDecryptionOption("http://example.com"),
+      }),
+      noMasterPasswordWithTrustedDevice: new AccountDecryptionOptions({
+        hasMasterPassword: false,
+        trustedDeviceOption: new TrustedDeviceUserDecryptionOption(true, false, false),
+        keyConnectorOption: undefined,
+      }),
+      noMasterPasswordWithTrustedDeviceWithManageResetPassword: new AccountDecryptionOptions({
+        hasMasterPassword: false,
+        trustedDeviceOption: new TrustedDeviceUserDecryptionOption(true, false, true),
+        keyConnectorOption: undefined,
+      }),
+      noMasterPasswordWithKeyConnector: new AccountDecryptionOptions({
+        hasMasterPassword: false,
+        trustedDeviceOption: undefined,
+        keyConnectorOption: new KeyConnectorUserDecryptionOption("http://example.com"),
+      }),
+    };
+
+    TestBed.configureTestingModule({
+      declarations: [TestSsoComponent],
+      providers: [
+        { provide: AuthService, useValue: mockAuthService },
+        { provide: Router, useValue: mockRouter },
+        { provide: I18nService, useValue: mockI18nService },
+        { provide: ActivatedRoute, useValue: mockActivatedRoute },
+        { provide: StateService, useValue: mockStateService },
+        { provide: PlatformUtilsService, useValue: mockPlatformUtilsService },
+
+        { provide: ApiService, useValue: mockApiService },
+        { provide: CryptoFunctionService, useValue: mockCryptoFunctionService },
+        { provide: EnvironmentService, useValue: mockEnvironmentService },
+        { provide: PasswordGenerationServiceAbstraction, useValue: mockPasswordGenerationService },
+
+        { provide: LogService, useValue: mockLogService },
+        { provide: ConfigServiceAbstraction, useValue: mockConfigService },
+      ],
+    });
+
+    fixture = TestBed.createComponent(TestSsoComponent);
+    component = fixture.componentInstance;
+    _component = component as any;
+  });
+
+  afterEach(() => {
+    // Reset all mocks after each test
+    jest.resetAllMocks();
+  });
+
+  it("should create", () => {
+    expect(component).toBeTruthy();
+  });
+
+  describe("navigateViaCallbackOrRoute(...)", () => {
+    it("calls the provided callback when callback is defined", async () => {
+      const callback = jest.fn().mockResolvedValue(null);
+      const commands = ["some", "route"];
+
+      await (component as any).navigateViaCallbackOrRoute(callback, commands);
+
+      expect(callback).toHaveBeenCalledTimes(1);
+      expect(mockRouter.navigate).not.toHaveBeenCalled();
+    });
+
+    it("calls router.navigate when callback is not defined", async () => {
+      const commands = ["some", "route"];
+
+      await (component as any).navigateViaCallbackOrRoute(undefined, commands);
+
+      expect(mockRouter.navigate).toHaveBeenCalledTimes(1);
+      expect(mockRouter.navigate).toHaveBeenCalledWith(commands, undefined);
+    });
+  });
+
+  describe("logIn(...)", () => {
+    describe("2FA scenarios", () => {
+      beforeEach(() => {
+        const authResult = new AuthResult();
+        authResult.twoFactorProviders = new Map([[TwoFactorProviderType.Authenticator, {}]]);
+
+        // use standard user with MP because this test is not concerned with password reset.
+        mockStateService.getAccountDecryptionOptions.mockResolvedValue(
+          mockAcctDecryptionOpts.withMasterPassword
+        );
+
+        mockAuthService.logIn.mockResolvedValue(authResult);
+      });
+
+      it("calls authService.logIn and navigates to the component's defined 2FA route when the auth result requires 2FA and onSuccessfulLoginTwoFactorNavigate is not defined", async () => {
+        await _component.logIn(code, codeVerifier, orgIdFromState);
+        expect(mockAuthService.logIn).toHaveBeenCalledTimes(1);
+
+        expect(mockOnSuccessfulLoginTwoFactorNavigate).not.toHaveBeenCalled();
+
+        expect(mockRouter.navigate).toHaveBeenCalledTimes(1);
+        expect(mockRouter.navigate).toHaveBeenCalledWith([_component.twoFactorRoute], {
+          queryParams: {
+            identifier: orgIdFromState,
+            sso: "true",
+          },
+        });
+
+        expect(mockLogService.error).not.toHaveBeenCalled();
+      });
+
+      it("calls onSuccessfulLoginTwoFactorNavigate instead of router.navigate when response.requiresTwoFactor is true and the callback is defined", async () => {
+        mockOnSuccessfulLoginTwoFactorNavigate = jest.fn().mockResolvedValue(null);
+        component.onSuccessfulLoginTwoFactorNavigate = mockOnSuccessfulLoginTwoFactorNavigate;
+
+        await _component.logIn(code, codeVerifier, orgIdFromState);
+
+        expect(mockAuthService.logIn).toHaveBeenCalledTimes(1);
+        expect(mockOnSuccessfulLoginTwoFactorNavigate).toHaveBeenCalledTimes(1);
+        expect(mockRouter.navigate).not.toHaveBeenCalled();
+        expect(mockLogService.error).not.toHaveBeenCalled();
+      });
+    });
+
+    // Shared test helpers
+    const testChangePasswordOnSuccessfulLogin = () => {
+      it("navigates to the component's defined change password route when onSuccessfulLoginChangePasswordNavigate callback is undefined", async () => {
+        await _component.logIn(code, codeVerifier, orgIdFromState);
+        expect(mockAuthService.logIn).toHaveBeenCalledTimes(1);
+
+        expect(mockOnSuccessfulLoginChangePasswordNavigate).not.toHaveBeenCalled();
+
+        expect(mockRouter.navigate).toHaveBeenCalledTimes(1);
+        expect(mockRouter.navigate).toHaveBeenCalledWith([_component.changePasswordRoute], {
+          queryParams: {
+            identifier: orgIdFromState,
+          },
+        });
+
+        expect(mockLogService.error).not.toHaveBeenCalled();
+      });
+    };
+
+    const testOnSuccessfulLoginChangePasswordNavigate = () => {
+      it("calls onSuccessfulLoginChangePasswordNavigate instead of router.navigate when the callback is defined", async () => {
+        mockOnSuccessfulLoginChangePasswordNavigate = jest.fn().mockResolvedValue(null);
+        component.onSuccessfulLoginChangePasswordNavigate =
+          mockOnSuccessfulLoginChangePasswordNavigate;
+
+        await _component.logIn(code, codeVerifier, orgIdFromState);
+
+        expect(mockAuthService.logIn).toHaveBeenCalledTimes(1);
+        expect(mockOnSuccessfulLoginChangePasswordNavigate).toHaveBeenCalledTimes(1);
+        expect(mockRouter.navigate).not.toHaveBeenCalled();
+        expect(mockLogService.error).not.toHaveBeenCalled();
+      });
+    };
+
+    const testForceResetOnSuccessfulLogin = (reasonString: string) => {
+      it(`navigates to the component's defined forcePasswordResetRoute when response.forcePasswordReset is ${reasonString}`, async () => {
+        await _component.logIn(code, codeVerifier, orgIdFromState);
+
+        expect(mockAuthService.logIn).toHaveBeenCalledTimes(1);
+
+        expect(mockOnSuccessfulLoginForceResetNavigate).not.toHaveBeenCalled();
+
+        expect(mockRouter.navigate).toHaveBeenCalledTimes(1);
+        expect(mockRouter.navigate).toHaveBeenCalledWith([_component.forcePasswordResetRoute], {
+          queryParams: {
+            identifier: orgIdFromState,
+          },
+        });
+        expect(mockLogService.error).not.toHaveBeenCalled();
+      });
+    };
+
+    const testOnSuccessfulLoginForceResetNavigate = (reasonString: string) => {
+      it(`calls onSuccessfulLoginForceResetNavigate instead of router.navigate when response.forcePasswordReset is ${reasonString} and the callback is defined`, async () => {
+        mockOnSuccessfulLoginForceResetNavigate = jest.fn().mockResolvedValue(null);
+        component.onSuccessfulLoginForceResetNavigate = mockOnSuccessfulLoginForceResetNavigate;
+
+        await _component.logIn(code, codeVerifier, orgIdFromState);
+
+        expect(mockAuthService.logIn).toHaveBeenCalledTimes(1);
+        expect(mockOnSuccessfulLoginForceResetNavigate).toHaveBeenCalledTimes(1);
+        expect(mockRouter.navigate).not.toHaveBeenCalled();
+        expect(mockLogService.error).not.toHaveBeenCalled();
+      });
+    };
+
+    describe("Trusted Device Encryption scenarios", () => {
+      beforeEach(() => {
+        mockConfigService.getFeatureFlagBool.mockResolvedValue(true); // TDE enabled
+      });
+
+      describe("Given Trusted Device Encryption is enabled and user needs to set a master password", () => {
+        let authResult;
+        beforeEach(() => {
+          mockStateService.getAccountDecryptionOptions.mockResolvedValue(
+            mockAcctDecryptionOpts.noMasterPasswordWithTrustedDeviceWithManageResetPassword
+          );
+
+          authResult = new AuthResult();
+          mockAuthService.logIn.mockResolvedValue(authResult);
+        });
+
+        testChangePasswordOnSuccessfulLogin();
+        testOnSuccessfulLoginChangePasswordNavigate();
+      });
+
+      describe("Given Trusted Device Encryption is enabled, user doesn't need to set a MP, and forcePasswordReset is required", () => {
+        [
+          ForceResetPasswordReason.AdminForcePasswordReset,
+          ForceResetPasswordReason.WeakMasterPassword,
+        ].forEach((forceResetPasswordReason) => {
+          const reasonString = ForceResetPasswordReason[forceResetPasswordReason];
+          let authResult;
+          beforeEach(() => {
+            mockStateService.getAccountDecryptionOptions.mockResolvedValue(
+              mockAcctDecryptionOpts.withMasterPasswordAndTrustedDevice
+            );
+
+            authResult = new AuthResult();
+            authResult.forcePasswordReset = ForceResetPasswordReason.AdminForcePasswordReset;
+            mockAuthService.logIn.mockResolvedValue(authResult);
+          });
+
+          testForceResetOnSuccessfulLogin(reasonString);
+          testOnSuccessfulLoginForceResetNavigate(reasonString);
+        });
+      });
+
+      describe("Given Trusted Device Encryption is enabled, user doesn't need to set a MP, and forcePasswordReset is not required", () => {
+        let authResult;
+        beforeEach(() => {
+          mockStateService.getAccountDecryptionOptions.mockResolvedValue(
+            mockAcctDecryptionOpts.withMasterPasswordAndTrustedDevice
+          );
+
+          authResult = new AuthResult();
+          authResult.forcePasswordReset = ForceResetPasswordReason.None;
+          mockAuthService.logIn.mockResolvedValue(authResult);
+        });
+
+        it("navigates to the component's defined trusted device encryption route when login is successful and no callback is defined", async () => {
+          await _component.logIn(code, codeVerifier, orgIdFromState);
+
+          expect(mockAuthService.logIn).toHaveBeenCalledTimes(1);
+          expect(mockRouter.navigate).toHaveBeenCalledTimes(1);
+          expect(mockRouter.navigate).toHaveBeenCalledWith(
+            [_component.trustedDeviceEncRoute],
+            undefined
+          );
+          expect(mockLogService.error).not.toHaveBeenCalled();
+        });
+
+        it("calls onSuccessfulLoginTdeNavigate instead of router.navigate when the callback is defined", async () => {
+          mockOnSuccessfulLoginTdeNavigate = jest.fn().mockResolvedValue(null);
+          component.onSuccessfulLoginTdeNavigate = mockOnSuccessfulLoginTdeNavigate;
+
+          await _component.logIn(code, codeVerifier, orgIdFromState);
+
+          expect(mockAuthService.logIn).toHaveBeenCalledTimes(1);
+
+          expect(mockOnSuccessfulLoginTdeNavigate).toHaveBeenCalledTimes(1);
+
+          expect(mockRouter.navigate).not.toHaveBeenCalled();
+          expect(mockLogService.error).not.toHaveBeenCalled();
+        });
+      });
+    });
+
+    describe("Set Master Password scenarios", () => {
+      beforeEach(() => {
+        const authResult = new AuthResult();
+        mockAuthService.logIn.mockResolvedValue(authResult);
+      });
+
+      describe("Given user needs to set a master password", () => {
+        beforeEach(() => {
+          // Only need to test the case where the user has no master password to test the primary change mp flow here
+          mockStateService.getAccountDecryptionOptions.mockResolvedValue(
+            mockAcctDecryptionOpts.noMasterPassword
+          );
+        });
+
+        testChangePasswordOnSuccessfulLogin();
+        testOnSuccessfulLoginChangePasswordNavigate();
+      });
+
+      it("does not navigate to the change password route when the user has key connector even if user has no master password", async () => {
+        mockStateService.getAccountDecryptionOptions.mockResolvedValue(
+          mockAcctDecryptionOpts.noMasterPasswordWithKeyConnector
+        );
+
+        await _component.logIn(code, codeVerifier, orgIdFromState);
+        expect(mockAuthService.logIn).toHaveBeenCalledTimes(1);
+
+        expect(mockOnSuccessfulLoginChangePasswordNavigate).not.toHaveBeenCalled();
+        expect(mockRouter.navigate).not.toHaveBeenCalledWith([_component.changePasswordRoute], {
+          queryParams: {
+            identifier: orgIdFromState,
+          },
+        });
+      });
+    });
+
+    describe("Force Master Password Reset scenarios", () => {
+      [
+        ForceResetPasswordReason.AdminForcePasswordReset,
+        ForceResetPasswordReason.WeakMasterPassword,
+      ].forEach((forceResetPasswordReason) => {
+        const reasonString = ForceResetPasswordReason[forceResetPasswordReason];
+
+        beforeEach(() => {
+          // use standard user with MP because this test is not concerned with password reset.
+          mockStateService.getAccountDecryptionOptions.mockResolvedValue(
+            mockAcctDecryptionOpts.withMasterPassword
+          );
+
+          const authResult = new AuthResult();
+          authResult.forcePasswordReset = forceResetPasswordReason;
+          mockAuthService.logIn.mockResolvedValue(authResult);
+        });
+
+        testForceResetOnSuccessfulLogin(reasonString);
+        testOnSuccessfulLoginForceResetNavigate(reasonString);
+      });
+    });
+
+    describe("Success scenarios", () => {
+      beforeEach(() => {
+        const authResult = new AuthResult();
+        authResult.twoFactorProviders = null;
+        // use standard user with MP because this test is not concerned with password reset.
+        mockStateService.getAccountDecryptionOptions.mockResolvedValue(
+          mockAcctDecryptionOpts.withMasterPassword
+        );
+        authResult.forcePasswordReset = ForceResetPasswordReason.None;
+        mockAuthService.logIn.mockResolvedValue(authResult);
+      });
+
+      it("calls authService.logIn and navigates to the component's defined success route when the login is successful", async () => {
+        await _component.logIn(code, codeVerifier, orgIdFromState);
+
+        expect(mockAuthService.logIn).toHaveBeenCalled();
+
+        expect(mockOnSuccessfulLoginNavigate).not.toHaveBeenCalled();
+        expect(mockOnSuccessfulLogin).not.toHaveBeenCalled();
+
+        expect(mockRouter.navigate).toHaveBeenCalledTimes(1);
+        expect(mockRouter.navigate).toHaveBeenCalledWith([_component.successRoute], undefined);
+        expect(mockLogService.error).not.toHaveBeenCalled();
+      });
+
+      it("calls onSuccessfulLogin if defined when login is successful", async () => {
+        mockOnSuccessfulLogin = jest.fn().mockResolvedValue(null);
+        component.onSuccessfulLogin = mockOnSuccessfulLogin;
+
+        await _component.logIn(code, codeVerifier, orgIdFromState);
+
+        expect(mockAuthService.logIn).toHaveBeenCalled();
+        expect(mockOnSuccessfulLogin).toHaveBeenCalledTimes(1);
+
+        expect(mockOnSuccessfulLoginNavigate).not.toHaveBeenCalled();
+
+        expect(mockRouter.navigate).toHaveBeenCalledTimes(1);
+        expect(mockRouter.navigate).toHaveBeenCalledWith([_component.successRoute], undefined);
+
+        expect(mockLogService.error).not.toHaveBeenCalled();
+      });
+
+      it("calls onSuccessfulLoginNavigate instead of router.navigate when login is successful and the callback is defined", async () => {
+        mockOnSuccessfulLoginNavigate = jest.fn().mockResolvedValue(null);
+        component.onSuccessfulLoginNavigate = mockOnSuccessfulLoginNavigate;
+
+        await _component.logIn(code, codeVerifier, orgIdFromState);
+
+        expect(mockAuthService.logIn).toHaveBeenCalled();
+
+        expect(mockOnSuccessfulLoginNavigate).toHaveBeenCalledTimes(1);
+
+        expect(mockRouter.navigate).not.toHaveBeenCalled();
+
+        expect(mockLogService.error).not.toHaveBeenCalled();
+      });
+    });
+
+    describe("Error scenarios", () => {
+      it("calls handleLoginError when an error is thrown during logIn", async () => {
+        const errorMessage = "Key Connector error";
+        const error = new Error(errorMessage);
+        mockAuthService.logIn.mockRejectedValue(error);
+
+        const handleLoginErrorSpy = jest.spyOn(_component, "handleLoginError");
+
+        await _component.logIn(code, codeVerifier, orgIdFromState);
+
+        expect(handleLoginErrorSpy).toHaveBeenCalledWith(error);
+      });
+    });
+  });
+
+  describe("handleLoginError(e)", () => {
+    it("logs the error and shows a toast when the error message is 'Key Connector error'", async () => {
+      const errorMessage = "Key Connector error";
+      const error = new Error(errorMessage);
+
+      mockI18nService.t.mockReturnValueOnce("ssoKeyConnectorError");
+
+      await _component.handleLoginError(error);
+
+      expect(mockLogService.error).toHaveBeenCalledTimes(1);
+      expect(mockLogService.error).toHaveBeenCalledWith(error);
+
+      expect(mockPlatformUtilsService.showToast).toHaveBeenCalledTimes(1);
+      expect(mockPlatformUtilsService.showToast).toHaveBeenCalledWith(
+        "error",
+        null,
+        "ssoKeyConnectorError"
+      );
+
+      expect(mockRouter.navigate).not.toHaveBeenCalled();
+    });
+  });
+});
diff --git a/libs/angular/src/auth/components/sso.component.ts b/libs/angular/src/auth/components/sso.component.ts
index 93f40d861d..8030e880a5 100644
--- a/libs/angular/src/auth/components/sso.component.ts
+++ b/libs/angular/src/auth/components/sso.component.ts
@@ -1,5 +1,5 @@
 import { Directive } from "@angular/core";
-import { ActivatedRoute, Router } from "@angular/router";
+import { ActivatedRoute, NavigationExtras, Router } from "@angular/router";
 import { first } from "rxjs/operators";
 
 import { ApiService } from "@bitwarden/common/abstractions/api.service";
@@ -7,7 +7,10 @@ import { AuthService } from "@bitwarden/common/auth/abstractions/auth.service";
 import { AuthResult } from "@bitwarden/common/auth/models/domain/auth-result";
 import { ForceResetPasswordReason } from "@bitwarden/common/auth/models/domain/force-reset-password-reason";
 import { SsoLogInCredentials } from "@bitwarden/common/auth/models/domain/log-in-credentials";
+import { TrustedDeviceUserDecryptionOption } from "@bitwarden/common/auth/models/domain/user-decryption-options/trusted-device-user-decryption-option";
 import { SsoPreValidateResponse } from "@bitwarden/common/auth/models/response/sso-pre-validate.response";
+import { FeatureFlag } from "@bitwarden/common/enums/feature-flag.enum";
+import { ConfigServiceAbstraction } from "@bitwarden/common/platform/abstractions/config/config.service.abstraction";
 import { CryptoFunctionService } from "@bitwarden/common/platform/abstractions/crypto-function.service";
 import { EnvironmentService } from "@bitwarden/common/platform/abstractions/environment.service";
 import { I18nService } from "@bitwarden/common/platform/abstractions/i18n.service";
@@ -15,6 +18,7 @@ import { LogService } from "@bitwarden/common/platform/abstractions/log.service"
 import { PlatformUtilsService } from "@bitwarden/common/platform/abstractions/platform-utils.service";
 import { StateService } from "@bitwarden/common/platform/abstractions/state.service";
 import { Utils } from "@bitwarden/common/platform/misc/utils";
+import { AccountDecryptionOptions } from "@bitwarden/common/platform/models/domain/account";
 import { PasswordGenerationServiceAbstraction } from "@bitwarden/common/tools/generator/password";
 
 @Directive()
@@ -24,14 +28,18 @@ export class SsoComponent {
 
   formPromise: Promise<AuthResult>;
   initiateSsoFormPromise: Promise<SsoPreValidateResponse>;
-  onSuccessfulLogin: () => Promise<any>;
-  onSuccessfulLoginNavigate: () => Promise<any>;
-  onSuccessfulLoginTwoFactorNavigate: () => Promise<any>;
-  onSuccessfulLoginChangePasswordNavigate: () => Promise<any>;
-  onSuccessfulLoginForceResetNavigate: () => Promise<any>;
+  onSuccessfulLogin: () => Promise<void>;
+  onSuccessfulLoginNavigate: () => Promise<void>;
+  onSuccessfulLoginTwoFactorNavigate: () => Promise<void>;
+  onSuccessfulLoginChangePasswordNavigate: () => Promise<void>;
+  onSuccessfulLoginForceResetNavigate: () => Promise<void>;
+
+  onSuccessfulLoginTde: () => Promise<void>;
+  onSuccessfulLoginTdeNavigate: () => Promise<void>;
 
   protected twoFactorRoute = "2fa";
   protected successRoute = "lock";
+  protected trustedDeviceEncRoute = "login-initiated";
   protected changePasswordRoute = "set-password";
   protected forcePasswordResetRoute = "update-temp-password";
   protected clientId: string;
@@ -50,7 +58,8 @@ export class SsoComponent {
     protected cryptoFunctionService: CryptoFunctionService,
     protected environmentService: EnvironmentService,
     protected passwordGenerationService: PasswordGenerationServiceAbstraction,
-    protected logService: LogService
+    protected logService: LogService,
+    protected configService: ConfigServiceAbstraction
   ) {}
 
   async ngOnInit() {
@@ -67,11 +76,12 @@ export class SsoComponent {
           state != null &&
           this.checkState(state, qParams.state)
         ) {
-          await this.logIn(
-            qParams.code,
-            codeVerifier,
-            this.getOrgIdentifierFromState(qParams.state)
-          );
+          // We are not using a query param to pass org identifier around specifically
+          // for the browser SSO case when it needs it on extension open after SSO success
+          // on the TDE login decryption options component
+          const ssoOrganizationIdentifier = this.getOrgIdentifierFromState(qParams.state);
+          await this.logIn(qParams.code, codeVerifier, ssoOrganizationIdentifier);
+          await this.stateService.setUserSsoOrganizationIdentifier(ssoOrganizationIdentifier);
         }
       } else if (
         qParams.clientId != null &&
@@ -173,67 +183,172 @@ export class SsoComponent {
     return authorizeUrl;
   }
 
-  private async logIn(code: string, codeVerifier: string, orgIdFromState: string) {
+  private async logIn(code: string, codeVerifier: string, orgIdentifier: string) {
     this.loggingIn = true;
     try {
       const credentials = new SsoLogInCredentials(
         code,
         codeVerifier,
         this.redirectUri,
-        orgIdFromState
+        orgIdentifier
       );
       this.formPromise = this.authService.logIn(credentials);
-      const response = await this.formPromise;
-      if (response.requiresTwoFactor) {
-        if (this.onSuccessfulLoginTwoFactorNavigate != null) {
-          await this.onSuccessfulLoginTwoFactorNavigate();
-        } else {
-          this.router.navigate([this.twoFactorRoute], {
-            queryParams: {
-              identifier: orgIdFromState,
-              sso: "true",
-            },
-          });
-        }
-      } else if (response.resetMasterPassword) {
-        if (this.onSuccessfulLoginChangePasswordNavigate != null) {
-          await this.onSuccessfulLoginChangePasswordNavigate();
-        } else {
-          this.router.navigate([this.changePasswordRoute], {
-            queryParams: {
-              identifier: orgIdFromState,
-            },
-          });
-        }
-      } else if (response.forcePasswordReset !== ForceResetPasswordReason.None) {
-        if (this.onSuccessfulLoginForceResetNavigate != null) {
-          await this.onSuccessfulLoginForceResetNavigate();
-        } else {
-          this.router.navigate([this.forcePasswordResetRoute]);
-        }
-      } else {
-        if (this.onSuccessfulLogin != null) {
-          await this.onSuccessfulLogin();
-        }
-        if (this.onSuccessfulLoginNavigate != null) {
-          await this.onSuccessfulLoginNavigate();
-        } else {
-          this.router.navigate([this.successRoute]);
-        }
-      }
-    } catch (e) {
-      this.logService.error(e);
+      const authResult = await this.formPromise;
 
-      // TODO: Key Connector Service should pass this error message to the logout callback instead of displaying here
-      if (e.message === "Key Connector error") {
-        this.platformUtilsService.showToast(
-          "error",
-          null,
-          this.i18nService.t("ssoKeyConnectorError")
+      const acctDecryptionOpts: AccountDecryptionOptions =
+        await this.stateService.getAccountDecryptionOptions();
+
+      if (authResult.requiresTwoFactor) {
+        return await this.handleTwoFactorRequired(orgIdentifier);
+      }
+
+      const tdeEnabled = await this.isTrustedDeviceEncEnabled(
+        acctDecryptionOpts.trustedDeviceOption
+      );
+
+      if (tdeEnabled) {
+        return await this.handleTrustedDeviceEncryptionEnabled(
+          authResult,
+          orgIdentifier,
+          acctDecryptionOpts
         );
       }
+
+      // In the standard, non TDE case, a user must set password if they don't
+      // have one and they aren't using key connector.
+      // Note: TDE & Key connector are mutually exclusive org config options.
+      const requireSetPassword =
+        !acctDecryptionOpts.hasMasterPassword &&
+        acctDecryptionOpts.keyConnectorOption === undefined;
+
+      if (requireSetPassword || authResult.resetMasterPassword) {
+        // Change implies going no password -> password in this case
+        return await this.handleChangePasswordRequired(orgIdentifier);
+      }
+
+      // Users can be forced to reset their password via an admin or org policy
+      // disallowing weak passwords
+      if (authResult.forcePasswordReset !== ForceResetPasswordReason.None) {
+        return await this.handleForcePasswordReset(orgIdentifier);
+      }
+
+      // Standard SSO login success case
+      return await this.handleSuccessfulLogin();
+    } catch (e) {
+      await this.handleLoginError(e);
+    }
+  }
+
+  private async isTrustedDeviceEncEnabled(
+    trustedDeviceOption: TrustedDeviceUserDecryptionOption
+  ): Promise<boolean> {
+    const trustedDeviceEncryptionFeatureActive = await this.configService.getFeatureFlagBool(
+      FeatureFlag.TrustedDeviceEncryption
+    );
+
+    return trustedDeviceEncryptionFeatureActive && trustedDeviceOption !== undefined;
+  }
+
+  private async handleTwoFactorRequired(orgIdentifier: string) {
+    await this.navigateViaCallbackOrRoute(
+      this.onSuccessfulLoginTwoFactorNavigate,
+      [this.twoFactorRoute],
+      {
+        queryParams: {
+          identifier: orgIdentifier,
+          sso: "true",
+        },
+      }
+    );
+  }
+
+  private async handleTrustedDeviceEncryptionEnabled(
+    authResult: AuthResult,
+    orgIdentifier: string,
+    acctDecryptionOpts: AccountDecryptionOptions
+  ): Promise<void> {
+    // If user doesn't have a MP, but has reset password permission, they must set a MP
+    if (
+      !acctDecryptionOpts.hasMasterPassword &&
+      acctDecryptionOpts.trustedDeviceOption.hasManageResetPasswordPermission
+    ) {
+      // Change implies going no password -> password in this case
+      return await this.handleChangePasswordRequired(orgIdentifier);
+    }
+
+    if (authResult.forcePasswordReset !== ForceResetPasswordReason.None) {
+      return await this.handleForcePasswordReset(orgIdentifier);
+    }
+
+    if (this.onSuccessfulLoginTde != null) {
+      // Don't await b/c causes hang on desktop & browser
+      this.onSuccessfulLoginTde();
+    }
+
+    this.navigateViaCallbackOrRoute(
+      this.onSuccessfulLoginTdeNavigate,
+      // Navigate to TDE page (if user was on trusted device and TDE has decrypted
+      //  their user key, the login-initiated guard will redirect them to the vault)
+      [this.trustedDeviceEncRoute]
+    );
+  }
+
+  private async handleChangePasswordRequired(orgIdentifier: string) {
+    await this.navigateViaCallbackOrRoute(
+      this.onSuccessfulLoginChangePasswordNavigate,
+      [this.changePasswordRoute],
+      {
+        queryParams: {
+          identifier: orgIdentifier,
+        },
+      }
+    );
+  }
+
+  private async handleForcePasswordReset(orgIdentifier: string) {
+    await this.navigateViaCallbackOrRoute(
+      this.onSuccessfulLoginForceResetNavigate,
+      [this.forcePasswordResetRoute],
+      {
+        queryParams: {
+          identifier: orgIdentifier,
+        },
+      }
+    );
+  }
+
+  private async handleSuccessfulLogin() {
+    if (this.onSuccessfulLogin != null) {
+      // Don't await b/c causes hang on desktop & browser
+      this.onSuccessfulLogin();
+    }
+
+    await this.navigateViaCallbackOrRoute(this.onSuccessfulLoginNavigate, [this.successRoute]);
+  }
+
+  private async handleLoginError(e: any) {
+    this.logService.error(e);
+
+    // TODO: Key Connector Service should pass this error message to the logout callback instead of displaying here
+    if (e.message === "Key Connector error") {
+      this.platformUtilsService.showToast(
+        "error",
+        null,
+        this.i18nService.t("ssoKeyConnectorError")
+      );
+    }
+  }
+
+  private async navigateViaCallbackOrRoute(
+    callback: () => Promise<unknown>,
+    commands: unknown[],
+    extras?: NavigationExtras
+  ): Promise<void> {
+    if (callback) {
+      await callback();
+    } else {
+      await this.router.navigate(commands, extras);
     }
-    this.loggingIn = false;
   }
 
   private getOrgIdentifierFromState(state: string): string {
diff --git a/libs/angular/src/auth/components/two-factor.component.spec.ts b/libs/angular/src/auth/components/two-factor.component.spec.ts
new file mode 100644
index 0000000000..470c9d4eb7
--- /dev/null
+++ b/libs/angular/src/auth/components/two-factor.component.spec.ts
@@ -0,0 +1,451 @@
+import { Component } from "@angular/core";
+import { ComponentFixture, TestBed } from "@angular/core/testing";
+import { ActivatedRoute, Router, convertToParamMap } from "@angular/router";
+import { MockProxy, mock } from "jest-mock-extended";
+
+// eslint-disable-next-line no-restricted-imports
+import { WINDOW } from "@bitwarden/angular/services/injection-tokens";
+import { ApiService } from "@bitwarden/common/abstractions/api.service";
+import { AuthService } from "@bitwarden/common/auth/abstractions/auth.service";
+import { LoginService } from "@bitwarden/common/auth/abstractions/login.service";
+import { TwoFactorService } from "@bitwarden/common/auth/abstractions/two-factor.service";
+import { AuthResult } from "@bitwarden/common/auth/models/domain/auth-result";
+import { ForceResetPasswordReason } from "@bitwarden/common/auth/models/domain/force-reset-password-reason";
+import { KeyConnectorUserDecryptionOption } from "@bitwarden/common/auth/models/domain/user-decryption-options/key-connector-user-decryption-option";
+import { TrustedDeviceUserDecryptionOption } from "@bitwarden/common/auth/models/domain/user-decryption-options/trusted-device-user-decryption-option";
+import { TokenTwoFactorRequest } from "@bitwarden/common/auth/models/request/identity-token/token-two-factor.request";
+import { AppIdService } from "@bitwarden/common/platform/abstractions/app-id.service";
+import { ConfigServiceAbstraction } from "@bitwarden/common/platform/abstractions/config/config.service.abstraction";
+import { EnvironmentService } from "@bitwarden/common/platform/abstractions/environment.service";
+import { I18nService } from "@bitwarden/common/platform/abstractions/i18n.service";
+import { LogService } from "@bitwarden/common/platform/abstractions/log.service";
+import { PlatformUtilsService } from "@bitwarden/common/platform/abstractions/platform-utils.service";
+import { StateService } from "@bitwarden/common/platform/abstractions/state.service";
+import { AccountDecryptionOptions } from "@bitwarden/common/platform/models/domain/account";
+
+import { TwoFactorComponent } from "./two-factor.component";
+
+// test component that extends the TwoFactorComponent
+@Component({})
+class TestTwoFactorComponent extends TwoFactorComponent {}
+
+interface TwoFactorComponentProtected {
+  trustedDeviceEncRoute: string;
+  changePasswordRoute: string;
+  forcePasswordResetRoute: string;
+  successRoute: string;
+}
+
+describe("TwoFactorComponent", () => {
+  let component: TestTwoFactorComponent;
+  let _component: TwoFactorComponentProtected;
+
+  let fixture: ComponentFixture<TestTwoFactorComponent>;
+
+  // Mock Services
+  let mockAuthService: MockProxy<AuthService>;
+  let mockRouter: MockProxy<Router>;
+  let mockI18nService: MockProxy<I18nService>;
+  let mockApiService: MockProxy<ApiService>;
+  let mockPlatformUtilsService: MockProxy<PlatformUtilsService>;
+  let mockWin: MockProxy<Window>;
+  let mockEnvironmentService: MockProxy<EnvironmentService>;
+  let mockStateService: MockProxy<StateService>;
+  let mockLogService: MockProxy<LogService>;
+  let mockTwoFactorService: MockProxy<TwoFactorService>;
+  let mockAppIdService: MockProxy<AppIdService>;
+  let mockLoginService: MockProxy<LoginService>;
+  let mockConfigService: MockProxy<ConfigServiceAbstraction>;
+
+  let mockAcctDecryptionOpts: {
+    noMasterPassword: AccountDecryptionOptions;
+    withMasterPassword: AccountDecryptionOptions;
+    withMasterPasswordAndTrustedDevice: AccountDecryptionOptions;
+    withMasterPasswordAndTrustedDeviceWithManageResetPassword: AccountDecryptionOptions;
+    withMasterPasswordAndKeyConnector: AccountDecryptionOptions;
+    noMasterPasswordWithTrustedDevice: AccountDecryptionOptions;
+    noMasterPasswordWithTrustedDeviceWithManageResetPassword: AccountDecryptionOptions;
+    noMasterPasswordWithKeyConnector: AccountDecryptionOptions;
+  };
+
+  beforeEach(() => {
+    mockAuthService = mock<AuthService>();
+    mockRouter = mock<Router>();
+    mockI18nService = mock<I18nService>();
+    mockApiService = mock<ApiService>();
+    mockPlatformUtilsService = mock<PlatformUtilsService>();
+    mockWin = mock<Window>();
+    mockEnvironmentService = mock<EnvironmentService>();
+    mockStateService = mock<StateService>();
+    mockLogService = mock<LogService>();
+    mockTwoFactorService = mock<TwoFactorService>();
+    mockAppIdService = mock<AppIdService>();
+    mockLoginService = mock<LoginService>();
+    mockConfigService = mock<ConfigServiceAbstraction>();
+
+    mockAcctDecryptionOpts = {
+      noMasterPassword: new AccountDecryptionOptions({
+        hasMasterPassword: false,
+        trustedDeviceOption: undefined,
+        keyConnectorOption: undefined,
+      }),
+      withMasterPassword: new AccountDecryptionOptions({
+        hasMasterPassword: true,
+        trustedDeviceOption: undefined,
+        keyConnectorOption: undefined,
+      }),
+      withMasterPasswordAndTrustedDevice: new AccountDecryptionOptions({
+        hasMasterPassword: true,
+        trustedDeviceOption: new TrustedDeviceUserDecryptionOption(true, false, false),
+        keyConnectorOption: undefined,
+      }),
+      withMasterPasswordAndTrustedDeviceWithManageResetPassword: new AccountDecryptionOptions({
+        hasMasterPassword: true,
+        trustedDeviceOption: new TrustedDeviceUserDecryptionOption(true, false, true),
+        keyConnectorOption: undefined,
+      }),
+      withMasterPasswordAndKeyConnector: new AccountDecryptionOptions({
+        hasMasterPassword: true,
+        trustedDeviceOption: undefined,
+        keyConnectorOption: new KeyConnectorUserDecryptionOption("http://example.com"),
+      }),
+      noMasterPasswordWithTrustedDevice: new AccountDecryptionOptions({
+        hasMasterPassword: false,
+        trustedDeviceOption: new TrustedDeviceUserDecryptionOption(true, false, false),
+        keyConnectorOption: undefined,
+      }),
+      noMasterPasswordWithTrustedDeviceWithManageResetPassword: new AccountDecryptionOptions({
+        hasMasterPassword: false,
+        trustedDeviceOption: new TrustedDeviceUserDecryptionOption(true, false, true),
+        keyConnectorOption: undefined,
+      }),
+      noMasterPasswordWithKeyConnector: new AccountDecryptionOptions({
+        hasMasterPassword: false,
+        trustedDeviceOption: undefined,
+        keyConnectorOption: new KeyConnectorUserDecryptionOption("http://example.com"),
+      }),
+    };
+
+    TestBed.configureTestingModule({
+      declarations: [TestTwoFactorComponent],
+      providers: [
+        { provide: AuthService, useValue: mockAuthService },
+        { provide: Router, useValue: mockRouter },
+        { provide: I18nService, useValue: mockI18nService },
+        { provide: ApiService, useValue: mockApiService },
+        { provide: PlatformUtilsService, useValue: mockPlatformUtilsService },
+        { provide: WINDOW, useValue: mockWin },
+        { provide: EnvironmentService, useValue: mockEnvironmentService },
+        { provide: StateService, useValue: mockStateService },
+        {
+          provide: ActivatedRoute,
+          useValue: {
+            snapshot: {
+              // Default to standard 2FA flow - not SSO + 2FA
+              queryParamMap: convertToParamMap({ sso: "false" }),
+            },
+          },
+        },
+        { provide: LogService, useValue: mockLogService },
+        { provide: TwoFactorService, useValue: mockTwoFactorService },
+        { provide: AppIdService, useValue: mockAppIdService },
+        { provide: LoginService, useValue: mockLoginService },
+        { provide: ConfigServiceAbstraction, useValue: mockConfigService },
+      ],
+    });
+
+    fixture = TestBed.createComponent(TestTwoFactorComponent);
+    component = fixture.componentInstance;
+    _component = component as any;
+  });
+
+  afterEach(() => {
+    // Reset all mocks after each test
+    jest.resetAllMocks();
+  });
+
+  it("should create", () => {
+    expect(component).toBeTruthy();
+  });
+
+  // Shared tests
+  const testChangePasswordOnSuccessfulLogin = () => {
+    it("navigates to the component's defined change password route when user doesn't have a MP and key connector isn't enabled", async () => {
+      // Act
+      await component.doSubmit();
+
+      // Assert
+      expect(mockRouter.navigate).toHaveBeenCalledTimes(1);
+      expect(mockRouter.navigate).toHaveBeenCalledWith([_component.changePasswordRoute], {
+        queryParams: {
+          identifier: component.orgIdentifier,
+        },
+      });
+    });
+  };
+
+  const testForceResetOnSuccessfulLogin = (reasonString: string) => {
+    it(`navigates to the component's defined forcePasswordResetRoute route when response.forcePasswordReset is ${reasonString}`, async () => {
+      // Act
+      await component.doSubmit();
+
+      // expect(mockRouter.navigate).toHaveBeenCalledTimes(1);
+      expect(mockRouter.navigate).toHaveBeenCalledWith([_component.forcePasswordResetRoute], {
+        queryParams: {
+          identifier: component.orgIdentifier,
+        },
+      });
+    });
+  };
+
+  describe("Standard 2FA scenarios", () => {
+    describe("doSubmit", () => {
+      const token = "testToken";
+      const remember = false;
+      const captchaToken = "testCaptchaToken";
+
+      beforeEach(() => {
+        component.token = token;
+        component.remember = remember;
+        component.captchaToken = captchaToken;
+
+        mockStateService.getAccountDecryptionOptions.mockResolvedValue(
+          mockAcctDecryptionOpts.withMasterPassword
+        );
+      });
+
+      it("calls authService.logInTwoFactor with correct parameters when form is submitted", async () => {
+        // Arrange
+        mockAuthService.logInTwoFactor.mockResolvedValue(new AuthResult());
+
+        // Act
+        await component.doSubmit();
+
+        // Assert
+        expect(mockAuthService.logInTwoFactor).toHaveBeenCalledWith(
+          new TokenTwoFactorRequest(component.selectedProviderType, token, remember),
+          captchaToken
+        );
+      });
+
+      it("should return when handleCaptchaRequired returns true", async () => {
+        // Arrange
+        const captchaSiteKey = "testCaptchaSiteKey";
+        const authResult = new AuthResult();
+        authResult.captchaSiteKey = captchaSiteKey;
+
+        mockAuthService.logInTwoFactor.mockResolvedValue(authResult);
+
+        // Note: the any casts are required b/c typescript cant recognize that
+        // handleCaptureRequired is a method on TwoFactorComponent b/c it is inherited
+        // from the CaptchaProtectedComponent
+        const handleCaptchaRequiredSpy = jest
+          .spyOn<any, any>(component, "handleCaptchaRequired")
+          .mockReturnValue(true);
+
+        // Act
+        const result = await component.doSubmit();
+
+        // Assert
+        expect(handleCaptchaRequiredSpy).toHaveBeenCalled();
+        expect(result).toBeUndefined();
+      });
+
+      it("calls onSuccessfulLogin when defined", async () => {
+        // Arrange
+        component.onSuccessfulLogin = jest.fn().mockResolvedValue(undefined);
+        mockAuthService.logInTwoFactor.mockResolvedValue(new AuthResult());
+
+        // Act
+        await component.doSubmit();
+
+        // Assert
+        expect(component.onSuccessfulLogin).toHaveBeenCalled();
+      });
+
+      it("calls loginService.clearValues() when login is successful", async () => {
+        // Arrange
+        mockAuthService.logInTwoFactor.mockResolvedValue(new AuthResult());
+        // spy on loginService.clearValues
+        const clearValuesSpy = jest.spyOn(mockLoginService, "clearValues");
+
+        // Act
+        await component.doSubmit();
+
+        // Assert
+        expect(clearValuesSpy).toHaveBeenCalled();
+      });
+
+      describe("Set Master Password scenarios", () => {
+        beforeEach(() => {
+          const authResult = new AuthResult();
+          mockAuthService.logInTwoFactor.mockResolvedValue(authResult);
+        });
+
+        describe("Given user needs to set a master password", () => {
+          beforeEach(() => {
+            // Only need to test the case where the user has no master password to test the primary change mp flow here
+            mockStateService.getAccountDecryptionOptions.mockResolvedValue(
+              mockAcctDecryptionOpts.noMasterPassword
+            );
+          });
+
+          testChangePasswordOnSuccessfulLogin();
+        });
+
+        it("does not navigate to the change password route when the user has key connector even if user has no master password", async () => {
+          mockStateService.getAccountDecryptionOptions.mockResolvedValue(
+            mockAcctDecryptionOpts.noMasterPasswordWithKeyConnector
+          );
+
+          await component.doSubmit();
+
+          expect(mockRouter.navigate).not.toHaveBeenCalledWith([_component.changePasswordRoute], {
+            queryParams: {
+              identifier: component.orgIdentifier,
+            },
+          });
+        });
+      });
+
+      describe("Force Master Password Reset scenarios", () => {
+        [
+          ForceResetPasswordReason.AdminForcePasswordReset,
+          ForceResetPasswordReason.WeakMasterPassword,
+        ].forEach((forceResetPasswordReason) => {
+          const reasonString = ForceResetPasswordReason[forceResetPasswordReason];
+
+          beforeEach(() => {
+            // use standard user with MP because this test is not concerned with password reset.
+            mockStateService.getAccountDecryptionOptions.mockResolvedValue(
+              mockAcctDecryptionOpts.withMasterPassword
+            );
+
+            const authResult = new AuthResult();
+            authResult.forcePasswordReset = forceResetPasswordReason;
+            mockAuthService.logInTwoFactor.mockResolvedValue(authResult);
+          });
+
+          testForceResetOnSuccessfulLogin(reasonString);
+        });
+      });
+
+      it("calls onSuccessfulLoginNavigate when the callback is defined", async () => {
+        // Arrange
+        component.onSuccessfulLoginNavigate = jest.fn().mockResolvedValue(undefined);
+        mockAuthService.logInTwoFactor.mockResolvedValue(new AuthResult());
+
+        // Act
+        await component.doSubmit();
+
+        // Assert
+        expect(component.onSuccessfulLoginNavigate).toHaveBeenCalled();
+      });
+
+      it("navigates to the component's defined success route when the login is successful and onSuccessfulLoginNavigate is undefined", async () => {
+        mockAuthService.logInTwoFactor.mockResolvedValue(new AuthResult());
+
+        // Act
+        await component.doSubmit();
+
+        // Assert
+        expect(component.onSuccessfulLoginNavigate).not.toBeDefined();
+
+        expect(mockRouter.navigate).toHaveBeenCalledTimes(1);
+        expect(mockRouter.navigate).toHaveBeenCalledWith([_component.successRoute], undefined);
+      });
+    });
+  });
+
+  describe("SSO > 2FA scenarios", () => {
+    beforeEach(() => {
+      const mockActivatedRoute = TestBed.inject(ActivatedRoute);
+      mockActivatedRoute.snapshot.queryParamMap.get = jest.fn().mockReturnValue("true");
+    });
+
+    describe("doSubmit", () => {
+      const token = "testToken";
+      const remember = false;
+      const captchaToken = "testCaptchaToken";
+
+      beforeEach(() => {
+        component.token = token;
+        component.remember = remember;
+        component.captchaToken = captchaToken;
+      });
+
+      describe("Trusted Device Encryption scenarios", () => {
+        beforeEach(() => {
+          mockConfigService.getFeatureFlagBool.mockResolvedValue(true);
+        });
+
+        describe("Given Trusted Device Encryption is enabled and user needs to set a master password", () => {
+          beforeEach(() => {
+            mockStateService.getAccountDecryptionOptions.mockResolvedValue(
+              mockAcctDecryptionOpts.noMasterPasswordWithTrustedDeviceWithManageResetPassword
+            );
+
+            const authResult = new AuthResult();
+            mockAuthService.logInTwoFactor.mockResolvedValue(authResult);
+          });
+
+          testChangePasswordOnSuccessfulLogin();
+        });
+
+        describe("Given Trusted Device Encryption is enabled, user doesn't need to set a MP, and forcePasswordReset is required", () => {
+          [
+            ForceResetPasswordReason.AdminForcePasswordReset,
+            ForceResetPasswordReason.WeakMasterPassword,
+          ].forEach((forceResetPasswordReason) => {
+            const reasonString = ForceResetPasswordReason[forceResetPasswordReason];
+
+            beforeEach(() => {
+              // use standard user with MP because this test is not concerned with password reset.
+              mockStateService.getAccountDecryptionOptions.mockResolvedValue(
+                mockAcctDecryptionOpts.withMasterPasswordAndTrustedDevice
+              );
+
+              const authResult = new AuthResult();
+              authResult.forcePasswordReset = forceResetPasswordReason;
+              mockAuthService.logInTwoFactor.mockResolvedValue(authResult);
+            });
+
+            testForceResetOnSuccessfulLogin(reasonString);
+          });
+        });
+
+        describe("Given Trusted Device Encryption is enabled, user doesn't need to set a MP, and forcePasswordReset is not required", () => {
+          let authResult;
+          beforeEach(() => {
+            mockStateService.getAccountDecryptionOptions.mockResolvedValue(
+              mockAcctDecryptionOpts.withMasterPasswordAndTrustedDevice
+            );
+
+            authResult = new AuthResult();
+            authResult.forcePasswordReset = ForceResetPasswordReason.None;
+            mockAuthService.logInTwoFactor.mockResolvedValue(authResult);
+          });
+
+          it("navigates to the component's defined trusted device encryption route when login is successful and onSuccessfulLoginTdeNavigate is undefined", async () => {
+            await component.doSubmit();
+
+            expect(mockRouter.navigate).toHaveBeenCalledTimes(1);
+            expect(mockRouter.navigate).toHaveBeenCalledWith(
+              [_component.trustedDeviceEncRoute],
+              undefined
+            );
+          });
+
+          it("calls onSuccessfulLoginTdeNavigate instead of router.navigate when the callback is defined", async () => {
+            component.onSuccessfulLoginTdeNavigate = jest.fn().mockResolvedValue(undefined);
+
+            await component.doSubmit();
+
+            expect(mockRouter.navigate).not.toHaveBeenCalled();
+            expect(component.onSuccessfulLoginTdeNavigate).toHaveBeenCalled();
+          });
+        });
+      });
+    });
+  });
+});
diff --git a/libs/angular/src/auth/components/two-factor.component.ts b/libs/angular/src/auth/components/two-factor.component.ts
index fa7aa66f9f..0a06d39315 100644
--- a/libs/angular/src/auth/components/two-factor.component.ts
+++ b/libs/angular/src/auth/components/two-factor.component.ts
@@ -1,8 +1,10 @@
-import { Directive, OnDestroy, OnInit } from "@angular/core";
-import { ActivatedRoute, Router } from "@angular/router";
+import { Directive, Inject, OnDestroy, OnInit } from "@angular/core";
+import { ActivatedRoute, NavigationExtras, Router } from "@angular/router";
 import * as DuoWebSDK from "duo_web_sdk";
 import { first } from "rxjs/operators";
 
+// eslint-disable-next-line no-restricted-imports
+import { WINDOW } from "@bitwarden/angular/services/injection-tokens";
 import { ApiService } from "@bitwarden/common/abstractions/api.service";
 import { AuthService } from "@bitwarden/common/auth/abstractions/auth.service";
 import { LoginService } from "@bitwarden/common/auth/abstractions/login.service";
@@ -10,16 +12,20 @@ import { TwoFactorService } from "@bitwarden/common/auth/abstractions/two-factor
 import { TwoFactorProviderType } from "@bitwarden/common/auth/enums/two-factor-provider-type";
 import { AuthResult } from "@bitwarden/common/auth/models/domain/auth-result";
 import { ForceResetPasswordReason } from "@bitwarden/common/auth/models/domain/force-reset-password-reason";
+import { TrustedDeviceUserDecryptionOption } from "@bitwarden/common/auth/models/domain/user-decryption-options/trusted-device-user-decryption-option";
 import { TokenTwoFactorRequest } from "@bitwarden/common/auth/models/request/identity-token/token-two-factor.request";
 import { TwoFactorEmailRequest } from "@bitwarden/common/auth/models/request/two-factor-email.request";
 import { TwoFactorProviders } from "@bitwarden/common/auth/services/two-factor.service";
 import { WebAuthnIFrame } from "@bitwarden/common/auth/webauthn-iframe";
+import { FeatureFlag } from "@bitwarden/common/enums/feature-flag.enum";
 import { AppIdService } from "@bitwarden/common/platform/abstractions/app-id.service";
+import { ConfigServiceAbstraction } from "@bitwarden/common/platform/abstractions/config/config.service.abstraction";
 import { EnvironmentService } from "@bitwarden/common/platform/abstractions/environment.service";
 import { I18nService } from "@bitwarden/common/platform/abstractions/i18n.service";
 import { LogService } from "@bitwarden/common/platform/abstractions/log.service";
 import { PlatformUtilsService } from "@bitwarden/common/platform/abstractions/platform-utils.service";
 import { StateService } from "@bitwarden/common/platform/abstractions/state.service";
+import { AccountDecryptionOptions } from "@bitwarden/common/platform/models/domain/account";
 
 import { CaptchaProtectedComponent } from "./captcha-protected.component";
 
@@ -38,11 +44,18 @@ export class TwoFactorComponent extends CaptchaProtectedComponent implements OnI
   twoFactorEmail: string = null;
   formPromise: Promise<any>;
   emailPromise: Promise<any>;
-  identifier: string = null;
-  onSuccessfulLogin: () => Promise<any>;
-  onSuccessfulLoginNavigate: () => Promise<any>;
+  orgIdentifier: string = null;
+  onSuccessfulLogin: () => Promise<void>;
+  onSuccessfulLoginNavigate: () => Promise<void>;
+
+  onSuccessfulLoginTde: () => Promise<void>;
+  onSuccessfulLoginTdeNavigate: () => Promise<void>;
 
   protected loginRoute = "login";
+
+  protected trustedDeviceEncRoute = "login-initiated";
+  protected changePasswordRoute = "set-password";
+  protected forcePasswordResetRoute = "update-temp-password";
   protected successRoute = "vault";
 
   constructor(
@@ -51,14 +64,15 @@ export class TwoFactorComponent extends CaptchaProtectedComponent implements OnI
     protected i18nService: I18nService,
     protected apiService: ApiService,
     protected platformUtilsService: PlatformUtilsService,
-    protected win: Window,
+    @Inject(WINDOW) protected win: Window,
     protected environmentService: EnvironmentService,
     protected stateService: StateService,
     protected route: ActivatedRoute,
     protected logService: LogService,
     protected twoFactorService: TwoFactorService,
     protected appIdService: AppIdService,
-    protected loginService: LoginService
+    protected loginService: LoginService,
+    protected configService: ConfigServiceAbstraction
   ) {
     super(environmentService, i18nService, platformUtilsService);
     this.webAuthnSupported = this.platformUtilsService.supportsWebAuthn(win);
@@ -72,7 +86,7 @@ export class TwoFactorComponent extends CaptchaProtectedComponent implements OnI
 
     this.route.queryParams.pipe(first()).subscribe((qParams) => {
       if (qParams.identifier != null) {
-        this.identifier = qParams.identifier;
+        this.orgIdentifier = qParams.identifier;
       }
     });
 
@@ -196,32 +210,132 @@ export class TwoFactorComponent extends CaptchaProtectedComponent implements OnI
       new TokenTwoFactorRequest(this.selectedProviderType, this.token, this.remember),
       this.captchaToken
     );
-    const response: AuthResult = await this.formPromise;
-    if (this.handleCaptchaRequired(response)) {
+    const authResult: AuthResult = await this.formPromise;
+
+    await this.handleLoginResponse(authResult);
+  }
+
+  private async handleLoginResponse(authResult: AuthResult) {
+    if (this.handleCaptchaRequired(authResult)) {
       return;
     }
-    if (this.onSuccessfulLogin != null) {
-      this.loginService.clearValues();
+
+    this.loginService.clearValues();
+
+    const acctDecryptionOpts: AccountDecryptionOptions =
+      await this.stateService.getAccountDecryptionOptions();
+
+    const tdeEnabled = await this.isTrustedDeviceEncEnabled(acctDecryptionOpts.trustedDeviceOption);
+
+    if (tdeEnabled) {
+      return await this.handleTrustedDeviceEncryptionEnabled(
+        authResult,
+        this.orgIdentifier,
+        acctDecryptionOpts
+      );
+    }
+
+    // User must set password if they don't have one and they aren't using either TDE or key connector.
+    const requireSetPassword =
+      !acctDecryptionOpts.hasMasterPassword && acctDecryptionOpts.keyConnectorOption === undefined;
+
+    if (requireSetPassword || authResult.resetMasterPassword) {
+      // Change implies going no password -> password in this case
+      return await this.handleChangePasswordRequired(this.orgIdentifier);
+    }
+
+    // Users can be forced to reset their password via an admin or org policy
+    // disallowing weak passwords
+    if (authResult.forcePasswordReset !== ForceResetPasswordReason.None) {
+      return await this.handleForcePasswordReset(this.orgIdentifier);
+    }
+
+    return await this.handleSuccessfulLogin();
+  }
+
+  private async isTrustedDeviceEncEnabled(
+    trustedDeviceOption: TrustedDeviceUserDecryptionOption
+  ): Promise<boolean> {
+    const ssoTo2faFlowActive = this.route.snapshot.queryParamMap.get("sso") === "true";
+    const trustedDeviceEncryptionFeatureActive = await this.configService.getFeatureFlagBool(
+      FeatureFlag.TrustedDeviceEncryption
+    );
+
+    return (
+      ssoTo2faFlowActive &&
+      trustedDeviceEncryptionFeatureActive &&
+      trustedDeviceOption !== undefined
+    );
+  }
+
+  private async handleTrustedDeviceEncryptionEnabled(
+    authResult: AuthResult,
+    orgIdentifier: string,
+    acctDecryptionOpts: AccountDecryptionOptions
+  ): Promise<void> {
+    // If user doesn't have a MP, but has reset password permission, they must set a MP
+    if (
+      !acctDecryptionOpts.hasMasterPassword &&
+      acctDecryptionOpts.trustedDeviceOption.hasManageResetPasswordPermission
+    ) {
+      // Change implies going no password -> password in this case
+      return await this.handleChangePasswordRequired(orgIdentifier);
+    }
+
+    // Users can be forced to reset their password via an admin or org policy
+    // disallowing weak passwords
+    if (authResult.forcePasswordReset !== ForceResetPasswordReason.None) {
+      return await this.handleForcePasswordReset(orgIdentifier);
+    }
+
+    if (this.onSuccessfulLoginTde != null) {
       // Note: awaiting this will currently cause a hang on desktop & browser as they will wait for a full sync to complete
-      // before nagivating to the success route.
+      // before navigating to the success route.
+      this.onSuccessfulLoginTde();
+    }
+
+    this.navigateViaCallbackOrRoute(
+      this.onSuccessfulLoginTdeNavigate,
+      // Navigate to TDE page (if user was on trusted device and TDE has decrypted
+      //  their user key, the login-initiated guard will redirect them to the vault)
+      [this.trustedDeviceEncRoute]
+    );
+  }
+
+  private async handleChangePasswordRequired(orgIdentifier: string) {
+    await this.router.navigate([this.changePasswordRoute], {
+      queryParams: {
+        identifier: orgIdentifier,
+      },
+    });
+  }
+
+  private async handleForcePasswordReset(orgIdentifier: string) {
+    this.router.navigate([this.forcePasswordResetRoute], {
+      queryParams: {
+        identifier: orgIdentifier,
+      },
+    });
+  }
+
+  private async handleSuccessfulLogin() {
+    if (this.onSuccessfulLogin != null) {
+      // Note: awaiting this will currently cause a hang on desktop & browser as they will wait for a full sync to complete
+      // before navigating to the success route.
       this.onSuccessfulLogin();
     }
-    if (response.resetMasterPassword) {
-      this.successRoute = "set-password";
-    }
-    if (response.forcePasswordReset !== ForceResetPasswordReason.None) {
-      this.successRoute = "update-temp-password";
-    }
-    if (this.onSuccessfulLoginNavigate != null) {
-      this.loginService.clearValues();
-      await this.onSuccessfulLoginNavigate();
+    await this.navigateViaCallbackOrRoute(this.onSuccessfulLoginNavigate, [this.successRoute]);
+  }
+
+  private async navigateViaCallbackOrRoute(
+    callback: () => Promise<unknown>,
+    commands: unknown[],
+    extras?: NavigationExtras
+  ): Promise<void> {
+    if (callback) {
+      await callback();
     } else {
-      this.loginService.clearValues();
-      this.router.navigate([this.successRoute], {
-        queryParams: {
-          identifier: this.identifier,
-        },
-      });
+      await this.router.navigate(commands, extras);
     }
   }
 
diff --git a/libs/angular/src/auth/components/update-password.component.ts b/libs/angular/src/auth/components/update-password.component.ts
index 06b7f48b57..81bdbb31cb 100644
--- a/libs/angular/src/auth/components/update-password.component.ts
+++ b/libs/angular/src/auth/components/update-password.component.ts
@@ -14,7 +14,7 @@ import { MessagingService } from "@bitwarden/common/platform/abstractions/messag
 import { PlatformUtilsService } from "@bitwarden/common/platform/abstractions/platform-utils.service";
 import { StateService } from "@bitwarden/common/platform/abstractions/state.service";
 import { EncString } from "@bitwarden/common/platform/models/domain/enc-string";
-import { SymmetricCryptoKey } from "@bitwarden/common/platform/models/domain/symmetric-crypto-key";
+import { MasterKey, UserKey } from "@bitwarden/common/platform/models/domain/symmetric-crypto-key";
 import { PasswordGenerationServiceAbstraction } from "@bitwarden/common/tools/generator/password";
 import { Verification } from "@bitwarden/common/types/verification";
 import { DialogService } from "@bitwarden/components";
@@ -94,19 +94,19 @@ export class UpdatePasswordComponent extends BaseChangePasswordComponent {
   }
 
   async performSubmitActions(
-    masterPasswordHash: string,
-    key: SymmetricCryptoKey,
-    encKey: [SymmetricCryptoKey, EncString]
+    newMasterKeyHash: string,
+    newMasterKey: MasterKey,
+    newUserKey: [UserKey, EncString]
   ) {
     try {
       // Create Request
       const request = new PasswordRequest();
-      request.masterPasswordHash = await this.cryptoService.hashPassword(
+      request.masterPasswordHash = await this.cryptoService.hashMasterKey(
         this.currentMasterPassword,
-        null
+        await this.cryptoService.getOrDeriveMasterKey(this.currentMasterPassword)
       );
-      request.newMasterPasswordHash = masterPasswordHash;
-      request.key = encKey[1].encryptedString;
+      request.newMasterPasswordHash = newMasterKeyHash;
+      request.key = newUserKey[1].encryptedString;
 
       // Update user's password
       this.apiService.postPassword(request);
diff --git a/libs/angular/src/auth/components/update-temp-password.component.ts b/libs/angular/src/auth/components/update-temp-password.component.ts
index 57256a579f..7bb65ab68d 100644
--- a/libs/angular/src/auth/components/update-temp-password.component.ts
+++ b/libs/angular/src/auth/components/update-temp-password.component.ts
@@ -16,7 +16,7 @@ import { MessagingService } from "@bitwarden/common/platform/abstractions/messag
 import { PlatformUtilsService } from "@bitwarden/common/platform/abstractions/platform-utils.service";
 import { StateService } from "@bitwarden/common/platform/abstractions/state.service";
 import { EncString } from "@bitwarden/common/platform/models/domain/enc-string";
-import { SymmetricCryptoKey } from "@bitwarden/common/platform/models/domain/symmetric-crypto-key";
+import { MasterKey, UserKey } from "@bitwarden/common/platform/models/domain/symmetric-crypto-key";
 import { PasswordGenerationServiceAbstraction } from "@bitwarden/common/tools/generator/password";
 import { Verification } from "@bitwarden/common/types/verification";
 import { SyncService } from "@bitwarden/common/vault/abstractions/sync/sync.service.abstraction";
@@ -113,21 +113,27 @@ export class UpdateTempPasswordComponent extends BaseChangePasswordComponent {
 
     try {
       // Create new key and hash new password
-      const newKey = await this.cryptoService.makeKey(
+      const newMasterKey = await this.cryptoService.makeMasterKey(
         this.masterPassword,
         this.email.trim().toLowerCase(),
         this.kdf,
         this.kdfConfig
       );
-      const newPasswordHash = await this.cryptoService.hashPassword(this.masterPassword, newKey);
+      const newPasswordHash = await this.cryptoService.hashMasterKey(
+        this.masterPassword,
+        newMasterKey
+      );
 
-      // Grab user's current enc key
-      const userEncKey = await this.cryptoService.getEncKey();
+      // Grab user key
+      const userKey = await this.cryptoService.getUserKey();
 
-      // Create new encKey for the User
-      const newEncKey = await this.cryptoService.remakeEncKey(newKey, userEncKey);
+      // Encrypt user key with new master key
+      const newProtectedUserKey = await this.cryptoService.encryptUserKeyWithMasterKey(
+        newMasterKey,
+        userKey
+      );
 
-      await this.performSubmitActions(newPasswordHash, newKey, newEncKey);
+      await this.performSubmitActions(newPasswordHash, newMasterKey, newProtectedUserKey);
     } catch (e) {
       this.logService.error(e);
     }
@@ -135,16 +141,16 @@ export class UpdateTempPasswordComponent extends BaseChangePasswordComponent {
 
   async performSubmitActions(
     masterPasswordHash: string,
-    key: SymmetricCryptoKey,
-    encKey: [SymmetricCryptoKey, EncString]
+    masterKey: MasterKey,
+    userKey: [UserKey, EncString]
   ) {
     try {
       switch (this.reason) {
         case ForceResetPasswordReason.AdminForcePasswordReset:
-          this.formPromise = this.updateTempPassword(masterPasswordHash, encKey);
+          this.formPromise = this.updateTempPassword(masterPasswordHash, userKey);
           break;
         case ForceResetPasswordReason.WeakMasterPassword:
-          this.formPromise = this.updatePassword(masterPasswordHash, encKey);
+          this.formPromise = this.updatePassword(masterPasswordHash, userKey);
           break;
       }
 
@@ -166,29 +172,23 @@ export class UpdateTempPasswordComponent extends BaseChangePasswordComponent {
       this.logService.error(e);
     }
   }
-  private async updateTempPassword(
-    masterPasswordHash: string,
-    encKey: [SymmetricCryptoKey, EncString]
-  ) {
+  private async updateTempPassword(masterPasswordHash: string, userKey: [UserKey, EncString]) {
     const request = new UpdateTempPasswordRequest();
-    request.key = encKey[1].encryptedString;
+    request.key = userKey[1].encryptedString;
     request.newMasterPasswordHash = masterPasswordHash;
     request.masterPasswordHint = this.hint;
 
     return this.apiService.putUpdateTempPassword(request);
   }
 
-  private async updatePassword(
-    newMasterPasswordHash: string,
-    encKey: [SymmetricCryptoKey, EncString]
-  ) {
+  private async updatePassword(newMasterPasswordHash: string, userKey: [UserKey, EncString]) {
     const request = await this.userVerificationService.buildRequest(
       this.verification,
       PasswordRequest
     );
     request.masterPasswordHint = this.hint;
     request.newMasterPasswordHash = newMasterPasswordHash;
-    request.key = encKey[1].encryptedString;
+    request.key = userKey[1].encryptedString;
 
     return this.apiService.postPassword(request);
   }
diff --git a/libs/angular/src/auth/components/user-verification.component.ts b/libs/angular/src/auth/components/user-verification.component.ts
index 9dfed5b924..b2d4d8a4c3 100644
--- a/libs/angular/src/auth/components/user-verification.component.ts
+++ b/libs/angular/src/auth/components/user-verification.component.ts
@@ -2,16 +2,16 @@ import { Directive, EventEmitter, Input, OnDestroy, OnInit, Output } from "@angu
 import { ControlValueAccessor, FormControl, Validators } from "@angular/forms";
 import { Subject, takeUntil } from "rxjs";
 
-import { KeyConnectorService } from "@bitwarden/common/auth/abstractions/key-connector.service";
 import { UserVerificationService } from "@bitwarden/common/auth/abstractions/user-verification/user-verification.service.abstraction";
 import { VerificationType } from "@bitwarden/common/auth/enums/verification-type";
+import { CryptoService } from "@bitwarden/common/platform/abstractions/crypto.service";
 import { I18nService } from "@bitwarden/common/platform/abstractions/i18n.service";
 import { Utils } from "@bitwarden/common/platform/misc/utils";
 import { Verification } from "@bitwarden/common/types/verification";
 
 /**
  * Used for general-purpose user verification throughout the app.
- * Collects the user's master password, or if they are using Key Connector, prompts for an OTP via email.
+ * Collects the user's master password, or if they are not using a password, prompts for an OTP via email.
  * This is exposed to the parent component via the ControlValueAccessor interface (e.g. bind it to a FormControl).
  * Use UserVerificationService to verify the user's input.
  */
@@ -40,7 +40,7 @@ export class UserVerificationComponent implements ControlValueAccessor, OnInit,
   }
   @Output() invalidSecretChange = new EventEmitter<boolean>();
 
-  usesKeyConnector = true;
+  hasMasterPassword = true;
   disableRequestOTP = false;
   sentCode = false;
 
@@ -50,7 +50,7 @@ export class UserVerificationComponent implements ControlValueAccessor, OnInit,
       if (this.invalidSecret) {
         return {
           invalidSecret: {
-            message: this.usesKeyConnector
+            message: this.hasMasterPassword
               ? this.i18nService.t("incorrectCode")
               : this.i18nService.t("incorrectPassword"),
           },
@@ -63,13 +63,13 @@ export class UserVerificationComponent implements ControlValueAccessor, OnInit,
   private destroy$ = new Subject<void>();
 
   constructor(
-    private keyConnectorService: KeyConnectorService,
+    private cryptoService: CryptoService,
     private userVerificationService: UserVerificationService,
     private i18nService: I18nService
   ) {}
 
   async ngOnInit() {
-    this.usesKeyConnector = await this.keyConnectorService.getUsesKeyConnector();
+    this.hasMasterPassword = await this.userVerificationService.hasMasterPasswordAndMasterKeyHash();
     this.processChanges(this.secret.value);
 
     this.secret.valueChanges
@@ -78,7 +78,7 @@ export class UserVerificationComponent implements ControlValueAccessor, OnInit,
   }
 
   requestOTP = async () => {
-    if (this.usesKeyConnector) {
+    if (!this.hasMasterPassword) {
       this.disableRequestOTP = true;
       try {
         await this.userVerificationService.requestOTP();
@@ -123,7 +123,7 @@ export class UserVerificationComponent implements ControlValueAccessor, OnInit,
     }
 
     this.onChange({
-      type: this.usesKeyConnector ? VerificationType.OTP : VerificationType.MasterPassword,
+      type: this.hasMasterPassword ? VerificationType.MasterPassword : VerificationType.OTP,
       secret: Utils.isNullOrWhitespace(secret) ? null : secret,
     });
   }
diff --git a/libs/angular/src/auth/guards/index.ts b/libs/angular/src/auth/guards/index.ts
new file mode 100644
index 0000000000..1760a870b3
--- /dev/null
+++ b/libs/angular/src/auth/guards/index.ts
@@ -0,0 +1,5 @@
+export * from "./auth.guard";
+export * from "./lock.guard";
+export * from "./redirect.guard";
+export * from "./tde-decryption-required.guard";
+export * from "./unauth.guard";
diff --git a/libs/angular/src/auth/guards/lock.guard.ts b/libs/angular/src/auth/guards/lock.guard.ts
index b4cc01dc16..ea0f38d774 100644
--- a/libs/angular/src/auth/guards/lock.guard.ts
+++ b/libs/angular/src/auth/guards/lock.guard.ts
@@ -1,25 +1,59 @@
-import { Injectable } from "@angular/core";
-import { CanActivate, Router } from "@angular/router";
+import { inject } from "@angular/core";
+import {
+  ActivatedRouteSnapshot,
+  CanActivateFn,
+  Router,
+  RouterStateSnapshot,
+} from "@angular/router";
 
 import { AuthService } from "@bitwarden/common/auth/abstractions/auth.service";
+import { DeviceTrustCryptoServiceAbstraction } from "@bitwarden/common/auth/abstractions/device-trust-crypto.service.abstraction";
+import { UserVerificationService } from "@bitwarden/common/auth/abstractions/user-verification/user-verification.service.abstraction";
 import { AuthenticationStatus } from "@bitwarden/common/auth/enums/authentication-status";
+import { CryptoService } from "@bitwarden/common/platform/abstractions/crypto.service";
 
-@Injectable()
-export class LockGuard implements CanActivate {
-  protected homepage = "vault";
-  protected loginpage = "login";
-  constructor(private authService: AuthService, private router: Router) {}
+/**
+ * Only allow access to this route if the vault is locked.
+ * If TDE is enabled then the user must also have had a user key at some point.
+ * Otherwise redirect to root.
+ */
+export function lockGuard(): CanActivateFn {
+  return async (
+    activatedRouteSnapshot: ActivatedRouteSnapshot,
+    routerStateSnapshot: RouterStateSnapshot
+  ) => {
+    const authService = inject(AuthService);
+    const cryptoService = inject(CryptoService);
+    const deviceTrustCryptoService = inject(DeviceTrustCryptoServiceAbstraction);
+    const router = inject(Router);
+    const userVerificationService = inject(UserVerificationService);
 
-  async canActivate() {
-    const authStatus = await this.authService.getAuthStatus();
+    const authStatus = await authService.getAuthStatus();
+    if (authStatus !== AuthenticationStatus.Locked) {
+      return router.createUrlTree(["/"]);
+    }
 
-    if (authStatus === AuthenticationStatus.Locked) {
+    // User is authN and in locked state.
+
+    const tdeEnabled = await deviceTrustCryptoService.supportsDeviceTrust();
+
+    // Create special exception which allows users to go from the login-initiated page to the lock page for the approve w/ MP flow
+    // The MP check is necessary to prevent direct manual navigation from other locked state pages for users who don't have a MP
+    if (
+      activatedRouteSnapshot.queryParams["from"] === "login-initiated" &&
+      tdeEnabled &&
+      (await userVerificationService.hasMasterPassword())
+    ) {
       return true;
     }
 
-    const redirectUrl =
-      authStatus === AuthenticationStatus.LoggedOut ? this.loginpage : this.homepage;
+    // If authN user with TDE directly navigates to lock, kick them upwards so redirect guard can
+    // properly route them to the login decryption options component.
+    const everHadUserKey = await cryptoService.getEverHadUserKey();
+    if (tdeEnabled && !everHadUserKey) {
+      return router.createUrlTree(["/"]);
+    }
 
-    return this.router.createUrlTree([redirectUrl]);
-  }
+    return true;
+  };
 }
diff --git a/libs/angular/src/auth/guards/redirect.guard.ts b/libs/angular/src/auth/guards/redirect.guard.ts
new file mode 100644
index 0000000000..4853b26e71
--- /dev/null
+++ b/libs/angular/src/auth/guards/redirect.guard.ts
@@ -0,0 +1,58 @@
+import { inject } from "@angular/core";
+import { CanActivateFn, Router } from "@angular/router";
+
+import { AuthService } from "@bitwarden/common/auth/abstractions/auth.service";
+import { DeviceTrustCryptoServiceAbstraction } from "@bitwarden/common/auth/abstractions/device-trust-crypto.service.abstraction";
+import { AuthenticationStatus } from "@bitwarden/common/auth/enums/authentication-status";
+import { CryptoService } from "@bitwarden/common/platform/abstractions/crypto.service";
+
+export interface RedirectRoutes {
+  loggedIn: string;
+  loggedOut: string;
+  locked: string;
+  notDecrypted: string;
+}
+
+const defaultRoutes: RedirectRoutes = {
+  loggedIn: "/vault",
+  loggedOut: "/login",
+  locked: "/lock",
+  notDecrypted: "/login-initiated",
+};
+
+/**
+ * Guard that consolidates all redirection logic, should be applied to root route.
+ */
+export function redirectGuard(overrides: Partial<RedirectRoutes> = {}): CanActivateFn {
+  const routes = { ...defaultRoutes, ...overrides };
+  return async (route) => {
+    const authService = inject(AuthService);
+    const cryptoService = inject(CryptoService);
+    const deviceTrustCryptoService = inject(DeviceTrustCryptoServiceAbstraction);
+    const router = inject(Router);
+
+    const authStatus = await authService.getAuthStatus();
+
+    if (authStatus === AuthenticationStatus.LoggedOut) {
+      return router.createUrlTree([routes.loggedOut], { queryParams: route.queryParams });
+    }
+
+    if (authStatus === AuthenticationStatus.Unlocked) {
+      return router.createUrlTree([routes.loggedIn], { queryParams: route.queryParams });
+    }
+
+    // If locked, TDE is enabled, and the user hasn't decrypted yet, then redirect to the
+    // login decryption options component.
+    const tdeEnabled = await deviceTrustCryptoService.supportsDeviceTrust();
+    const everHadUserKey = await cryptoService.getEverHadUserKey();
+    if (authStatus === AuthenticationStatus.Locked && tdeEnabled && !everHadUserKey) {
+      return router.createUrlTree([routes.notDecrypted], { queryParams: route.queryParams });
+    }
+
+    if (authStatus === AuthenticationStatus.Locked) {
+      return router.createUrlTree([routes.locked], { queryParams: route.queryParams });
+    }
+
+    return router.createUrlTree(["/"]);
+  };
+}
diff --git a/libs/angular/src/auth/guards/tde-decryption-required.guard.ts b/libs/angular/src/auth/guards/tde-decryption-required.guard.ts
new file mode 100644
index 0000000000..84a4fef576
--- /dev/null
+++ b/libs/angular/src/auth/guards/tde-decryption-required.guard.ts
@@ -0,0 +1,34 @@
+import { inject } from "@angular/core";
+import {
+  ActivatedRouteSnapshot,
+  Router,
+  RouterStateSnapshot,
+  CanActivateFn,
+} from "@angular/router";
+
+import { AuthService } from "@bitwarden/common/auth/abstractions/auth.service";
+import { DeviceTrustCryptoServiceAbstraction } from "@bitwarden/common/auth/abstractions/device-trust-crypto.service.abstraction";
+import { AuthenticationStatus } from "@bitwarden/common/auth/enums/authentication-status";
+import { CryptoService } from "@bitwarden/common/platform/abstractions/crypto.service";
+
+/**
+ * Only allow access to this route if the vault is locked and has never been decrypted.
+ * Otherwise redirect to root.
+ */
+export function tdeDecryptionRequiredGuard(): CanActivateFn {
+  return async (_: ActivatedRouteSnapshot, state: RouterStateSnapshot) => {
+    const authService = inject(AuthService);
+    const cryptoService = inject(CryptoService);
+    const deviceTrustCryptoService = inject(DeviceTrustCryptoServiceAbstraction);
+    const router = inject(Router);
+
+    const authStatus = await authService.getAuthStatus();
+    const tdeEnabled = await deviceTrustCryptoService.supportsDeviceTrust();
+    const everHadUserKey = await cryptoService.getEverHadUserKey();
+    if (authStatus !== AuthenticationStatus.Locked || !tdeEnabled || everHadUserKey) {
+      return router.createUrlTree(["/"]);
+    }
+
+    return true;
+  };
+}
diff --git a/libs/angular/src/components/register.component.ts b/libs/angular/src/components/register.component.ts
index e096f2a098..5363be3941 100644
--- a/libs/angular/src/components/register.component.ts
+++ b/libs/angular/src/components/register.component.ts
@@ -271,16 +271,16 @@ export class RegisterComponent extends CaptchaProtectedComponent implements OnIn
     const hint = this.formGroup.value.hint;
     const kdf = DEFAULT_KDF_TYPE;
     const kdfConfig = DEFAULT_KDF_CONFIG;
-    const key = await this.cryptoService.makeKey(masterPassword, email, kdf, kdfConfig);
-    const encKey = await this.cryptoService.makeEncKey(key);
-    const hashedPassword = await this.cryptoService.hashPassword(masterPassword, key);
-    const keys = await this.cryptoService.makeKeyPair(encKey[0]);
+    const key = await this.cryptoService.makeMasterKey(masterPassword, email, kdf, kdfConfig);
+    const newUserKey = await this.cryptoService.makeUserKey(key);
+    const masterKeyHash = await this.cryptoService.hashMasterKey(masterPassword, key);
+    const keys = await this.cryptoService.makeKeyPair(newUserKey[0]);
     const request = new RegisterRequest(
       email,
       name,
-      hashedPassword,
+      masterKeyHash,
       hint,
-      encKey[1].encryptedString,
+      newUserKey[1].encryptedString,
       this.referenceData,
       this.captchaToken,
       kdf,
diff --git a/libs/angular/src/components/set-password.component.ts b/libs/angular/src/components/set-password.component.ts
index b432ae55ac..60230e7f31 100644
--- a/libs/angular/src/components/set-password.component.ts
+++ b/libs/angular/src/components/set-password.component.ts
@@ -18,7 +18,7 @@ import { PlatformUtilsService } from "@bitwarden/common/platform/abstractions/pl
 import { StateService } from "@bitwarden/common/platform/abstractions/state.service";
 import { Utils } from "@bitwarden/common/platform/misc/utils";
 import { EncString } from "@bitwarden/common/platform/models/domain/enc-string";
-import { SymmetricCryptoKey } from "@bitwarden/common/platform/models/domain/symmetric-crypto-key";
+import { MasterKey, UserKey } from "@bitwarden/common/platform/models/domain/symmetric-crypto-key";
 import { PasswordGenerationServiceAbstraction } from "@bitwarden/common/tools/generator/password";
 import { SyncService } from "@bitwarden/common/vault/abstractions/sync/sync.service.abstraction";
 import { DialogService } from "@bitwarden/components";
@@ -101,16 +101,16 @@ export class SetPasswordComponent extends BaseChangePasswordComponent {
 
   async performSubmitActions(
     masterPasswordHash: string,
-    key: SymmetricCryptoKey,
-    encKey: [SymmetricCryptoKey, EncString]
+    masterKey: MasterKey,
+    userKey: [UserKey, EncString]
   ) {
-    const keys = await this.cryptoService.makeKeyPair(encKey[0]);
+    const newKeyPair = await this.cryptoService.makeKeyPair(userKey[0]);
     const request = new SetPasswordRequest(
       masterPasswordHash,
-      encKey[1].encryptedString,
+      userKey[1].encryptedString,
       this.hint,
       this.identifier,
-      new KeysRequest(keys[0], keys[1].encryptedString),
+      new KeysRequest(newKeyPair[0], newKeyPair[1].encryptedString),
       this.kdf,
       this.kdfConfig.iterations,
       this.kdfConfig.memory,
@@ -121,7 +121,7 @@ export class SetPasswordComponent extends BaseChangePasswordComponent {
         this.formPromise = this.apiService
           .setPassword(request)
           .then(async () => {
-            await this.onSetPasswordSuccess(key, encKey, keys);
+            await this.onSetPasswordSuccess(masterKey, userKey, newKeyPair);
             return this.organizationApiService.getKeys(this.orgId);
           })
           .then(async (response) => {
@@ -131,13 +131,13 @@ export class SetPasswordComponent extends BaseChangePasswordComponent {
             const userId = await this.stateService.getUserId();
             const publicKey = Utils.fromB64ToArray(response.publicKey);
 
-            // RSA Encrypt user's encKey.key with organization public key
-            const userEncKey = await this.cryptoService.getEncKey();
-            const encryptedKey = await this.cryptoService.rsaEncrypt(userEncKey.key, publicKey);
+            // RSA Encrypt user key with organization public key
+            const userKey = await this.cryptoService.getUserKey();
+            const encryptedUserKey = await this.cryptoService.rsaEncrypt(userKey.key, publicKey);
 
             const resetRequest = new OrganizationUserResetPasswordEnrollmentRequest();
             resetRequest.masterPasswordHash = masterPasswordHash;
-            resetRequest.resetPasswordKey = encryptedKey.encryptedString;
+            resetRequest.resetPasswordKey = encryptedUserKey.encryptedString;
 
             return this.organizationUserService.putOrganizationUserResetPasswordEnrollment(
               this.orgId,
@@ -147,7 +147,7 @@ export class SetPasswordComponent extends BaseChangePasswordComponent {
           });
       } else {
         this.formPromise = this.apiService.setPassword(request).then(async () => {
-          await this.onSetPasswordSuccess(key, encKey, keys);
+          await this.onSetPasswordSuccess(masterKey, userKey, newKeyPair);
         });
       }
 
@@ -169,21 +169,21 @@ export class SetPasswordComponent extends BaseChangePasswordComponent {
   }
 
   private async onSetPasswordSuccess(
-    key: SymmetricCryptoKey,
-    encKey: [SymmetricCryptoKey, EncString],
-    keys: [string, EncString]
+    masterKey: MasterKey,
+    userKey: [UserKey, EncString],
+    keyPair: [string, EncString]
   ) {
     await this.stateService.setKdfType(this.kdf);
     await this.stateService.setKdfConfig(this.kdfConfig);
-    await this.cryptoService.setKey(key);
-    await this.cryptoService.setEncKey(encKey[1].encryptedString);
-    await this.cryptoService.setEncPrivateKey(keys[1].encryptedString);
+    await this.cryptoService.setMasterKey(masterKey);
+    await this.cryptoService.setUserKey(userKey[0]);
+    await this.cryptoService.setPrivateKey(keyPair[1].encryptedString);
 
-    const localKeyHash = await this.cryptoService.hashPassword(
+    const localMasterKeyHash = await this.cryptoService.hashMasterKey(
       this.masterPassword,
-      key,
+      masterKey,
       HashPurpose.LocalAuthorization
     );
-    await this.cryptoService.setKeyHash(localKeyHash);
+    await this.cryptoService.setMasterKeyHash(localMasterKeyHash);
   }
 }
diff --git a/libs/angular/src/components/set-pin.component.ts b/libs/angular/src/components/set-pin.component.ts
index af00980f15..bf92417ae6 100644
--- a/libs/angular/src/components/set-pin.component.ts
+++ b/libs/angular/src/components/set-pin.component.ts
@@ -1,6 +1,7 @@
 import { Directive, OnInit } from "@angular/core";
 
-import { KeyConnectorService } from "@bitwarden/common/auth/abstractions/key-connector.service";
+import { UserVerificationService } from "@bitwarden/common/auth/abstractions/user-verification/user-verification.service.abstraction";
+import { KeySuffixOptions } from "@bitwarden/common/enums/key-suffix-options.enum";
 import { CryptoService } from "@bitwarden/common/platform/abstractions/crypto.service";
 import { StateService } from "@bitwarden/common/platform/abstractions/state.service";
 import { Utils } from "@bitwarden/common/platform/misc/utils";
@@ -17,13 +18,13 @@ export class SetPinComponent implements OnInit {
   constructor(
     private modalRef: ModalRef,
     private cryptoService: CryptoService,
-    private keyConnectorService: KeyConnectorService,
+    private userVerificationService: UserVerificationService,
     private stateService: StateService
   ) {}
 
   async ngOnInit() {
     this.showMasterPassOnRestart = this.masterPassOnRestart =
-      !(await this.keyConnectorService.getUsesKeyConnector());
+      await this.userVerificationService.hasMasterPassword();
   }
 
   toggleVisibility() {
@@ -35,19 +36,22 @@ export class SetPinComponent implements OnInit {
       this.modalRef.close(false);
     }
 
-    const kdf = await this.stateService.getKdfType();
-    const kdfConfig = await this.stateService.getKdfConfig();
-    const email = await this.stateService.getEmail();
-    const pinKey = await this.cryptoService.makePinKey(this.pin, email, kdf, kdfConfig);
-    const key = await this.cryptoService.getKey();
-    const pinProtectedKey = await this.cryptoService.encrypt(key.key, pinKey);
+    const pinKey = await this.cryptoService.makePinKey(
+      this.pin,
+      await this.stateService.getEmail(),
+      await this.stateService.getKdfType(),
+      await this.stateService.getKdfConfig()
+    );
+    const userKey = await this.cryptoService.getUserKey();
+    const pinProtectedKey = await this.cryptoService.encrypt(userKey.key, pinKey);
+    const encPin = await this.cryptoService.encrypt(this.pin, userKey);
+    await this.stateService.setProtectedPin(encPin.encryptedString);
     if (this.masterPassOnRestart) {
-      const encPin = await this.cryptoService.encrypt(this.pin);
-      await this.stateService.setProtectedPin(encPin.encryptedString);
-      await this.stateService.setDecryptedPinProtected(pinProtectedKey);
+      await this.stateService.setPinKeyEncryptedUserKeyEphemeral(pinProtectedKey);
     } else {
-      await this.stateService.setEncryptedPinProtected(pinProtectedKey.encryptedString);
+      await this.stateService.setPinKeyEncryptedUserKey(pinProtectedKey);
     }
+    await this.cryptoService.clearDeprecatedKeys(KeySuffixOptions.Pin);
 
     this.modalRef.close(true);
   }
diff --git a/libs/angular/src/components/settings/vault-timeout-input.component.ts b/libs/angular/src/components/settings/vault-timeout-input.component.ts
index 1bec3e1e39..b0dec5affb 100644
--- a/libs/angular/src/components/settings/vault-timeout-input.component.ts
+++ b/libs/angular/src/components/settings/vault-timeout-input.component.ts
@@ -6,11 +6,13 @@ import {
   ValidationErrors,
   Validator,
 } from "@angular/forms";
-import { filter, Subject, takeUntil } from "rxjs";
+import { filter, map, Observable, Subject, takeUntil } from "rxjs";
 
+import { VaultTimeoutSettingsService } from "@bitwarden/common/abstractions/vault-timeout/vault-timeout-settings.service";
 import { PolicyService } from "@bitwarden/common/admin-console/abstractions/policy/policy.service.abstraction";
 import { PolicyType } from "@bitwarden/common/admin-console/enums";
 import { Policy } from "@bitwarden/common/admin-console/models/domain/policy";
+import { VaultTimeoutAction } from "@bitwarden/common/enums/vault-timeout-action.enum";
 import { I18nService } from "@bitwarden/common/platform/abstractions/i18n.service";
 
 @Directive()
@@ -43,6 +45,8 @@ export class VaultTimeoutInputComponent
   vaultTimeoutPolicyHours: number;
   vaultTimeoutPolicyMinutes: number;
 
+  protected canLockVault$: Observable<boolean>;
+
   private onChange: (vaultTimeout: number) => void;
   private validatorChange: () => void;
   private destroy$ = new Subject<void>();
@@ -50,6 +54,7 @@ export class VaultTimeoutInputComponent
   constructor(
     private formBuilder: FormBuilder,
     private policyService: PolicyService,
+    private vaultTimeoutSettingsService: VaultTimeoutSettingsService,
     private i18nService: I18nService
   ) {}
 
@@ -86,6 +91,10 @@ export class VaultTimeoutInputComponent
           },
         });
       });
+
+    this.canLockVault$ = this.vaultTimeoutSettingsService
+      .availableVaultTimeoutActions$()
+      .pipe(map((actions) => actions.includes(VaultTimeoutAction.Lock)));
   }
 
   ngOnDestroy() {
diff --git a/libs/angular/src/services/injection-tokens.ts b/libs/angular/src/services/injection-tokens.ts
index 270a5dfdf0..b87b239e16 100644
--- a/libs/angular/src/services/injection-tokens.ts
+++ b/libs/angular/src/services/injection-tokens.ts
@@ -11,10 +11,12 @@ export const MEMORY_STORAGE = new InjectionToken<AbstractMemoryStorageService>("
 export const SECURE_STORAGE = new InjectionToken<AbstractStorageService>("SECURE_STORAGE");
 export const STATE_FACTORY = new InjectionToken<StateFactory>("STATE_FACTORY");
 export const STATE_SERVICE_USE_CACHE = new InjectionToken<boolean>("STATE_SERVICE_USE_CACHE");
-export const LOGOUT_CALLBACK = new InjectionToken<(expired: boolean, userId?: string) => void>(
-  "LOGOUT_CALLBACK"
+export const LOGOUT_CALLBACK = new InjectionToken<
+  (expired: boolean, userId?: string) => Promise<void>
+>("LOGOUT_CALLBACK");
+export const LOCKED_CALLBACK = new InjectionToken<(userId?: string) => Promise<void>>(
+  "LOCKED_CALLBACK"
 );
-export const LOCKED_CALLBACK = new InjectionToken<() => void>("LOCKED_CALLBACK");
 export const CLIENT_TYPE = new InjectionToken<boolean>("CLIENT_TYPE");
 export const LOCALES_DIRECTORY = new InjectionToken<string>("LOCALES_DIRECTORY");
 export const SYSTEM_LANGUAGE = new InjectionToken<string>("SYSTEM_LANGUAGE");
diff --git a/libs/angular/src/services/jslib-services.module.ts b/libs/angular/src/services/jslib-services.module.ts
index 6198437c02..e292617a90 100644
--- a/libs/angular/src/services/jslib-services.module.ts
+++ b/libs/angular/src/services/jslib-services.module.ts
@@ -4,8 +4,7 @@ import { AvatarUpdateService as AccountUpdateServiceAbstraction } from "@bitward
 import { AnonymousHubService as AnonymousHubServiceAbstraction } from "@bitwarden/common/abstractions/anonymousHub.service";
 import { ApiService as ApiServiceAbstraction } from "@bitwarden/common/abstractions/api.service";
 import { AuditService as AuditServiceAbstraction } from "@bitwarden/common/abstractions/audit.service";
-import { DeviceCryptoServiceAbstraction } from "@bitwarden/common/abstractions/device-crypto.service.abstraction";
-import { DevicesApiServiceAbstraction } from "@bitwarden/common/abstractions/devices/devices-api.service.abstraction";
+import { DevicesServiceAbstraction } from "@bitwarden/common/abstractions/devices/devices.service.abstraction";
 import { EventCollectionService as EventCollectionServiceAbstraction } from "@bitwarden/common/abstractions/event/event-collection.service";
 import { EventUploadService as EventUploadServiceAbstraction } from "@bitwarden/common/abstractions/event/event-upload.service";
 import { NotificationsService as NotificationsServiceAbstraction } from "@bitwarden/common/abstractions/notifications.service";
@@ -18,8 +17,8 @@ import { OrganizationUserService } from "@bitwarden/common/abstractions/organiza
 import { SearchService as SearchServiceAbstraction } from "@bitwarden/common/abstractions/search.service";
 import { SettingsService as SettingsServiceAbstraction } from "@bitwarden/common/abstractions/settings.service";
 import { TotpService as TotpServiceAbstraction } from "@bitwarden/common/abstractions/totp.service";
-import { VaultTimeoutService as VaultTimeoutServiceAbstraction } from "@bitwarden/common/abstractions/vaultTimeout/vaultTimeout.service";
-import { VaultTimeoutSettingsService as VaultTimeoutSettingsServiceAbstraction } from "@bitwarden/common/abstractions/vaultTimeout/vaultTimeoutSettings.service";
+import { VaultTimeoutSettingsService as VaultTimeoutSettingsServiceAbstraction } from "@bitwarden/common/abstractions/vault-timeout/vault-timeout-settings.service";
+import { VaultTimeoutService as VaultTimeoutServiceAbstraction } from "@bitwarden/common/abstractions/vault-timeout/vault-timeout.service";
 import { OrganizationApiServiceAbstraction } from "@bitwarden/common/admin-console/abstractions/organization/organization-api.service.abstraction";
 import {
   InternalOrganizationServiceAbstraction,
@@ -41,18 +40,26 @@ import {
   AccountService as AccountServiceAbstraction,
   InternalAccountService,
 } from "@bitwarden/common/auth/abstractions/account.service";
+import { AuthRequestCryptoServiceAbstraction } from "@bitwarden/common/auth/abstractions/auth-request-crypto.service.abstraction";
 import { AuthService as AuthServiceAbstraction } from "@bitwarden/common/auth/abstractions/auth.service";
+import { DeviceTrustCryptoServiceAbstraction } from "@bitwarden/common/auth/abstractions/device-trust-crypto.service.abstraction";
+import { DevicesApiServiceAbstraction } from "@bitwarden/common/auth/abstractions/devices-api.service.abstraction";
 import { KeyConnectorService as KeyConnectorServiceAbstraction } from "@bitwarden/common/auth/abstractions/key-connector.service";
 import { LoginService as LoginServiceAbstraction } from "@bitwarden/common/auth/abstractions/login.service";
+import { PasswordResetEnrollmentServiceAbstraction } from "@bitwarden/common/auth/abstractions/password-reset-enrollment.service.abstraction";
 import { TokenService as TokenServiceAbstraction } from "@bitwarden/common/auth/abstractions/token.service";
 import { TwoFactorService as TwoFactorServiceAbstraction } from "@bitwarden/common/auth/abstractions/two-factor.service";
 import { UserVerificationApiServiceAbstraction } from "@bitwarden/common/auth/abstractions/user-verification/user-verification-api.service.abstraction";
 import { UserVerificationService as UserVerificationServiceAbstraction } from "@bitwarden/common/auth/abstractions/user-verification/user-verification.service.abstraction";
 import { AccountApiServiceImplementation } from "@bitwarden/common/auth/services/account-api.service";
 import { AccountServiceImplementation } from "@bitwarden/common/auth/services/account.service";
+import { AuthRequestCryptoServiceImplementation } from "@bitwarden/common/auth/services/auth-request-crypto.service.implementation";
 import { AuthService } from "@bitwarden/common/auth/services/auth.service";
+import { DeviceTrustCryptoService } from "@bitwarden/common/auth/services/device-trust-crypto.service.implementation";
+import { DevicesApiServiceImplementation } from "@bitwarden/common/auth/services/devices-api.service.implementation";
 import { KeyConnectorService } from "@bitwarden/common/auth/services/key-connector.service";
 import { LoginService } from "@bitwarden/common/auth/services/login.service";
+import { PasswordResetEnrollmentServiceImplementation } from "@bitwarden/common/auth/services/password-reset-enrollment.service.implementation";
 import { TokenService } from "@bitwarden/common/auth/services/token.service";
 import { TwoFactorService } from "@bitwarden/common/auth/services/two-factor.service";
 import { UserVerificationApiService } from "@bitwarden/common/auth/services/user-verification/user-verification-api.service";
@@ -95,8 +102,7 @@ import { AvatarUpdateService } from "@bitwarden/common/services/account/avatar-u
 import { AnonymousHubService } from "@bitwarden/common/services/anonymousHub.service";
 import { ApiService } from "@bitwarden/common/services/api.service";
 import { AuditService } from "@bitwarden/common/services/audit.service";
-import { DeviceCryptoService } from "@bitwarden/common/services/device-crypto.service.implementation";
-import { DevicesApiServiceImplementation } from "@bitwarden/common/services/devices/devices-api.service.implementation";
+import { DevicesServiceImplementation } from "@bitwarden/common/services/devices/devices.service.implementation";
 import { EventCollectionService } from "@bitwarden/common/services/event/event-collection.service";
 import { EventUploadService } from "@bitwarden/common/services/event/event-upload.service";
 import { NotificationsService } from "@bitwarden/common/services/notifications.service";
@@ -106,8 +112,8 @@ import { OrganizationUserServiceImplementation } from "@bitwarden/common/service
 import { SearchService } from "@bitwarden/common/services/search.service";
 import { SettingsService } from "@bitwarden/common/services/settings.service";
 import { TotpService } from "@bitwarden/common/services/totp.service";
-import { VaultTimeoutService } from "@bitwarden/common/services/vaultTimeout/vaultTimeout.service";
-import { VaultTimeoutSettingsService } from "@bitwarden/common/services/vaultTimeout/vaultTimeoutSettings.service";
+import { VaultTimeoutSettingsService } from "@bitwarden/common/services/vault-timeout/vault-timeout-settings.service";
+import { VaultTimeoutService } from "@bitwarden/common/services/vault-timeout/vault-timeout.service";
 import {
   PasswordGenerationService,
   PasswordGenerationServiceAbstraction,
@@ -148,7 +154,6 @@ import {
 } from "@bitwarden/exporter/vault-export";
 
 import { AuthGuard } from "../auth/guards/auth.guard";
-import { LockGuard } from "../auth/guards/lock.guard";
 import { UnauthGuard } from "../auth/guards/unauth.guard";
 import { FormValidationErrorsService as FormValidationErrorsServiceAbstraction } from "../platform/abstractions/form-validation-errors.service";
 import { BroadcasterService } from "../platform/services/broadcaster.service";
@@ -176,7 +181,6 @@ import { AbstractThemingService } from "./theming/theming.service.abstraction";
   providers: [
     AuthGuard,
     UnauthGuard,
-    LockGuard,
     ModalService,
     { provide: WINDOW, useValue: window },
     {
@@ -245,6 +249,8 @@ import { AbstractThemingService } from "./theming/theming.service.abstraction";
         EncryptService,
         PasswordStrengthServiceAbstraction,
         PolicyServiceAbstraction,
+        DeviceTrustCryptoServiceAbstraction,
+        AuthRequestCryptoServiceAbstraction,
       ],
     },
     {
@@ -441,11 +447,40 @@ import { AbstractThemingService } from "./theming/theming.service.abstraction";
         TokenServiceAbstraction,
         PolicyServiceAbstraction,
         StateServiceAbstraction,
+        UserVerificationServiceAbstraction,
       ],
     },
     {
-      provide: VaultTimeoutServiceAbstraction,
-      useClass: VaultTimeoutService,
+      provide: VaultTimeoutService,
+      useFactory: (
+        cipherService: CipherServiceAbstraction,
+        folderService: FolderServiceAbstraction,
+        collectionService: CollectionServiceAbstraction,
+        cryptoService: CryptoServiceAbstraction,
+        platformUtilsService: PlatformUtilsServiceAbstraction,
+        messagingService: MessagingServiceAbstraction,
+        searchService: SearchServiceAbstraction,
+        stateService: StateServiceAbstraction,
+        authService: AuthServiceAbstraction,
+        vaultTimeoutSettingsService: VaultTimeoutSettingsServiceAbstraction,
+        lockedCallback: (userId?: string) => Promise<void>,
+        logoutCallback: (expired: boolean, userId?: string) => Promise<void>
+      ) => {
+        return new VaultTimeoutService(
+          cipherService,
+          folderService,
+          collectionService,
+          cryptoService,
+          platformUtilsService,
+          messagingService,
+          searchService,
+          stateService,
+          authService,
+          vaultTimeoutSettingsService,
+          lockedCallback,
+          logoutCallback
+        );
+      },
       deps: [
         CipherServiceAbstraction,
         FolderServiceAbstraction,
@@ -454,7 +489,6 @@ import { AbstractThemingService } from "./theming/theming.service.abstraction";
         PlatformUtilsServiceAbstraction,
         MessagingServiceAbstraction,
         SearchServiceAbstraction,
-        KeyConnectorServiceAbstraction,
         StateServiceAbstraction,
         AuthServiceAbstraction,
         VaultTimeoutSettingsServiceAbstraction,
@@ -462,6 +496,10 @@ import { AbstractThemingService } from "./theming/theming.service.abstraction";
         LOGOUT_CALLBACK,
       ],
     },
+    {
+      provide: VaultTimeoutServiceAbstraction,
+      useExisting: VaultTimeoutService,
+    },
     {
       provide: StateServiceAbstraction,
       useClass: StateService,
@@ -571,6 +609,7 @@ import { AbstractThemingService } from "./theming/theming.service.abstraction";
       provide: UserVerificationServiceAbstraction,
       useClass: UserVerificationService,
       deps: [
+        StateServiceAbstraction,
         CryptoServiceAbstraction,
         I18nServiceAbstraction,
         UserVerificationApiServiceAbstraction,
@@ -591,6 +630,17 @@ import { AbstractThemingService } from "./theming/theming.service.abstraction";
       useClass: OrganizationUserServiceImplementation,
       deps: [ApiServiceAbstraction],
     },
+    {
+      provide: PasswordResetEnrollmentServiceAbstraction,
+      useClass: PasswordResetEnrollmentServiceImplementation,
+      deps: [
+        OrganizationApiServiceAbstraction,
+        StateServiceAbstraction,
+        CryptoServiceAbstraction,
+        OrganizationUserService,
+        I18nServiceAbstraction,
+      ],
+    },
     {
       provide: ProviderServiceAbstraction,
       useClass: ProviderService,
@@ -677,8 +727,13 @@ import { AbstractThemingService } from "./theming/theming.service.abstraction";
       deps: [ApiServiceAbstraction],
     },
     {
-      provide: DeviceCryptoServiceAbstraction,
-      useClass: DeviceCryptoService,
+      provide: DevicesServiceAbstraction,
+      useClass: DevicesServiceImplementation,
+      deps: [DevicesApiServiceAbstraction],
+    },
+    {
+      provide: DeviceTrustCryptoServiceAbstraction,
+      useClass: DeviceTrustCryptoService,
       deps: [
         CryptoFunctionServiceAbstraction,
         CryptoServiceAbstraction,
@@ -686,8 +741,15 @@ import { AbstractThemingService } from "./theming/theming.service.abstraction";
         StateServiceAbstraction,
         AppIdServiceAbstraction,
         DevicesApiServiceAbstraction,
+        I18nServiceAbstraction,
+        PlatformUtilsServiceAbstraction,
       ],
     },
+    {
+      provide: AuthRequestCryptoServiceAbstraction,
+      useClass: AuthRequestCryptoServiceImplementation,
+      deps: [CryptoServiceAbstraction],
+    },
   ],
 })
 export class JslibServicesModule {}
diff --git a/libs/angular/src/vault/components/attachments.component.ts b/libs/angular/src/vault/components/attachments.component.ts
index 3b3eaa1d86..164735e6f3 100644
--- a/libs/angular/src/vault/components/attachments.component.ts
+++ b/libs/angular/src/vault/components/attachments.component.ts
@@ -191,7 +191,7 @@ export class AttachmentsComponent implements OnInit {
     this.cipherDomain = await this.loadCipher();
     this.cipher = await this.cipherDomain.decrypt();
 
-    this.hasUpdatedKey = await this.cryptoService.hasEncKey();
+    this.hasUpdatedKey = await this.cryptoService.hasUserKey();
     const canAccessPremium = await this.stateService.getCanAccessPremium();
     this.canAccessAttachments = canAccessPremium || this.cipher.organizationId != null;
 
diff --git a/libs/angular/src/vault/services/password-reprompt.service.spec.ts b/libs/angular/src/vault/services/password-reprompt.service.spec.ts
new file mode 100644
index 0000000000..f2fb64bac3
--- /dev/null
+++ b/libs/angular/src/vault/services/password-reprompt.service.spec.ts
@@ -0,0 +1,34 @@
+import { MockProxy, mock } from "jest-mock-extended";
+
+import { UserVerificationService } from "@bitwarden/common/auth/abstractions/user-verification/user-verification.service.abstraction";
+
+import { ModalService } from "../../services/modal.service";
+
+import { PasswordRepromptService } from "./password-reprompt.service";
+
+describe("PasswordRepromptService", () => {
+  let passwordRepromptService: PasswordRepromptService;
+
+  let userVerificationService: MockProxy<UserVerificationService>;
+  let modalService: MockProxy<ModalService>;
+
+  beforeEach(() => {
+    modalService = mock<ModalService>();
+    userVerificationService = mock<UserVerificationService>();
+
+    passwordRepromptService = new PasswordRepromptService(modalService, userVerificationService);
+  });
+
+  describe("enabled()", () => {
+    it("returns false if a user does not have a master password", async () => {
+      userVerificationService.hasMasterPasswordAndMasterKeyHash.mockResolvedValue(false);
+
+      expect(await passwordRepromptService.enabled()).toBe(false);
+    });
+    it("returns true if the user has a master password", async () => {
+      userVerificationService.hasMasterPasswordAndMasterKeyHash.mockResolvedValue(true);
+
+      expect(await passwordRepromptService.enabled()).toBe(true);
+    });
+  });
+});
diff --git a/libs/angular/src/vault/services/password-reprompt.service.ts b/libs/angular/src/vault/services/password-reprompt.service.ts
index 0bd945001c..7a06771a45 100644
--- a/libs/angular/src/vault/services/password-reprompt.service.ts
+++ b/libs/angular/src/vault/services/password-reprompt.service.ts
@@ -1,6 +1,6 @@
 import { Injectable } from "@angular/core";
 
-import { KeyConnectorService } from "@bitwarden/common/auth/abstractions/key-connector.service";
+import { UserVerificationService } from "@bitwarden/common/auth/abstractions/user-verification/user-verification.service.abstraction";
 import { PasswordRepromptService as PasswordRepromptServiceAbstraction } from "@bitwarden/common/vault/abstractions/password-reprompt.service";
 
 import { ModalService } from "../../services/modal.service";
@@ -16,7 +16,7 @@ export class PasswordRepromptService implements PasswordRepromptServiceAbstracti
 
   constructor(
     private modalService: ModalService,
-    private keyConnectorService: KeyConnectorService
+    private userVerificationService: UserVerificationService
   ) {}
 
   protectedFields() {
@@ -39,6 +39,6 @@ export class PasswordRepromptService implements PasswordRepromptServiceAbstracti
   }
 
   async enabled() {
-    return !(await this.keyConnectorService.getUsesKeyConnector());
+    return await this.userVerificationService.hasMasterPasswordAndMasterKeyHash();
   }
 }
diff --git a/libs/common/src/abstractions/api.service.ts b/libs/common/src/abstractions/api.service.ts
index 51027b3405..c51ffd3d3c 100644
--- a/libs/common/src/abstractions/api.service.ts
+++ b/libs/common/src/abstractions/api.service.ts
@@ -200,6 +200,7 @@ export abstract class ApiService {
   postConvertToKeyConnector: () => Promise<void>;
   //passwordless
   postAuthRequest: (request: PasswordlessCreateAuthRequest) => Promise<AuthRequestResponse>;
+  postAdminAuthRequest: (request: PasswordlessCreateAuthRequest) => Promise<AuthRequestResponse>;
   getAuthResponse: (id: string, accessCode: string) => Promise<AuthRequestResponse>;
   getAuthRequest: (id: string) => Promise<AuthRequestResponse>;
   putAuthRequest: (id: string, request: PasswordlessAuthRequest) => Promise<AuthRequestResponse>;
@@ -523,7 +524,7 @@ export abstract class ApiService {
   ) => Promise<void>;
   postResendSponsorshipOffer: (sponsoringOrgId: string) => Promise<void>;
 
-  getUserKeyFromKeyConnector: (keyConnectorUrl: string) => Promise<KeyConnectorUserKeyResponse>;
+  getMasterKeyFromKeyConnector: (keyConnectorUrl: string) => Promise<KeyConnectorUserKeyResponse>;
   postUserKeyToKeyConnector: (
     keyConnectorUrl: string,
     request: KeyConnectorUserKeyRequest
diff --git a/libs/common/src/abstractions/device-crypto.service.abstraction.ts b/libs/common/src/abstractions/device-crypto.service.abstraction.ts
deleted file mode 100644
index f720ade9a2..0000000000
--- a/libs/common/src/abstractions/device-crypto.service.abstraction.ts
+++ /dev/null
@@ -1,8 +0,0 @@
-import { DeviceKey } from "../platform/models/domain/symmetric-crypto-key";
-
-import { DeviceResponse } from "./devices/responses/device.response";
-
-export abstract class DeviceCryptoServiceAbstraction {
-  trustDevice: () => Promise<DeviceResponse>;
-  getDeviceKey: () => Promise<DeviceKey>;
-}
diff --git a/libs/common/src/abstractions/devices/devices-api.service.abstraction.ts b/libs/common/src/abstractions/devices/devices-api.service.abstraction.ts
deleted file mode 100644
index 345b728977..0000000000
--- a/libs/common/src/abstractions/devices/devices-api.service.abstraction.ts
+++ /dev/null
@@ -1,14 +0,0 @@
-import { DeviceResponse } from "./responses/device.response";
-
-export abstract class DevicesApiServiceAbstraction {
-  getKnownDevice: (email: string, deviceIdentifier: string) => Promise<boolean>;
-
-  getDeviceByIdentifier: (deviceIdentifier: string) => Promise<DeviceResponse>;
-
-  updateTrustedDeviceKeys: (
-    deviceIdentifier: string,
-    devicePublicKeyEncryptedUserSymKey: string,
-    userSymKeyEncryptedDevicePublicKey: string,
-    deviceKeyEncryptedDevicePrivateKey: string
-  ) => Promise<DeviceResponse>;
-}
diff --git a/libs/common/src/abstractions/devices/devices.service.abstraction.ts b/libs/common/src/abstractions/devices/devices.service.abstraction.ts
new file mode 100644
index 0000000000..ca803f9242
--- /dev/null
+++ b/libs/common/src/abstractions/devices/devices.service.abstraction.ts
@@ -0,0 +1,15 @@
+import { Observable } from "rxjs";
+
+import { DeviceView } from "./views/device.view";
+
+export abstract class DevicesServiceAbstraction {
+  getDevices$: () => Observable<Array<DeviceView>>;
+  getDeviceByIdentifier$: (deviceIdentifier: string) => Observable<DeviceView>;
+  isDeviceKnownForUser$: (email: string, deviceIdentifier: string) => Observable<boolean>;
+  updateTrustedDeviceKeys$: (
+    deviceIdentifier: string,
+    devicePublicKeyEncryptedUserKey: string,
+    userKeyEncryptedDevicePublicKey: string,
+    deviceKeyEncryptedDevicePrivateKey: string
+  ) => Observable<DeviceView>;
+}
diff --git a/libs/common/src/abstractions/devices/responses/device.response.ts b/libs/common/src/abstractions/devices/responses/device.response.ts
index 331df2e16c..46874027cd 100644
--- a/libs/common/src/abstractions/devices/responses/device.response.ts
+++ b/libs/common/src/abstractions/devices/responses/device.response.ts
@@ -3,23 +3,20 @@ import { BaseResponse } from "../../../models/response/base.response";
 
 export class DeviceResponse extends BaseResponse {
   id: string;
-  name: number;
+  userId: string;
+  name: string;
   identifier: string;
   type: DeviceType;
   creationDate: string;
-  encryptedUserKey: string;
-  encryptedPublicKey: string;
-  encryptedPrivateKey: string;
-
+  revisionDate: string;
   constructor(response: any) {
     super(response);
     this.id = this.getResponseProperty("Id");
+    this.userId = this.getResponseProperty("UserId");
     this.name = this.getResponseProperty("Name");
     this.identifier = this.getResponseProperty("Identifier");
     this.type = this.getResponseProperty("Type");
     this.creationDate = this.getResponseProperty("CreationDate");
-    this.encryptedUserKey = this.getResponseProperty("EncryptedUserKey");
-    this.encryptedPublicKey = this.getResponseProperty("EncryptedPublicKey");
-    this.encryptedPrivateKey = this.getResponseProperty("EncryptedPrivateKey");
+    this.revisionDate = this.getResponseProperty("RevisionDate");
   }
 }
diff --git a/libs/common/src/abstractions/devices/views/device.view.ts b/libs/common/src/abstractions/devices/views/device.view.ts
new file mode 100644
index 0000000000..5438aa4de1
--- /dev/null
+++ b/libs/common/src/abstractions/devices/views/device.view.ts
@@ -0,0 +1,17 @@
+import { DeviceType } from "../../../enums";
+import { View } from "../../../models/view/view";
+import { DeviceResponse } from "../responses/device.response";
+
+export class DeviceView implements View {
+  id: string;
+  userId: string;
+  name: string;
+  identifier: string;
+  type: DeviceType;
+  creationDate: string;
+  revisionDate: string;
+
+  constructor(deviceResponse: DeviceResponse) {
+    Object.assign(this, deviceResponse);
+  }
+}
diff --git a/libs/common/src/abstractions/vault-timeout/vault-timeout-settings.service.ts b/libs/common/src/abstractions/vault-timeout/vault-timeout-settings.service.ts
new file mode 100644
index 0000000000..3f0e7ae98a
--- /dev/null
+++ b/libs/common/src/abstractions/vault-timeout/vault-timeout-settings.service.ts
@@ -0,0 +1,56 @@
+import { Observable } from "rxjs";
+
+import { VaultTimeoutAction } from "../../enums/vault-timeout-action.enum";
+import { PinLockType } from "../../services/vault-timeout/vault-timeout-settings.service";
+
+export abstract class VaultTimeoutSettingsService {
+  /**
+   * Set the vault timeout options for the user
+   * @param vaultTimeout The vault timeout in minutes
+   * @param vaultTimeoutAction The vault timeout action
+   * @param userId The user id to set. If not provided, the current user is used
+   */
+  setVaultTimeoutOptions: (
+    vaultTimeout: number,
+    vaultTimeoutAction: VaultTimeoutAction
+  ) => Promise<void>;
+
+  /**
+   * Get the available vault timeout actions for the current user
+   *
+   * **NOTE:** This observable is not yet connected to the state service, so it will not update when the state changes
+   * @param userId The user id to check. If not provided, the current user is used
+   */
+  availableVaultTimeoutActions$: (userId?: string) => Observable<VaultTimeoutAction[]>;
+
+  /**
+   * Get the current vault timeout action for the user. This is not the same as the current state, it is
+   * calculated based on the current state, the user's policy, and the user's available unlock methods.
+   */
+  getVaultTimeout: (userId?: string) => Promise<number>;
+
+  /**
+   * Observe the vault timeout action for the user. This is calculated based on users preferred lock action saved in the state,
+   * the user's policy, and the user's available unlock methods.
+   *
+   * **NOTE:** This observable is not yet connected to the state service, so it will not update when the state changes
+   * @param userId The user id to check. If not provided, the current user is used
+   */
+  vaultTimeoutAction$: (userId?: string) => Observable<VaultTimeoutAction>;
+
+  /**
+   * Has the user enabled unlock with Pin.
+   * @param userId The user id to check. If not provided, the current user is used
+   * @returns PinLockType
+   */
+  isPinLockSet: (userId?: string) => Promise<PinLockType>;
+
+  /**
+   * Has the user enabled unlock with Biometric.
+   * @param userId The user id to check. If not provided, the current user is used
+   * @returns boolean true if biometric lock is set
+   */
+  isBiometricLockSet: (userId?: string) => Promise<boolean>;
+
+  clear: (userId?: string) => Promise<void>;
+}
diff --git a/libs/common/src/abstractions/vaultTimeout/vaultTimeout.service.ts b/libs/common/src/abstractions/vault-timeout/vault-timeout.service.ts
similarity index 100%
rename from libs/common/src/abstractions/vaultTimeout/vaultTimeout.service.ts
rename to libs/common/src/abstractions/vault-timeout/vault-timeout.service.ts
diff --git a/libs/common/src/abstractions/vaultTimeout/vaultTimeoutSettings.service.ts b/libs/common/src/abstractions/vaultTimeout/vaultTimeoutSettings.service.ts
deleted file mode 100644
index 03f89b0476..0000000000
--- a/libs/common/src/abstractions/vaultTimeout/vaultTimeoutSettings.service.ts
+++ /dev/null
@@ -1,13 +0,0 @@
-import { VaultTimeoutAction } from "../../enums/vault-timeout-action.enum";
-
-export abstract class VaultTimeoutSettingsService {
-  setVaultTimeoutOptions: (
-    vaultTimeout: number,
-    vaultTimeoutAction: VaultTimeoutAction
-  ) => Promise<void>;
-  getVaultTimeout: (userId?: string) => Promise<number>;
-  getVaultTimeoutAction: (userId?: string) => Promise<VaultTimeoutAction>;
-  isPinLockSet: () => Promise<[boolean, boolean]>;
-  isBiometricLockSet: () => Promise<boolean>;
-  clear: (userId?: string) => Promise<void>;
-}
diff --git a/libs/common/src/auth/abstractions/auth-request-crypto.service.abstraction.ts b/libs/common/src/auth/abstractions/auth-request-crypto.service.abstraction.ts
new file mode 100644
index 0000000000..f18c8d45ba
--- /dev/null
+++ b/libs/common/src/auth/abstractions/auth-request-crypto.service.abstraction.ts
@@ -0,0 +1,24 @@
+import { UserKey, MasterKey } from "../../platform/models/domain/symmetric-crypto-key";
+import { AuthRequestResponse } from "../models/response/auth-request.response";
+
+export abstract class AuthRequestCryptoServiceAbstraction {
+  setUserKeyAfterDecryptingSharedUserKey: (
+    authReqResponse: AuthRequestResponse,
+    authReqPrivateKey: ArrayBuffer
+  ) => Promise<void>;
+  setKeysAfterDecryptingSharedMasterKeyAndHash: (
+    authReqResponse: AuthRequestResponse,
+    authReqPrivateKey: ArrayBuffer
+  ) => Promise<void>;
+
+  decryptPubKeyEncryptedUserKey: (
+    pubKeyEncryptedUserKey: string,
+    privateKey: ArrayBuffer
+  ) => Promise<UserKey>;
+
+  decryptPubKeyEncryptedMasterKeyAndHash: (
+    pubKeyEncryptedMasterKey: string,
+    pubKeyEncryptedMasterKeyHash: string,
+    privateKey: ArrayBuffer
+  ) => Promise<{ masterKey: MasterKey; masterKeyHash: string }>;
+}
diff --git a/libs/common/src/auth/abstractions/auth.service.ts b/libs/common/src/auth/abstractions/auth.service.ts
index 231521382f..b6978c54c5 100644
--- a/libs/common/src/auth/abstractions/auth.service.ts
+++ b/libs/common/src/auth/abstractions/auth.service.ts
@@ -1,7 +1,7 @@
 import { Observable } from "rxjs";
 
 import { AuthRequestPushNotification } from "../../models/response/notification.response";
-import { SymmetricCryptoKey } from "../../platform/models/domain/symmetric-crypto-key";
+import { MasterKey } from "../../platform/models/domain/symmetric-crypto-key";
 import { AuthenticationStatus } from "../enums/authentication-status";
 import { AuthResult } from "../models/domain/auth-result";
 import {
@@ -32,7 +32,7 @@ export abstract class AuthService {
     captchaResponse: string
   ) => Promise<AuthResult>;
   logOut: (callback: () => void) => void;
-  makePreloginKey: (masterPassword: string, email: string) => Promise<SymmetricCryptoKey>;
+  makePreloginKey: (masterPassword: string, email: string) => Promise<MasterKey>;
   authingWithUserApiKey: () => boolean;
   authingWithSso: () => boolean;
   authingWithPassword: () => boolean;
diff --git a/libs/common/src/auth/abstractions/device-trust-crypto.service.abstraction.ts b/libs/common/src/auth/abstractions/device-trust-crypto.service.abstraction.ts
new file mode 100644
index 0000000000..c30a567681
--- /dev/null
+++ b/libs/common/src/auth/abstractions/device-trust-crypto.service.abstraction.ts
@@ -0,0 +1,25 @@
+import { DeviceResponse } from "../../abstractions/devices/responses/device.response";
+import { EncString } from "../../platform/models/domain/enc-string";
+import { DeviceKey, UserKey } from "../../platform/models/domain/symmetric-crypto-key";
+
+export abstract class DeviceTrustCryptoServiceAbstraction {
+  /**
+   * @description Retrieves the users choice to trust the device which can only happen after decryption
+   * Note: this value should only be used once and then reset
+   */
+  getShouldTrustDevice: () => Promise<boolean | null>;
+  setShouldTrustDevice: (value: boolean) => Promise<void>;
+
+  trustDeviceIfRequired: () => Promise<void>;
+
+  trustDevice: () => Promise<DeviceResponse>;
+  getDeviceKey: () => Promise<DeviceKey>;
+  decryptUserKeyWithDeviceKey: (
+    encryptedDevicePrivateKey: EncString,
+    encryptedUserKey: EncString,
+    deviceKey?: DeviceKey
+  ) => Promise<UserKey | null>;
+  rotateDevicesTrust: (newUserKey: UserKey, masterPasswordHash: string) => Promise<void>;
+
+  supportsDeviceTrust: () => Promise<boolean>;
+}
diff --git a/libs/common/src/auth/abstractions/devices-api.service.abstraction.ts b/libs/common/src/auth/abstractions/devices-api.service.abstraction.ts
new file mode 100644
index 0000000000..1bf0385ba1
--- /dev/null
+++ b/libs/common/src/auth/abstractions/devices-api.service.abstraction.ts
@@ -0,0 +1,27 @@
+import { DeviceResponse } from "../../abstractions/devices/responses/device.response";
+import { ListResponse } from "../../models/response/list.response";
+import { SecretVerificationRequest } from "../models/request/secret-verification.request";
+import { UpdateDevicesTrustRequest } from "../models/request/update-devices-trust.request";
+import { ProtectedDeviceResponse } from "../models/response/protected-device.response";
+
+export abstract class DevicesApiServiceAbstraction {
+  getKnownDevice: (email: string, deviceIdentifier: string) => Promise<boolean>;
+
+  getDeviceByIdentifier: (deviceIdentifier: string) => Promise<DeviceResponse>;
+
+  getDevices: () => Promise<ListResponse<DeviceResponse>>;
+
+  updateTrustedDeviceKeys: (
+    deviceIdentifier: string,
+    devicePublicKeyEncryptedUserKey: string,
+    userKeyEncryptedDevicePublicKey: string,
+    deviceKeyEncryptedDevicePrivateKey: string
+  ) => Promise<DeviceResponse>;
+
+  updateTrust: (updateDevicesTrustRequestModel: UpdateDevicesTrustRequest) => Promise<void>;
+
+  getDeviceKeys: (
+    deviceIdentifier: string,
+    secretVerificationRequest: SecretVerificationRequest
+  ) => Promise<ProtectedDeviceResponse>;
+}
diff --git a/libs/common/src/auth/abstractions/key-connector.service.ts b/libs/common/src/auth/abstractions/key-connector.service.ts
index 0c4426a683..0722c89db9 100644
--- a/libs/common/src/auth/abstractions/key-connector.service.ts
+++ b/libs/common/src/auth/abstractions/key-connector.service.ts
@@ -2,7 +2,7 @@ import { Organization } from "../../admin-console/models/domain/organization";
 import { IdentityTokenResponse } from "../models/response/identity-token.response";
 
 export abstract class KeyConnectorService {
-  getAndSetKey: (url?: string) => Promise<void>;
+  setMasterKeyFromUrl: (url?: string) => Promise<void>;
   getManagingOrganization: () => Promise<Organization>;
   getUsesKeyConnector: () => Promise<boolean>;
   migrateUser: () => Promise<void>;
diff --git a/libs/common/src/auth/abstractions/password-reset-enrollment.service.abstraction.ts b/libs/common/src/auth/abstractions/password-reset-enrollment.service.abstraction.ts
new file mode 100644
index 0000000000..ccfe0d645c
--- /dev/null
+++ b/libs/common/src/auth/abstractions/password-reset-enrollment.service.abstraction.ts
@@ -0,0 +1,26 @@
+import { UserKey } from "../../platform/models/domain/symmetric-crypto-key";
+
+export abstract class PasswordResetEnrollmentServiceAbstraction {
+  /*
+   * Checks the user's enrollment status and enrolls them if required
+   */
+  abstract enrollIfRequired(organizationSsoIdentifier: string): Promise<void>;
+
+  /**
+   * Enroll current user in password reset
+   * @param organizationId - Organization in which to enroll the user
+   * @returns Promise that resolves when the user is enrolled
+   * @throws Error if the action fails
+   */
+  abstract enroll(organizationId: string): Promise<void>;
+
+  /**
+   * Enroll user in password reset
+   * @param organizationId - Organization in which to enroll the user
+   * @param userId - User to enroll
+   * @param userKey - User's symmetric key
+   * @returns Promise that resolves when the user is enrolled
+   * @throws Error if the action fails
+   */
+  abstract enroll(organizationId: string, userId: string, userKey: UserKey): Promise<void>;
+}
diff --git a/libs/common/src/auth/abstractions/user-verification/user-verification.service.abstraction.ts b/libs/common/src/auth/abstractions/user-verification/user-verification.service.abstraction.ts
index 09e4063434..46b8d753c9 100644
--- a/libs/common/src/auth/abstractions/user-verification/user-verification.service.abstraction.ts
+++ b/libs/common/src/auth/abstractions/user-verification/user-verification.service.abstraction.ts
@@ -9,4 +9,16 @@ export abstract class UserVerificationService {
   ) => Promise<T>;
   verifyUser: (verification: Verification) => Promise<boolean>;
   requestOTP: () => Promise<void>;
+  /**
+   * Check if user has master password or only uses passwordless technologies to log in
+   * @param userId The user id to check. If not provided, the current user is used
+   * @returns True if the user has a master password
+   */
+  hasMasterPassword: (userId?: string) => Promise<boolean>;
+  /**
+   * Check if the user has a master password and has used it during their current session
+   * @param userId The user id to check. If not provided, the current user id used
+   * @returns True if the user has a master password and has used it in the current session
+   */
+  hasMasterPasswordAndMasterKeyHash: (userId?: string) => Promise<boolean>;
 }
diff --git a/libs/common/src/auth/enums/auth-request-type.ts b/libs/common/src/auth/enums/auth-request-type.ts
index 4edfa5b888..31db246786 100644
--- a/libs/common/src/auth/enums/auth-request-type.ts
+++ b/libs/common/src/auth/enums/auth-request-type.ts
@@ -1,4 +1,5 @@
 export enum AuthRequestType {
   AuthenticateAndUnlock = 0,
   Unlock = 1,
+  AdminApproval = 2,
 }
diff --git a/libs/common/src/auth/login-strategies/login.strategy.spec.ts b/libs/common/src/auth/login-strategies/login.strategy.spec.ts
index ed958af6c7..f7128b35df 100644
--- a/libs/common/src/auth/login-strategies/login.strategy.spec.ts
+++ b/libs/common/src/auth/login-strategies/login.strategy.spec.ts
@@ -9,12 +9,25 @@ import { MessagingService } from "../../platform/abstractions/messaging.service"
 import { PlatformUtilsService } from "../../platform/abstractions/platform-utils.service";
 import { StateService } from "../../platform/abstractions/state.service";
 import { Utils } from "../../platform/misc/utils";
-import { Account, AccountProfile, AccountTokens } from "../../platform/models/domain/account";
+import {
+  Account,
+  AccountDecryptionOptions,
+  AccountKeys,
+  AccountProfile,
+  AccountTokens,
+} from "../../platform/models/domain/account";
 import { EncString } from "../../platform/models/domain/enc-string";
+import {
+  DeviceKey,
+  MasterKey,
+  SymmetricCryptoKey,
+  UserKey,
+} from "../../platform/models/domain/symmetric-crypto-key";
 import {
   PasswordStrengthService,
   PasswordStrengthServiceAbstraction,
 } from "../../tools/password-strength";
+import { CsprngArray } from "../../types/csprng";
 import { AuthService } from "../abstractions/auth.service";
 import { TokenService } from "../abstractions/token.service";
 import { TwoFactorService } from "../abstractions/two-factor.service";
@@ -28,6 +41,10 @@ import { IdentityCaptchaResponse } from "../models/response/identity-captcha.res
 import { IdentityTokenResponse } from "../models/response/identity-token.response";
 import { IdentityTwoFactorResponse } from "../models/response/identity-two-factor.response";
 import { MasterPasswordPolicyResponse } from "../models/response/master-password-policy.response";
+import {
+  IUserDecryptionOptionsServerResponse,
+  UserDecryptionOptionsResponse,
+} from "../models/response/user-decryption-options/user-decryption-options.response";
 
 import { PasswordLogInStrategy } from "./password-login.strategy";
 
@@ -37,7 +54,7 @@ const masterPassword = "password";
 const deviceId = Utils.newGuid();
 const accessToken = "ACCESS_TOKEN";
 const refreshToken = "REFRESH_TOKEN";
-const encKey = "ENC_KEY";
+const userKey = "USER_KEY";
 const privateKey = "PRIVATE_KEY";
 const captchaSiteKey = "CAPTCHA_SITE_KEY";
 const kdf = 0;
@@ -45,6 +62,13 @@ const kdfIterations = 10000;
 const userId = Utils.newGuid();
 const masterPasswordHash = "MASTER_PASSWORD_HASH";
 const name = "NAME";
+const defaultUserDecryptionOptionsServerResponse: IUserDecryptionOptionsServerResponse = {
+  HasMasterPassword: true,
+};
+const userDecryptionOptions = new UserDecryptionOptionsResponse(
+  defaultUserDecryptionOptionsServerResponse
+);
+const acctDecryptionOptions = AccountDecryptionOptions.fromResponse(userDecryptionOptions);
 
 const decodedToken = {
   sub: userId,
@@ -58,13 +82,14 @@ const twoFactorToken = "TWO_FACTOR_TOKEN";
 const twoFactorRemember = true;
 
 export function identityTokenResponseFactory(
-  masterPasswordPolicyResponse: MasterPasswordPolicyResponse = null
+  masterPasswordPolicyResponse: MasterPasswordPolicyResponse = null,
+  userDecryptionOptions: IUserDecryptionOptionsServerResponse = null
 ) {
   return new IdentityTokenResponse({
     ForcePasswordReset: false,
     Kdf: kdf,
     KdfIterations: kdfIterations,
-    Key: encKey,
+    Key: userKey,
     PrivateKey: privateKey,
     ResetMasterPassword: false,
     access_token: accessToken,
@@ -73,9 +98,11 @@ export function identityTokenResponseFactory(
     scope: "api offline_access",
     token_type: "Bearer",
     MasterPasswordPolicy: masterPasswordPolicyResponse,
+    UserDecryptionOptions: userDecryptionOptions || defaultUserDecryptionOptionsServerResponse,
   });
 }
 
+// TODO: add tests for latest changes to base class for TDE
 describe("LogInStrategy", () => {
   let cryptoService: MockProxy<CryptoService>;
   let apiService: MockProxy<ApiService>;
@@ -129,8 +156,23 @@ describe("LogInStrategy", () => {
   });
 
   describe("base class", () => {
-    it("sets the local environment after a successful login", async () => {
-      apiService.postIdentityToken.mockResolvedValue(identityTokenResponseFactory());
+    const userKeyBytesLength = 64;
+    const masterKeyBytesLength = 64;
+    let userKey: UserKey;
+    let masterKey: MasterKey;
+
+    beforeEach(() => {
+      userKey = new SymmetricCryptoKey(
+        new Uint8Array(userKeyBytesLength).buffer as CsprngArray
+      ) as UserKey;
+      masterKey = new SymmetricCryptoKey(
+        new Uint8Array(masterKeyBytesLength).buffer as CsprngArray
+      ) as MasterKey;
+    });
+
+    it("sets the local environment after a successful login with master password", async () => {
+      const idTokenResponse = identityTokenResponseFactory();
+      apiService.postIdentityToken.mockResolvedValue(idTokenResponse);
 
       await passwordLogInStrategy.logIn(credentials);
 
@@ -154,13 +196,36 @@ describe("LogInStrategy", () => {
               refreshToken: refreshToken,
             },
           },
+          keys: new AccountKeys(),
+          decryptionOptions: acctDecryptionOptions,
         })
       );
-      expect(cryptoService.setEncKey).toHaveBeenCalledWith(encKey);
-      expect(cryptoService.setEncPrivateKey).toHaveBeenCalledWith(privateKey);
       expect(messagingService.send).toHaveBeenCalledWith("loggedIn");
     });
 
+    it("persists a device key for trusted device encryption when it exists on login", async () => {
+      // Arrange
+      const idTokenResponse = identityTokenResponseFactory();
+      apiService.postIdentityToken.mockResolvedValue(idTokenResponse);
+
+      const deviceKey = new SymmetricCryptoKey(
+        new Uint8Array(userKeyBytesLength).buffer as CsprngArray
+      ) as DeviceKey;
+
+      stateService.getDeviceKey.mockResolvedValue(deviceKey);
+
+      const accountKeys = new AccountKeys();
+      accountKeys.deviceKey = deviceKey;
+
+      // Act
+      await passwordLogInStrategy.logIn(credentials);
+
+      // Assert
+      expect(stateService.addAccount).toHaveBeenCalledWith(
+        expect.objectContaining({ keys: accountKeys })
+      );
+    });
+
     it("builds AuthResult", async () => {
       const tokenResponse = identityTokenResponseFactory();
       tokenResponse.forcePasswordReset = true;
@@ -187,6 +252,8 @@ describe("LogInStrategy", () => {
       });
 
       apiService.postIdentityToken.mockResolvedValue(tokenResponse);
+      cryptoService.getMasterKey.mockResolvedValue(masterKey);
+      cryptoService.decryptUserKeyWithMasterKey.mockResolvedValue(userKey);
 
       const result = await passwordLogInStrategy.logIn(credentials);
 
@@ -204,13 +271,15 @@ describe("LogInStrategy", () => {
       cryptoService.makeKeyPair.mockResolvedValue(["PUBLIC_KEY", new EncString("PRIVATE_KEY")]);
 
       apiService.postIdentityToken.mockResolvedValue(tokenResponse);
+      cryptoService.getMasterKey.mockResolvedValue(masterKey);
+      cryptoService.decryptUserKeyWithMasterKey.mockResolvedValue(userKey);
 
       await passwordLogInStrategy.logIn(credentials);
 
-      // User key must be set before the new RSA keypair is generated, otherwise we can't decrypt the EncKey
-      expect(cryptoService.setKey).toHaveBeenCalled();
+      // User symmetric key must be set before the new RSA keypair is generated
+      expect(cryptoService.setUserKey).toHaveBeenCalled();
       expect(cryptoService.makeKeyPair).toHaveBeenCalled();
-      expect(cryptoService.setKey.mock.invocationCallOrder[0]).toBeLessThan(
+      expect(cryptoService.setUserKey.mock.invocationCallOrder[0]).toBeLessThan(
         cryptoService.makeKeyPair.mock.invocationCallOrder[0]
       );
 
diff --git a/libs/common/src/auth/login-strategies/login.strategy.ts b/libs/common/src/auth/login-strategies/login.strategy.ts
index fbfa912f43..7bc8358016 100644
--- a/libs/common/src/auth/login-strategies/login.strategy.ts
+++ b/libs/common/src/auth/login-strategies/login.strategy.ts
@@ -6,7 +6,13 @@ import { LogService } from "../../platform/abstractions/log.service";
 import { MessagingService } from "../../platform/abstractions/messaging.service";
 import { PlatformUtilsService } from "../../platform/abstractions/platform-utils.service";
 import { StateService } from "../../platform/abstractions/state.service";
-import { Account, AccountProfile, AccountTokens } from "../../platform/models/domain/account";
+import {
+  Account,
+  AccountDecryptionOptions,
+  AccountKeys,
+  AccountProfile,
+  AccountTokens,
+} from "../../platform/models/domain/account";
 import { TokenService } from "../abstractions/token.service";
 import { TwoFactorService } from "../abstractions/two-factor.service";
 import { TwoFactorProviderType } from "../enums/two-factor-provider-type";
@@ -53,9 +59,6 @@ export abstract class LogInStrategy {
       | PasswordlessLogInCredentials
   ): Promise<AuthResult>;
 
-  // The user key comes from different sources depending on the login strategy
-  protected abstract setUserKey(response: IdentityTokenResponse): Promise<void>;
-
   async logInTwoFactor(
     twoFactor: TokenTwoFactorRequest,
     captchaResponse: string = null
@@ -101,12 +104,28 @@ export abstract class LogInStrategy {
 
   protected async saveAccountInformation(tokenResponse: IdentityTokenResponse) {
     const accountInformation = await this.tokenService.decodeToken(tokenResponse.accessToken);
+
+    // Must persist existing device key if it exists for trusted device decryption to work
+    // However, we must provide a user id so that the device key can be retrieved
+    // as the state service won't have an active account at this point in time
+    // even though the data exists in local storage.
+    const userId = accountInformation.sub;
+
+    const deviceKey = await this.stateService.getDeviceKey({ userId });
+    const accountKeys = new AccountKeys();
+    if (deviceKey) {
+      accountKeys.deviceKey = deviceKey;
+    }
+
+    // If you don't persist existing admin auth requests on login, they will get deleted.
+    const adminAuthRequest = await this.stateService.getAdminAuthRequest({ userId });
+
     await this.stateService.addAccount(
       new Account({
         profile: {
           ...new AccountProfile(),
           ...{
-            userId: accountInformation.sub,
+            userId,
             name: accountInformation.name,
             email: accountInformation.email,
             hasPremiumPersonally: accountInformation.premium,
@@ -123,6 +142,11 @@ export abstract class LogInStrategy {
             refreshToken: tokenResponse.refreshToken,
           },
         },
+        keys: accountKeys,
+        decryptionOptions: AccountDecryptionOptions.fromResponse(
+          tokenResponse.userDecryptionOptions
+        ),
+        adminAuthRequest: adminAuthRequest?.toJSON(),
       })
     );
   }
@@ -135,28 +159,41 @@ export abstract class LogInStrategy {
       result.forcePasswordReset = ForceResetPasswordReason.AdminForcePasswordReset;
     }
 
+    // Must come before setting keys, user key needs email to update additional keys
     await this.saveAccountInformation(response);
 
     if (response.twoFactorToken != null) {
       await this.tokenService.setTwoFactorToken(response);
     }
 
+    await this.setMasterKey(response);
+
     await this.setUserKey(response);
 
-    // Must come after the user Key is set, otherwise createKeyPairForOldAccount will fail
-    const newSsoUser = response.key == null;
-    if (!newSsoUser) {
-      await this.cryptoService.setEncKey(response.key);
-      await this.cryptoService.setEncPrivateKey(
-        response.privateKey ?? (await this.createKeyPairForOldAccount())
-      );
-    }
+    await this.setPrivateKey(response);
 
     this.messagingService.send("loggedIn");
 
     return result;
   }
 
+  // The keys comes from different sources depending on the login strategy
+  protected abstract setMasterKey(response: IdentityTokenResponse): Promise<void>;
+
+  protected abstract setUserKey(response: IdentityTokenResponse): Promise<void>;
+
+  protected abstract setPrivateKey(response: IdentityTokenResponse): Promise<void>;
+
+  protected async createKeyPairForOldAccount() {
+    try {
+      const [publicKey, privateKey] = await this.cryptoService.makeKeyPair();
+      await this.apiService.postAccountKeys(new KeysRequest(publicKey, privateKey.encryptedString));
+      return privateKey.encryptedString;
+    } catch (e) {
+      this.logService.error(e);
+    }
+  }
+
   private async processTwoFactorResponse(response: IdentityTwoFactorResponse): Promise<AuthResult> {
     const result = new AuthResult();
     result.twoFactorProviders = response.twoFactorProviders2;
@@ -173,14 +210,4 @@ export abstract class LogInStrategy {
     result.captchaSiteKey = response.siteKey;
     return result;
   }
-
-  private async createKeyPairForOldAccount() {
-    try {
-      const [publicKey, privateKey] = await this.cryptoService.makeKeyPair();
-      await this.apiService.postAccountKeys(new KeysRequest(publicKey, privateKey.encryptedString));
-      return privateKey.encryptedString;
-    } catch (e) {
-      this.logService.error(e);
-    }
-  }
 }
diff --git a/libs/common/src/auth/login-strategies/password-login.strategy.spec.ts b/libs/common/src/auth/login-strategies/password-login.strategy.spec.ts
index 9e3ff7da68..64cbc23d6a 100644
--- a/libs/common/src/auth/login-strategies/password-login.strategy.spec.ts
+++ b/libs/common/src/auth/login-strategies/password-login.strategy.spec.ts
@@ -10,17 +10,23 @@ import { MessagingService } from "../../platform/abstractions/messaging.service"
 import { PlatformUtilsService } from "../../platform/abstractions/platform-utils.service";
 import { StateService } from "../../platform/abstractions/state.service";
 import { Utils } from "../../platform/misc/utils";
-import { SymmetricCryptoKey } from "../../platform/models/domain/symmetric-crypto-key";
+import {
+  MasterKey,
+  SymmetricCryptoKey,
+  UserKey,
+} from "../../platform/models/domain/symmetric-crypto-key";
 import {
   PasswordStrengthService,
   PasswordStrengthServiceAbstraction,
 } from "../../tools/password-strength";
+import { CsprngArray } from "../../types/csprng";
 import { AuthService } from "../abstractions/auth.service";
 import { TokenService } from "../abstractions/token.service";
 import { TwoFactorService } from "../abstractions/two-factor.service";
 import { TwoFactorProviderType } from "../enums/two-factor-provider-type";
 import { ForceResetPasswordReason } from "../models/domain/force-reset-password-reason";
 import { PasswordLogInCredentials } from "../models/domain/log-in-credentials";
+import { IdentityTokenResponse } from "../models/response/identity-token.response";
 import { IdentityTwoFactorResponse } from "../models/response/identity-two-factor.response";
 import { MasterPasswordPolicyResponse } from "../models/response/master-password-policy.response";
 
@@ -31,11 +37,11 @@ const email = "hello@world.com";
 const masterPassword = "password";
 const hashedPassword = "HASHED_PASSWORD";
 const localHashedPassword = "LOCAL_HASHED_PASSWORD";
-const preloginKey = new SymmetricCryptoKey(
+const masterKey = new SymmetricCryptoKey(
   Utils.fromB64ToArray(
     "N2KWjlLpfi5uHjv+YcfUKIpZ1l+W+6HRensmIqD+BFYBf6N/dvFpJfWwYnVBdgFCK2tJTAIMLhqzIQQEUmGFgg=="
   )
-);
+) as MasterKey;
 const deviceId = Utils.newGuid();
 const masterPasswordPolicy = new MasterPasswordPolicyResponse({
   EnforceOnLogin: true,
@@ -58,6 +64,7 @@ describe("PasswordLogInStrategy", () => {
 
   let passwordLogInStrategy: PasswordLogInStrategy;
   let credentials: PasswordLogInCredentials;
+  let tokenResponse: IdentityTokenResponse;
 
   beforeEach(async () => {
     cryptoService = mock<CryptoService>();
@@ -76,12 +83,12 @@ describe("PasswordLogInStrategy", () => {
     appIdService.getAppId.mockResolvedValue(deviceId);
     tokenService.decodeToken.mockResolvedValue({});
 
-    authService.makePreloginKey.mockResolvedValue(preloginKey);
+    authService.makePreloginKey.mockResolvedValue(masterKey);
 
-    cryptoService.hashPassword
+    cryptoService.hashMasterKey
       .calledWith(masterPassword, expect.anything(), undefined)
       .mockResolvedValue(hashedPassword);
-    cryptoService.hashPassword
+    cryptoService.hashMasterKey
       .calledWith(masterPassword, expect.anything(), HashPurpose.LocalAuthorization)
       .mockResolvedValue(localHashedPassword);
 
@@ -102,10 +109,9 @@ describe("PasswordLogInStrategy", () => {
       authService
     );
     credentials = new PasswordLogInCredentials(email, masterPassword);
+    tokenResponse = identityTokenResponseFactory(masterPasswordPolicy);
 
-    apiService.postIdentityToken.mockResolvedValue(
-      identityTokenResponseFactory(masterPasswordPolicy)
-    );
+    apiService.postIdentityToken.mockResolvedValue(tokenResponse);
   });
 
   it("sends master password credentials to the server", async () => {
@@ -127,15 +133,23 @@ describe("PasswordLogInStrategy", () => {
     );
   });
 
-  it("sets the local environment after a successful login", async () => {
+  it("sets keys after a successful authentication", async () => {
+    const userKey = new SymmetricCryptoKey(new Uint8Array(64).buffer as CsprngArray) as UserKey;
+
+    cryptoService.getMasterKey.mockResolvedValue(masterKey);
+    cryptoService.decryptUserKeyWithMasterKey.mockResolvedValue(userKey);
+
     await passwordLogInStrategy.logIn(credentials);
 
-    expect(cryptoService.setKey).toHaveBeenCalledWith(preloginKey);
-    expect(cryptoService.setKeyHash).toHaveBeenCalledWith(localHashedPassword);
+    expect(cryptoService.setMasterKey).toHaveBeenCalledWith(masterKey);
+    expect(cryptoService.setMasterKeyHash).toHaveBeenCalledWith(localHashedPassword);
+    expect(cryptoService.setMasterKeyEncryptedUserKey).toHaveBeenCalledWith(tokenResponse.key);
+    expect(cryptoService.setUserKey).toHaveBeenCalledWith(userKey);
+    expect(cryptoService.setPrivateKey).toHaveBeenCalledWith(tokenResponse.privateKey);
   });
 
   it("does not force the user to update their master password when there are no requirements", async () => {
-    apiService.postIdentityToken.mockResolvedValueOnce(identityTokenResponseFactory(null));
+    apiService.postIdentityToken.mockResolvedValueOnce(identityTokenResponseFactory());
 
     const result = await passwordLogInStrategy.logIn(credentials);
 
diff --git a/libs/common/src/auth/login-strategies/password-login.strategy.ts b/libs/common/src/auth/login-strategies/password-login.strategy.ts
index 41f7c30ec7..7f7ec58569 100644
--- a/libs/common/src/auth/login-strategies/password-login.strategy.ts
+++ b/libs/common/src/auth/login-strategies/password-login.strategy.ts
@@ -8,7 +8,7 @@ import { LogService } from "../../platform/abstractions/log.service";
 import { MessagingService } from "../../platform/abstractions/messaging.service";
 import { PlatformUtilsService } from "../../platform/abstractions/platform-utils.service";
 import { StateService } from "../../platform/abstractions/state.service";
-import { SymmetricCryptoKey } from "../../platform/models/domain/symmetric-crypto-key";
+import { MasterKey } from "../../platform/models/domain/symmetric-crypto-key";
 import { PasswordStrengthServiceAbstraction } from "../../tools/password-strength";
 import { AuthService } from "../abstractions/auth.service";
 import { TokenService } from "../abstractions/token.service";
@@ -35,8 +35,8 @@ export class PasswordLogInStrategy extends LogInStrategy {
 
   tokenRequest: PasswordTokenRequest;
 
-  private localHashedPassword: string;
-  private key: SymmetricCryptoKey;
+  private localMasterKeyHash: string;
+  private masterKey: MasterKey;
 
   /**
    * Options to track if the user needs to update their password due to a password that does not meet an organization's
@@ -71,12 +71,7 @@ export class PasswordLogInStrategy extends LogInStrategy {
     );
   }
 
-  async setUserKey() {
-    await this.cryptoService.setKey(this.key);
-    await this.cryptoService.setKeyHash(this.localHashedPassword);
-  }
-
-  async logInTwoFactor(
+  override async logInTwoFactor(
     twoFactor: TokenTwoFactorRequest,
     captchaResponse: string
   ): Promise<AuthResult> {
@@ -96,28 +91,29 @@ export class PasswordLogInStrategy extends LogInStrategy {
     return result;
   }
 
-  async logIn(credentials: PasswordLogInCredentials) {
+  override async logIn(credentials: PasswordLogInCredentials) {
     const { email, masterPassword, captchaToken, twoFactor } = credentials;
 
-    this.key = await this.authService.makePreloginKey(masterPassword, email);
+    this.masterKey = await this.authService.makePreloginKey(masterPassword, email);
 
     // Hash the password early (before authentication) so we don't persist it in memory in plaintext
-    this.localHashedPassword = await this.cryptoService.hashPassword(
+    this.localMasterKeyHash = await this.cryptoService.hashMasterKey(
       masterPassword,
-      this.key,
+      this.masterKey,
       HashPurpose.LocalAuthorization
     );
-    const hashedPassword = await this.cryptoService.hashPassword(masterPassword, this.key);
+    const masterKeyHash = await this.cryptoService.hashMasterKey(masterPassword, this.masterKey);
 
     this.tokenRequest = new PasswordTokenRequest(
       email,
-      hashedPassword,
+      masterKeyHash,
       captchaToken,
       await this.buildTwoFactor(twoFactor),
       await this.buildDeviceRequest()
     );
 
     const [authResult, identityResponse] = await this.startLogIn();
+
     const masterPasswordPolicyOptions =
       this.getMasterPasswordPolicyOptionsFromResponse(identityResponse);
 
@@ -145,6 +141,27 @@ export class PasswordLogInStrategy extends LogInStrategy {
     return authResult;
   }
 
+  protected override async setMasterKey(response: IdentityTokenResponse) {
+    await this.cryptoService.setMasterKey(this.masterKey);
+    await this.cryptoService.setMasterKeyHash(this.localMasterKeyHash);
+  }
+
+  protected override async setUserKey(response: IdentityTokenResponse): Promise<void> {
+    await this.cryptoService.setMasterKeyEncryptedUserKey(response.key);
+
+    const masterKey = await this.cryptoService.getMasterKey();
+    if (masterKey) {
+      const userKey = await this.cryptoService.decryptUserKeyWithMasterKey(masterKey);
+      await this.cryptoService.setUserKey(userKey);
+    }
+  }
+
+  protected override async setPrivateKey(response: IdentityTokenResponse): Promise<void> {
+    await this.cryptoService.setPrivateKey(
+      response.privateKey ?? (await this.createKeyPairForOldAccount())
+    );
+  }
+
   private getMasterPasswordPolicyOptionsFromResponse(
     response: IdentityTokenResponse | IdentityTwoFactorResponse | IdentityCaptchaResponse
   ): MasterPasswordPolicyOptions {
diff --git a/libs/common/src/auth/login-strategies/passwordless-login.strategy.spec.ts b/libs/common/src/auth/login-strategies/passwordless-login.strategy.spec.ts
new file mode 100644
index 0000000000..8bbd36436c
--- /dev/null
+++ b/libs/common/src/auth/login-strategies/passwordless-login.strategy.spec.ts
@@ -0,0 +1,138 @@
+import { mock, MockProxy } from "jest-mock-extended";
+
+import { ApiService } from "../../abstractions/api.service";
+import { AppIdService } from "../../platform/abstractions/app-id.service";
+import { CryptoService } from "../../platform/abstractions/crypto.service";
+import { LogService } from "../../platform/abstractions/log.service";
+import { MessagingService } from "../../platform/abstractions/messaging.service";
+import { PlatformUtilsService } from "../../platform/abstractions/platform-utils.service";
+import { StateService } from "../../platform/abstractions/state.service";
+import { Utils } from "../../platform/misc/utils";
+import {
+  MasterKey,
+  SymmetricCryptoKey,
+  UserKey,
+} from "../../platform/models/domain/symmetric-crypto-key";
+import { CsprngArray } from "../../types/csprng";
+import { DeviceTrustCryptoServiceAbstraction } from "../abstractions/device-trust-crypto.service.abstraction";
+import { TokenService } from "../abstractions/token.service";
+import { TwoFactorService } from "../abstractions/two-factor.service";
+import { PasswordlessLogInCredentials } from "../models/domain/log-in-credentials";
+import { IdentityTokenResponse } from "../models/response/identity-token.response";
+
+import { identityTokenResponseFactory } from "./login.strategy.spec";
+import { PasswordlessLogInStrategy } from "./passwordless-login.strategy";
+
+describe("PasswordlessLogInStrategy", () => {
+  let cryptoService: MockProxy<CryptoService>;
+  let apiService: MockProxy<ApiService>;
+  let tokenService: MockProxy<TokenService>;
+  let appIdService: MockProxy<AppIdService>;
+  let platformUtilsService: MockProxy<PlatformUtilsService>;
+  let messagingService: MockProxy<MessagingService>;
+  let logService: MockProxy<LogService>;
+  let stateService: MockProxy<StateService>;
+  let twoFactorService: MockProxy<TwoFactorService>;
+  let deviceTrustCryptoService: MockProxy<DeviceTrustCryptoServiceAbstraction>;
+
+  let passwordlessLoginStrategy: PasswordlessLogInStrategy;
+  let credentials: PasswordlessLogInCredentials;
+  let tokenResponse: IdentityTokenResponse;
+
+  const deviceId = Utils.newGuid();
+
+  const email = "EMAIL";
+  const accessCode = "ACCESS_CODE";
+  const authRequestId = "AUTH_REQUEST_ID";
+  const decMasterKey = new SymmetricCryptoKey(
+    new Uint8Array(64).buffer as CsprngArray
+  ) as MasterKey;
+  const decUserKey = new SymmetricCryptoKey(new Uint8Array(64).buffer as CsprngArray) as UserKey;
+  const decMasterKeyHash = "LOCAL_PASSWORD_HASH";
+
+  beforeEach(async () => {
+    cryptoService = mock<CryptoService>();
+    apiService = mock<ApiService>();
+    tokenService = mock<TokenService>();
+    appIdService = mock<AppIdService>();
+    platformUtilsService = mock<PlatformUtilsService>();
+    messagingService = mock<MessagingService>();
+    logService = mock<LogService>();
+    stateService = mock<StateService>();
+    twoFactorService = mock<TwoFactorService>();
+    deviceTrustCryptoService = mock<DeviceTrustCryptoServiceAbstraction>();
+
+    tokenService.getTwoFactorToken.mockResolvedValue(null);
+    appIdService.getAppId.mockResolvedValue(deviceId);
+    tokenService.decodeToken.mockResolvedValue({});
+
+    passwordlessLoginStrategy = new PasswordlessLogInStrategy(
+      cryptoService,
+      apiService,
+      tokenService,
+      appIdService,
+      platformUtilsService,
+      messagingService,
+      logService,
+      stateService,
+      twoFactorService,
+      deviceTrustCryptoService
+    );
+
+    tokenResponse = identityTokenResponseFactory();
+    apiService.postIdentityToken.mockResolvedValue(tokenResponse);
+  });
+
+  it("sets keys after a successful authentication when masterKey and masterKeyHash provided in login credentials", async () => {
+    credentials = new PasswordlessLogInCredentials(
+      email,
+      accessCode,
+      authRequestId,
+      null,
+      decMasterKey,
+      decMasterKeyHash
+    );
+
+    const masterKey = new SymmetricCryptoKey(new Uint8Array(64).buffer as CsprngArray) as MasterKey;
+    const userKey = new SymmetricCryptoKey(new Uint8Array(64).buffer as CsprngArray) as UserKey;
+
+    cryptoService.getMasterKey.mockResolvedValue(masterKey);
+    cryptoService.decryptUserKeyWithMasterKey.mockResolvedValue(userKey);
+
+    await passwordlessLoginStrategy.logIn(credentials);
+
+    expect(cryptoService.setMasterKey).toHaveBeenCalledWith(masterKey);
+    expect(cryptoService.setMasterKeyHash).toHaveBeenCalledWith(decMasterKeyHash);
+    expect(cryptoService.setMasterKeyEncryptedUserKey).toHaveBeenCalledWith(tokenResponse.key);
+    expect(cryptoService.setUserKey).toHaveBeenCalledWith(userKey);
+    expect(deviceTrustCryptoService.trustDeviceIfRequired).toHaveBeenCalled();
+    expect(cryptoService.setPrivateKey).toHaveBeenCalledWith(tokenResponse.privateKey);
+  });
+
+  it("sets keys after a successful authentication when only userKey provided in login credentials", async () => {
+    // Initialize credentials with only userKey
+    credentials = new PasswordlessLogInCredentials(
+      email,
+      accessCode,
+      authRequestId,
+      decUserKey, // Pass userKey
+      null, // No masterKey
+      null // No masterKeyHash
+    );
+
+    // Call logIn
+    await passwordlessLoginStrategy.logIn(credentials);
+
+    // setMasterKey and setMasterKeyHash should not be called
+    expect(cryptoService.setMasterKey).not.toHaveBeenCalled();
+    expect(cryptoService.setMasterKeyHash).not.toHaveBeenCalled();
+
+    // setMasterKeyEncryptedUserKey, setUserKey, and setPrivateKey should still be called
+    expect(cryptoService.setMasterKeyEncryptedUserKey).toHaveBeenCalledWith(tokenResponse.key);
+    expect(cryptoService.setUserKey).toHaveBeenCalledWith(decUserKey);
+    expect(cryptoService.setPrivateKey).toHaveBeenCalledWith(tokenResponse.privateKey);
+
+    // trustDeviceIfRequired should be called
+    expect(deviceTrustCryptoService.trustDeviceIfRequired).not.toHaveBeenCalled();
+  });
+});
diff --git a/libs/common/src/auth/login-strategies/passwordless-login.strategy.ts b/libs/common/src/auth/login-strategies/passwordless-login.strategy.ts
index 382c55f06e..bcaacb69f1 100644
--- a/libs/common/src/auth/login-strategies/passwordless-login.strategy.ts
+++ b/libs/common/src/auth/login-strategies/passwordless-login.strategy.ts
@@ -5,13 +5,14 @@ import { LogService } from "../../platform/abstractions/log.service";
 import { MessagingService } from "../../platform/abstractions/messaging.service";
 import { PlatformUtilsService } from "../../platform/abstractions/platform-utils.service";
 import { StateService } from "../../platform/abstractions/state.service";
-import { AuthService } from "../abstractions/auth.service";
+import { DeviceTrustCryptoServiceAbstraction } from "../abstractions/device-trust-crypto.service.abstraction";
 import { TokenService } from "../abstractions/token.service";
 import { TwoFactorService } from "../abstractions/two-factor.service";
 import { AuthResult } from "../models/domain/auth-result";
 import { PasswordlessLogInCredentials } from "../models/domain/log-in-credentials";
 import { PasswordTokenRequest } from "../models/request/identity-token/password-token.request";
 import { TokenTwoFactorRequest } from "../models/request/identity-token/token-two-factor.request";
+import { IdentityTokenResponse } from "../models/response/identity-token.response";
 
 import { LogInStrategy } from "./login.strategy";
 
@@ -41,7 +42,7 @@ export class PasswordlessLogInStrategy extends LogInStrategy {
     logService: LogService,
     stateService: StateService,
     twoFactorService: TwoFactorService,
-    private authService: AuthService
+    private deviceTrustCryptoService: DeviceTrustCryptoServiceAbstraction
   ) {
     super(
       cryptoService,
@@ -56,20 +57,7 @@ export class PasswordlessLogInStrategy extends LogInStrategy {
     );
   }
 
-  async setUserKey() {
-    await this.cryptoService.setKey(this.passwordlessCredentials.decKey);
-    await this.cryptoService.setKeyHash(this.passwordlessCredentials.localPasswordHash);
-  }
-
-  async logInTwoFactor(
-    twoFactor: TokenTwoFactorRequest,
-    captchaResponse: string
-  ): Promise<AuthResult> {
-    this.tokenRequest.captchaResponse = captchaResponse ?? this.captchaBypassToken;
-    return super.logInTwoFactor(twoFactor);
-  }
-
-  async logIn(credentials: PasswordlessLogInCredentials) {
+  override async logIn(credentials: PasswordlessLogInCredentials) {
     this.passwordlessCredentials = credentials;
 
     this.tokenRequest = new PasswordTokenRequest(
@@ -84,4 +72,52 @@ export class PasswordlessLogInStrategy extends LogInStrategy {
     const [authResult] = await this.startLogIn();
     return authResult;
   }
+
+  override async logInTwoFactor(
+    twoFactor: TokenTwoFactorRequest,
+    captchaResponse: string
+  ): Promise<AuthResult> {
+    this.tokenRequest.captchaResponse = captchaResponse ?? this.captchaBypassToken;
+    return super.logInTwoFactor(twoFactor);
+  }
+
+  protected override async setMasterKey(response: IdentityTokenResponse) {
+    if (
+      this.passwordlessCredentials.decryptedMasterKey &&
+      this.passwordlessCredentials.decryptedMasterKeyHash
+    ) {
+      await this.cryptoService.setMasterKey(this.passwordlessCredentials.decryptedMasterKey);
+      await this.cryptoService.setMasterKeyHash(
+        this.passwordlessCredentials.decryptedMasterKeyHash
+      );
+    }
+  }
+
+  protected override async setUserKey(response: IdentityTokenResponse): Promise<void> {
+    // User now may or may not have a master password
+    // but set the master key encrypted user key if it exists regardless
+    await this.cryptoService.setMasterKeyEncryptedUserKey(response.key);
+
+    if (this.passwordlessCredentials.decryptedUserKey) {
+      await this.cryptoService.setUserKey(this.passwordlessCredentials.decryptedUserKey);
+    } else {
+      await this.trySetUserKeyWithMasterKey();
+      // Establish trust if required after setting user key
+      await this.deviceTrustCryptoService.trustDeviceIfRequired();
+    }
+  }
+
+  private async trySetUserKeyWithMasterKey(): Promise<void> {
+    const masterKey = await this.cryptoService.getMasterKey();
+    if (masterKey) {
+      const userKey = await this.cryptoService.decryptUserKeyWithMasterKey(masterKey);
+      await this.cryptoService.setUserKey(userKey);
+    }
+  }
+
+  protected override async setPrivateKey(response: IdentityTokenResponse): Promise<void> {
+    await this.cryptoService.setPrivateKey(
+      response.privateKey ?? (await this.createKeyPairForOldAccount())
+    );
+  }
 }
diff --git a/libs/common/src/auth/login-strategies/sso-login.strategy.spec.ts b/libs/common/src/auth/login-strategies/sso-login.strategy.spec.ts
index e0225fcacc..78d0a491c3 100644
--- a/libs/common/src/auth/login-strategies/sso-login.strategy.spec.ts
+++ b/libs/common/src/auth/login-strategies/sso-login.strategy.spec.ts
@@ -3,19 +3,34 @@ import { mock, MockProxy } from "jest-mock-extended";
 import { ApiService } from "../../abstractions/api.service";
 import { AppIdService } from "../../platform/abstractions/app-id.service";
 import { CryptoService } from "../../platform/abstractions/crypto.service";
+import { I18nService } from "../../platform/abstractions/i18n.service";
 import { LogService } from "../../platform/abstractions/log.service";
 import { MessagingService } from "../../platform/abstractions/messaging.service";
 import { PlatformUtilsService } from "../../platform/abstractions/platform-utils.service";
 import { StateService } from "../../platform/abstractions/state.service";
 import { Utils } from "../../platform/misc/utils";
+import {
+  DeviceKey,
+  MasterKey,
+  SymmetricCryptoKey,
+  UserKey,
+} from "../../platform/models/domain/symmetric-crypto-key";
+import { CsprngArray } from "../../types/csprng";
+import { AuthRequestCryptoServiceAbstraction } from "../abstractions/auth-request-crypto.service.abstraction";
+import { DeviceTrustCryptoServiceAbstraction } from "../abstractions/device-trust-crypto.service.abstraction";
 import { KeyConnectorService } from "../abstractions/key-connector.service";
 import { TokenService } from "../abstractions/token.service";
 import { TwoFactorService } from "../abstractions/two-factor.service";
 import { SsoLogInCredentials } from "../models/domain/log-in-credentials";
+import { IdentityTokenResponse } from "../models/response/identity-token.response";
+import { IUserDecryptionOptionsServerResponse } from "../models/response/user-decryption-options/user-decryption-options.response";
 
 import { identityTokenResponseFactory } from "./login.strategy.spec";
 import { SsoLogInStrategy } from "./sso-login.strategy";
 
+// TODO: Add tests for new trySetUserKeyWithApprovedAdminRequestIfExists logic
+// https://bitwarden.atlassian.net/browse/PM-3339
+
 describe("SsoLogInStrategy", () => {
   let cryptoService: MockProxy<CryptoService>;
   let apiService: MockProxy<ApiService>;
@@ -27,6 +42,9 @@ describe("SsoLogInStrategy", () => {
   let stateService: MockProxy<StateService>;
   let twoFactorService: MockProxy<TwoFactorService>;
   let keyConnectorService: MockProxy<KeyConnectorService>;
+  let deviceTrustCryptoService: MockProxy<DeviceTrustCryptoServiceAbstraction>;
+  let authRequestCryptoService: MockProxy<AuthRequestCryptoServiceAbstraction>;
+  let i18nService: MockProxy<I18nService>;
 
   let ssoLogInStrategy: SsoLogInStrategy;
   let credentials: SsoLogInCredentials;
@@ -50,6 +68,9 @@ describe("SsoLogInStrategy", () => {
     stateService = mock<StateService>();
     twoFactorService = mock<TwoFactorService>();
     keyConnectorService = mock<KeyConnectorService>();
+    deviceTrustCryptoService = mock<DeviceTrustCryptoServiceAbstraction>();
+    authRequestCryptoService = mock<AuthRequestCryptoServiceAbstraction>();
+    i18nService = mock<I18nService>();
 
     tokenService.getTwoFactorToken.mockResolvedValue(null);
     appIdService.getAppId.mockResolvedValue(deviceId);
@@ -65,7 +86,10 @@ describe("SsoLogInStrategy", () => {
       logService,
       stateService,
       twoFactorService,
-      keyConnectorService
+      keyConnectorService,
+      deviceTrustCryptoService,
+      authRequestCryptoService,
+      i18nService
     );
     credentials = new SsoLogInCredentials(ssoCode, ssoCodeVerifier, ssoRedirectUrl, ssoOrgId);
   });
@@ -98,33 +122,194 @@ describe("SsoLogInStrategy", () => {
 
     await ssoLogInStrategy.logIn(credentials);
 
-    expect(cryptoService.setEncPrivateKey).not.toHaveBeenCalled();
-    expect(cryptoService.setEncKey).not.toHaveBeenCalled();
+    expect(cryptoService.setMasterKey).not.toHaveBeenCalled();
+    expect(cryptoService.setUserKey).not.toHaveBeenCalled();
+    expect(cryptoService.setPrivateKey).not.toHaveBeenCalled();
   });
 
-  it("gets and sets KeyConnector key for enrolled user", async () => {
+  it("sets master key encrypted user key for existing SSO users", async () => {
+    // Arrange
     const tokenResponse = identityTokenResponseFactory();
-    tokenResponse.keyConnectorUrl = keyConnectorUrl;
-
     apiService.postIdentityToken.mockResolvedValue(tokenResponse);
 
+    // Act
     await ssoLogInStrategy.logIn(credentials);
 
-    expect(keyConnectorService.getAndSetKey).toHaveBeenCalledWith(keyConnectorUrl);
+    // Assert
+    expect(cryptoService.setMasterKeyEncryptedUserKey).toHaveBeenCalledTimes(1);
+    expect(cryptoService.setMasterKeyEncryptedUserKey).toHaveBeenCalledWith(tokenResponse.key);
   });
 
-  it("converts new SSO user to Key Connector on first login", async () => {
-    const tokenResponse = identityTokenResponseFactory();
-    tokenResponse.keyConnectorUrl = keyConnectorUrl;
-    tokenResponse.key = null;
+  describe("Trusted Device Decryption", () => {
+    const deviceKeyBytesLength = 64;
+    const mockDeviceKeyRandomBytes = new Uint8Array(deviceKeyBytesLength).buffer as CsprngArray;
+    const mockDeviceKey: DeviceKey = new SymmetricCryptoKey(mockDeviceKeyRandomBytes) as DeviceKey;
 
-    apiService.postIdentityToken.mockResolvedValue(tokenResponse);
+    const userKeyBytesLength = 64;
+    const mockUserKeyRandomBytes = new Uint8Array(userKeyBytesLength).buffer as CsprngArray;
+    const mockUserKey: UserKey = new SymmetricCryptoKey(mockUserKeyRandomBytes) as UserKey;
 
-    await ssoLogInStrategy.logIn(credentials);
+    const mockEncDevicePrivateKey =
+      "2.eh465OrUcluL9UpnCOUTAg==|2HXNXwrLwAjUfZ/U75c92rZEltt1eHxjMkp/ADAmx346oT1+GaQvaL1QIV/9Om0T72m8AnlO92iUfWdhbA/ifHZ+lhFoUVeyw1M88CMzktbVcq42rFoK7SGHSAGdTL3ccUWKI8yCCQJhpt2X6a/5+T7ey5k2CqvylKyOtkiCnVeLmYqETn5BM9Rl3tEgJW1yDLuSJ+L+Qh9xnk/Z3zJUV5HAs+YwjKwuSNrd00SXjDyx8rBEstD9MKI+lrk7to/q90vqKqCucAj/dzUpVtHe88al2AAlBVwQ13HUPdNFOyti6niUgCAWx+DzRqlhkFvl/z/rtxtQsyqq/3Eh/EL54ylxKzAya0ev9EaIOm/dD1aBmI58p4Bs0eMOCIKJjtw+Cmdql+RhCtKtumgFShqyXv+LfD/FgUsdTVNExk3YNhgwPR4jOaMa/j9LCrBMCLKxdAhQyBe7T3qoX1fBBirvY6t77ifMu1YEQ6DfmFphVSwDH5C9xGeTSh5IELSf0tGVtlWUe9RffDDzccD0L1lR8U+dqzoSTYCuXvhEhQptdIW6fpH/47u0M5MiI97/d35A7Et2I1gjHp7WF3qsY20ellBueu7ZL5P1BmqPXl58yaBBXJaCutYHDfIucspqdZmfBGEbdRT4wmuZRON0J8zLmUejM0VR/2MOmpfyYQXnJhTfrvnZ1bOg1aMhUxJ2vhDNPXUFm5b+vwsho4GEvcLAKq9WwbvOJ/sK7sEVfTfEO2IG+0X6wkWm7RpR6Wq9FGKSrv2PSjMAYnb+z3ETeWiaaiD+tVFxa2AaqsbOuX092/86GySpHES7cFWhQ/YMOgj6egUi8mEC0CqMXYsx0TTJDsn16oP+XB3a2WoRqzE0YBozp2aMXxhVf/jMZ03BmEmRQu5B+Sq1gMEZwtIfJ+srkZLMYlLjvVw92FRoFy+N6ytPiyf6RMHMUnJ3vEZSBogaElYoQAtFJ5kK811CUzb78zEHH8xWtPrCZn9zZfvf/zaWxo7fpV8VwAwUeHXHcQMraZum5QeO+5tLRUYrLm85JNelGfmUA3BjfNyFbfb32PhkWWd0CbDaPME48uIriVK32pNEtvtR/+I/f3YgA/jP9kSlDvbzG/OAg/AFBIpNwKUzsu4+va8mI+O5FDufw5D74WwdGJ9DeyEb2CHtWMR1VwtFKL0ZZsqltNf8EkBeJ5RtTNtAMM8ie4dDZaKC96ymQHKrdB4hjkAr0F1XFsU4XdOa9Nbkdcm/7KoNc6bE6oJtG9lqE8h+1CysfcbfJ7am+hvDFzT0IPmp3GDSMAk+e6xySgFQw0C/SZ7LQsxPa1s6hc+BOtTn0oClZnU7Mowxv+z+xURJj4Yp3Cy6tAoia1jEQSs6lSMNKPf9bi3xFKtPl4143hwhpvTAzJUcski9OVGd7Du+VyxwIrvLqp5Ct/oNrESVJpf1EDCs9xT1EW+PiSkRmHXoZ1t5MOLFEiMAZL2+bNe3A2661oJeMtps8zrfCVc251OUE1WvqWePlTOs5TDVqdwDH88J6rHLsbaf33Mxh5DP8gMfZQxE44Nsp6H0/Szfkss5UmFwBEpHjl1GJMWDnB3u2d+l1CSkLoB6C+diAUlY6wL/VwJBeMPHZTf6amQIS2B/lo/CnvV/E3k=|uuoY4b7xwMYBNIZi85KBsaHmNqtJl5FrKxZI9ugeNwc=";
 
-    expect(keyConnectorService.convertNewSsoUserToKeyConnector).toHaveBeenCalledWith(
-      tokenResponse,
-      ssoOrgId
-    );
+    const mockEncUserKey =
+      "4.Xht6K9GA9jKcSNy4TaIvdj7f9+WsgQycs/HdkrJi33aC//roKkjf3UTGpdzFLxVP3WhyOVGyo9f2Jymf1MFPdpg7AuMnpGJlcrWLDbnPjOJo4x5gUwwBUmy3nFw6+wamyS1LRmrBPcv56yKpf80k5Q3hUrum8q9YS9m2I10vklX/TaB1YML0yo+K1feWUxg8vIx+vloxhUdkkysvcV5xU3R+AgYLrwvJS8TLL7Ug/P5HxinCaIroRrNe8xcv84vyVnzPFdXe0cfZ0cpcrm586LwfEXP2seeldO/bC51Uk/mudeSALJURPC64f5ch2cOvk48GOTapGnssCqr6ky5yFw==";
+
+    const userDecryptionOptsServerResponseWithTdeOption: IUserDecryptionOptionsServerResponse = {
+      HasMasterPassword: true,
+      TrustedDeviceOption: {
+        HasAdminApproval: true,
+        HasLoginApprovingDevice: true,
+        HasManageResetPasswordPermission: false,
+        EncryptedPrivateKey: mockEncDevicePrivateKey,
+        EncryptedUserKey: mockEncUserKey,
+      },
+    };
+
+    const mockIdTokenResponseWithModifiedTrustedDeviceOption = (key: string, value: any) => {
+      const userDecryptionOpts: IUserDecryptionOptionsServerResponse = {
+        ...userDecryptionOptsServerResponseWithTdeOption,
+        TrustedDeviceOption: {
+          ...userDecryptionOptsServerResponseWithTdeOption.TrustedDeviceOption,
+          [key]: value,
+        },
+      };
+      return identityTokenResponseFactory(null, userDecryptionOpts);
+    };
+
+    beforeEach(() => {
+      jest.clearAllMocks();
+    });
+
+    it("decrypts and sets user key when trusted device decryption option exists with valid device key and enc key data", async () => {
+      // Arrange
+      const idTokenResponse: IdentityTokenResponse = identityTokenResponseFactory(
+        null,
+        userDecryptionOptsServerResponseWithTdeOption
+      );
+
+      apiService.postIdentityToken.mockResolvedValue(idTokenResponse);
+      deviceTrustCryptoService.getDeviceKey.mockResolvedValue(mockDeviceKey);
+      deviceTrustCryptoService.decryptUserKeyWithDeviceKey.mockResolvedValue(mockUserKey);
+
+      const cryptoSvcSetUserKeySpy = jest.spyOn(cryptoService, "setUserKey");
+
+      // Act
+      await ssoLogInStrategy.logIn(credentials);
+
+      // Assert
+      expect(deviceTrustCryptoService.getDeviceKey).toHaveBeenCalledTimes(1);
+      expect(deviceTrustCryptoService.decryptUserKeyWithDeviceKey).toHaveBeenCalledTimes(1);
+      expect(cryptoSvcSetUserKeySpy).toHaveBeenCalledTimes(1);
+      expect(cryptoSvcSetUserKeySpy).toHaveBeenCalledWith(mockUserKey);
+    });
+
+    it("does not set the user key when deviceKey is missing", async () => {
+      // Arrange
+      const idTokenResponse: IdentityTokenResponse = identityTokenResponseFactory(
+        null,
+        userDecryptionOptsServerResponseWithTdeOption
+      );
+      apiService.postIdentityToken.mockResolvedValue(idTokenResponse);
+      // Set deviceKey to be null
+      deviceTrustCryptoService.getDeviceKey.mockResolvedValue(null);
+      deviceTrustCryptoService.decryptUserKeyWithDeviceKey.mockResolvedValue(mockUserKey);
+
+      // Act
+      await ssoLogInStrategy.logIn(credentials);
+
+      // Assert
+      expect(cryptoService.setUserKey).not.toHaveBeenCalled();
+    });
+
+    describe.each([
+      {
+        valueName: "encDevicePrivateKey",
+      },
+      {
+        valueName: "encUserKey",
+      },
+    ])("given trusted device decryption option has missing encrypted key data", ({ valueName }) => {
+      it(`does not set the user key when ${valueName} is missing`, async () => {
+        // Arrange
+        const idTokenResponse = mockIdTokenResponseWithModifiedTrustedDeviceOption(valueName, null);
+        apiService.postIdentityToken.mockResolvedValue(idTokenResponse);
+        deviceTrustCryptoService.getDeviceKey.mockResolvedValue(mockDeviceKey);
+
+        // Act
+        await ssoLogInStrategy.logIn(credentials);
+
+        // Assert
+        expect(cryptoService.setUserKey).not.toHaveBeenCalled();
+      });
+    });
+
+    it("does not set user key when decrypted user key is null", async () => {
+      // Arrange
+      const idTokenResponse: IdentityTokenResponse = identityTokenResponseFactory(
+        null,
+        userDecryptionOptsServerResponseWithTdeOption
+      );
+      apiService.postIdentityToken.mockResolvedValue(idTokenResponse);
+      deviceTrustCryptoService.getDeviceKey.mockResolvedValue(mockDeviceKey);
+      // Set userKey to be null
+      deviceTrustCryptoService.decryptUserKeyWithDeviceKey.mockResolvedValue(null);
+
+      // Act
+      await ssoLogInStrategy.logIn(credentials);
+
+      // Assert
+      expect(cryptoService.setUserKey).not.toHaveBeenCalled();
+    });
+  });
+
+  describe("Key Connector", () => {
+    let tokenResponse: IdentityTokenResponse;
+    beforeEach(() => {
+      tokenResponse = identityTokenResponseFactory();
+      tokenResponse.keyConnectorUrl = keyConnectorUrl;
+    });
+
+    it("gets and sets the master key if Key Connector is enabled", async () => {
+      const masterKey = new SymmetricCryptoKey(
+        new Uint8Array(64).buffer as CsprngArray
+      ) as MasterKey;
+
+      apiService.postIdentityToken.mockResolvedValue(tokenResponse);
+      cryptoService.getMasterKey.mockResolvedValue(masterKey);
+
+      await ssoLogInStrategy.logIn(credentials);
+
+      expect(keyConnectorService.setMasterKeyFromUrl).toHaveBeenCalledWith(keyConnectorUrl);
+    });
+
+    it("converts new SSO user to Key Connector on first login", async () => {
+      tokenResponse.key = null;
+
+      apiService.postIdentityToken.mockResolvedValue(tokenResponse);
+
+      await ssoLogInStrategy.logIn(credentials);
+
+      expect(keyConnectorService.convertNewSsoUserToKeyConnector).toHaveBeenCalledWith(
+        tokenResponse,
+        ssoOrgId
+      );
+    });
+
+    it("decrypts and sets the user key if Key Connector is enabled", async () => {
+      const userKey = new SymmetricCryptoKey(new Uint8Array(64).buffer as CsprngArray) as UserKey;
+      const masterKey = new SymmetricCryptoKey(
+        new Uint8Array(64).buffer as CsprngArray
+      ) as MasterKey;
+
+      apiService.postIdentityToken.mockResolvedValue(tokenResponse);
+      cryptoService.getMasterKey.mockResolvedValue(masterKey);
+      cryptoService.decryptUserKeyWithMasterKey.mockResolvedValue(userKey);
+
+      await ssoLogInStrategy.logIn(credentials);
+
+      expect(cryptoService.decryptUserKeyWithMasterKey).toHaveBeenCalledWith(masterKey);
+      expect(cryptoService.setUserKey).toHaveBeenCalledWith(userKey);
+    });
   });
 });
diff --git a/libs/common/src/auth/login-strategies/sso-login.strategy.ts b/libs/common/src/auth/login-strategies/sso-login.strategy.ts
index c77aa16841..3bfa5ce01f 100644
--- a/libs/common/src/auth/login-strategies/sso-login.strategy.ts
+++ b/libs/common/src/auth/login-strategies/sso-login.strategy.ts
@@ -1,10 +1,16 @@
 import { ApiService } from "../../abstractions/api.service";
+import { AuthRequestResponse } from "../../auth/models/response/auth-request.response";
+import { HttpStatusCode } from "../../enums";
+import { ErrorResponse } from "../../models/response/error.response";
 import { AppIdService } from "../../platform/abstractions/app-id.service";
 import { CryptoService } from "../../platform/abstractions/crypto.service";
+import { I18nService } from "../../platform/abstractions/i18n.service";
 import { LogService } from "../../platform/abstractions/log.service";
 import { MessagingService } from "../../platform/abstractions/messaging.service";
 import { PlatformUtilsService } from "../../platform/abstractions/platform-utils.service";
 import { StateService } from "../../platform/abstractions/state.service";
+import { AuthRequestCryptoServiceAbstraction } from "../abstractions/auth-request-crypto.service.abstraction";
+import { DeviceTrustCryptoServiceAbstraction } from "../abstractions/device-trust-crypto.service.abstraction";
 import { KeyConnectorService } from "../abstractions/key-connector.service";
 import { TokenService } from "../abstractions/token.service";
 import { TwoFactorService } from "../abstractions/two-factor.service";
@@ -34,7 +40,10 @@ export class SsoLogInStrategy extends LogInStrategy {
     logService: LogService,
     stateService: StateService,
     twoFactorService: TwoFactorService,
-    private keyConnectorService: KeyConnectorService
+    private keyConnectorService: KeyConnectorService,
+    private deviceTrustCryptoService: DeviceTrustCryptoServiceAbstraction,
+    private authReqCryptoService: AuthRequestCryptoServiceAbstraction,
+    private i18nService: I18nService
   ) {
     super(
       cryptoService,
@@ -49,18 +58,6 @@ export class SsoLogInStrategy extends LogInStrategy {
     );
   }
 
-  async setUserKey(tokenResponse: IdentityTokenResponse) {
-    const newSsoUser = tokenResponse.key == null;
-
-    if (tokenResponse.keyConnectorUrl != null) {
-      if (!newSsoUser) {
-        await this.keyConnectorService.getAndSetKey(tokenResponse.keyConnectorUrl);
-      } else {
-        await this.keyConnectorService.convertNewSsoUserToKeyConnector(tokenResponse, this.orgId);
-      }
-    }
-  }
-
   async logIn(credentials: SsoLogInCredentials) {
     this.orgId = credentials.orgId;
     this.tokenRequest = new SsoTokenRequest(
@@ -78,4 +75,155 @@ export class SsoLogInStrategy extends LogInStrategy {
 
     return ssoAuthResult;
   }
+
+  protected override async setMasterKey(tokenResponse: IdentityTokenResponse) {
+    // TODO: discuss how this is no longer true with TDE
+    // eventually we’ll need to support migration of existing TDE users to Key Connector
+    const newSsoUser = tokenResponse.key == null;
+
+    if (tokenResponse.keyConnectorUrl != null) {
+      if (!newSsoUser) {
+        await this.keyConnectorService.setMasterKeyFromUrl(tokenResponse.keyConnectorUrl);
+      } else {
+        await this.keyConnectorService.convertNewSsoUserToKeyConnector(tokenResponse, this.orgId);
+      }
+    }
+  }
+
+  // TODO: future passkey login strategy will need to support setting user key (decrypting via TDE or admin approval request)
+  // so might be worth moving this logic to a common place (base login strategy or a separate service?)
+  protected override async setUserKey(tokenResponse: IdentityTokenResponse): Promise<void> {
+    const masterKeyEncryptedUserKey = tokenResponse.key;
+
+    // Note: masterKeyEncryptedUserKey is undefined for SSO JIT provisioned users
+    // on account creation and subsequent logins (confirmed or unconfirmed)
+    // but that is fine for TDE so we cannot return if it is undefined
+
+    if (masterKeyEncryptedUserKey) {
+      // set the master key encrypted user key if it exists
+      await this.cryptoService.setMasterKeyEncryptedUserKey(masterKeyEncryptedUserKey);
+    }
+
+    const userDecryptionOptions = tokenResponse?.userDecryptionOptions;
+
+    // Note: TDE and key connector are mutually exclusive
+    if (userDecryptionOptions?.trustedDeviceOption) {
+      await this.trySetUserKeyWithApprovedAdminRequestIfExists();
+
+      const hasUserKey = await this.cryptoService.hasUserKey();
+
+      // Only try to set user key with device key if admin approval request was not successful
+      if (!hasUserKey) {
+        await this.trySetUserKeyWithDeviceKey(tokenResponse);
+      }
+    } else if (
+      // TODO: remove tokenResponse.keyConnectorUrl when it's deprecated
+      masterKeyEncryptedUserKey != null &&
+      (tokenResponse.keyConnectorUrl || userDecryptionOptions?.keyConnectorOption?.keyConnectorUrl)
+    ) {
+      // Key connector enabled for user
+      await this.trySetUserKeyWithMasterKey();
+    }
+
+    // Note: In the traditional SSO flow with MP without key connector, the lock component
+    // is responsible for deriving master key from MP entry and then decrypting the user key
+  }
+
+  private async trySetUserKeyWithApprovedAdminRequestIfExists(): Promise<void> {
+    // At this point a user could have an admin auth request that has been approved
+    const adminAuthReqStorable = await this.stateService.getAdminAuthRequest();
+
+    if (!adminAuthReqStorable) {
+      return;
+    }
+
+    // Call server to see if admin auth request has been approved
+    let adminAuthReqResponse: AuthRequestResponse;
+
+    try {
+      adminAuthReqResponse = await this.apiService.getAuthRequest(adminAuthReqStorable.id);
+    } catch (error) {
+      if (error instanceof ErrorResponse && error.statusCode === HttpStatusCode.NotFound) {
+        // if we get a 404, it means the auth request has been deleted so clear it from storage
+        await this.stateService.setAdminAuthRequest(null);
+      }
+
+      // Always return on an error here as we don't want to block the user from logging in
+      return;
+    }
+
+    if (adminAuthReqResponse?.requestApproved) {
+      // if masterPasswordHash has a value, we will always receive authReqResponse.key
+      // as authRequestPublicKey(masterKey) + authRequestPublicKey(masterPasswordHash)
+      if (adminAuthReqResponse.masterPasswordHash) {
+        await this.authReqCryptoService.setKeysAfterDecryptingSharedMasterKeyAndHash(
+          adminAuthReqResponse,
+          adminAuthReqStorable.privateKey
+        );
+      } else {
+        // if masterPasswordHash is null, we will always receive authReqResponse.key
+        // as authRequestPublicKey(userKey)
+        await this.authReqCryptoService.setUserKeyAfterDecryptingSharedUserKey(
+          adminAuthReqResponse,
+          adminAuthReqStorable.privateKey
+        );
+      }
+
+      if (await this.cryptoService.hasUserKey()) {
+        // Now that we have a decrypted user key in memory, we can check if we
+        // need to establish trust on the current device
+        await this.deviceTrustCryptoService.trustDeviceIfRequired();
+
+        // if we successfully decrypted the user key, we can delete the admin auth request out of state
+        // TODO: eventually we post and clean up DB as well once consumed on client
+        await this.stateService.setAdminAuthRequest(null);
+
+        this.platformUtilsService.showToast("success", null, this.i18nService.t("loginApproved"));
+      }
+    }
+  }
+
+  private async trySetUserKeyWithDeviceKey(tokenResponse: IdentityTokenResponse): Promise<void> {
+    const trustedDeviceOption = tokenResponse.userDecryptionOptions?.trustedDeviceOption;
+
+    const deviceKey = await this.deviceTrustCryptoService.getDeviceKey();
+    const encDevicePrivateKey = trustedDeviceOption?.encryptedPrivateKey;
+    const encUserKey = trustedDeviceOption?.encryptedUserKey;
+
+    if (!deviceKey || !encDevicePrivateKey || !encUserKey) {
+      return;
+    }
+
+    const userKey = await this.deviceTrustCryptoService.decryptUserKeyWithDeviceKey(
+      encDevicePrivateKey,
+      encUserKey,
+      deviceKey
+    );
+
+    if (userKey) {
+      await this.cryptoService.setUserKey(userKey);
+    }
+  }
+
+  private async trySetUserKeyWithMasterKey(): Promise<void> {
+    const masterKey = await this.cryptoService.getMasterKey();
+
+    if (!masterKey) {
+      throw new Error("Master key not found");
+    }
+
+    const userKey = await this.cryptoService.decryptUserKeyWithMasterKey(masterKey);
+
+    await this.cryptoService.setUserKey(userKey);
+  }
+
+  protected override async setPrivateKey(tokenResponse: IdentityTokenResponse): Promise<void> {
+    const newSsoUser = tokenResponse.key == null;
+
+    if (!newSsoUser) {
+      await this.cryptoService.setPrivateKey(
+        tokenResponse.privateKey ?? (await this.createKeyPairForOldAccount())
+      );
+    }
+  }
 }
diff --git a/libs/common/src/auth/login-strategies/user-api-login.strategy.spec.ts b/libs/common/src/auth/login-strategies/user-api-login.strategy.spec.ts
index 92cae9d98c..044b594b89 100644
--- a/libs/common/src/auth/login-strategies/user-api-login.strategy.spec.ts
+++ b/libs/common/src/auth/login-strategies/user-api-login.strategy.spec.ts
@@ -9,6 +9,12 @@ import { MessagingService } from "../../platform/abstractions/messaging.service"
 import { PlatformUtilsService } from "../../platform/abstractions/platform-utils.service";
 import { StateService } from "../../platform/abstractions/state.service";
 import { Utils } from "../../platform/misc/utils";
+import {
+  MasterKey,
+  SymmetricCryptoKey,
+  UserKey,
+} from "../../platform/models/domain/symmetric-crypto-key";
+import { CsprngArray } from "../../types/csprng";
 import { KeyConnectorService } from "../abstractions/key-connector.service";
 import { TokenService } from "../abstractions/token.service";
 import { TwoFactorService } from "../abstractions/two-factor.service";
@@ -101,7 +107,18 @@ describe("UserApiLogInStrategy", () => {
     expect(stateService.addAccount).toHaveBeenCalled();
   });
 
-  it("gets and sets the Key Connector key from environmentUrl", async () => {
+  it("sets the encrypted user key and private key from the identity token response", async () => {
+    const tokenResponse = identityTokenResponseFactory();
+
+    apiService.postIdentityToken.mockResolvedValue(tokenResponse);
+
+    await apiLogInStrategy.logIn(credentials);
+
+    expect(cryptoService.setMasterKeyEncryptedUserKey).toHaveBeenCalledWith(tokenResponse.key);
+    expect(cryptoService.setPrivateKey).toHaveBeenCalledWith(tokenResponse.privateKey);
+  });
+
+  it("gets and sets the master key if Key Connector is enabled", async () => {
     const tokenResponse = identityTokenResponseFactory();
     tokenResponse.apiUseKeyConnector = true;
 
@@ -110,6 +127,24 @@ describe("UserApiLogInStrategy", () => {
 
     await apiLogInStrategy.logIn(credentials);
 
-    expect(keyConnectorService.getAndSetKey).toHaveBeenCalledWith(keyConnectorUrl);
+    expect(keyConnectorService.setMasterKeyFromUrl).toHaveBeenCalledWith(keyConnectorUrl);
+  });
+
+  it("decrypts and sets the user key if Key Connector is enabled", async () => {
+    const userKey = new SymmetricCryptoKey(new Uint8Array(64).buffer as CsprngArray) as UserKey;
+    const masterKey = new SymmetricCryptoKey(new Uint8Array(64).buffer as CsprngArray) as MasterKey;
+
+    const tokenResponse = identityTokenResponseFactory();
+    tokenResponse.apiUseKeyConnector = true;
+
+    apiService.postIdentityToken.mockResolvedValue(tokenResponse);
+    environmentService.getKeyConnectorUrl.mockReturnValue(keyConnectorUrl);
+    cryptoService.getMasterKey.mockResolvedValue(masterKey);
+    cryptoService.decryptUserKeyWithMasterKey.mockResolvedValue(userKey);
+
+    await apiLogInStrategy.logIn(credentials);
+
+    expect(cryptoService.decryptUserKeyWithMasterKey).toHaveBeenCalledWith(masterKey);
+    expect(cryptoService.setUserKey).toHaveBeenCalledWith(userKey);
   });
 });
diff --git a/libs/common/src/auth/login-strategies/user-api-login.strategy.ts b/libs/common/src/auth/login-strategies/user-api-login.strategy.ts
index 967856ddd3..80aed0d153 100644
--- a/libs/common/src/auth/login-strategies/user-api-login.strategy.ts
+++ b/libs/common/src/auth/login-strategies/user-api-login.strategy.ts
@@ -44,14 +44,7 @@ export class UserApiLogInStrategy extends LogInStrategy {
     );
   }
 
-  async setUserKey(tokenResponse: IdentityTokenResponse) {
-    if (tokenResponse.apiUseKeyConnector) {
-      const keyConnectorUrl = this.environmentService.getKeyConnectorUrl();
-      await this.keyConnectorService.getAndSetKey(keyConnectorUrl);
-    }
-  }
-
-  async logIn(credentials: UserApiLogInCredentials) {
+  override async logIn(credentials: UserApiLogInCredentials) {
     this.tokenRequest = new UserApiTokenRequest(
       credentials.clientId,
       credentials.clientSecret,
@@ -63,6 +56,31 @@ export class UserApiLogInStrategy extends LogInStrategy {
     return authResult;
   }
 
+  protected override async setMasterKey(response: IdentityTokenResponse) {
+    if (response.apiUseKeyConnector) {
+      const keyConnectorUrl = this.environmentService.getKeyConnectorUrl();
+      await this.keyConnectorService.setMasterKeyFromUrl(keyConnectorUrl);
+    }
+  }
+
+  protected override async setUserKey(response: IdentityTokenResponse): Promise<void> {
+    await this.cryptoService.setMasterKeyEncryptedUserKey(response.key);
+
+    if (response.apiUseKeyConnector) {
+      const masterKey = await this.cryptoService.getMasterKey();
+      if (masterKey) {
+        const userKey = await this.cryptoService.decryptUserKeyWithMasterKey(masterKey);
+        await this.cryptoService.setUserKey(userKey);
+      }
+    }
+  }
+
+  protected override async setPrivateKey(response: IdentityTokenResponse): Promise<void> {
+    await this.cryptoService.setPrivateKey(
+      response.privateKey ?? (await this.createKeyPairForOldAccount())
+    );
+  }
+
   protected async saveAccountInformation(tokenResponse: IdentityTokenResponse) {
     await super.saveAccountInformation(tokenResponse);
     await this.stateService.setApiKeyClientId(this.tokenRequest.clientId);
diff --git a/libs/common/src/auth/models/domain/admin-auth-req-storable.ts b/libs/common/src/auth/models/domain/admin-auth-req-storable.ts
new file mode 100644
index 0000000000..1eae7eeab1
--- /dev/null
+++ b/libs/common/src/auth/models/domain/admin-auth-req-storable.ts
@@ -0,0 +1,41 @@
+import { Utils } from "../../../platform/misc/utils";
+
+// TODO: Tech Debt: potentially create a type Storage shape vs using a class here in the future
+// type StorageShape {
+//   id: string;
+//   privateKey: string;
+// }
+// so we can get rid of the any type passed into fromJSON and coming out of ToJSON
+export class AdminAuthRequestStorable {
+  id: string;
+  privateKey: Uint8Array;
+
+  constructor(init?: Partial<AdminAuthRequestStorable>) {
+    if (init) {
+      Object.assign(this, init);
+    }
+  }
+
+  toJSON() {
+    return {
+      id: this.id,
+      privateKey: Utils.fromBufferToByteString(this.privateKey),
+    };
+  }
+
+  static fromJSON(obj: any): AdminAuthRequestStorable {
+    if (obj == null) {
+      return null;
+    }
+
+    let privateKeyBuffer = null;
+    if (obj.privateKey) {
+      privateKeyBuffer = Utils.fromByteStringToArray(obj.privateKey);
+    }
+
+    return new AdminAuthRequestStorable({
+      id: obj.id,
+      privateKey: privateKeyBuffer,
+    });
+  }
+}
diff --git a/libs/common/src/auth/models/domain/auth-result.ts b/libs/common/src/auth/models/domain/auth-result.ts
index 7a88d490f0..c0a6f034ae 100644
--- a/libs/common/src/auth/models/domain/auth-result.ts
+++ b/libs/common/src/auth/models/domain/auth-result.ts
@@ -5,7 +5,14 @@ import { ForceResetPasswordReason } from "./force-reset-password-reason";
 
 export class AuthResult {
   captchaSiteKey = "";
+  // TODO: PM-3287 - Remove this after 3 releases of backwards compatibility. - Target release 2023.12 for removal
+  /**
+   * @deprecated
+   * Replace with using AccountDecryptionOptions to determine if the user does
+   * not have a master password and is not using Key Connector.
+   * */
   resetMasterPassword = false;
+
   forcePasswordReset: ForceResetPasswordReason = ForceResetPasswordReason.None;
   twoFactorProviders: Map<TwoFactorProviderType, { [key: string]: string }> = null;
   ssoEmail2FaSessionToken?: string;
diff --git a/libs/common/src/auth/models/domain/log-in-credentials.ts b/libs/common/src/auth/models/domain/log-in-credentials.ts
index 5312b13751..7022bb66de 100644
--- a/libs/common/src/auth/models/domain/log-in-credentials.ts
+++ b/libs/common/src/auth/models/domain/log-in-credentials.ts
@@ -1,4 +1,4 @@
-import { SymmetricCryptoKey } from "../../../platform/models/domain/symmetric-crypto-key";
+import { MasterKey, UserKey } from "../../../platform/models/domain/symmetric-crypto-key";
 import { AuthenticationType } from "../../enums/authentication-type";
 import { TokenTwoFactorRequest } from "../request/identity-token/token-two-factor.request";
 
@@ -38,8 +38,9 @@ export class PasswordlessLogInCredentials {
     public email: string,
     public accessCode: string,
     public authRequestId: string,
-    public decKey: SymmetricCryptoKey,
-    public localPasswordHash: string,
+    public decryptedUserKey: UserKey,
+    public decryptedMasterKey: MasterKey,
+    public decryptedMasterKeyHash: string,
     public twoFactor?: TokenTwoFactorRequest
   ) {}
 }
diff --git a/libs/common/src/auth/models/domain/user-decryption-options/key-connector-user-decryption-option.ts b/libs/common/src/auth/models/domain/user-decryption-options/key-connector-user-decryption-option.ts
new file mode 100644
index 0000000000..3422c078e4
--- /dev/null
+++ b/libs/common/src/auth/models/domain/user-decryption-options/key-connector-user-decryption-option.ts
@@ -0,0 +1,3 @@
+export class KeyConnectorUserDecryptionOption {
+  constructor(public keyConnectorUrl: string) {}
+}
diff --git a/libs/common/src/auth/models/domain/user-decryption-options/trusted-device-user-decryption-option.ts b/libs/common/src/auth/models/domain/user-decryption-options/trusted-device-user-decryption-option.ts
new file mode 100644
index 0000000000..7d7211061f
--- /dev/null
+++ b/libs/common/src/auth/models/domain/user-decryption-options/trusted-device-user-decryption-option.ts
@@ -0,0 +1,7 @@
+export class TrustedDeviceUserDecryptionOption {
+  constructor(
+    public hasAdminApproval: boolean,
+    public hasLoginApprovingDevice: boolean,
+    public hasManageResetPasswordPermission: boolean
+  ) {}
+}
diff --git a/libs/common/src/auth/models/request/update-devices-trust.request.ts b/libs/common/src/auth/models/request/update-devices-trust.request.ts
new file mode 100644
index 0000000000..000e9f139d
--- /dev/null
+++ b/libs/common/src/auth/models/request/update-devices-trust.request.ts
@@ -0,0 +1,15 @@
+import { SecretVerificationRequest } from "./secret-verification.request";
+
+export class UpdateDevicesTrustRequest extends SecretVerificationRequest {
+  currentDevice: DeviceKeysUpdateRequest;
+  otherDevices: OtherDeviceKeysUpdateRequest[];
+}
+
+export class DeviceKeysUpdateRequest {
+  encryptedPublicKey: string;
+  encryptedUserKey: string;
+}
+
+export class OtherDeviceKeysUpdateRequest extends DeviceKeysUpdateRequest {
+  id: string;
+}
diff --git a/libs/common/src/auth/models/response/identity-token.response.ts b/libs/common/src/auth/models/response/identity-token.response.ts
index 76f34617f8..d080341ed4 100644
--- a/libs/common/src/auth/models/response/identity-token.response.ts
+++ b/libs/common/src/auth/models/response/identity-token.response.ts
@@ -2,6 +2,7 @@ import { KdfType } from "../../../enums";
 import { BaseResponse } from "../../../models/response/base.response";
 
 import { MasterPasswordPolicyResponse } from "./master-password-policy.response";
+import { UserDecryptionOptionsResponse } from "./user-decryption-options/user-decryption-options.response";
 
 export class IdentityTokenResponse extends BaseResponse {
   accessToken: string;
@@ -22,6 +23,8 @@ export class IdentityTokenResponse extends BaseResponse {
   apiUseKeyConnector: boolean;
   keyConnectorUrl: string;
 
+  userDecryptionOptions: UserDecryptionOptionsResponse;
+
   constructor(response: any) {
     super(response);
     this.accessToken = response.access_token;
@@ -43,5 +46,11 @@ export class IdentityTokenResponse extends BaseResponse {
     this.masterPasswordPolicy = new MasterPasswordPolicyResponse(
       this.getResponseProperty("MasterPasswordPolicy")
     );
+
+    if (response.UserDecryptionOptions) {
+      this.userDecryptionOptions = new UserDecryptionOptionsResponse(
+        this.getResponseProperty("UserDecryptionOptions")
+      );
+    }
   }
 }
diff --git a/libs/common/src/auth/models/response/protected-device.response.ts b/libs/common/src/auth/models/response/protected-device.response.ts
new file mode 100644
index 0000000000..6d279f70c7
--- /dev/null
+++ b/libs/common/src/auth/models/response/protected-device.response.ts
@@ -0,0 +1,39 @@
+import { Jsonify } from "type-fest";
+
+import { DeviceType } from "../../../enums";
+import { BaseResponse } from "../../../models/response/base.response";
+import { EncString } from "../../../platform/models/domain/enc-string";
+
+export class ProtectedDeviceResponse extends BaseResponse {
+  constructor(response: Jsonify<ProtectedDeviceResponse>) {
+    super(response);
+    this.id = this.getResponseProperty("id");
+    this.name = this.getResponseProperty("name");
+    this.identifier = this.getResponseProperty("identifier");
+    this.type = this.getResponseProperty("type");
+    this.creationDate = new Date(this.getResponseProperty("creationDate"));
+    if (response.encryptedUserKey) {
+      this.encryptedUserKey = new EncString(this.getResponseProperty("encryptedUserKey"));
+    }
+    if (response.encryptedPublicKey) {
+      this.encryptedPublicKey = new EncString(this.getResponseProperty("encryptedPublicKey"));
+    }
+  }
+
+  id: string;
+  name: string;
+  type: DeviceType;
+  identifier: string;
+  creationDate: Date;
+  /**
+   * Intended to be the users symmetric key that is encrypted in some form, the current way to encrypt this is with
+   * the devices public key.
+   */
+  encryptedUserKey: EncString;
+  /**
+   * Intended to be the public key that was generated for a device upon trust and encrypted. Currenly encrypted using
+   * a users symmetric key so that when trusted and unlocked a user can decrypt the public key for all their devices.
+   * This enabled a user to rotate the keys for all of their devices.
+   */
+  encryptedPublicKey: EncString;
+}
diff --git a/libs/common/src/auth/models/response/user-decryption-options/key-connector-user-decryption-option.response.ts b/libs/common/src/auth/models/response/user-decryption-options/key-connector-user-decryption-option.response.ts
new file mode 100644
index 0000000000..6448a9547e
--- /dev/null
+++ b/libs/common/src/auth/models/response/user-decryption-options/key-connector-user-decryption-option.response.ts
@@ -0,0 +1,14 @@
+import { BaseResponse } from "../../../../models/response/base.response";
+
+export interface IKeyConnectorUserDecryptionOptionServerResponse {
+  KeyConnectorUrl: string;
+}
+
+export class KeyConnectorUserDecryptionOptionResponse extends BaseResponse {
+  keyConnectorUrl: string;
+
+  constructor(response: IKeyConnectorUserDecryptionOptionServerResponse) {
+    super(response);
+    this.keyConnectorUrl = this.getResponseProperty("KeyConnectorUrl");
+  }
+}
diff --git a/libs/common/src/auth/models/response/user-decryption-options/trusted-device-user-decryption-option.response.ts b/libs/common/src/auth/models/response/user-decryption-options/trusted-device-user-decryption-option.response.ts
new file mode 100644
index 0000000000..903022b074
--- /dev/null
+++ b/libs/common/src/auth/models/response/user-decryption-options/trusted-device-user-decryption-option.response.ts
@@ -0,0 +1,35 @@
+import { BaseResponse } from "../../../../models/response/base.response";
+import { EncString } from "../../../../platform/models/domain/enc-string";
+
+export interface ITrustedDeviceUserDecryptionOptionServerResponse {
+  HasAdminApproval: boolean;
+  HasLoginApprovingDevice: boolean;
+  HasManageResetPasswordPermission: boolean;
+  EncryptedPrivateKey?: string;
+  EncryptedUserKey?: string;
+}
+
+export class TrustedDeviceUserDecryptionOptionResponse extends BaseResponse {
+  hasAdminApproval: boolean;
+  hasLoginApprovingDevice: boolean;
+  hasManageResetPasswordPermission: boolean;
+  encryptedPrivateKey: EncString;
+  encryptedUserKey: EncString;
+
+  constructor(response: any) {
+    super(response);
+    this.hasAdminApproval = this.getResponseProperty("HasAdminApproval");
+
+    this.hasLoginApprovingDevice = this.getResponseProperty("HasLoginApprovingDevice");
+    this.hasManageResetPasswordPermission = this.getResponseProperty(
+      "HasManageResetPasswordPermission"
+    );
+
+    if (response.EncryptedPrivateKey) {
+      this.encryptedPrivateKey = new EncString(this.getResponseProperty("EncryptedPrivateKey"));
+    }
+    if (response.EncryptedUserKey) {
+      this.encryptedUserKey = new EncString(this.getResponseProperty("EncryptedUserKey"));
+    }
+  }
+}
diff --git a/libs/common/src/auth/models/response/user-decryption-options/user-decryption-options.response.ts b/libs/common/src/auth/models/response/user-decryption-options/user-decryption-options.response.ts
new file mode 100644
index 0000000000..fcf1f49ace
--- /dev/null
+++ b/libs/common/src/auth/models/response/user-decryption-options/user-decryption-options.response.ts
@@ -0,0 +1,39 @@
+import { BaseResponse } from "../../../../models/response/base.response";
+
+import {
+  IKeyConnectorUserDecryptionOptionServerResponse,
+  KeyConnectorUserDecryptionOptionResponse,
+} from "./key-connector-user-decryption-option.response";
+import {
+  ITrustedDeviceUserDecryptionOptionServerResponse,
+  TrustedDeviceUserDecryptionOptionResponse,
+} from "./trusted-device-user-decryption-option.response";
+
+export interface IUserDecryptionOptionsServerResponse {
+  HasMasterPassword: boolean;
+  TrustedDeviceOption?: ITrustedDeviceUserDecryptionOptionServerResponse;
+  KeyConnectorOption?: IKeyConnectorUserDecryptionOptionServerResponse;
+}
+
+export class UserDecryptionOptionsResponse extends BaseResponse {
+  hasMasterPassword: boolean;
+  trustedDeviceOption?: TrustedDeviceUserDecryptionOptionResponse;
+  keyConnectorOption?: KeyConnectorUserDecryptionOptionResponse;
+
+  constructor(response: IUserDecryptionOptionsServerResponse) {
+    super(response);
+
+    this.hasMasterPassword = this.getResponseProperty("HasMasterPassword");
+
+    if (response.TrustedDeviceOption) {
+      this.trustedDeviceOption = new TrustedDeviceUserDecryptionOptionResponse(
+        this.getResponseProperty("TrustedDeviceOption")
+      );
+    }
+    if (response.KeyConnectorOption) {
+      this.keyConnectorOption = new KeyConnectorUserDecryptionOptionResponse(
+        this.getResponseProperty("KeyConnectorOption")
+      );
+    }
+  }
+}
diff --git a/libs/common/src/auth/services/auth-request-crypto.service.implementation.ts b/libs/common/src/auth/services/auth-request-crypto.service.implementation.ts
new file mode 100644
index 0000000000..004957e101
--- /dev/null
+++ b/libs/common/src/auth/services/auth-request-crypto.service.implementation.ts
@@ -0,0 +1,81 @@
+import { CryptoService } from "../../platform/abstractions/crypto.service";
+import { Utils } from "../../platform/misc/utils";
+import {
+  UserKey,
+  SymmetricCryptoKey,
+  MasterKey,
+} from "../../platform/models/domain/symmetric-crypto-key";
+import { AuthRequestCryptoServiceAbstraction } from "../abstractions/auth-request-crypto.service.abstraction";
+import { AuthRequestResponse } from "../models/response/auth-request.response";
+
+export class AuthRequestCryptoServiceImplementation implements AuthRequestCryptoServiceAbstraction {
+  constructor(private cryptoService: CryptoService) {}
+
+  async setUserKeyAfterDecryptingSharedUserKey(
+    authReqResponse: AuthRequestResponse,
+    authReqPrivateKey: Uint8Array
+  ) {
+    const userKey = await this.decryptPubKeyEncryptedUserKey(
+      authReqResponse.key,
+      authReqPrivateKey
+    );
+    await this.cryptoService.setUserKey(userKey);
+  }
+
+  async setKeysAfterDecryptingSharedMasterKeyAndHash(
+    authReqResponse: AuthRequestResponse,
+    authReqPrivateKey: Uint8Array
+  ) {
+    const { masterKey, masterKeyHash } = await this.decryptPubKeyEncryptedMasterKeyAndHash(
+      authReqResponse.key,
+      authReqResponse.masterPasswordHash,
+      authReqPrivateKey
+    );
+
+    // Decrypt and set user key in state
+    const userKey = await this.cryptoService.decryptUserKeyWithMasterKey(masterKey);
+
+    // Set masterKey + masterKeyHash in state after decryption (in case decryption fails)
+    await this.cryptoService.setMasterKey(masterKey);
+    await this.cryptoService.setMasterKeyHash(masterKeyHash);
+
+    await this.cryptoService.setUserKey(userKey);
+  }
+
+  // Decryption helpers
+  async decryptPubKeyEncryptedUserKey(
+    pubKeyEncryptedUserKey: string,
+    privateKey: Uint8Array
+  ): Promise<UserKey> {
+    const decryptedUserKeyBytes = await this.cryptoService.rsaDecrypt(
+      pubKeyEncryptedUserKey,
+      privateKey
+    );
+
+    return new SymmetricCryptoKey(decryptedUserKeyBytes) as UserKey;
+  }
+
+  async decryptPubKeyEncryptedMasterKeyAndHash(
+    pubKeyEncryptedMasterKey: string,
+    pubKeyEncryptedMasterKeyHash: string,
+    privateKey: Uint8Array
+  ): Promise<{ masterKey: MasterKey; masterKeyHash: string }> {
+    const decryptedMasterKeyArrayBuffer = await this.cryptoService.rsaDecrypt(
+      pubKeyEncryptedMasterKey,
+      privateKey
+    );
+
+    const decryptedMasterKeyHashArrayBuffer = await this.cryptoService.rsaDecrypt(
+      pubKeyEncryptedMasterKeyHash,
+      privateKey
+    );
+
+    const masterKey = new SymmetricCryptoKey(decryptedMasterKeyArrayBuffer) as MasterKey;
+    const masterKeyHash = Utils.fromBufferToUtf8(decryptedMasterKeyHashArrayBuffer);
+
+    return {
+      masterKey,
+      masterKeyHash,
+    };
+  }
+}
diff --git a/libs/common/src/auth/services/auth-request-crypto.service.spec.ts b/libs/common/src/auth/services/auth-request-crypto.service.spec.ts
new file mode 100644
index 0000000000..cab1cba0e7
--- /dev/null
+++ b/libs/common/src/auth/services/auth-request-crypto.service.spec.ts
@@ -0,0 +1,165 @@
+import { mock } from "jest-mock-extended";
+
+import { CryptoService } from "../../platform/abstractions/crypto.service";
+import { Utils } from "../../platform/misc/utils";
+import {
+  MasterKey,
+  SymmetricCryptoKey,
+  UserKey,
+} from "../../platform/models/domain/symmetric-crypto-key";
+import { AuthRequestCryptoServiceAbstraction } from "../abstractions/auth-request-crypto.service.abstraction";
+import { AuthRequestResponse } from "../models/response/auth-request.response";
+
+import { AuthRequestCryptoServiceImplementation } from "./auth-request-crypto.service.implementation";
+
+describe("AuthRequestCryptoService", () => {
+  let authReqCryptoService: AuthRequestCryptoServiceAbstraction;
+  const cryptoService = mock<CryptoService>();
+  let mockPrivateKey: Uint8Array;
+
+  beforeEach(() => {
+    jest.clearAllMocks();
+    jest.resetAllMocks();
+
+    authReqCryptoService = new AuthRequestCryptoServiceImplementation(cryptoService);
+
+    mockPrivateKey = new Uint8Array(64);
+  });
+
+  it("instantiates", () => {
+    expect(authReqCryptoService).not.toBeFalsy();
+  });
+
+  describe("setUserKeyAfterDecryptingSharedUserKey", () => {
+    it("decrypts and sets user key when given valid auth request response and private key", async () => {
+      // Arrange
+      const mockAuthReqResponse = {
+        key: "authReqPublicKeyEncryptedUserKey",
+      } as AuthRequestResponse;
+
+      const mockDecryptedUserKey = {} as UserKey;
+      jest
+        .spyOn(authReqCryptoService, "decryptPubKeyEncryptedUserKey")
+        .mockResolvedValueOnce(mockDecryptedUserKey);
+
+      cryptoService.setUserKey.mockResolvedValueOnce(undefined);
+
+      // Act
+      await authReqCryptoService.setUserKeyAfterDecryptingSharedUserKey(
+        mockAuthReqResponse,
+        mockPrivateKey
+      );
+
+      // Assert
+      expect(authReqCryptoService.decryptPubKeyEncryptedUserKey).toBeCalledWith(
+        mockAuthReqResponse.key,
+        mockPrivateKey
+      );
+      expect(cryptoService.setUserKey).toBeCalledWith(mockDecryptedUserKey);
+    });
+  });
+
+  describe("setKeysAfterDecryptingSharedMasterKeyAndHash", () => {
+    it("decrypts and sets master key and hash and user key when given valid auth request response and private key", async () => {
+      // Arrange
+      const mockAuthReqResponse = {
+        key: "authReqPublicKeyEncryptedMasterKey",
+        masterPasswordHash: "authReqPublicKeyEncryptedMasterKeyHash",
+      } as AuthRequestResponse;
+
+      const mockDecryptedMasterKey = {} as MasterKey;
+      const mockDecryptedMasterKeyHash = "mockDecryptedMasterKeyHash";
+      const mockDecryptedUserKey = {} as UserKey;
+
+      jest
+        .spyOn(authReqCryptoService, "decryptPubKeyEncryptedMasterKeyAndHash")
+        .mockResolvedValueOnce({
+          masterKey: mockDecryptedMasterKey,
+          masterKeyHash: mockDecryptedMasterKeyHash,
+        });
+
+      cryptoService.setMasterKey.mockResolvedValueOnce(undefined);
+      cryptoService.setMasterKeyHash.mockResolvedValueOnce(undefined);
+      cryptoService.decryptUserKeyWithMasterKey.mockResolvedValueOnce(mockDecryptedUserKey);
+      cryptoService.setUserKey.mockResolvedValueOnce(undefined);
+
+      // Act
+      await authReqCryptoService.setKeysAfterDecryptingSharedMasterKeyAndHash(
+        mockAuthReqResponse,
+        mockPrivateKey
+      );
+
+      // Assert
+      expect(authReqCryptoService.decryptPubKeyEncryptedMasterKeyAndHash).toBeCalledWith(
+        mockAuthReqResponse.key,
+        mockAuthReqResponse.masterPasswordHash,
+        mockPrivateKey
+      );
+      expect(cryptoService.setMasterKey).toBeCalledWith(mockDecryptedMasterKey);
+      expect(cryptoService.setMasterKeyHash).toBeCalledWith(mockDecryptedMasterKeyHash);
+      expect(cryptoService.decryptUserKeyWithMasterKey).toBeCalledWith(mockDecryptedMasterKey);
+      expect(cryptoService.setUserKey).toBeCalledWith(mockDecryptedUserKey);
+    });
+  });
+
+  describe("decryptAuthReqPubKeyEncryptedUserKey", () => {
+    it("returns a decrypted user key when given valid public key encrypted user key and an auth req private key", async () => {
+      // Arrange
+      const mockPubKeyEncryptedUserKey = "pubKeyEncryptedUserKey";
+      const mockDecryptedUserKeyBytes = new Uint8Array(64);
+      const mockDecryptedUserKey = new SymmetricCryptoKey(mockDecryptedUserKeyBytes) as UserKey;
+
+      cryptoService.rsaDecrypt.mockResolvedValueOnce(mockDecryptedUserKeyBytes);
+
+      // Act
+      const result = await authReqCryptoService.decryptPubKeyEncryptedUserKey(
+        mockPubKeyEncryptedUserKey,
+        mockPrivateKey
+      );
+
+      // Assert
+      expect(cryptoService.rsaDecrypt).toBeCalledWith(mockPubKeyEncryptedUserKey, mockPrivateKey);
+      expect(result).toEqual(mockDecryptedUserKey);
+    });
+  });
+
+  describe("decryptAuthReqPubKeyEncryptedMasterKeyAndHash", () => {
+    it("returns a decrypted master key and hash when given a valid public key encrypted master key, public key encrypted master key hash, and an auth req private key", async () => {
+      // Arrange
+      const mockPubKeyEncryptedMasterKey = "pubKeyEncryptedMasterKey";
+      const mockPubKeyEncryptedMasterKeyHash = "pubKeyEncryptedMasterKeyHash";
+
+      const mockDecryptedMasterKeyBytes = new Uint8Array(64);
+      const mockDecryptedMasterKey = new SymmetricCryptoKey(
+        mockDecryptedMasterKeyBytes
+      ) as MasterKey;
+      const mockDecryptedMasterKeyHashBytes = new Uint8Array(64);
+      const mockDecryptedMasterKeyHash = Utils.fromBufferToUtf8(mockDecryptedMasterKeyHashBytes);
+
+      cryptoService.rsaDecrypt
+        .mockResolvedValueOnce(mockDecryptedMasterKeyBytes)
+        .mockResolvedValueOnce(mockDecryptedMasterKeyHashBytes);
+
+      // Act
+      const result = await authReqCryptoService.decryptPubKeyEncryptedMasterKeyAndHash(
+        mockPubKeyEncryptedMasterKey,
+        mockPubKeyEncryptedMasterKeyHash,
+        mockPrivateKey
+      );
+
+      // Assert
+      expect(cryptoService.rsaDecrypt).toHaveBeenNthCalledWith(
+        1,
+        mockPubKeyEncryptedMasterKey,
+        mockPrivateKey
+      );
+      expect(cryptoService.rsaDecrypt).toHaveBeenNthCalledWith(
+        2,
+        mockPubKeyEncryptedMasterKeyHash,
+        mockPrivateKey
+      );
+      expect(result.masterKey).toEqual(mockDecryptedMasterKey);
+      expect(result.masterKeyHash).toEqual(mockDecryptedMasterKeyHash);
+    });
+  });
+});
diff --git a/libs/common/src/auth/services/auth.service.ts b/libs/common/src/auth/services/auth.service.ts
index 53d1b79922..815e7b2a5e 100644
--- a/libs/common/src/auth/services/auth.service.ts
+++ b/libs/common/src/auth/services/auth.service.ts
@@ -16,9 +16,11 @@ import { MessagingService } from "../../platform/abstractions/messaging.service"
 import { PlatformUtilsService } from "../../platform/abstractions/platform-utils.service";
 import { StateService } from "../../platform/abstractions/state.service";
 import { Utils } from "../../platform/misc/utils";
-import { SymmetricCryptoKey } from "../../platform/models/domain/symmetric-crypto-key";
+import { MasterKey } from "../../platform/models/domain/symmetric-crypto-key";
 import { PasswordStrengthServiceAbstraction } from "../../tools/password-strength";
+import { AuthRequestCryptoServiceAbstraction } from "../abstractions/auth-request-crypto.service.abstraction";
 import { AuthService as AuthServiceAbstraction } from "../abstractions/auth.service";
+import { DeviceTrustCryptoServiceAbstraction } from "../abstractions/device-trust-crypto.service.abstraction";
 import { KeyConnectorService } from "../abstractions/key-connector.service";
 import { TokenService } from "../abstractions/token.service";
 import { TwoFactorService } from "../abstractions/two-factor.service";
@@ -103,7 +105,9 @@ export class AuthService implements AuthServiceAbstraction {
     protected i18nService: I18nService,
     protected encryptService: EncryptService,
     protected passwordStrengthService: PasswordStrengthServiceAbstraction,
-    protected policyService: PolicyService
+    protected policyService: PolicyService,
+    protected deviceTrustCryptoService: DeviceTrustCryptoServiceAbstraction,
+    protected authReqCryptoService: AuthRequestCryptoServiceAbstraction
   ) {}
 
   async logIn(
@@ -149,7 +153,10 @@ export class AuthService implements AuthServiceAbstraction {
           this.logService,
           this.stateService,
           this.twoFactorService,
-          this.keyConnectorService
+          this.keyConnectorService,
+          this.deviceTrustCryptoService,
+          this.authReqCryptoService,
+          this.i18nService
         );
         break;
       case AuthenticationType.UserApi:
@@ -178,7 +185,7 @@ export class AuthService implements AuthServiceAbstraction {
           this.logService,
           this.stateService,
           this.twoFactorService,
-          this
+          this.deviceTrustCryptoService
         );
         break;
     }
@@ -238,23 +245,32 @@ export class AuthService implements AuthServiceAbstraction {
   }
 
   async getAuthStatus(userId?: string): Promise<AuthenticationStatus> {
+    // If we don't have an access token or userId, we're logged out
     const isAuthenticated = await this.stateService.getIsAuthenticated({ userId: userId });
     if (!isAuthenticated) {
       return AuthenticationStatus.LoggedOut;
     }
 
-    // Keys aren't stored for a device that is locked or logged out
-    // Make sure we're logged in before checking this, otherwise we could mix up those states
-    const neverLock =
-      (await this.cryptoService.hasKeyStored(KeySuffixOptions.Auto, userId)) &&
-      !(await this.stateService.getEverBeenUnlocked({ userId: userId }));
-    if (neverLock) {
-      // TODO: This also _sets_ the key so when we check memory in the next line it finds a key.
-      // We should refactor here.
-      await this.cryptoService.getKey(KeySuffixOptions.Auto, userId);
+    // If we don't have a user key in memory, we're locked
+    if (!(await this.cryptoService.hasUserKeyInMemory(userId))) {
+      // Check if the user has vault timeout set to never and verify that
+      // they've never unlocked their vault
+      const neverLock =
+        (await this.cryptoService.hasUserKeyStored(KeySuffixOptions.Auto, userId)) &&
+        !(await this.stateService.getEverBeenUnlocked({ userId: userId }));
+
+      if (neverLock) {
+        // Attempt to get the key from storage and set it in memory
+        const userKey = await this.cryptoService.getUserKeyFromStorage(
+          KeySuffixOptions.Auto,
+          userId
+        );
+        await this.cryptoService.setUserKey(userKey, userId);
+      }
     }
 
-    const hasKeyInMemory = await this.cryptoService.hasKeyInMemory(userId);
+    // We do another check here in case setting the auto key failed
+    const hasKeyInMemory = await this.cryptoService.hasUserKeyInMemory(userId);
     if (!hasKeyInMemory) {
       return AuthenticationStatus.Locked;
     }
@@ -262,7 +278,7 @@ export class AuthService implements AuthServiceAbstraction {
     return AuthenticationStatus.Unlocked;
   }
 
-  async makePreloginKey(masterPassword: string, email: string): Promise<SymmetricCryptoKey> {
+  async makePreloginKey(masterPassword: string, email: string): Promise<MasterKey> {
     email = email.trim().toLowerCase();
     let kdf: KdfType = null;
     let kdfConfig: KdfConfig = null;
@@ -281,7 +297,7 @@ export class AuthService implements AuthServiceAbstraction {
         throw e;
       }
     }
-    return this.cryptoService.makeKey(masterPassword, email, kdf, kdfConfig);
+    return await this.cryptoService.makeMasterKey(masterPassword, email, kdf, kdfConfig);
   }
 
   async authResponsePushNotification(notification: AuthRequestPushNotification): Promise<any> {
@@ -298,22 +314,33 @@ export class AuthService implements AuthServiceAbstraction {
     requestApproved: boolean
   ): Promise<AuthRequestResponse> {
     const pubKey = Utils.fromB64ToArray(key);
-    const encryptedKey = await this.cryptoService.rsaEncrypt(
-      (
-        await this.cryptoService.getKey()
-      ).encKey,
-      pubKey
-    );
-    let encryptedMasterPassword = null;
-    if ((await this.stateService.getKeyHash()) != null) {
-      encryptedMasterPassword = await this.cryptoService.rsaEncrypt(
-        Utils.fromUtf8ToArray(await this.stateService.getKeyHash()),
-        pubKey
-      );
+
+    const masterKey = await this.cryptoService.getMasterKey();
+    let keyToEncrypt;
+    let encryptedMasterKeyHash = null;
+
+    if (masterKey) {
+      keyToEncrypt = masterKey.encKey;
+
+      // Only encrypt the master password hash if masterKey exists as
+      // we won't have a masterKeyHash without a masterKey
+      const masterKeyHash = await this.stateService.getKeyHash();
+      if (masterKeyHash != null) {
+        encryptedMasterKeyHash = await this.cryptoService.rsaEncrypt(
+          Utils.fromUtf8ToArray(masterKeyHash),
+          pubKey
+        );
+      }
+    } else {
+      const userKey = await this.cryptoService.getUserKey();
+      keyToEncrypt = userKey.key;
     }
+
+    const encryptedKey = await this.cryptoService.rsaEncrypt(keyToEncrypt, pubKey);
+
     const request = new PasswordlessAuthRequest(
       encryptedKey.encryptedString,
-      encryptedMasterPassword?.encryptedString,
+      encryptedMasterKeyHash?.encryptedString,
       await this.appIdService.getAppId(),
       requestApproved
     );
diff --git a/libs/common/src/auth/services/device-trust-crypto.service.implementation.ts b/libs/common/src/auth/services/device-trust-crypto.service.implementation.ts
new file mode 100644
index 0000000000..e7e1349eae
--- /dev/null
+++ b/libs/common/src/auth/services/device-trust-crypto.service.implementation.ts
@@ -0,0 +1,215 @@
+import { DeviceResponse } from "../../abstractions/devices/responses/device.response";
+import { AppIdService } from "../../platform/abstractions/app-id.service";
+import { CryptoFunctionService } from "../../platform/abstractions/crypto-function.service";
+import { CryptoService } from "../../platform/abstractions/crypto.service";
+import { EncryptService } from "../../platform/abstractions/encrypt.service";
+import { I18nService } from "../../platform/abstractions/i18n.service";
+import { PlatformUtilsService } from "../../platform/abstractions/platform-utils.service";
+import { StateService } from "../../platform/abstractions/state.service";
+import { EncString } from "../../platform/models/domain/enc-string";
+import {
+  SymmetricCryptoKey,
+  DeviceKey,
+  UserKey,
+} from "../../platform/models/domain/symmetric-crypto-key";
+import { CsprngArray } from "../../types/csprng";
+import { DeviceTrustCryptoServiceAbstraction } from "../abstractions/device-trust-crypto.service.abstraction";
+import { DevicesApiServiceAbstraction } from "../abstractions/devices-api.service.abstraction";
+import { SecretVerificationRequest } from "../models/request/secret-verification.request";
+import {
+  DeviceKeysUpdateRequest,
+  UpdateDevicesTrustRequest,
+} from "../models/request/update-devices-trust.request";
+
+export class DeviceTrustCryptoService implements DeviceTrustCryptoServiceAbstraction {
+  constructor(
+    private cryptoFunctionService: CryptoFunctionService,
+    private cryptoService: CryptoService,
+    private encryptService: EncryptService,
+    private stateService: StateService,
+    private appIdService: AppIdService,
+    private devicesApiService: DevicesApiServiceAbstraction,
+    private i18nService: I18nService,
+    private platformUtilsService: PlatformUtilsService
+  ) {}
+
+  /**
+   * @description Retrieves the users choice to trust the device which can only happen after decryption
+   * Note: this value should only be used once and then reset
+   */
+  async getShouldTrustDevice(): Promise<boolean> {
+    return await this.stateService.getShouldTrustDevice();
+  }
+
+  async setShouldTrustDevice(value: boolean): Promise<void> {
+    await this.stateService.setShouldTrustDevice(value);
+  }
+
+  async trustDeviceIfRequired(): Promise<void> {
+    const shouldTrustDevice = await this.getShouldTrustDevice();
+    if (shouldTrustDevice) {
+      await this.trustDevice();
+      // reset the trust choice
+      await this.setShouldTrustDevice(false);
+    }
+  }
+
+  async trustDevice(): Promise<DeviceResponse> {
+    // Attempt to get user key
+    const userKey: UserKey = await this.cryptoService.getUserKey();
+
+    // If user key is not found, throw error
+    if (!userKey) {
+      throw new Error("User symmetric key not found");
+    }
+
+    // Generate deviceKey
+    const deviceKey = await this.makeDeviceKey();
+
+    // Generate asymmetric RSA key pair: devicePrivateKey, devicePublicKey
+    const [devicePublicKey, devicePrivateKey] = await this.cryptoFunctionService.rsaGenerateKeyPair(
+      2048
+    );
+
+    const [
+      devicePublicKeyEncryptedUserKey,
+      userKeyEncryptedDevicePublicKey,
+      deviceKeyEncryptedDevicePrivateKey,
+    ] = await Promise.all([
+      // Encrypt user key with the DevicePublicKey
+      this.cryptoService.rsaEncrypt(userKey.key, devicePublicKey),
+
+      // Encrypt devicePublicKey with user key
+      this.encryptService.encrypt(devicePublicKey, userKey),
+
+      // Encrypt devicePrivateKey with deviceKey
+      this.encryptService.encrypt(devicePrivateKey, deviceKey),
+    ]);
+
+    // Send encrypted keys to server
+    const deviceIdentifier = await this.appIdService.getAppId();
+    const deviceResponse = await this.devicesApiService.updateTrustedDeviceKeys(
+      deviceIdentifier,
+      devicePublicKeyEncryptedUserKey.encryptedString,
+      userKeyEncryptedDevicePublicKey.encryptedString,
+      deviceKeyEncryptedDevicePrivateKey.encryptedString
+    );
+
+    // store device key in local/secure storage if enc keys posted to server successfully
+    await this.setDeviceKey(deviceKey);
+
+    this.platformUtilsService.showToast("success", null, this.i18nService.t("deviceTrusted"));
+
+    return deviceResponse;
+  }
+
+  async rotateDevicesTrust(newUserKey: UserKey, masterPasswordHash: string): Promise<void> {
+    const currentDeviceKey = await this.getDeviceKey();
+    if (currentDeviceKey == null) {
+      // If the current device doesn't have a device key available to it, then we can't
+      // rotate any trust at all, so early return.
+      return;
+    }
+
+    // At this point of rotating their keys, they should still have their old user key in state
+    const oldUserKey = await this.stateService.getUserKey();
+
+    const deviceIdentifier = await this.appIdService.getAppId();
+    const secretVerificationRequest = new SecretVerificationRequest();
+    secretVerificationRequest.masterPasswordHash = masterPasswordHash;
+
+    // Get the keys that are used in rotating a devices keys from the server
+    const currentDeviceKeys = await this.devicesApiService.getDeviceKeys(
+      deviceIdentifier,
+      secretVerificationRequest
+    );
+
+    // Decrypt the existing device public key with the old user key
+    const decryptedDevicePublicKey = await this.encryptService.decryptToBytes(
+      currentDeviceKeys.encryptedPublicKey,
+      oldUserKey
+    );
+
+    // Encrypt the brand new user key with the now-decrypted public key for the device
+    const encryptedNewUserKey = await this.cryptoService.rsaEncrypt(
+      newUserKey.key,
+      decryptedDevicePublicKey
+    );
+
+    // Re-encrypt the device public key with the new user key
+    const encryptedDevicePublicKey = await this.encryptService.encrypt(
+      decryptedDevicePublicKey,
+      newUserKey
+    );
+
+    const currentDeviceUpdateRequest = new DeviceKeysUpdateRequest();
+    currentDeviceUpdateRequest.encryptedUserKey = encryptedNewUserKey.encryptedString;
+    currentDeviceUpdateRequest.encryptedPublicKey = encryptedDevicePublicKey.encryptedString;
+
+    // TODO: For device management, allow this method to take an array of device ids that can be looped over and individually rotated
+    // then it can be added to trustRequest.otherDevices.
+
+    const trustRequest = new UpdateDevicesTrustRequest();
+    trustRequest.masterPasswordHash = masterPasswordHash;
+    trustRequest.currentDevice = currentDeviceUpdateRequest;
+    trustRequest.otherDevices = [];
+
+    await this.devicesApiService.updateTrust(trustRequest);
+  }
+
+  async getDeviceKey(): Promise<DeviceKey> {
+    return await this.stateService.getDeviceKey();
+  }
+
+  private async setDeviceKey(deviceKey: DeviceKey | null): Promise<void> {
+    await this.stateService.setDeviceKey(deviceKey);
+  }
+
+  private async makeDeviceKey(): Promise<DeviceKey> {
+    // Create 512-bit device key
+    const randomBytes: CsprngArray = await this.cryptoFunctionService.randomBytes(64);
+    const deviceKey = new SymmetricCryptoKey(randomBytes) as DeviceKey;
+
+    return deviceKey;
+  }
+
+  async decryptUserKeyWithDeviceKey(
+    encryptedDevicePrivateKey: EncString,
+    encryptedUserKey: EncString,
+    deviceKey?: DeviceKey
+  ): Promise<UserKey | null> {
+    // If device key provided use it, otherwise try to retrieve from storage
+    deviceKey ||= await this.getDeviceKey();
+
+    if (!deviceKey) {
+      // User doesn't have a device key anymore so device is untrusted
+      return null;
+    }
+
+    try {
+      // attempt to decrypt encryptedDevicePrivateKey with device key
+      const devicePrivateKey = await this.encryptService.decryptToBytes(
+        encryptedDevicePrivateKey,
+        deviceKey
+      );
+
+      // Attempt to decrypt encryptedUserDataKey with devicePrivateKey
+      const userKey = await this.cryptoService.rsaDecrypt(
+        encryptedUserKey.encryptedString,
+        devicePrivateKey
+      );
+
+      return new SymmetricCryptoKey(userKey) as UserKey;
+    } catch (e) {
+      // If either decryption effort fails, we want to remove the device key
+      await this.setDeviceKey(null);
+
+      return null;
+    }
+  }
+
+  async supportsDeviceTrust(): Promise<boolean> {
+    const decryptionOptions = await this.stateService.getAccountDecryptionOptions();
+    return decryptionOptions?.trustedDeviceOption != null;
+  }
+}
diff --git a/libs/common/src/auth/services/device-trust-crypto.service.spec.ts b/libs/common/src/auth/services/device-trust-crypto.service.spec.ts
new file mode 100644
index 0000000000..1ba2000892
--- /dev/null
+++ b/libs/common/src/auth/services/device-trust-crypto.service.spec.ts
@@ -0,0 +1,598 @@
+import { matches, mock } from "jest-mock-extended";
+
+import { DeviceResponse } from "../../abstractions/devices/responses/device.response";
+import { DeviceType } from "../../enums";
+import { EncryptionType } from "../../enums/encryption-type.enum";
+import { AppIdService } from "../../platform/abstractions/app-id.service";
+import { CryptoFunctionService } from "../../platform/abstractions/crypto-function.service";
+import { CryptoService } from "../../platform/abstractions/crypto.service";
+import { EncryptService } from "../../platform/abstractions/encrypt.service";
+import { I18nService } from "../../platform/abstractions/i18n.service";
+import { PlatformUtilsService } from "../../platform/abstractions/platform-utils.service";
+import { StateService } from "../../platform/abstractions/state.service";
+import { EncString } from "../../platform/models/domain/enc-string";
+import {
+  SymmetricCryptoKey,
+  DeviceKey,
+  UserKey,
+} from "../../platform/models/domain/symmetric-crypto-key";
+import { CsprngArray } from "../../types/csprng";
+import { DevicesApiServiceAbstraction } from "../abstractions/devices-api.service.abstraction";
+import { UpdateDevicesTrustRequest } from "../models/request/update-devices-trust.request";
+import { ProtectedDeviceResponse } from "../models/response/protected-device.response";
+
+import { DeviceTrustCryptoService } from "./device-trust-crypto.service.implementation";
+describe("deviceTrustCryptoService", () => {
+  let deviceTrustCryptoService: DeviceTrustCryptoService;
+
+  const cryptoFunctionService = mock<CryptoFunctionService>();
+  const cryptoService = mock<CryptoService>();
+  const encryptService = mock<EncryptService>();
+  const stateService = mock<StateService>();
+  const appIdService = mock<AppIdService>();
+  const devicesApiService = mock<DevicesApiServiceAbstraction>();
+  const i18nService = mock<I18nService>();
+  const platformUtilsService = mock<PlatformUtilsService>();
+
+  beforeEach(() => {
+    jest.clearAllMocks();
+
+    deviceTrustCryptoService = new DeviceTrustCryptoService(
+      cryptoFunctionService,
+      cryptoService,
+      encryptService,
+      stateService,
+      appIdService,
+      devicesApiService,
+      i18nService,
+      platformUtilsService
+    );
+  });
+
+  it("instantiates", () => {
+    expect(deviceTrustCryptoService).not.toBeFalsy();
+  });
+
+  describe("User Trust Device Choice For Decryption", () => {
+    describe("getShouldTrustDevice", () => {
+      it("gets the user trust device choice for decryption from the state service", async () => {
+        const stateSvcGetShouldTrustDeviceSpy = jest.spyOn(stateService, "getShouldTrustDevice");
+
+        const expectedValue = true;
+        stateSvcGetShouldTrustDeviceSpy.mockResolvedValue(expectedValue);
+        const result = await deviceTrustCryptoService.getShouldTrustDevice();
+
+        expect(stateSvcGetShouldTrustDeviceSpy).toHaveBeenCalledTimes(1);
+        expect(result).toEqual(expectedValue);
+      });
+    });
+
+    describe("setShouldTrustDevice", () => {
+      it("sets the user trust device choice for decryption in the state service", async () => {
+        const stateSvcSetShouldTrustDeviceSpy = jest.spyOn(stateService, "setShouldTrustDevice");
+
+        const newValue = true;
+        await deviceTrustCryptoService.setShouldTrustDevice(newValue);
+
+        expect(stateSvcSetShouldTrustDeviceSpy).toHaveBeenCalledTimes(1);
+        expect(stateSvcSetShouldTrustDeviceSpy).toHaveBeenCalledWith(newValue);
+      });
+    });
+  });
+
+  describe("trustDeviceIfRequired", () => {
+    it("should trust device and reset when getShouldTrustDevice returns true", async () => {
+      jest.spyOn(deviceTrustCryptoService, "getShouldTrustDevice").mockResolvedValue(true);
+      jest.spyOn(deviceTrustCryptoService, "trustDevice").mockResolvedValue({} as DeviceResponse);
+      jest.spyOn(deviceTrustCryptoService, "setShouldTrustDevice").mockResolvedValue();
+
+      await deviceTrustCryptoService.trustDeviceIfRequired();
+
+      expect(deviceTrustCryptoService.getShouldTrustDevice).toHaveBeenCalledTimes(1);
+      expect(deviceTrustCryptoService.trustDevice).toHaveBeenCalledTimes(1);
+      expect(deviceTrustCryptoService.setShouldTrustDevice).toHaveBeenCalledWith(false);
+    });
+
+    it("should not trust device nor reset when getShouldTrustDevice returns false", async () => {
+      const getShouldTrustDeviceSpy = jest
+        .spyOn(deviceTrustCryptoService, "getShouldTrustDevice")
+        .mockResolvedValue(false);
+      const trustDeviceSpy = jest.spyOn(deviceTrustCryptoService, "trustDevice");
+      const setShouldTrustDeviceSpy = jest.spyOn(deviceTrustCryptoService, "setShouldTrustDevice");
+
+      await deviceTrustCryptoService.trustDeviceIfRequired();
+
+      expect(getShouldTrustDeviceSpy).toHaveBeenCalledTimes(1);
+      expect(trustDeviceSpy).not.toHaveBeenCalled();
+      expect(setShouldTrustDeviceSpy).not.toHaveBeenCalled();
+    });
+  });
+
+  describe("Trusted Device Encryption core logic tests", () => {
+    const deviceKeyBytesLength = 64;
+    const userKeyBytesLength = 64;
+
+    describe("getDeviceKey", () => {
+      let existingDeviceKey: DeviceKey;
+      let stateSvcGetDeviceKeySpy: jest.SpyInstance;
+
+      beforeEach(() => {
+        existingDeviceKey = new SymmetricCryptoKey(
+          new Uint8Array(deviceKeyBytesLength) as CsprngArray
+        ) as DeviceKey;
+
+        stateSvcGetDeviceKeySpy = jest.spyOn(stateService, "getDeviceKey");
+      });
+
+      it("returns null when there is not an existing device key", async () => {
+        stateSvcGetDeviceKeySpy.mockResolvedValue(null);
+
+        const deviceKey = await deviceTrustCryptoService.getDeviceKey();
+
+        expect(stateSvcGetDeviceKeySpy).toHaveBeenCalledTimes(1);
+
+        expect(deviceKey).toBeNull();
+      });
+
+      it("returns the device key when there is an existing device key", async () => {
+        stateSvcGetDeviceKeySpy.mockResolvedValue(existingDeviceKey);
+
+        const deviceKey = await deviceTrustCryptoService.getDeviceKey();
+
+        expect(stateSvcGetDeviceKeySpy).toHaveBeenCalledTimes(1);
+
+        expect(deviceKey).not.toBeNull();
+        expect(deviceKey).toBeInstanceOf(SymmetricCryptoKey);
+        expect(deviceKey).toEqual(existingDeviceKey);
+      });
+    });
+
+    describe("setDeviceKey", () => {
+      it("sets the device key in the state service", async () => {
+        const stateSvcSetDeviceKeySpy = jest.spyOn(stateService, "setDeviceKey");
+
+        const deviceKey = new SymmetricCryptoKey(
+          new Uint8Array(deviceKeyBytesLength) as CsprngArray
+        ) as DeviceKey;
+
+        // TypeScript will allow calling private methods if the object is of type 'any'
+        // This is a hacky workaround, but it allows for cleaner tests
+        await (deviceTrustCryptoService as any).setDeviceKey(deviceKey);
+
+        expect(stateSvcSetDeviceKeySpy).toHaveBeenCalledTimes(1);
+        expect(stateSvcSetDeviceKeySpy).toHaveBeenCalledWith(deviceKey);
+      });
+    });
+
+    describe("makeDeviceKey", () => {
+      it("creates a new non-null 64 byte device key, securely stores it, and returns it", async () => {
+        const mockRandomBytes = new Uint8Array(deviceKeyBytesLength) as CsprngArray;
+
+        const cryptoFuncSvcRandomBytesSpy = jest
+          .spyOn(cryptoFunctionService, "randomBytes")
+          .mockResolvedValue(mockRandomBytes);
+
+        // TypeScript will allow calling private methods if the object is of type 'any'
+        // This is a hacky workaround, but it allows for cleaner tests
+        const deviceKey = await (deviceTrustCryptoService as any).makeDeviceKey();
+
+        expect(cryptoFuncSvcRandomBytesSpy).toHaveBeenCalledTimes(1);
+        expect(cryptoFuncSvcRandomBytesSpy).toHaveBeenCalledWith(deviceKeyBytesLength);
+
+        expect(deviceKey).not.toBeNull();
+        expect(deviceKey).toBeInstanceOf(SymmetricCryptoKey);
+      });
+    });
+
+    describe("trustDevice", () => {
+      let mockDeviceKeyRandomBytes: CsprngArray;
+      let mockDeviceKey: DeviceKey;
+
+      let mockUserKeyRandomBytes: CsprngArray;
+      let mockUserKey: UserKey;
+
+      const deviceRsaKeyLength = 2048;
+      let mockDeviceRsaKeyPair: [Uint8Array, Uint8Array];
+      let mockDevicePrivateKey: Uint8Array;
+      let mockDevicePublicKey: Uint8Array;
+      let mockDevicePublicKeyEncryptedUserKey: EncString;
+      let mockUserKeyEncryptedDevicePublicKey: EncString;
+      let mockDeviceKeyEncryptedDevicePrivateKey: EncString;
+
+      const mockDeviceResponse: DeviceResponse = new DeviceResponse({
+        Id: "mockId",
+        Name: "mockName",
+        Identifier: "mockIdentifier",
+        Type: "mockType",
+        CreationDate: "mockCreationDate",
+      });
+
+      const mockDeviceId = "mockDeviceId";
+
+      let makeDeviceKeySpy: jest.SpyInstance;
+      let rsaGenerateKeyPairSpy: jest.SpyInstance;
+      let cryptoSvcGetUserKeySpy: jest.SpyInstance;
+      let cryptoSvcRsaEncryptSpy: jest.SpyInstance;
+      let encryptServiceEncryptSpy: jest.SpyInstance;
+      let appIdServiceGetAppIdSpy: jest.SpyInstance;
+      let devicesApiServiceUpdateTrustedDeviceKeysSpy: jest.SpyInstance;
+
+      beforeEach(() => {
+        // Setup all spies and default return values for the happy path
+
+        mockDeviceKeyRandomBytes = new Uint8Array(deviceKeyBytesLength) as CsprngArray;
+        mockDeviceKey = new SymmetricCryptoKey(mockDeviceKeyRandomBytes) as DeviceKey;
+
+        mockUserKeyRandomBytes = new Uint8Array(userKeyBytesLength) as CsprngArray;
+        mockUserKey = new SymmetricCryptoKey(mockUserKeyRandomBytes) as UserKey;
+
+        mockDeviceRsaKeyPair = [
+          new Uint8Array(deviceRsaKeyLength),
+          new Uint8Array(deviceRsaKeyLength),
+        ];
+
+        mockDevicePublicKey = mockDeviceRsaKeyPair[0];
+        mockDevicePrivateKey = mockDeviceRsaKeyPair[1];
+
+        mockDevicePublicKeyEncryptedUserKey = new EncString(
+          EncryptionType.Rsa2048_OaepSha1_B64,
+          "mockDevicePublicKeyEncryptedUserKey"
+        );
+
+        mockUserKeyEncryptedDevicePublicKey = new EncString(
+          EncryptionType.AesCbc256_HmacSha256_B64,
+          "mockUserKeyEncryptedDevicePublicKey"
+        );
+
+        mockDeviceKeyEncryptedDevicePrivateKey = new EncString(
+          EncryptionType.AesCbc256_HmacSha256_B64,
+          "mockDeviceKeyEncryptedDevicePrivateKey"
+        );
+
+        // TypeScript will allow calling private methods if the object is of type 'any'
+        makeDeviceKeySpy = jest
+          .spyOn(deviceTrustCryptoService as any, "makeDeviceKey")
+          .mockResolvedValue(mockDeviceKey);
+
+        rsaGenerateKeyPairSpy = jest
+          .spyOn(cryptoFunctionService, "rsaGenerateKeyPair")
+          .mockResolvedValue(mockDeviceRsaKeyPair);
+
+        cryptoSvcGetUserKeySpy = jest
+          .spyOn(cryptoService, "getUserKey")
+          .mockResolvedValue(mockUserKey);
+
+        cryptoSvcRsaEncryptSpy = jest
+          .spyOn(cryptoService, "rsaEncrypt")
+          .mockResolvedValue(mockDevicePublicKeyEncryptedUserKey);
+
+        encryptServiceEncryptSpy = jest
+          .spyOn(encryptService, "encrypt")
+          .mockImplementation((plainValue, key) => {
+            if (plainValue === mockDevicePublicKey && key === mockUserKey) {
+              return Promise.resolve(mockUserKeyEncryptedDevicePublicKey);
+            }
+            if (plainValue === mockDevicePrivateKey && key === mockDeviceKey) {
+              return Promise.resolve(mockDeviceKeyEncryptedDevicePrivateKey);
+            }
+          });
+
+        appIdServiceGetAppIdSpy = jest
+          .spyOn(appIdService, "getAppId")
+          .mockResolvedValue(mockDeviceId);
+
+        devicesApiServiceUpdateTrustedDeviceKeysSpy = jest
+          .spyOn(devicesApiService, "updateTrustedDeviceKeys")
+          .mockResolvedValue(mockDeviceResponse);
+      });
+
+      it("calls the required methods with the correct arguments and returns a DeviceResponse", async () => {
+        const response = await deviceTrustCryptoService.trustDevice();
+
+        expect(makeDeviceKeySpy).toHaveBeenCalledTimes(1);
+        expect(rsaGenerateKeyPairSpy).toHaveBeenCalledTimes(1);
+        expect(cryptoSvcGetUserKeySpy).toHaveBeenCalledTimes(1);
+
+        expect(cryptoSvcRsaEncryptSpy).toHaveBeenCalledTimes(1);
+
+        // RsaEncrypt must be called w/ a user key array buffer of 64 bytes
+        const userKeyKey: Uint8Array = cryptoSvcRsaEncryptSpy.mock.calls[0][0];
+        expect(userKeyKey.byteLength).toBe(64);
+
+        expect(encryptServiceEncryptSpy).toHaveBeenCalledTimes(2);
+
+        expect(appIdServiceGetAppIdSpy).toHaveBeenCalledTimes(1);
+        expect(devicesApiServiceUpdateTrustedDeviceKeysSpy).toHaveBeenCalledTimes(1);
+        expect(devicesApiServiceUpdateTrustedDeviceKeysSpy).toHaveBeenCalledWith(
+          mockDeviceId,
+          mockDevicePublicKeyEncryptedUserKey.encryptedString,
+          mockUserKeyEncryptedDevicePublicKey.encryptedString,
+          mockDeviceKeyEncryptedDevicePrivateKey.encryptedString
+        );
+
+        expect(response).toBeInstanceOf(DeviceResponse);
+        expect(response).toEqual(mockDeviceResponse);
+      });
+
+      it("throws specific error if user key is not found", async () => {
+        // setup the spy to return null
+        cryptoSvcGetUserKeySpy.mockResolvedValue(null);
+        // check if the expected error is thrown
+        await expect(deviceTrustCryptoService.trustDevice()).rejects.toThrow(
+          "User symmetric key not found"
+        );
+
+        // reset the spy
+        cryptoSvcGetUserKeySpy.mockReset();
+
+        // setup the spy to return undefined
+        cryptoSvcGetUserKeySpy.mockResolvedValue(undefined);
+        // check if the expected error is thrown
+        await expect(deviceTrustCryptoService.trustDevice()).rejects.toThrow(
+          "User symmetric key not found"
+        );
+      });
+
+      const methodsToTestForErrorsOrInvalidReturns: any = [
+        {
+          method: "makeDeviceKey",
+          spy: () => makeDeviceKeySpy,
+          errorText: "makeDeviceKey error",
+        },
+        {
+          method: "rsaGenerateKeyPair",
+          spy: () => rsaGenerateKeyPairSpy,
+          errorText: "rsaGenerateKeyPair error",
+        },
+        {
+          method: "getUserKey",
+          spy: () => cryptoSvcGetUserKeySpy,
+          errorText: "getUserKey error",
+        },
+        {
+          method: "rsaEncrypt",
+          spy: () => cryptoSvcRsaEncryptSpy,
+          errorText: "rsaEncrypt error",
+        },
+        {
+          method: "encryptService.encrypt",
+          spy: () => encryptServiceEncryptSpy,
+          errorText: "encryptService.encrypt error",
+        },
+      ];
+
+      describe.each(methodsToTestForErrorsOrInvalidReturns)(
+        "trustDevice error handling and invalid return testing",
+        ({ method, spy, errorText }) => {
+          // ensures that error propagation works correctly
+          it(`throws an error if ${method} fails`, async () => {
+            const methodSpy = spy();
+            methodSpy.mockRejectedValue(new Error(errorText));
+            await expect(deviceTrustCryptoService.trustDevice()).rejects.toThrow(errorText);
+          });
+
+          test.each([null, undefined])(
+            `throws an error if ${method} returns %s`,
+            async (invalidValue) => {
+              const methodSpy = spy();
+              methodSpy.mockResolvedValue(invalidValue);
+              await expect(deviceTrustCryptoService.trustDevice()).rejects.toThrow();
+            }
+          );
+        }
+      );
+    });
+
+    describe("decryptUserKeyWithDeviceKey", () => {
+      let mockDeviceKey: DeviceKey;
+      let mockEncryptedDevicePrivateKey: EncString;
+      let mockEncryptedUserKey: EncString;
+      let mockUserKey: UserKey;
+
+      beforeEach(() => {
+        const mockDeviceKeyRandomBytes = new Uint8Array(deviceKeyBytesLength) as CsprngArray;
+        mockDeviceKey = new SymmetricCryptoKey(mockDeviceKeyRandomBytes) as DeviceKey;
+
+        const mockUserKeyRandomBytes = new Uint8Array(userKeyBytesLength) as CsprngArray;
+        mockUserKey = new SymmetricCryptoKey(mockUserKeyRandomBytes) as UserKey;
+
+        mockEncryptedDevicePrivateKey = new EncString(
+          EncryptionType.AesCbc256_HmacSha256_B64,
+          "mockEncryptedDevicePrivateKey"
+        );
+
+        mockEncryptedUserKey = new EncString(
+          EncryptionType.AesCbc256_HmacSha256_B64,
+          "mockEncryptedUserKey"
+        );
+
+        jest.clearAllMocks();
+      });
+
+      it("returns null when device key isn't provided and isn't in state", async () => {
+        const getDeviceKeySpy = jest
+          .spyOn(deviceTrustCryptoService, "getDeviceKey")
+          .mockResolvedValue(null);
+
+        const result = await deviceTrustCryptoService.decryptUserKeyWithDeviceKey(
+          mockEncryptedDevicePrivateKey,
+          mockEncryptedUserKey
+        );
+
+        expect(result).toBeNull();
+
+        expect(getDeviceKeySpy).toHaveBeenCalledTimes(1);
+      });
+
+      it("successfully returns the user key when provided keys (including device key) can decrypt it", async () => {
+        const decryptToBytesSpy = jest
+          .spyOn(encryptService, "decryptToBytes")
+          .mockResolvedValue(new Uint8Array(userKeyBytesLength));
+        const rsaDecryptSpy = jest
+          .spyOn(cryptoService, "rsaDecrypt")
+          .mockResolvedValue(new Uint8Array(userKeyBytesLength));
+
+        const result = await deviceTrustCryptoService.decryptUserKeyWithDeviceKey(
+          mockEncryptedDevicePrivateKey,
+          mockEncryptedUserKey,
+          mockDeviceKey
+        );
+
+        expect(result).toEqual(mockUserKey);
+        expect(decryptToBytesSpy).toHaveBeenCalledTimes(1);
+        expect(rsaDecryptSpy).toHaveBeenCalledTimes(1);
+      });
+
+      it("successfully returns the user key when a device key is not provided (retrieves device key from state)", async () => {
+        const getDeviceKeySpy = jest
+          .spyOn(deviceTrustCryptoService, "getDeviceKey")
+          .mockResolvedValue(mockDeviceKey);
+
+        const decryptToBytesSpy = jest
+          .spyOn(encryptService, "decryptToBytes")
+          .mockResolvedValue(new Uint8Array(userKeyBytesLength));
+        const rsaDecryptSpy = jest
+          .spyOn(cryptoService, "rsaDecrypt")
+          .mockResolvedValue(new Uint8Array(userKeyBytesLength));
+
+        // Call without providing a device key
+        const result = await deviceTrustCryptoService.decryptUserKeyWithDeviceKey(
+          mockEncryptedDevicePrivateKey,
+          mockEncryptedUserKey
+        );
+
+        expect(getDeviceKeySpy).toHaveBeenCalledTimes(1);
+
+        expect(result).toEqual(mockUserKey);
+        expect(decryptToBytesSpy).toHaveBeenCalledTimes(1);
+        expect(rsaDecryptSpy).toHaveBeenCalledTimes(1);
+      });
+
+      it("returns null and removes device key when the decryption fails", async () => {
+        const decryptToBytesSpy = jest
+          .spyOn(encryptService, "decryptToBytes")
+          .mockRejectedValue(new Error("Decryption error"));
+        const setDeviceKeySpy = jest.spyOn(deviceTrustCryptoService as any, "setDeviceKey");
+
+        const result = await deviceTrustCryptoService.decryptUserKeyWithDeviceKey(
+          mockEncryptedDevicePrivateKey,
+          mockEncryptedUserKey,
+          mockDeviceKey
+        );
+
+        expect(result).toBeNull();
+        expect(decryptToBytesSpy).toHaveBeenCalledTimes(1);
+        expect(setDeviceKeySpy).toHaveBeenCalledTimes(1);
+        expect(setDeviceKeySpy).toHaveBeenCalledWith(null);
+      });
+    });
+
+    describe("rotateDevicesTrust", () => {
+      let fakeNewUserKey: UserKey = null;
+
+      const FakeNewUserKeyMarker = 1;
+      const FakeOldUserKeyMarker = 5;
+      const FakeDecryptedPublicKeyMarker = 17;
+
+      beforeEach(() => {
+        const fakeNewUserKeyData = new Uint8Array(64);
+        fakeNewUserKeyData.fill(FakeNewUserKeyMarker, 0, 1);
+        fakeNewUserKey = new SymmetricCryptoKey(fakeNewUserKeyData) as UserKey;
+      });
+
+      it("does an early exit when the current device is not a trusted device", async () => {
+        stateService.getDeviceKey.mockResolvedValue(null);
+
+        await deviceTrustCryptoService.rotateDevicesTrust(fakeNewUserKey, "");
+
+        expect(devicesApiService.updateTrust).not.toBeCalled();
+      });
+
+      describe("is on a trusted device", () => {
+        beforeEach(() => {
+          stateService.getDeviceKey.mockResolvedValue(
+            new SymmetricCryptoKey(new Uint8Array(deviceKeyBytesLength)) as DeviceKey
+          );
+        });
+
+        it("rotates current device keys and calls api service when the current device is trusted", async () => {
+          const currentEncryptedPublicKey = new EncString("2.cHVibGlj|cHVibGlj|cHVibGlj");
+          const currentEncryptedUserKey = new EncString("4.dXNlcg==");
+
+          const fakeOldUserKeyData = new Uint8Array(new Uint8Array(64));
+          // Fill the first byte with something identifiable
+          fakeOldUserKeyData.fill(FakeOldUserKeyMarker, 0, 1);
+
+          // Mock the retrieval of a user key that differs from the new one passed into the method
+          stateService.getUserKey.mockResolvedValue(
+            new SymmetricCryptoKey(fakeOldUserKeyData) as UserKey
+          );
+
+          appIdService.getAppId.mockResolvedValue("test_device_identifier");
+
+          devicesApiService.getDeviceKeys.mockImplementation((deviceIdentifier, secretRequest) => {
+            if (
+              deviceIdentifier !== "test_device_identifier" ||
+              secretRequest.masterPasswordHash !== "my_password_hash"
+            ) {
+              return Promise.resolve(null);
+            }
+
+            return Promise.resolve(
+              new ProtectedDeviceResponse({
+                id: "",
+                creationDate: "",
+                identifier: "test_device_identifier",
+                name: "Firefox",
+                type: DeviceType.FirefoxBrowser,
+                encryptedPublicKey: currentEncryptedPublicKey.encryptedString,
+                encryptedUserKey: currentEncryptedUserKey.encryptedString,
+              })
+            );
+          });
+
+          // Mock the decryption of the public key with the old user key
+          encryptService.decryptToBytes.mockImplementationOnce((_encValue, privateKeyValue) => {
+            expect(privateKeyValue.key.byteLength).toBe(64);
+            expect(new Uint8Array(privateKeyValue.key)[0]).toBe(FakeOldUserKeyMarker);
+            const data = new Uint8Array(250);
+            data.fill(FakeDecryptedPublicKeyMarker, 0, 1);
+            return Promise.resolve(data);
+          });
+
+          // Mock the encryption of the new user key with the decrypted public key
+          cryptoService.rsaEncrypt.mockImplementationOnce((data, publicKey) => {
+            expect(data.byteLength).toBe(64); // New key should also be 64 bytes
+            expect(new Uint8Array(data)[0]).toBe(FakeNewUserKeyMarker); // New key should have the first byte be '1';
+
+            expect(new Uint8Array(publicKey)[0]).toBe(FakeDecryptedPublicKeyMarker);
+            return Promise.resolve(new EncString("4.ZW5jcnlwdGVkdXNlcg=="));
+          });
+
+          // Mock the reencryption of the device public key with the new user key
+          encryptService.encrypt.mockImplementationOnce((plainValue, key) => {
+            expect(plainValue).toBeInstanceOf(Uint8Array);
+            expect(new Uint8Array(plainValue as Uint8Array)[0]).toBe(FakeDecryptedPublicKeyMarker);
+
+            expect(new Uint8Array(key.key)[0]).toBe(FakeNewUserKeyMarker);
+            return Promise.resolve(
+              new EncString("2.ZW5jcnlwdGVkcHVibGlj|ZW5jcnlwdGVkcHVibGlj|ZW5jcnlwdGVkcHVibGlj")
+            );
+          });
+
+          await deviceTrustCryptoService.rotateDevicesTrust(fakeNewUserKey, "my_password_hash");
+
+          expect(devicesApiService.updateTrust).toBeCalledWith(
+            matches((updateTrustModel: UpdateDevicesTrustRequest) => {
+              return (
+                updateTrustModel.currentDevice.encryptedPublicKey ===
+                  "2.ZW5jcnlwdGVkcHVibGlj|ZW5jcnlwdGVkcHVibGlj|ZW5jcnlwdGVkcHVibGlj" &&
+                updateTrustModel.currentDevice.encryptedUserKey === "4.ZW5jcnlwdGVkdXNlcg=="
+              );
+            })
+          );
+        });
+      });
+    });
+  });
+});
diff --git a/libs/common/src/auth/services/devices-api.service.implementation.ts b/libs/common/src/auth/services/devices-api.service.implementation.ts
new file mode 100644
index 0000000000..e149a79ea2
--- /dev/null
+++ b/libs/common/src/auth/services/devices-api.service.implementation.ts
@@ -0,0 +1,96 @@
+import { ApiService } from "../../abstractions/api.service";
+import { DeviceResponse } from "../../abstractions/devices/responses/device.response";
+import { ListResponse } from "../../models/response/list.response";
+import { Utils } from "../../platform/misc/utils";
+import { TrustedDeviceKeysRequest } from "../../services/devices/requests/trusted-device-keys.request";
+import { DevicesApiServiceAbstraction } from "../abstractions/devices-api.service.abstraction";
+import { SecretVerificationRequest } from "../models/request/secret-verification.request";
+import { UpdateDevicesTrustRequest } from "../models/request/update-devices-trust.request";
+import { ProtectedDeviceResponse } from "../models/response/protected-device.response";
+
+export class DevicesApiServiceImplementation implements DevicesApiServiceAbstraction {
+  constructor(private apiService: ApiService) {}
+
+  async getKnownDevice(email: string, deviceIdentifier: string): Promise<boolean> {
+    const r = await this.apiService.send(
+      "GET",
+      "/devices/knowndevice",
+      null,
+      false,
+      true,
+      null,
+      (headers) => {
+        headers.set("X-Device-Identifier", deviceIdentifier);
+        headers.set("X-Request-Email", Utils.fromUtf8ToUrlB64(email));
+      }
+    );
+    return r as boolean;
+  }
+
+  /**
+   * Get device by identifier
+   * @param deviceIdentifier - client generated id (not device id in DB)
+   */
+  async getDeviceByIdentifier(deviceIdentifier: string): Promise<DeviceResponse> {
+    const r = await this.apiService.send(
+      "GET",
+      `/devices/identifier/${deviceIdentifier}`,
+      null,
+      true,
+      true
+    );
+    return new DeviceResponse(r);
+  }
+
+  async getDevices(): Promise<ListResponse<DeviceResponse>> {
+    const r = await this.apiService.send("GET", "/devices", null, true, true, null);
+    return new ListResponse(r, DeviceResponse);
+  }
+
+  async updateTrustedDeviceKeys(
+    deviceIdentifier: string,
+    devicePublicKeyEncryptedUserKey: string,
+    userKeyEncryptedDevicePublicKey: string,
+    deviceKeyEncryptedDevicePrivateKey: string
+  ): Promise<DeviceResponse> {
+    const request = new TrustedDeviceKeysRequest(
+      devicePublicKeyEncryptedUserKey,
+      userKeyEncryptedDevicePublicKey,
+      deviceKeyEncryptedDevicePrivateKey
+    );
+
+    const result = await this.apiService.send(
+      "PUT",
+      `/devices/${deviceIdentifier}/keys`,
+      request,
+      true,
+      true
+    );
+
+    return new DeviceResponse(result);
+  }
+
+  async updateTrust(updateDevicesTrustRequestModel: UpdateDevicesTrustRequest): Promise<void> {
+    await this.apiService.send(
+      "POST",
+      "/devices/update-trust",
+      updateDevicesTrustRequestModel,
+      true,
+      false
+    );
+  }
+
+  async getDeviceKeys(
+    deviceIdentifier: string,
+    secretVerificationRequest: SecretVerificationRequest
+  ): Promise<ProtectedDeviceResponse> {
+    const result = await this.apiService.send(
+      "POST",
+      `/devices/${deviceIdentifier}/retrieve-keys`,
+      secretVerificationRequest,
+      true,
+      true
+    );
+    return new ProtectedDeviceResponse(result);
+  }
+}
diff --git a/libs/common/src/auth/services/key-connector.service.ts b/libs/common/src/auth/services/key-connector.service.ts
index 17a891c40a..24bf76f76b 100644
--- a/libs/common/src/auth/services/key-connector.service.ts
+++ b/libs/common/src/auth/services/key-connector.service.ts
@@ -7,7 +7,7 @@ import { CryptoService } from "../../platform/abstractions/crypto.service";
 import { LogService } from "../../platform/abstractions/log.service";
 import { StateService } from "../../platform/abstractions/state.service";
 import { Utils } from "../../platform/misc/utils";
-import { SymmetricCryptoKey } from "../../platform/models/domain/symmetric-crypto-key";
+import { MasterKey, SymmetricCryptoKey } from "../../platform/models/domain/symmetric-crypto-key";
 import { KeyConnectorService as KeyConnectorServiceAbstraction } from "../abstractions/key-connector.service";
 import { TokenService } from "../abstractions/token.service";
 import { KdfConfig } from "../models/domain/kdf-config";
@@ -45,8 +45,8 @@ export class KeyConnectorService implements KeyConnectorServiceAbstraction {
 
   async migrateUser() {
     const organization = await this.getManagingOrganization();
-    const key = await this.cryptoService.getKey();
-    const keyConnectorRequest = new KeyConnectorUserKeyRequest(key.encKeyB64);
+    const masterKey = await this.cryptoService.getMasterKey();
+    const keyConnectorRequest = new KeyConnectorUserKeyRequest(masterKey.encKeyB64);
 
     try {
       await this.apiService.postUserKeyToKeyConnector(
@@ -60,12 +60,13 @@ export class KeyConnectorService implements KeyConnectorServiceAbstraction {
     await this.apiService.postConvertToKeyConnector();
   }
 
-  async getAndSetKey(url: string) {
+  // TODO: UserKey should be renamed to MasterKey and typed accordingly
+  async setMasterKeyFromUrl(url: string) {
     try {
-      const userKeyResponse = await this.apiService.getUserKeyFromKeyConnector(url);
-      const keyArr = Utils.fromB64ToArray(userKeyResponse.key);
-      const k = new SymmetricCryptoKey(keyArr);
-      await this.cryptoService.setKey(k);
+      const masterKeyResponse = await this.apiService.getMasterKeyFromKeyConnector(url);
+      const keyArr = Utils.fromB64ToArray(masterKeyResponse.key);
+      const masterKey = new SymmetricCryptoKey(keyArr) as MasterKey;
+      await this.cryptoService.setMasterKey(masterKey);
     } catch (e) {
       this.handleKeyConnectorError(e);
     }
@@ -87,17 +88,18 @@ export class KeyConnectorService implements KeyConnectorServiceAbstraction {
     const password = await this.cryptoFunctionService.randomBytes(64);
     const kdfConfig = new KdfConfig(kdfIterations, kdfMemory, kdfParallelism);
 
-    const k = await this.cryptoService.makeKey(
+    const masterKey = await this.cryptoService.makeMasterKey(
       Utils.fromBufferToB64(password),
       await this.tokenService.getEmail(),
       kdf,
       kdfConfig
     );
-    const keyConnectorRequest = new KeyConnectorUserKeyRequest(k.encKeyB64);
-    await this.cryptoService.setKey(k);
+    const keyConnectorRequest = new KeyConnectorUserKeyRequest(masterKey.encKeyB64);
+    await this.cryptoService.setMasterKey(masterKey);
 
-    const encKey = await this.cryptoService.makeEncKey(k);
-    await this.cryptoService.setEncKey(encKey[1].encryptedString);
+    const userKey = await this.cryptoService.makeUserKey(masterKey);
+    await this.cryptoService.setUserKey(userKey[0]);
+    await this.cryptoService.setMasterKeyEncryptedUserKey(userKey[1].encryptedString);
 
     const [pubKey, privKey] = await this.cryptoService.makeKeyPair();
 
@@ -109,7 +111,7 @@ export class KeyConnectorService implements KeyConnectorServiceAbstraction {
 
     const keys = new KeysRequest(pubKey, privKey.encryptedString);
     const setPasswordRequest = new SetKeyConnectorKeyRequest(
-      encKey[1].encryptedString,
+      userKey[1].encryptedString,
       kdf,
       kdfConfig,
       orgId,
diff --git a/libs/common/src/auth/services/password-reset-enrollment.service.implementation.spec.ts b/libs/common/src/auth/services/password-reset-enrollment.service.implementation.spec.ts
new file mode 100644
index 0000000000..7d1ade8332
--- /dev/null
+++ b/libs/common/src/auth/services/password-reset-enrollment.service.implementation.spec.ts
@@ -0,0 +1,123 @@
+import { mock, MockProxy } from "jest-mock-extended";
+
+import { OrganizationUserService } from "../../abstractions/organization-user/organization-user.service";
+import { OrganizationApiServiceAbstraction } from "../../admin-console/abstractions/organization/organization-api.service.abstraction";
+import { OrganizationAutoEnrollStatusResponse } from "../../admin-console/models/response/organization-auto-enroll-status.response";
+import { CryptoService } from "../../platform/abstractions/crypto.service";
+import { I18nService } from "../../platform/abstractions/i18n.service";
+import { StateService } from "../../platform/abstractions/state.service";
+
+import { PasswordResetEnrollmentServiceImplementation } from "./password-reset-enrollment.service.implementation";
+
+describe("PasswordResetEnrollmentServiceImplementation", () => {
+  let organizationApiService: MockProxy<OrganizationApiServiceAbstraction>;
+  let stateService: MockProxy<StateService>;
+  let cryptoService: MockProxy<CryptoService>;
+  let organizationUserService: MockProxy<OrganizationUserService>;
+  let i18nService: MockProxy<I18nService>;
+  let service: PasswordResetEnrollmentServiceImplementation;
+
+  beforeEach(() => {
+    organizationApiService = mock<OrganizationApiServiceAbstraction>();
+    stateService = mock<StateService>();
+    cryptoService = mock<CryptoService>();
+    organizationUserService = mock<OrganizationUserService>();
+    i18nService = mock<I18nService>();
+    service = new PasswordResetEnrollmentServiceImplementation(
+      organizationApiService,
+      stateService,
+      cryptoService,
+      organizationUserService,
+      i18nService
+    );
+  });
+
+  describe("enrollIfRequired", () => {
+    it("should not enroll when user is already enrolled in password reset", async () => {
+      const mockResponse = new OrganizationAutoEnrollStatusResponse({
+        ResetPasswordEnabled: true,
+        Id: "orgId",
+      });
+      organizationApiService.getAutoEnrollStatus.mockResolvedValue(mockResponse);
+
+      const enrollSpy = jest.spyOn(service, "enroll");
+      enrollSpy.mockResolvedValue();
+
+      await service.enrollIfRequired("ssoId");
+
+      expect(service.enroll).not.toHaveBeenCalled();
+    });
+
+    it("should enroll when user is not enrolled in password reset", async () => {
+      const mockResponse = new OrganizationAutoEnrollStatusResponse({
+        ResetPasswordEnabled: false,
+        Id: "orgId",
+      });
+      organizationApiService.getAutoEnrollStatus.mockResolvedValue(mockResponse);
+
+      const enrollSpy = jest.spyOn(service, "enroll");
+      enrollSpy.mockResolvedValue();
+
+      await service.enrollIfRequired("ssoId");
+
+      expect(service.enroll).toHaveBeenCalled();
+    });
+  });
+
+  describe("enroll", () => {
+    it("should throw an error if the organization keys are not found", async () => {
+      organizationApiService.getKeys.mockResolvedValue(null);
+      i18nService.t.mockReturnValue("resetPasswordOrgKeysError");
+
+      const result = () => service.enroll("orgId");
+
+      await expect(result).rejects.toThrowError("resetPasswordOrgKeysError");
+    });
+
+    it("should enroll the user when no user id or key is provided", async () => {
+      const orgKeyResponse = {
+        publicKey: "publicKey",
+        privateKey: "privateKey",
+      };
+      const encryptedKey = { encryptedString: "encryptedString" };
+      organizationApiService.getKeys.mockResolvedValue(orgKeyResponse as any);
+      stateService.getUserId.mockResolvedValue("userId");
+      cryptoService.getUserKey.mockResolvedValue({ key: "key" } as any);
+      cryptoService.rsaEncrypt.mockResolvedValue(encryptedKey as any);
+
+      await service.enroll("orgId");
+
+      expect(
+        organizationUserService.putOrganizationUserResetPasswordEnrollment
+      ).toHaveBeenCalledWith(
+        "orgId",
+        "userId",
+        expect.objectContaining({
+          resetPasswordKey: encryptedKey.encryptedString,
+        })
+      );
+    });
+
+    it("should enroll the user when a user id and key is provided", async () => {
+      const orgKeyResponse = {
+        publicKey: "publicKey",
+        privateKey: "privateKey",
+      };
+      const encryptedKey = { encryptedString: "encryptedString" };
+      organizationApiService.getKeys.mockResolvedValue(orgKeyResponse as any);
+      cryptoService.rsaEncrypt.mockResolvedValue(encryptedKey as any);
+
+      await service.enroll("orgId", "userId", { key: "key" } as any);
+
+      expect(
+        organizationUserService.putOrganizationUserResetPasswordEnrollment
+      ).toHaveBeenCalledWith(
+        "orgId",
+        "userId",
+        expect.objectContaining({
+          resetPasswordKey: encryptedKey.encryptedString,
+        })
+      );
+    });
+  });
+});
diff --git a/libs/common/src/auth/services/password-reset-enrollment.service.implementation.ts b/libs/common/src/auth/services/password-reset-enrollment.service.implementation.ts
new file mode 100644
index 0000000000..c6e19635c8
--- /dev/null
+++ b/libs/common/src/auth/services/password-reset-enrollment.service.implementation.ts
@@ -0,0 +1,56 @@
+import { OrganizationUserService } from "../../abstractions/organization-user/organization-user.service";
+import { OrganizationUserResetPasswordEnrollmentRequest } from "../../abstractions/organization-user/requests";
+import { OrganizationApiServiceAbstraction } from "../../admin-console/abstractions/organization/organization-api.service.abstraction";
+import { CryptoService } from "../../platform/abstractions/crypto.service";
+import { I18nService } from "../../platform/abstractions/i18n.service";
+import { StateService } from "../../platform/abstractions/state.service";
+import { Utils } from "../../platform/misc/utils";
+import { UserKey } from "../../platform/models/domain/symmetric-crypto-key";
+import { PasswordResetEnrollmentServiceAbstraction } from "../abstractions/password-reset-enrollment.service.abstraction";
+
+export class PasswordResetEnrollmentServiceImplementation
+  implements PasswordResetEnrollmentServiceAbstraction
+{
+  constructor(
+    protected organizationApiService: OrganizationApiServiceAbstraction,
+    protected stateService: StateService,
+    protected cryptoService: CryptoService,
+    protected organizationUserService: OrganizationUserService,
+    protected i18nService: I18nService
+  ) {}
+
+  async enrollIfRequired(organizationSsoIdentifier: string): Promise<void> {
+    const orgAutoEnrollStatusResponse = await this.organizationApiService.getAutoEnrollStatus(
+      organizationSsoIdentifier
+    );
+
+    if (!orgAutoEnrollStatusResponse.resetPasswordEnabled) {
+      await this.enroll(orgAutoEnrollStatusResponse.id, null, null);
+    }
+  }
+
+  async enroll(organizationId: string): Promise<void>;
+  async enroll(organizationId: string, userId: string, userKey: UserKey): Promise<void>;
+  async enroll(organizationId: string, userId?: string, userKey?: UserKey): Promise<void> {
+    const orgKeyResponse = await this.organizationApiService.getKeys(organizationId);
+    if (orgKeyResponse == null) {
+      throw new Error(this.i18nService.t("resetPasswordOrgKeysError"));
+    }
+
+    const orgPublicKey = Utils.fromB64ToArray(orgKeyResponse.publicKey);
+
+    userId = userId ?? (await this.stateService.getUserId());
+    userKey = userKey ?? (await this.cryptoService.getUserKey(userId));
+    // RSA Encrypt user's userKey.key with organization public key
+    const encryptedKey = await this.cryptoService.rsaEncrypt(userKey.key, orgPublicKey);
+
+    const resetRequest = new OrganizationUserResetPasswordEnrollmentRequest();
+    resetRequest.resetPasswordKey = encryptedKey.encryptedString;
+
+    await this.organizationUserService.putOrganizationUserResetPasswordEnrollment(
+      organizationId,
+      userId,
+      resetRequest
+    );
+  }
+}
diff --git a/libs/common/src/auth/services/user-verification/user-verification.service.ts b/libs/common/src/auth/services/user-verification/user-verification.service.ts
index 0be8d3e729..5e20eb7645 100644
--- a/libs/common/src/auth/services/user-verification/user-verification.service.ts
+++ b/libs/common/src/auth/services/user-verification/user-verification.service.ts
@@ -1,5 +1,6 @@
 import { CryptoService } from "../../../platform/abstractions/crypto.service";
 import { I18nService } from "../../../platform/abstractions/i18n.service";
+import { StateService } from "../../../platform/abstractions/state.service";
 import { Verification } from "../../../types/verification";
 import { UserVerificationApiServiceAbstraction } from "../../abstractions/user-verification/user-verification-api.service.abstraction";
 import { UserVerificationService as UserVerificationServiceAbstraction } from "../../abstractions/user-verification/user-verification.service.abstraction";
@@ -13,6 +14,7 @@ import { VerifyOTPRequest } from "../../models/request/verify-otp.request";
  */
 export class UserVerificationService implements UserVerificationServiceAbstraction {
   constructor(
+    private stateService: StateService,
     private cryptoService: CryptoService,
     private i18nService: I18nService,
     private userVerificationApiService: UserVerificationApiServiceAbstraction
@@ -37,9 +39,18 @@ export class UserVerificationService implements UserVerificationServiceAbstracti
     if (verification.type === VerificationType.OTP) {
       request.otp = verification.secret;
     } else {
+      let masterKey = await this.cryptoService.getMasterKey();
+      if (!masterKey && !alreadyHashed) {
+        masterKey = await this.cryptoService.makeMasterKey(
+          verification.secret,
+          await this.stateService.getEmail(),
+          await this.stateService.getKdfType(),
+          await this.stateService.getKdfConfig()
+        );
+      }
       request.masterPasswordHash = alreadyHashed
         ? verification.secret
-        : await this.cryptoService.hashPassword(verification.secret, null);
+        : await this.cryptoService.hashMasterKey(verification.secret, masterKey);
     }
 
     return request;
@@ -61,13 +72,23 @@ export class UserVerificationService implements UserVerificationServiceAbstracti
         throw new Error(this.i18nService.t("invalidVerificationCode"));
       }
     } else {
+      let masterKey = await this.cryptoService.getMasterKey();
+      if (!masterKey) {
+        masterKey = await this.cryptoService.makeMasterKey(
+          verification.secret,
+          await this.stateService.getEmail(),
+          await this.stateService.getKdfType(),
+          await this.stateService.getKdfConfig()
+        );
+      }
       const passwordValid = await this.cryptoService.compareAndUpdateKeyHash(
         verification.secret,
-        null
+        masterKey
       );
       if (!passwordValid) {
         throw new Error(this.i18nService.t("invalidMasterPassword"));
       }
+      this.cryptoService.setMasterKey(masterKey);
     }
     return true;
   }
@@ -76,6 +97,30 @@ export class UserVerificationService implements UserVerificationServiceAbstracti
     await this.userVerificationApiService.postAccountRequestOTP();
   }
 
+  /**
+   * Check if user has master password or can only use passwordless technologies to log in
+   * Note: This only checks the server, not the local state
+   * @param userId The user id to check. If not provided, the current user is used
+   * @returns True if the user has a master password
+   */
+  async hasMasterPassword(userId?: string): Promise<boolean> {
+    const decryptionOptions = await this.stateService.getAccountDecryptionOptions({ userId });
+
+    if (decryptionOptions?.hasMasterPassword != undefined) {
+      return decryptionOptions.hasMasterPassword;
+    }
+
+    // TODO: PM-3518 - Left for backwards compatibility, remove after 2023.12.0
+    return !(await this.stateService.getUsesKeyConnector({ userId }));
+  }
+
+  async hasMasterPasswordAndMasterKeyHash(userId?: string): Promise<boolean> {
+    return (
+      (await this.hasMasterPassword(userId)) &&
+      (await this.cryptoService.getMasterKeyHash()) != null
+    );
+  }
+
   private validateInput(verification: Verification) {
     if (verification?.secret == null || verification.secret === "") {
       if (verification.type === VerificationType.OTP) {
diff --git a/libs/common/src/enums/device-type.enum.ts b/libs/common/src/enums/device-type.enum.ts
index d5ab33bbdd..663c482489 100644
--- a/libs/common/src/enums/device-type.enum.ts
+++ b/libs/common/src/enums/device-type.enum.ts
@@ -23,3 +23,16 @@ export enum DeviceType {
   SDK = 21,
   Server = 22,
 }
+
+export const MobileDeviceTypes: Set<DeviceType> = new Set([
+  DeviceType.Android,
+  DeviceType.iOS,
+  DeviceType.AndroidAmazon,
+]);
+
+export const DesktopDeviceTypes: Set<DeviceType> = new Set([
+  DeviceType.WindowsDesktop,
+  DeviceType.MacOsDesktop,
+  DeviceType.LinuxDesktop,
+  DeviceType.UWP,
+]);
diff --git a/libs/common/src/enums/event-type.enum.ts b/libs/common/src/enums/event-type.enum.ts
index 72cd73c39b..3232d885dc 100644
--- a/libs/common/src/enums/event-type.enum.ts
+++ b/libs/common/src/enums/event-type.enum.ts
@@ -10,6 +10,7 @@ export enum EventType {
   User_ClientExportedVault = 1007,
   User_UpdatedTempPassword = 1008,
   User_MigratedKeyToKeyConnector = 1009,
+  User_RequestedDeviceApproval = 1010,
 
   Cipher_Created = 1100,
   Cipher_Updated = 1101,
@@ -51,6 +52,8 @@ export enum EventType {
   OrganizationUser_FirstSsoLogin = 1510,
   OrganizationUser_Revoked = 1511,
   OrganizationUser_Restored = 1512,
+  OrganizationUser_ApprovedAuthRequest = 1513,
+  OrganizationUser_RejectedAuthRequest = 1514,
 
   Organization_Updated = 1600,
   Organization_PurgedVault = 1601,
diff --git a/libs/common/src/enums/key-suffix-options.enum.ts b/libs/common/src/enums/key-suffix-options.enum.ts
index 2ae98d8e9f..b268c4b777 100644
--- a/libs/common/src/enums/key-suffix-options.enum.ts
+++ b/libs/common/src/enums/key-suffix-options.enum.ts
@@ -1,4 +1,5 @@
 export enum KeySuffixOptions {
   Auto = "auto",
   Biometric = "biometric",
+  Pin = "pin",
 }
diff --git a/libs/common/src/platform/abstractions/crypto.service.ts b/libs/common/src/platform/abstractions/crypto.service.ts
index e8b95ff2f1..42f60bde84 100644
--- a/libs/common/src/platform/abstractions/crypto.service.ts
+++ b/libs/common/src/platform/abstractions/crypto.service.ts
@@ -5,82 +5,420 @@ import { KdfConfig } from "../../auth/models/domain/kdf-config";
 import { KeySuffixOptions, KdfType, HashPurpose } from "../../enums";
 import { EncArrayBuffer } from "../models/domain/enc-array-buffer";
 import { EncString } from "../models/domain/enc-string";
-import { SymmetricCryptoKey } from "../models/domain/symmetric-crypto-key";
+import {
+  MasterKey,
+  OrgKey,
+  PinKey,
+  ProviderKey,
+  SymmetricCryptoKey,
+  UserKey,
+} from "../models/domain/symmetric-crypto-key";
 
 export abstract class CryptoService {
-  setKey: (key: SymmetricCryptoKey) => Promise<any>;
-  setKeyHash: (keyHash: string) => Promise<void>;
-  setEncKey: (encKey: string) => Promise<void>;
-  setEncPrivateKey: (encPrivateKey: string) => Promise<void>;
+  /**
+   * Sets the provided user key and stores
+   * any other necessary versions (such as auto, biometrics,
+   * or pin)
+   * @param key The user key to set
+   * @param userId The desired user
+   */
+  setUserKey: (key: UserKey, userId?: string) => Promise<void>;
+  /**
+   * Gets the user key from memory and sets it again,
+   * kicking off a refresh of any additional keys
+   * (such as auto, biometrics, or pin)
+   */
+  /**
+   * Check if the current sessions has ever had a user key, i.e. has ever been unlocked/decrypted.
+   * This is key for differentiating between TDE locked and standard locked states.
+   * @param userId The desired user
+   * @returns True if the current session has ever had a user key
+   */
+  getEverHadUserKey: (userId?: string) => Promise<boolean>;
+  refreshAdditionalKeys: () => Promise<void>;
+  /**
+   * Retrieves the user key
+   * @param userId The desired user
+   * @returns The user key
+   */
+  getUserKey: (userId?: string) => Promise<UserKey>;
+  /**
+   * Use for encryption/decryption of data in order to support legacy
+   * encryption models. It will return the user key if available,
+   * if not it will return the master key.
+   * @param userId The desired user
+   */
+  getUserKeyWithLegacySupport: (userId?: string) => Promise<UserKey>;
+  /**
+   * Retrieves the user key from storage
+   * @param keySuffix The desired version of the user's key to retrieve
+   * @param userId The desired user
+   * @returns The user key
+   */
+  getUserKeyFromStorage: (keySuffix: KeySuffixOptions, userId?: string) => Promise<UserKey>;
+
+  /**
+   * @returns True if the user key is available
+   */
+  hasUserKey: () => Promise<boolean>;
+  /**
+   * @param userId The desired user
+   * @returns True if the user key is set in memory
+   */
+  hasUserKeyInMemory: (userId?: string) => Promise<boolean>;
+  /**
+   * @param keySuffix The desired version of the user's key to check
+   * @param userId The desired user
+   * @returns True if the provided version of the user key is stored
+   */
+  hasUserKeyStored: (keySuffix: KeySuffixOptions, userId?: string) => Promise<boolean>;
+  /**
+   * Generates a new user key
+   * @param masterKey The user's master key
+   * @returns A new user key and the master key protected version of it
+   */
+  makeUserKey: (key: MasterKey) => Promise<[UserKey, EncString]>;
+  /**
+   * Clears the user key
+   * @param clearStoredKeys Clears all stored versions of the user keys as well,
+   * such as the biometrics key
+   * @param userId The desired user
+   */
+  clearUserKey: (clearSecretStorage?: boolean, userId?: string) => Promise<void>;
+  /**
+   * Clears the user's stored version of the user key
+   * @param keySuffix The desired version of the key to clear
+   * @param userId The desired user
+   */
+  clearStoredUserKey: (keySuffix: KeySuffixOptions, userId?: string) => Promise<void>;
+  /**
+   * Stores the master key encrypted user key
+   * @param userKeyMasterKey The master key encrypted user key to set
+   * @param userId The desired user
+   */
+  setMasterKeyEncryptedUserKey: (UserKeyMasterKey: string, userId?: string) => Promise<void>;
+  /**
+   * Sets the user's master key
+   * @param key The user's master key to set
+   * @param userId The desired user
+   */
+  setMasterKey: (key: MasterKey, userId?: string) => Promise<void>;
+  /**
+   * @param userId The desired user
+   * @returns The user's master key
+   */
+  getMasterKey: (userId?: string) => Promise<MasterKey>;
+
+  /**
+   * @param password The user's master password that will be used to derive a master key if one isn't found
+   * @param userId The desired user
+   */
+  getOrDeriveMasterKey: (password: string, userId?: string) => Promise<MasterKey>;
+  /**
+   * Generates a master key from the provided password
+   * @param password The user's master password
+   * @param email The user's email
+   * @param kdf The user's selected key derivation function to use
+   * @param KdfConfig The user's key derivation function configuration
+   * @returns A master key derived from the provided password
+   */
+  makeMasterKey: (
+    password: string,
+    email: string,
+    kdf: KdfType,
+    KdfConfig: KdfConfig
+  ) => Promise<MasterKey>;
+  /**
+   * Clears the user's master key
+   * @param userId The desired user
+   */
+  clearMasterKey: (userId?: string) => Promise<void>;
+  /**
+   * Encrypts the existing (or provided) user key with the
+   * provided master key
+   * @param masterKey The user's master key
+   * @param userKey The user key
+   * @returns The user key and the master key protected version of it
+   */
+  encryptUserKeyWithMasterKey: (
+    masterKey: MasterKey,
+    userKey?: UserKey
+  ) => Promise<[UserKey, EncString]>;
+  /**
+   * Decrypts the user key with the provided master key
+   * @param masterKey The user's master key
+   * @param userKey The user's encrypted symmetric key
+   * @param userId The desired user
+   * @returns The user key
+   */
+  decryptUserKeyWithMasterKey: (
+    masterKey: MasterKey,
+    userKey?: EncString,
+    userId?: string
+  ) => Promise<UserKey>;
+  /**
+   * Creates a master password hash from the user's master password. Can
+   * be used for local authentication or for server authentication depending
+   * on the hashPurpose provided.
+   * @param password The user's master password
+   * @param key The user's master key
+   * @param hashPurpose The iterations to use for the hash
+   * @returns The user's master password hash
+   */
+  hashMasterKey: (password: string, key: MasterKey, hashPurpose?: HashPurpose) => Promise<string>;
+  /**
+   * Sets the user's master password hash
+   * @param keyHash The user's master password hash to set
+   */
+  setMasterKeyHash: (keyHash: string) => Promise<void>;
+  /**
+   * @returns The user's master password hash
+   */
+  getMasterKeyHash: () => Promise<string>;
+  /**
+   * Clears the user's stored master password hash
+   * @param userId The desired user
+   */
+  clearMasterKeyHash: (userId?: string) => Promise<void>;
+  /**
+   * Compares the provided master password to the stored password hash and server password hash.
+   * Updates the stored hash if outdated.
+   * @param masterPassword The user's master password
+   * @param key The user's master key
+   * @returns True if the provided master password matches either the stored
+   * key hash or the server key hash
+   */
+  compareAndUpdateKeyHash: (masterPassword: string, masterKey: MasterKey) => Promise<boolean>;
+  /**
+   * Stores the encrypted organization keys and clears any decrypted
+   * organization keys currently in memory
+   * @param orgs The organizations to set keys for
+   * @param providerOrgs The provider organizations to set keys for
+   */
   setOrgKeys: (
     orgs: ProfileOrganizationResponse[],
     providerOrgs: ProfileProviderOrganizationResponse[]
   ) => Promise<void>;
-  setProviderKeys: (orgs: ProfileProviderResponse[]) => Promise<void>;
-  getKey: (keySuffix?: KeySuffixOptions, userId?: string) => Promise<SymmetricCryptoKey>;
-  getKeyFromStorage: (keySuffix: KeySuffixOptions, userId?: string) => Promise<SymmetricCryptoKey>;
-  getKeyHash: () => Promise<string>;
-  compareAndUpdateKeyHash: (masterPassword: string, key: SymmetricCryptoKey) => Promise<boolean>;
-  getEncKey: (key?: SymmetricCryptoKey) => Promise<SymmetricCryptoKey>;
-  getPublicKey: () => Promise<Uint8Array>;
-  getPrivateKey: () => Promise<Uint8Array>;
-  getFingerprint: (fingerprintMaterial: string, publicKey?: Uint8Array) => Promise<string[]>;
+  /**
+   * Returns the organization's symmetric key
+   * @param orgId The desired organization
+   * @returns The organization's symmetric key
+   */
+  getOrgKey: (orgId: string) => Promise<OrgKey>;
+  /**
+   * @returns A map of the organization Ids to their symmetric keys
+   */
   getOrgKeys: () => Promise<Map<string, SymmetricCryptoKey>>;
-  getOrgKey: (orgId: string) => Promise<SymmetricCryptoKey>;
-  getProviderKey: (providerId: string) => Promise<SymmetricCryptoKey>;
-  getKeyForUserEncryption: (key?: SymmetricCryptoKey) => Promise<SymmetricCryptoKey>;
-  hasKey: () => Promise<boolean>;
-  hasKeyInMemory: (userId?: string) => Promise<boolean>;
-  hasKeyStored: (keySuffix?: KeySuffixOptions, userId?: string) => Promise<boolean>;
-  hasEncKey: () => Promise<boolean>;
-  clearKey: (clearSecretStorage?: boolean, userId?: string) => Promise<any>;
-  clearKeyHash: () => Promise<any>;
-  clearEncKey: (memoryOnly?: boolean, userId?: string) => Promise<any>;
-  clearKeyPair: (memoryOnly?: boolean, userId?: string) => Promise<any>;
-  clearOrgKeys: (memoryOnly?: boolean, userId?: string) => Promise<any>;
-  clearProviderKeys: (memoryOnly?: boolean) => Promise<any>;
-  clearPinProtectedKey: () => Promise<any>;
-  clearKeys: (userId?: string) => Promise<any>;
-  toggleKey: () => Promise<any>;
-  makeKey: (
-    password: string,
-    salt: string,
-    kdf: KdfType,
-    kdfConfig: KdfConfig
-  ) => Promise<SymmetricCryptoKey>;
-  makeKeyFromPin: (
+  /**
+   * Uses the org key to derive a new symmetric key for encrypting data
+   * @param orgKey The organization's symmetric key
+   */
+  makeDataEncKey: <T extends UserKey | OrgKey>(key: T) => Promise<[SymmetricCryptoKey, EncString]>;
+  /**
+   * Clears the user's stored organization keys
+   * @param memoryOnly Clear only the in-memory keys
+   * @param userId The desired user
+   */
+  clearOrgKeys: (memoryOnly?: boolean, userId?: string) => Promise<void>;
+  /**
+   * Stores the encrypted provider keys and clears any decrypted
+   * provider keys currently in memory
+   * @param providers The providers to set keys for
+   */
+  setProviderKeys: (orgs: ProfileProviderResponse[]) => Promise<void>;
+  /**
+   * @param providerId The desired provider
+   * @returns The provider's symmetric key
+   */
+  getProviderKey: (providerId: string) => Promise<ProviderKey>;
+  /**
+   * @returns A map of the provider Ids to their symmetric keys
+   */
+  getProviderKeys: () => Promise<Map<string, ProviderKey>>;
+  /**
+   * @param memoryOnly Clear only the in-memory keys
+   * @param userId The desired user
+   */
+  clearProviderKeys: (memoryOnly?: boolean, userId?: string) => Promise<void>;
+  /**
+   * Returns the public key from memory. If not available, extracts it
+   * from the private key and stores it in memory
+   * @returns The user's public key
+   */
+  getPublicKey: () => Promise<Uint8Array>;
+  /**
+   * Creates a new organization key and encrypts it with the user's public key.
+   * This method can also return Provider keys for creating new Provider users.
+   * @returns The new encrypted org key and the decrypted key itself
+   */
+  makeOrgKey: <T extends OrgKey | ProviderKey>() => Promise<[EncString, T]>;
+  /**
+   * Sets the the user's encrypted private key in storage and
+   * clears the decrypted private key from memory
+   * Note: does not clear the private key if null is provided
+   * @param encPrivateKey An encrypted private key
+   */
+  setPrivateKey: (encPrivateKey: string) => Promise<void>;
+  /**
+   * Returns the private key from memory. If not available, decrypts it
+   * from storage and stores it in memory
+   * @returns The user's private key
+   */
+  getPrivateKey: () => Promise<Uint8Array>;
+  /**
+   * Generates a fingerprint phrase for the user based on their public key
+   * @param fingerprintMaterial Fingerprint material
+   * @param publicKey The user's public key
+   * @returns The user's fingerprint phrase
+   */
+  getFingerprint: (fingerprintMaterial: string, publicKey?: Uint8Array) => Promise<string[]>;
+  /**
+   * Generates a new keypair
+   * @param key A key to encrypt the private key with. If not provided,
+   * defaults to the user key
+   * @returns A new keypair: [publicKey in Base64, encrypted privateKey]
+   */
+  makeKeyPair: (key?: SymmetricCryptoKey) => Promise<[string, EncString]>;
+  /**
+   * Clears the user's key pair
+   * @param memoryOnly Clear only the in-memory keys
+   * @param userId The desired user
+   */
+  clearKeyPair: (memoryOnly?: boolean, userId?: string) => Promise<void[]>;
+  /**
+   * @param pin The user's pin
+   * @param salt The user's salt
+   * @param kdf The user's kdf
+   * @param kdfConfig The user's kdf config
+   * @returns A key derived from the user's pin
+   */
+  makePinKey: (pin: string, salt: string, kdf: KdfType, kdfConfig: KdfConfig) => Promise<PinKey>;
+  /**
+   * Clears the user's pin keys from storage
+   * Note: This will remove the stored pin and as a result,
+   * disable pin protection for the user
+   * @param userId The desired user
+   */
+  clearPinKeys: (userId?: string) => Promise<void>;
+  /**
+   * Decrypts the user key with their pin
+   * @param pin The user's PIN
+   * @param salt The user's salt
+   * @param kdf The user's KDF
+   * @param kdfConfig The user's KDF config
+   * @param pinProtectedUserKey The user's PIN protected symmetric key, if not provided
+   * it will be retrieved from storage
+   * @returns The decrypted user key
+   */
+  decryptUserKeyWithPin: (
     pin: string,
     salt: string,
     kdf: KdfType,
     kdfConfig: KdfConfig,
     protectedKeyCs?: EncString
-  ) => Promise<SymmetricCryptoKey>;
-  makeShareKey: () => Promise<[EncString, SymmetricCryptoKey]>;
-  makeKeyPair: (key?: SymmetricCryptoKey) => Promise<[string, EncString]>;
-  makePinKey: (
+  ) => Promise<UserKey>;
+  /**
+   * Creates a new Pin key that encrypts the user key instead of the
+   * master key. Clears the old Pin key from state.
+   * @param masterPasswordOnRestart True if Master Password on Restart is enabled
+   * @param pin User's PIN
+   * @param email User's email
+   * @param kdf User's KdfType
+   * @param kdfConfig User's KdfConfig
+   * @param oldPinKey The old Pin key from state (retrieved from different
+   * places depending on if Master Password on Restart was enabled)
+   * @returns The user key
+   */
+  decryptAndMigrateOldPinKey: (
+    masterPasswordOnRestart: boolean,
+    pin: string,
+    email: string,
+    kdf: KdfType,
+    kdfConfig: KdfConfig,
+    oldPinKey: EncString
+  ) => Promise<UserKey>;
+  /**
+   * Replaces old master auto keys with new user auto keys
+   */
+  migrateAutoKeyIfNeeded: (userId?: string) => Promise<void>;
+  /**
+   * @param keyMaterial The key material to derive the send key from
+   * @returns A new send key
+   */
+  makeSendKey: (keyMaterial: Uint8Array) => Promise<SymmetricCryptoKey>;
+  /**
+   * Clears all of the user's keys from storage
+   * @param userId The user's Id
+   */
+  clearKeys: (userId?: string) => Promise<any>;
+  /**
+   * RSA encrypts a value.
+   * @param data The data to encrypt
+   * @param publicKey The public key to use for encryption, if not provided, the user's public key will be used
+   * @returns The encrypted data
+   */
+  rsaEncrypt: (data: Uint8Array, publicKey?: Uint8Array) => Promise<EncString>;
+  /**
+   * Decrypts a value using RSA.
+   * @param encValue The encrypted value to decrypt
+   * @param privateKeyValue The private key to use for decryption
+   * @returns The decrypted value
+   */
+  rsaDecrypt: (encValue: string, privateKeyValue?: Uint8Array) => Promise<Uint8Array>;
+  randomNumber: (min: number, max: number) => Promise<number>;
+
+  /**
+   * Initialize all necessary crypto keys needed for a new account.
+   * Warning! This completely replaces any existing keys!
+   * @returns The user's newly created  public key, private key, and encrypted private key
+   */
+  initAccount: () => Promise<{
+    userKey: UserKey;
+    publicKey: string;
+    privateKey: EncString;
+  }>;
+
+  /**
+   * @deprecated Left for migration purposes. Use decryptUserKeyWithPin instead.
+   */
+  decryptMasterKeyWithPin: (
     pin: string,
     salt: string,
     kdf: KdfType,
-    kdfConfig: KdfConfig
-  ) => Promise<SymmetricCryptoKey>;
-  makeSendKey: (keyMaterial: Uint8Array) => Promise<SymmetricCryptoKey>;
-  hashPassword: (
-    password: string,
-    key: SymmetricCryptoKey,
-    hashPurpose?: HashPurpose
-  ) => Promise<string>;
-  makeEncKey: (key: SymmetricCryptoKey) => Promise<[SymmetricCryptoKey, EncString]>;
-  remakeEncKey: (
-    key: SymmetricCryptoKey,
-    encKey?: SymmetricCryptoKey
-  ) => Promise<[SymmetricCryptoKey, EncString]>;
+    kdfConfig: KdfConfig,
+    protectedKeyCs?: EncString
+  ) => Promise<MasterKey>;
+  /**
+   * Previously, the master key was used for any additional key like the biometrics or pin key.
+   * We have switched to using the user key for these purposes. This method is for clearing the state
+   * of the older keys on logout or post migration.
+   * @param keySuffix The desired type of key to clear
+   * @param userId The desired user
+   */
+  clearDeprecatedKeys: (keySuffix: KeySuffixOptions, userId?: string) => Promise<void>;
+  /**
+   * @deprecated July 25 2022: Get the key you need from CryptoService (getKeyForUserEncryption or getOrgKey)
+   * and then call encryptService.encrypt
+   */
   encrypt: (plainValue: string | Uint8Array, key?: SymmetricCryptoKey) => Promise<EncString>;
+  /**
+   * @deprecated July 25 2022: Get the key you need from CryptoService (getKeyForUserEncryption or getOrgKey)
+   * and then call encryptService.encryptToBytes
+   */
   encryptToBytes: (plainValue: Uint8Array, key?: SymmetricCryptoKey) => Promise<EncArrayBuffer>;
-  rsaEncrypt: (data: Uint8Array, publicKey?: Uint8Array) => Promise<EncString>;
-  rsaDecrypt: (encValue: string, privateKeyValue?: Uint8Array) => Promise<Uint8Array>;
+  /**
+   * @deprecated July 25 2022: Get the key you need from CryptoService (getKeyForUserEncryption or getOrgKey)
+   * and then call encryptService.decryptToBytes
+   */
   decryptToBytes: (encString: EncString, key?: SymmetricCryptoKey) => Promise<Uint8Array>;
+  /**
+   * @deprecated July 25 2022: Get the key you need from CryptoService (getKeyForUserEncryption or getOrgKey)
+   * and then call encryptService.decryptToUtf8
+   */
   decryptToUtf8: (encString: EncString, key?: SymmetricCryptoKey) => Promise<string>;
+  /**
+   * @deprecated July 25 2022: Get the key you need from CryptoService (getKeyForUserEncryption or getOrgKey)
+   * and then call encryptService.decryptToBytes
+   */
   decryptFromBytes: (encBuffer: EncArrayBuffer, key: SymmetricCryptoKey) => Promise<Uint8Array>;
-  randomNumber: (min: number, max: number) => Promise<number>;
-  validateKey: (key: SymmetricCryptoKey) => Promise<boolean>;
 }
diff --git a/libs/common/src/platform/abstractions/state.service.ts b/libs/common/src/platform/abstractions/state.service.ts
index 80159a9a8b..4a2b515b74 100644
--- a/libs/common/src/platform/abstractions/state.service.ts
+++ b/libs/common/src/platform/abstractions/state.service.ts
@@ -5,6 +5,7 @@ import { OrganizationData } from "../../admin-console/models/data/organization.d
 import { PolicyData } from "../../admin-console/models/data/policy.data";
 import { ProviderData } from "../../admin-console/models/data/provider.data";
 import { Policy } from "../../admin-console/models/domain/policy";
+import { AdminAuthRequestStorable } from "../../auth/models/domain/admin-auth-req-storable";
 import { EnvironmentUrls } from "../../auth/models/domain/environment-urls";
 import { ForceResetPasswordReason } from "../../auth/models/domain/force-reset-password-reason";
 import { KdfConfig } from "../../auth/models/domain/kdf-config";
@@ -23,10 +24,19 @@ import { CipherView } from "../../vault/models/view/cipher.view";
 import { CollectionView } from "../../vault/models/view/collection.view";
 import { AddEditCipherInfo } from "../../vault/types/add-edit-cipher-info";
 import { ServerConfigData } from "../models/data/server-config.data";
-import { Account, AccountSettingsSettings } from "../models/domain/account";
+import {
+  Account,
+  AccountDecryptionOptions,
+  AccountSettingsSettings,
+} from "../models/domain/account";
 import { EncString } from "../models/domain/enc-string";
 import { StorageOptions } from "../models/domain/storage-options";
-import { DeviceKey, SymmetricCryptoKey } from "../models/domain/symmetric-crypto-key";
+import {
+  DeviceKey,
+  MasterKey,
+  SymmetricCryptoKey,
+  UserKey,
+} from "../models/domain/symmetric-crypto-key";
 
 export abstract class StateService<T extends Account = Account> {
   accounts$: Observable<{ [userId: string]: T }>;
@@ -71,24 +81,106 @@ export abstract class StateService<T extends Account = Account> {
   setCollapsedGroupings: (value: string[], options?: StorageOptions) => Promise<void>;
   getConvertAccountToKeyConnector: (options?: StorageOptions) => Promise<boolean>;
   setConvertAccountToKeyConnector: (value: boolean, options?: StorageOptions) => Promise<void>;
+  /**
+   * gets the user key
+   */
+  getUserKey: (options?: StorageOptions) => Promise<UserKey>;
+  /**
+   * Sets the user key
+   */
+  setUserKey: (value: UserKey, options?: StorageOptions) => Promise<void>;
+  /**
+   * Gets the user's master key
+   */
+  getMasterKey: (options?: StorageOptions) => Promise<MasterKey>;
+  /**
+   * Sets the user's master key
+   */
+  setMasterKey: (value: MasterKey, options?: StorageOptions) => Promise<void>;
+  /**
+   * Gets the user key encrypted by the master key
+   */
+  getMasterKeyEncryptedUserKey: (options?: StorageOptions) => Promise<string>;
+  /**
+   * Sets the user key encrypted by the master key
+   */
+  setMasterKeyEncryptedUserKey: (value: string, options?: StorageOptions) => Promise<void>;
+  /**
+   * Gets the user's auto key
+   */
+  getUserKeyAutoUnlock: (options?: StorageOptions) => Promise<string>;
+  /**
+   * Sets the user's auto key
+   */
+  setUserKeyAutoUnlock: (value: string, options?: StorageOptions) => Promise<void>;
+  /**
+   * Gets the user's biometric key
+   */
+  getUserKeyBiometric: (options?: StorageOptions) => Promise<string>;
+  /**
+   * Checks if the user has a biometric key available
+   */
+  hasUserKeyBiometric: (options?: StorageOptions) => Promise<boolean>;
+  /**
+   * Sets the user's biometric key
+   */
+  setUserKeyBiometric: (value: BiometricKey, options?: StorageOptions) => Promise<void>;
+  /**
+   * Gets the user key encrypted by the Pin key.
+   * Used when Lock with MP on Restart is disabled
+   */
+  getPinKeyEncryptedUserKey: (options?: StorageOptions) => Promise<EncString>;
+  /**
+   * Sets the user key encrypted by the Pin key.
+   * Used when Lock with MP on Restart is disabled
+   */
+  setPinKeyEncryptedUserKey: (value: EncString, options?: StorageOptions) => Promise<void>;
+  /**
+   * Gets the ephemeral version of the user key encrypted by the Pin key.
+   * Used when Lock with MP on Restart is enabled
+   */
+  getPinKeyEncryptedUserKeyEphemeral: (options?: StorageOptions) => Promise<EncString>;
+  /**
+   * Sets the ephemeral version of the user key encrypted by the Pin key.
+   * Used when Lock with MP on Restart is enabled
+   */
+  setPinKeyEncryptedUserKeyEphemeral: (value: EncString, options?: StorageOptions) => Promise<void>;
+  /**
+   * @deprecated For migration purposes only, use getUserKeyMasterKey instead
+   */
+  getEncryptedCryptoSymmetricKey: (options?: StorageOptions) => Promise<string>;
+  /**
+   * @deprecated For migration purposes only, use setUserKeyMasterKey instead
+   */
+  setEncryptedCryptoSymmetricKey: (value: string, options?: StorageOptions) => Promise<void>;
+  /**
+   * @deprecated For legacy purposes only, use getMasterKey instead
+   */
   getCryptoMasterKey: (options?: StorageOptions) => Promise<SymmetricCryptoKey>;
-  setCryptoMasterKey: (value: SymmetricCryptoKey, options?: StorageOptions) => Promise<void>;
+  /**
+   * @deprecated For migration purposes only, use getUserKeyAuto instead
+   */
   getCryptoMasterKeyAuto: (options?: StorageOptions) => Promise<string>;
+  /**
+   * @deprecated For migration purposes only, use setUserKeyAuto instead
+   */
   setCryptoMasterKeyAuto: (value: string, options?: StorageOptions) => Promise<void>;
-  getCryptoMasterKeyB64: (options?: StorageOptions) => Promise<string>;
-  setCryptoMasterKeyB64: (value: string, options?: StorageOptions) => Promise<void>;
+  /**
+   * @deprecated For migration purposes only, use getUserKeyBiometric instead
+   */
   getCryptoMasterKeyBiometric: (options?: StorageOptions) => Promise<string>;
+  /**
+   * @deprecated For migration purposes only, use hasUserKeyBiometric instead
+   */
   hasCryptoMasterKeyBiometric: (options?: StorageOptions) => Promise<boolean>;
+  /**
+   * @deprecated For migration purposes only, use setUserKeyBiometric instead
+   */
   setCryptoMasterKeyBiometric: (value: BiometricKey, options?: StorageOptions) => Promise<void>;
   getDecryptedCiphers: (options?: StorageOptions) => Promise<CipherView[]>;
   setDecryptedCiphers: (value: CipherView[], options?: StorageOptions) => Promise<void>;
   getDecryptedCollections: (options?: StorageOptions) => Promise<CollectionView[]>;
   setDecryptedCollections: (value: CollectionView[], options?: StorageOptions) => Promise<void>;
-  getDecryptedCryptoSymmetricKey: (options?: StorageOptions) => Promise<SymmetricCryptoKey>;
-  setDecryptedCryptoSymmetricKey: (
-    value: SymmetricCryptoKey,
-    options?: StorageOptions
-  ) => Promise<void>;
   getDecryptedOrganizationKeys: (
     options?: StorageOptions
   ) => Promise<Map<string, SymmetricCryptoKey>>;
@@ -103,7 +195,13 @@ export abstract class StateService<T extends Account = Account> {
     value: GeneratedPasswordHistory[],
     options?: StorageOptions
   ) => Promise<void>;
+  /**
+   * @deprecated For migration purposes only, use getDecryptedUserKeyPin instead
+   */
   getDecryptedPinProtected: (options?: StorageOptions) => Promise<EncString>;
+  /**
+   * @deprecated For migration purposes only, use setDecryptedUserKeyPin instead
+   */
   setDecryptedPinProtected: (value: EncString, options?: StorageOptions) => Promise<void>;
   /**
    * @deprecated Do not call this, use PolicyService
@@ -164,7 +262,21 @@ export abstract class StateService<T extends Account = Account> {
   getDuckDuckGoSharedKey: (options?: StorageOptions) => Promise<string>;
   setDuckDuckGoSharedKey: (value: string, options?: StorageOptions) => Promise<void>;
   getDeviceKey: (options?: StorageOptions) => Promise<DeviceKey | null>;
-  setDeviceKey: (value: DeviceKey, options?: StorageOptions) => Promise<void>;
+  setDeviceKey: (value: DeviceKey | null, options?: StorageOptions) => Promise<void>;
+  getAdminAuthRequest: (options?: StorageOptions) => Promise<AdminAuthRequestStorable | null>;
+  setAdminAuthRequest: (
+    adminAuthRequest: AdminAuthRequestStorable,
+    options?: StorageOptions
+  ) => Promise<void>;
+  getShouldTrustDevice: (options?: StorageOptions) => Promise<boolean | null>;
+  setShouldTrustDevice: (value: boolean, options?: StorageOptions) => Promise<void>;
+  getAccountDecryptionOptions: (
+    options?: StorageOptions
+  ) => Promise<AccountDecryptionOptions | null>;
+  setAccountDecryptionOptions: (
+    value: AccountDecryptionOptions,
+    options?: StorageOptions
+  ) => Promise<void>;
   getEmail: (options?: StorageOptions) => Promise<string>;
   setEmail: (value: string, options?: StorageOptions) => Promise<void>;
   getEmailVerified: (options?: StorageOptions) => Promise<boolean>;
@@ -205,8 +317,6 @@ export abstract class StateService<T extends Account = Account> {
     value: { [id: string]: CollectionData },
     options?: StorageOptions
   ) => Promise<void>;
-  getEncryptedCryptoSymmetricKey: (options?: StorageOptions) => Promise<string>;
-  setEncryptedCryptoSymmetricKey: (value: string, options?: StorageOptions) => Promise<void>;
   /**
    * @deprecated Do not call this directly, use FolderService
    */
@@ -232,7 +342,13 @@ export abstract class StateService<T extends Account = Account> {
     value: GeneratedPasswordHistory[],
     options?: StorageOptions
   ) => Promise<void>;
+  /**
+   * @deprecated For migration purposes only, use getEncryptedUserKeyPin instead
+   */
   getEncryptedPinProtected: (options?: StorageOptions) => Promise<string>;
+  /**
+   * @deprecated For migration purposes only, use setEncryptedUserKeyPin instead
+   */
   setEncryptedPinProtected: (value: string, options?: StorageOptions) => Promise<void>;
   /**
    * @deprecated Do not call this directly, use PolicyService
@@ -269,6 +385,8 @@ export abstract class StateService<T extends Account = Account> {
   setEquivalentDomains: (value: string, options?: StorageOptions) => Promise<void>;
   getEventCollection: (options?: StorageOptions) => Promise<EventData[]>;
   setEventCollection: (value: EventData[], options?: StorageOptions) => Promise<void>;
+  getEverHadUserKey: (options?: StorageOptions) => Promise<boolean>;
+  setEverHadUserKey: (value: boolean, options?: StorageOptions) => Promise<void>;
   getEverBeenUnlocked: (options?: StorageOptions) => Promise<boolean>;
   setEverBeenUnlocked: (value: boolean, options?: StorageOptions) => Promise<void>;
   getForcePasswordResetReason: (options?: StorageOptions) => Promise<ForceResetPasswordReason>;
@@ -327,7 +445,13 @@ export abstract class StateService<T extends Account = Account> {
   setUsernameGenerationOptions: (value: any, options?: StorageOptions) => Promise<void>;
   getGeneratorOptions: (options?: StorageOptions) => Promise<any>;
   setGeneratorOptions: (value: any, options?: StorageOptions) => Promise<void>;
+  /**
+   * Gets the user's Pin, encrypted by the user key
+   */
   getProtectedPin: (options?: StorageOptions) => Promise<string>;
+  /**
+   * Sets the user's Pin, encrypted by the user key
+   */
   setProtectedPin: (value: string, options?: StorageOptions) => Promise<void>;
   getProviders: (options?: StorageOptions) => Promise<{ [id: string]: ProviderData }>;
   setProviders: (value: { [id: string]: ProviderData }, options?: StorageOptions) => Promise<void>;
@@ -353,6 +477,11 @@ export abstract class StateService<T extends Account = Account> {
   setSsoOrganizationIdentifier: (value: string, options?: StorageOptions) => Promise<void>;
   getSsoState: (options?: StorageOptions) => Promise<string>;
   setSsoState: (value: string, options?: StorageOptions) => Promise<void>;
+  getUserSsoOrganizationIdentifier: (options?: StorageOptions) => Promise<string>;
+  setUserSsoOrganizationIdentifier: (
+    value: string | null,
+    options?: StorageOptions
+  ) => Promise<void>;
   getTheme: (options?: StorageOptions) => Promise<ThemeType>;
   setTheme: (value: ThemeType, options?: StorageOptions) => Promise<void>;
   getTwoFactorToken: (options?: StorageOptions) => Promise<string>;
diff --git a/libs/common/src/platform/models/domain/account-keys.spec.ts b/libs/common/src/platform/models/domain/account-keys.spec.ts
index 36fdb6a276..96e30a8c6e 100644
--- a/libs/common/src/platform/models/domain/account-keys.spec.ts
+++ b/libs/common/src/platform/models/domain/account-keys.spec.ts
@@ -1,8 +1,9 @@
 import { makeStaticByteArray } from "../../../../spec";
+import { CsprngArray } from "../../../types/csprng";
 import { Utils } from "../../misc/utils";
 
 import { AccountKeys, EncryptionPair } from "./account";
-import { SymmetricCryptoKey } from "./symmetric-crypto-key";
+import { DeviceKey, SymmetricCryptoKey } from "./symmetric-crypto-key";
 
 describe("AccountKeys", () => {
   describe("toJSON", () => {
@@ -22,6 +23,23 @@ describe("AccountKeys", () => {
       const json = JSON.stringify(keys);
       expect(json).toContain('"publicKey":"hello"');
     });
+
+    // As the accountKeys.toJSON doesn't really serialize the device key
+    // this method just checks the persistence of the deviceKey
+    it("should persist deviceKey", () => {
+      // Arrange
+      const accountKeys = new AccountKeys();
+      const deviceKeyBytesLength = 64;
+      accountKeys.deviceKey = new SymmetricCryptoKey(
+        new Uint8Array(deviceKeyBytesLength).buffer as CsprngArray
+      ) as DeviceKey;
+
+      // Act
+      const serializedKeys = accountKeys.toJSON();
+
+      // Assert
+      expect(serializedKeys.deviceKey).toEqual(accountKeys.deviceKey);
+    });
   });
 
   describe("fromJSON", () => {
@@ -57,5 +75,24 @@ describe("AccountKeys", () => {
       } as any);
       expect(spy).toHaveBeenCalled();
     });
+
+    it("should deserialize deviceKey", () => {
+      // Arrange
+      const expectedKeyB64 =
+        "ZJNnhx9BbJeb2EAq1hlMjqt6GFsg9G/GzoFf6SbPKsaiMhKGDcbHcwcyEg56Lh8lfilpZz4SRM6UA7oFCg+lSg==";
+
+      const symmetricCryptoKeyFromJsonSpy = jest.spyOn(SymmetricCryptoKey, "fromJSON");
+
+      // Act
+      const accountKeys = AccountKeys.fromJSON({
+        deviceKey: {
+          keyB64: expectedKeyB64,
+        },
+      } as any);
+
+      // Assert
+      expect(symmetricCryptoKeyFromJsonSpy).toHaveBeenCalled();
+      expect(accountKeys.deviceKey.keyB64).toEqual(expectedKeyB64);
+    });
   });
 });
diff --git a/libs/common/src/platform/models/domain/account.ts b/libs/common/src/platform/models/domain/account.ts
index f40df3aa53..95a5a89912 100644
--- a/libs/common/src/platform/models/domain/account.ts
+++ b/libs/common/src/platform/models/domain/account.ts
@@ -6,8 +6,12 @@ import { PolicyData } from "../../../admin-console/models/data/policy.data";
 import { ProviderData } from "../../../admin-console/models/data/provider.data";
 import { Policy } from "../../../admin-console/models/domain/policy";
 import { AuthenticationStatus } from "../../../auth/enums/authentication-status";
+import { AdminAuthRequestStorable } from "../../../auth/models/domain/admin-auth-req-storable";
 import { EnvironmentUrls } from "../../../auth/models/domain/environment-urls";
 import { ForceResetPasswordReason } from "../../../auth/models/domain/force-reset-password-reason";
+import { KeyConnectorUserDecryptionOption } from "../../../auth/models/domain/user-decryption-options/key-connector-user-decryption-option";
+import { TrustedDeviceUserDecryptionOption } from "../../../auth/models/domain/user-decryption-options/trusted-device-user-decryption-option";
+import { UserDecryptionOptionsResponse } from "../../../auth/models/response/user-decryption-options/user-decryption-options.response";
 import { KdfType, UriMatchType } from "../../../enums";
 import { EventData } from "../../../models/data/event.data";
 import { GeneratedPasswordHistory } from "../../../tools/generator/password";
@@ -22,8 +26,8 @@ import { CollectionView } from "../../../vault/models/view/collection.view";
 import { Utils } from "../../misc/utils";
 import { ServerConfigData } from "../../models/data/server-config.data";
 
-import { EncString } from "./enc-string";
-import { DeviceKey, SymmetricCryptoKey } from "./symmetric-crypto-key";
+import { EncryptedString, EncString } from "./enc-string";
+import { MasterKey, SymmetricCryptoKey, UserKey } from "./symmetric-crypto-key";
 
 export class EncryptionPair<TEncrypted, TDecrypted> {
   encrypted?: TEncrypted;
@@ -99,15 +103,10 @@ export class AccountData {
 }
 
 export class AccountKeys {
-  cryptoMasterKey?: SymmetricCryptoKey;
-  cryptoMasterKeyAuto?: string;
-  cryptoMasterKeyB64?: string;
-  cryptoMasterKeyBiometric?: string;
-  cryptoSymmetricKey?: EncryptionPair<string, SymmetricCryptoKey> = new EncryptionPair<
-    string,
-    SymmetricCryptoKey
-  >();
-  deviceKey?: DeviceKey;
+  userKey?: UserKey;
+  masterKey?: MasterKey;
+  masterKeyEncryptedUserKey?: string;
+  deviceKey?: ReturnType<SymmetricCryptoKey["toJSON"]>;
   organizationKeys?: EncryptionPair<
     { [orgId: string]: EncryptedOrganizationKeyData },
     Record<string, SymmetricCryptoKey>
@@ -123,6 +122,18 @@ export class AccountKeys {
   publicKey?: Uint8Array;
   apiKeyClientSecret?: string;
 
+  /** @deprecated July 2023, left for migration purposes*/
+  cryptoMasterKey?: SymmetricCryptoKey;
+  /** @deprecated July 2023, left for migration purposes*/
+  cryptoMasterKeyAuto?: string;
+  /** @deprecated July 2023, left for migration purposes*/
+  cryptoMasterKeyBiometric?: string;
+  /** @deprecated July 2023, left for migration purposes*/
+  cryptoSymmetricKey?: EncryptionPair<string, SymmetricCryptoKey> = new EncryptionPair<
+    string,
+    SymmetricCryptoKey
+  >();
+
   toJSON() {
     return Utils.merge(this, {
       publicKey: Utils.fromBufferToByteString(this.publicKey),
@@ -135,6 +146,9 @@ export class AccountKeys {
     }
 
     return Object.assign(new AccountKeys(), {
+      userKey: SymmetricCryptoKey.fromJSON(obj?.userKey),
+      masterKey: SymmetricCryptoKey.fromJSON(obj?.masterKey),
+      deviceKey: obj?.deviceKey,
       cryptoMasterKey: SymmetricCryptoKey.fromJSON(obj?.cryptoMasterKey),
       cryptoSymmetricKey: EncryptionPair.fromJSON(
         obj?.cryptoSymmetricKey,
@@ -173,6 +187,7 @@ export class AccountProfile {
   emailVerified?: boolean;
   entityId?: string;
   entityType?: string;
+  everHadUserKey?: boolean;
   everBeenUnlocked?: boolean;
   forcePasswordResetReason?: ForceResetPasswordReason;
   hasPremiumPersonally?: boolean;
@@ -223,7 +238,8 @@ export class AccountSettings {
   passwordGenerationOptions?: any;
   usernameGenerationOptions?: any;
   generatorOptions?: any;
-  pinProtected?: EncryptionPair<string, EncString> = new EncryptionPair<string, EncString>();
+  pinKeyEncryptedUserKey?: EncryptedString;
+  pinKeyEncryptedUserKeyEphemeral?: EncryptedString;
   protectedPin?: string;
   settings?: AccountSettingsSettings; // TODO: Merge whatever is going on here into the AccountSettings model properly
   vaultTimeout?: number;
@@ -234,6 +250,10 @@ export class AccountSettings {
   activateAutoFillOnPageLoadFromPolicy?: boolean;
   region?: string;
   smOnboardingTasks?: Record<string, Record<string, boolean>>;
+  trustDeviceChoiceForDecryption?: boolean;
+
+  /** @deprecated July 2023, left for migration purposes*/
+  pinProtected?: EncryptionPair<string, EncString> = new EncryptionPair<string, EncString>();
 
   static fromJSON(obj: Jsonify<AccountSettings>): AccountSettings {
     if (obj == null) {
@@ -269,12 +289,106 @@ export class AccountTokens {
   }
 }
 
+export class AccountDecryptionOptions {
+  hasMasterPassword: boolean;
+  trustedDeviceOption?: TrustedDeviceUserDecryptionOption;
+  keyConnectorOption?: KeyConnectorUserDecryptionOption;
+
+  constructor(init?: Partial<AccountDecryptionOptions>) {
+    if (init) {
+      Object.assign(this, init);
+    }
+  }
+
+  // TODO: these nice getters don't work because the Account object is not properly being deserialized out of
+  // JSON (the Account static fromJSON method is not running) so these getters don't exist on the
+  // account decryptions options object when pulled out of state.  This is a bug that needs to be fixed later on
+  // get hasTrustedDeviceOption(): boolean {
+  //   return this.trustedDeviceOption !== null && this.trustedDeviceOption !== undefined;
+  // }
+
+  // get hasKeyConnectorOption(): boolean {
+  //   return this.keyConnectorOption !== null && this.keyConnectorOption !== undefined;
+  // }
+
+  static fromResponse(response: UserDecryptionOptionsResponse): AccountDecryptionOptions {
+    if (response == null) {
+      return null;
+    }
+
+    const accountDecryptionOptions = new AccountDecryptionOptions();
+    accountDecryptionOptions.hasMasterPassword = response.hasMasterPassword;
+
+    if (response.trustedDeviceOption) {
+      accountDecryptionOptions.trustedDeviceOption = new TrustedDeviceUserDecryptionOption(
+        response.trustedDeviceOption.hasAdminApproval,
+        response.trustedDeviceOption.hasLoginApprovingDevice,
+        response.trustedDeviceOption.hasManageResetPasswordPermission
+      );
+    }
+
+    if (response.keyConnectorOption) {
+      accountDecryptionOptions.keyConnectorOption = new KeyConnectorUserDecryptionOption(
+        response.keyConnectorOption.keyConnectorUrl
+      );
+    }
+
+    return accountDecryptionOptions;
+  }
+
+  static fromJSON(obj: Jsonify<AccountDecryptionOptions>): AccountDecryptionOptions {
+    if (obj == null) {
+      return null;
+    }
+
+    const accountDecryptionOptions = Object.assign(new AccountDecryptionOptions(), obj);
+
+    if (obj.trustedDeviceOption) {
+      accountDecryptionOptions.trustedDeviceOption = new TrustedDeviceUserDecryptionOption(
+        obj.trustedDeviceOption.hasAdminApproval,
+        obj.trustedDeviceOption.hasLoginApprovingDevice,
+        obj.trustedDeviceOption.hasManageResetPasswordPermission
+      );
+    }
+
+    if (obj.keyConnectorOption) {
+      accountDecryptionOptions.keyConnectorOption = new KeyConnectorUserDecryptionOption(
+        obj.keyConnectorOption.keyConnectorUrl
+      );
+    }
+
+    return accountDecryptionOptions;
+  }
+}
+
+export class LoginState {
+  ssoOrganizationIdentifier?: string;
+
+  constructor(init?: Partial<LoginState>) {
+    if (init) {
+      Object.assign(this, init);
+    }
+  }
+
+  static fromJSON(obj: Jsonify<LoginState>): LoginState {
+    if (obj == null) {
+      return null;
+    }
+
+    const loginState = Object.assign(new LoginState(), obj);
+    return loginState;
+  }
+}
+
 export class Account {
   data?: AccountData = new AccountData();
   keys?: AccountKeys = new AccountKeys();
   profile?: AccountProfile = new AccountProfile();
   settings?: AccountSettings = new AccountSettings();
   tokens?: AccountTokens = new AccountTokens();
+  decryptionOptions?: AccountDecryptionOptions = new AccountDecryptionOptions();
+  loginState?: LoginState = new LoginState();
+  adminAuthRequest?: Jsonify<AdminAuthRequestStorable> = null;
 
   constructor(init: Partial<Account>) {
     Object.assign(this, {
@@ -298,6 +412,15 @@ export class Account {
         ...new AccountTokens(),
         ...init?.tokens,
       },
+      decryptionOptions: {
+        ...new AccountDecryptionOptions(),
+        ...init?.decryptionOptions,
+      },
+      loginState: {
+        ...new LoginState(),
+        ...init?.loginState,
+      },
+      adminAuthRequest: init?.adminAuthRequest,
     });
   }
 
@@ -311,6 +434,9 @@ export class Account {
       profile: AccountProfile.fromJSON(json?.profile),
       settings: AccountSettings.fromJSON(json?.settings),
       tokens: AccountTokens.fromJSON(json?.tokens),
+      decryptionOptions: AccountDecryptionOptions.fromJSON(json?.decryptionOptions),
+      loginState: LoginState.fromJSON(json?.loginState),
+      adminAuthRequest: AdminAuthRequestStorable.fromJSON(json?.adminAuthRequest),
     });
   }
 }
diff --git a/libs/common/src/platform/models/domain/enc-string.spec.ts b/libs/common/src/platform/models/domain/enc-string.spec.ts
index 31f515229d..2aa4f2161f 100644
--- a/libs/common/src/platform/models/domain/enc-string.spec.ts
+++ b/libs/common/src/platform/models/domain/enc-string.spec.ts
@@ -4,7 +4,11 @@ import { mock, MockProxy } from "jest-mock-extended";
 
 import { EncryptionType } from "../../../enums";
 import { EncryptService } from "../../../platform/abstractions/encrypt.service";
-import { SymmetricCryptoKey } from "../../../platform/models/domain/symmetric-crypto-key";
+import {
+  OrgKey,
+  SymmetricCryptoKey,
+  UserKey,
+} from "../../../platform/models/domain/symmetric-crypto-key";
 import { CryptoService } from "../../abstractions/crypto.service";
 import { ContainerService } from "../../services/container.service";
 
@@ -225,12 +229,12 @@ describe("EncString", () => {
 
       await encString.decrypt(null, key);
 
-      expect(cryptoService.getKeyForUserEncryption).not.toHaveBeenCalled();
+      expect(cryptoService.getUserKeyWithLegacySupport).not.toHaveBeenCalled();
       expect(encryptService.decryptToUtf8).toHaveBeenCalledWith(encString, key);
     });
 
     it("gets an organization key if required", async () => {
-      const orgKey = mock<SymmetricCryptoKey>();
+      const orgKey = mock<OrgKey>();
 
       cryptoService.getOrgKey.calledWith("orgId").mockResolvedValue(orgKey);
 
@@ -241,13 +245,13 @@ describe("EncString", () => {
     });
 
     it("gets the user's decryption key if required", async () => {
-      const userKey = mock<SymmetricCryptoKey>();
+      const userKey = mock<UserKey>();
 
-      cryptoService.getKeyForUserEncryption.mockResolvedValue(userKey);
+      cryptoService.getUserKeyWithLegacySupport.mockResolvedValue(userKey);
 
       await encString.decrypt(null, null);
 
-      expect(cryptoService.getKeyForUserEncryption).toHaveBeenCalledWith();
+      expect(cryptoService.getUserKeyWithLegacySupport).toHaveBeenCalledWith();
       expect(encryptService.decryptToUtf8).toHaveBeenCalledWith(encString, userKey);
     });
   });
diff --git a/libs/common/src/platform/models/domain/enc-string.ts b/libs/common/src/platform/models/domain/enc-string.ts
index 017e021114..60b59fa4d8 100644
--- a/libs/common/src/platform/models/domain/enc-string.ts
+++ b/libs/common/src/platform/models/domain/enc-string.ts
@@ -1,4 +1,4 @@
-import { Jsonify } from "type-fest";
+import { Jsonify, Opaque } from "type-fest";
 
 import { EncryptionType, EXPECTED_NUM_PARTS_BY_ENCRYPTION_TYPE } from "../../../enums";
 import { Utils } from "../../../platform/misc/utils";
@@ -7,7 +7,7 @@ import { Encrypted } from "../../interfaces/encrypted";
 import { SymmetricCryptoKey } from "./symmetric-crypto-key";
 
 export class EncString implements Encrypted {
-  encryptedString?: string;
+  encryptedString?: EncryptedString;
   encryptionType?: EncryptionType;
   decryptedValue?: string;
   data?: string;
@@ -53,14 +53,14 @@ export class EncString implements Encrypted {
 
   private initFromData(encType: EncryptionType, data: string, iv: string, mac: string) {
     if (iv != null) {
-      this.encryptedString = encType + "." + iv + "|" + data;
+      this.encryptedString = (encType + "." + iv + "|" + data) as EncryptedString;
     } else {
-      this.encryptedString = encType + "." + data;
+      this.encryptedString = (encType + "." + data) as EncryptedString;
     }
 
     // mac
     if (mac != null) {
-      this.encryptedString += "|" + mac;
+      this.encryptedString = (this.encryptedString + "|" + mac) as EncryptedString;
     }
 
     this.encryptionType = encType;
@@ -70,7 +70,7 @@ export class EncString implements Encrypted {
   }
 
   private initFromEncryptedString(encryptedString: string) {
-    this.encryptedString = encryptedString as string;
+    this.encryptedString = encryptedString as EncryptedString;
     if (!this.encryptedString) {
       return;
     }
@@ -162,6 +162,8 @@ export class EncString implements Encrypted {
     const cryptoService = Utils.getContainerService().getCryptoService();
     return orgId != null
       ? await cryptoService.getOrgKey(orgId)
-      : await cryptoService.getKeyForUserEncryption();
+      : await cryptoService.getUserKeyWithLegacySupport();
   }
 }
+
+export type EncryptedString = Opaque<string, "EncString">;
diff --git a/libs/common/src/platform/models/domain/symmetric-crypto-key.ts b/libs/common/src/platform/models/domain/symmetric-crypto-key.ts
index 8ba6c41127..818155ef98 100644
--- a/libs/common/src/platform/models/domain/symmetric-crypto-key.ts
+++ b/libs/common/src/platform/models/domain/symmetric-crypto-key.ts
@@ -78,3 +78,8 @@ export class SymmetricCryptoKey {
 
 // Setup all separate key types as opaque types
 export type DeviceKey = Opaque<SymmetricCryptoKey, "DeviceKey">;
+export type UserKey = Opaque<SymmetricCryptoKey, "UserKey">;
+export type MasterKey = Opaque<SymmetricCryptoKey, "MasterKey">;
+export type PinKey = Opaque<SymmetricCryptoKey, "PinKey">;
+export type OrgKey = Opaque<SymmetricCryptoKey, "OrgKey">;
+export type ProviderKey = Opaque<SymmetricCryptoKey, "ProviderKey">;
diff --git a/libs/common/src/platform/services/config/config.service.ts b/libs/common/src/platform/services/config/config.service.ts
index 54ece293a0..5b0325b68a 100644
--- a/libs/common/src/platform/services/config/config.service.ts
+++ b/libs/common/src/platform/services/config/config.service.ts
@@ -36,16 +36,25 @@ export class ConfigService implements ConfigServiceAbstraction {
     try {
       const response = await this.configApiService.get();
 
-      if (response != null) {
-        const data = new ServerConfigData(response);
-        const serverConfig = new ServerConfig(data);
-        this._serverConfig.next(serverConfig);
-        if ((await this.authService.getAuthStatus()) === AuthenticationStatus.LoggedOut) {
-          return serverConfig;
-        }
+      if (response == null) {
+        return;
+      }
+
+      const data = new ServerConfigData(response);
+      const serverConfig = new ServerConfig(data);
+      this._serverConfig.next(serverConfig);
+
+      const userAuthStatus = await this.authService.getAuthStatus();
+      if (userAuthStatus !== AuthenticationStatus.LoggedOut) {
+        // Store the config for offline use if the user is logged in
         await this.stateService.setServerConfig(data);
         this.environmentService.setCloudWebVaultUrl(data.environment?.cloudRegion);
       }
+      // Always return new server config from server to calling method
+      // to ensure up to date information
+      // This change is specifically for the getFeatureFlag > buildServerConfig flow
+      // for locked or logged in users.
+      return serverConfig;
     } catch {
       return null;
     }
diff --git a/libs/common/src/platform/services/crypto.service.spec.ts b/libs/common/src/platform/services/crypto.service.spec.ts
index 6e8e1982e9..c84b305537 100644
--- a/libs/common/src/platform/services/crypto.service.spec.ts
+++ b/libs/common/src/platform/services/crypto.service.spec.ts
@@ -1,10 +1,18 @@
 import { mock, mockReset } from "jest-mock-extended";
 
+import { CsprngArray } from "../../types/csprng";
 import { CryptoFunctionService } from "../abstractions/crypto-function.service";
 import { EncryptService } from "../abstractions/encrypt.service";
 import { LogService } from "../abstractions/log.service";
 import { PlatformUtilsService } from "../abstractions/platform-utils.service";
 import { StateService } from "../abstractions/state.service";
+import { EncString } from "../models/domain/enc-string";
+import {
+  MasterKey,
+  PinKey,
+  SymmetricCryptoKey,
+  UserKey,
+} from "../models/domain/symmetric-crypto-key";
 import { CryptoService } from "../services/crypto.service";
 
 describe("cryptoService", () => {
@@ -16,6 +24,8 @@ describe("cryptoService", () => {
   const logService = mock<LogService>();
   const stateService = mock<StateService>();
 
+  const mockUserId = "mock user id";
+
   beforeEach(() => {
     mockReset(cryptoFunctionService);
     mockReset(encryptService);
@@ -35,4 +45,172 @@ describe("cryptoService", () => {
   it("instantiates", () => {
     expect(cryptoService).not.toBeFalsy();
   });
+
+  describe("getUserKey", () => {
+    let mockUserKey: UserKey;
+    let stateSvcGetUserKey: jest.SpyInstance;
+
+    beforeEach(() => {
+      const mockRandomBytes = new Uint8Array(64) as CsprngArray;
+      mockUserKey = new SymmetricCryptoKey(mockRandomBytes) as UserKey;
+
+      stateSvcGetUserKey = jest.spyOn(stateService, "getUserKey");
+    });
+
+    it("returns the User Key if available", async () => {
+      stateSvcGetUserKey.mockResolvedValue(mockUserKey);
+
+      const userKey = await cryptoService.getUserKey(mockUserId);
+
+      expect(stateSvcGetUserKey).toHaveBeenCalledWith({ userId: mockUserId });
+      expect(userKey).toEqual(mockUserKey);
+    });
+
+    it("sets the Auto key if the User Key if not set", async () => {
+      const autoKeyB64 =
+        "IT5cA1i5Hncd953pb00E58D2FqJX+fWTj4AvoI67qkGHSQPgulAqKv+LaKRAo9Bg0xzP9Nw00wk4TqjMmGSM+g==";
+      stateService.getUserKeyAutoUnlock.mockResolvedValue(autoKeyB64);
+
+      const userKey = await cryptoService.getUserKey(mockUserId);
+
+      expect(stateService.setUserKey).toHaveBeenCalledWith(expect.any(SymmetricCryptoKey), {
+        userId: mockUserId,
+      });
+      expect(userKey.keyB64).toEqual(autoKeyB64);
+    });
+  });
+
+  describe("getUserKeyWithLegacySupport", () => {
+    let mockUserKey: UserKey;
+    let mockMasterKey: MasterKey;
+    let stateSvcGetUserKey: jest.SpyInstance;
+    let stateSvcGetMasterKey: jest.SpyInstance;
+
+    beforeEach(() => {
+      const mockRandomBytes = new Uint8Array(64) as CsprngArray;
+      mockUserKey = new SymmetricCryptoKey(mockRandomBytes) as UserKey;
+      mockMasterKey = new SymmetricCryptoKey(new Uint8Array(64) as CsprngArray) as MasterKey;
+
+      stateSvcGetUserKey = jest.spyOn(stateService, "getUserKey");
+      stateSvcGetMasterKey = jest.spyOn(stateService, "getMasterKey");
+    });
+
+    it("returns the User Key if available", async () => {
+      stateSvcGetUserKey.mockResolvedValue(mockUserKey);
+
+      const userKey = await cryptoService.getUserKeyWithLegacySupport(mockUserId);
+
+      expect(stateSvcGetUserKey).toHaveBeenCalledWith({ userId: mockUserId });
+      expect(stateSvcGetMasterKey).not.toHaveBeenCalled();
+
+      expect(userKey).toEqual(mockUserKey);
+    });
+
+    it("returns the user's master key when User Key is not available", async () => {
+      stateSvcGetUserKey.mockResolvedValue(null);
+      stateSvcGetMasterKey.mockResolvedValue(mockMasterKey);
+
+      const userKey = await cryptoService.getUserKeyWithLegacySupport(mockUserId);
+
+      expect(stateSvcGetMasterKey).toHaveBeenCalledWith({ userId: mockUserId });
+      expect(userKey).toEqual(mockMasterKey);
+    });
+  });
+
+  describe("setUserKey", () => {
+    let mockUserKey: UserKey;
+
+    beforeEach(() => {
+      const mockRandomBytes = new Uint8Array(64) as CsprngArray;
+      mockUserKey = new SymmetricCryptoKey(mockRandomBytes) as UserKey;
+    });
+
+    describe("Auto Key refresh", () => {
+      it("sets an Auto key if vault timeout is set to null", async () => {
+        stateService.getVaultTimeout.mockResolvedValue(null);
+
+        await cryptoService.setUserKey(mockUserKey, mockUserId);
+
+        expect(stateService.setUserKeyAutoUnlock).toHaveBeenCalledWith(mockUserKey.keyB64, {
+          userId: mockUserId,
+        });
+      });
+
+      it("clears the Auto key if vault timeout is set to anything other than null", async () => {
+        stateService.getVaultTimeout.mockResolvedValue(10);
+
+        await cryptoService.setUserKey(mockUserKey, mockUserId);
+
+        expect(stateService.setUserKeyAutoUnlock).toHaveBeenCalledWith(null, {
+          userId: mockUserId,
+        });
+      });
+
+      it("clears the old deprecated Auto key whenever a User Key is set", async () => {
+        await cryptoService.setUserKey(mockUserKey, mockUserId);
+
+        expect(stateService.setCryptoMasterKeyAuto).toHaveBeenCalledWith(null, {
+          userId: mockUserId,
+        });
+      });
+    });
+
+    describe("Pin Key refresh", () => {
+      let cryptoSvcMakePinKey: jest.SpyInstance;
+      const protectedPin =
+        "2.jcow2vTUePO+CCyokcIfVw==|DTBNlJ5yVsV2Bsk3UU3H6Q==|YvFBff5gxWqM+UsFB6BKimKxhC32AtjF3IStpU1Ijwg=";
+      let encPin: EncString;
+
+      beforeEach(() => {
+        cryptoSvcMakePinKey = jest.spyOn(cryptoService, "makePinKey");
+        cryptoSvcMakePinKey.mockResolvedValue(new SymmetricCryptoKey(new Uint8Array(64)) as PinKey);
+        encPin = new EncString(
+          "2.jcow2vTUePO+CCyokcIfVw==|DTBNlJ5yVsV2Bsk3UU3H6Q==|YvFBff5gxWqM+UsFB6BKimKxhC32AtjF3IStpU1Ijwg="
+        );
+        encryptService.encrypt.mockResolvedValue(encPin);
+      });
+
+      it("sets a UserKeyPin if a ProtectedPin and UserKeyPin is set", async () => {
+        stateService.getProtectedPin.mockResolvedValue(protectedPin);
+        stateService.getPinKeyEncryptedUserKey.mockResolvedValue(
+          new EncString(
+            "2.OdGNE3L23GaDZGvu9h2Brw==|/OAcNnrYwu0rjiv8+RUr3Tc+Ef8fV035Tm1rbTxfEuC+2LZtiCAoIvHIZCrM/V1PWnb/pHO2gh9+Koks04YhX8K29ED4FzjeYP8+YQD/dWo=|+12xTcIK/UVRsOyawYudPMHb6+lCHeR2Peq1pQhPm0A="
+          )
+        );
+
+        await cryptoService.setUserKey(mockUserKey, mockUserId);
+
+        expect(stateService.setPinKeyEncryptedUserKey).toHaveBeenCalledWith(expect.any(EncString), {
+          userId: mockUserId,
+        });
+      });
+
+      it("sets a PinKeyEphemeral if a ProtectedPin is set, but a UserKeyPin is not set", async () => {
+        stateService.getProtectedPin.mockResolvedValue(protectedPin);
+        stateService.getPinKeyEncryptedUserKey.mockResolvedValue(null);
+
+        await cryptoService.setUserKey(mockUserKey, mockUserId);
+
+        expect(stateService.setPinKeyEncryptedUserKeyEphemeral).toHaveBeenCalledWith(
+          expect.any(EncString),
+          {
+            userId: mockUserId,
+          }
+        );
+      });
+
+      it("clears the UserKeyPin and UserKeyPinEphemeral if the ProtectedPin is not set", async () => {
+        stateService.getProtectedPin.mockResolvedValue(null);
+
+        await cryptoService.setUserKey(mockUserKey, mockUserId);
+
+        expect(stateService.setPinKeyEncryptedUserKey).toHaveBeenCalledWith(null, {
+          userId: mockUserId,
+        });
+        expect(stateService.setPinKeyEncryptedUserKeyEphemeral).toHaveBeenCalledWith(null, {
+          userId: mockUserId,
+        });
+      });
+    });
+  });
 });
diff --git a/libs/common/src/platform/services/crypto.service.ts b/libs/common/src/platform/services/crypto.service.ts
index c42c7cc32a..7be0738f68 100644
--- a/libs/common/src/platform/services/crypto.service.ts
+++ b/libs/common/src/platform/services/crypto.service.ts
@@ -26,7 +26,14 @@ import { sequentialize } from "../misc/sequentialize";
 import { EFFLongWordList } from "../misc/wordlist";
 import { EncArrayBuffer } from "../models/domain/enc-array-buffer";
 import { EncString } from "../models/domain/enc-string";
-import { SymmetricCryptoKey } from "../models/domain/symmetric-crypto-key";
+import {
+  MasterKey,
+  OrgKey,
+  PinKey,
+  ProviderKey,
+  SymmetricCryptoKey,
+  UserKey,
+} from "../models/domain/symmetric-crypto-key";
 
 export class CryptoService implements CryptoServiceAbstraction {
   constructor(
@@ -37,31 +44,248 @@ export class CryptoService implements CryptoServiceAbstraction {
     protected stateService: StateService
   ) {}
 
-  async setKey(key: SymmetricCryptoKey, userId?: string): Promise<any> {
-    await this.stateService.setCryptoMasterKey(key, { userId: userId });
-    await this.storeKey(key, userId);
+  async setUserKey(key: UserKey, userId?: string): Promise<void> {
+    if (key != null) {
+      await this.stateService.setEverHadUserKey(true, { userId: userId });
+    }
+    await this.stateService.setUserKey(key, { userId: userId });
+    await this.storeAdditionalKeys(key, userId);
   }
 
-  async setKeyHash(keyHash: string): Promise<void> {
+  async getEverHadUserKey(userId?: string): Promise<boolean> {
+    return await this.stateService.getEverHadUserKey({ userId: userId });
+  }
+
+  async refreshAdditionalKeys(): Promise<void> {
+    const key = await this.getUserKey();
+    await this.setUserKey(key);
+  }
+
+  async getUserKey(userId?: string): Promise<UserKey> {
+    let userKey = await this.stateService.getUserKey({ userId: userId });
+    if (userKey) {
+      return userKey;
+    }
+
+    // If the user has set their vault timeout to 'Never', we can load the user key from storage
+    if (await this.hasUserKeyStored(KeySuffixOptions.Auto, userId)) {
+      userKey = await this.getKeyFromStorage(KeySuffixOptions.Auto, userId);
+      if (userKey) {
+        await this.setUserKey(userKey, userId);
+        return userKey;
+      }
+    }
+  }
+
+  async getUserKeyWithLegacySupport(userId?: string): Promise<UserKey> {
+    const userKey = await this.getUserKey(userId);
+    if (userKey) {
+      return userKey;
+    }
+
+    // Legacy support: encryption used to be done with the master key (derived from master password).
+    // Users who have not migrated will have a null user key and must use the master key instead.
+    return (await this.getMasterKey(userId)) as unknown as UserKey;
+  }
+
+  async getUserKeyFromStorage(keySuffix: KeySuffixOptions, userId?: string): Promise<UserKey> {
+    const userKey = await this.getKeyFromStorage(keySuffix, userId);
+    if (userKey) {
+      if (!(await this.validateUserKey(userKey))) {
+        this.logService.warning("Invalid key, throwing away stored keys");
+        await this.clearAllStoredUserKeys(userId);
+      }
+      return userKey;
+    }
+  }
+
+  async hasUserKey(): Promise<boolean> {
+    return (
+      (await this.hasUserKeyInMemory()) || (await this.hasUserKeyStored(KeySuffixOptions.Auto))
+    );
+  }
+
+  async hasUserKeyInMemory(userId?: string): Promise<boolean> {
+    return (await this.stateService.getUserKey({ userId: userId })) != null;
+  }
+
+  async hasUserKeyStored(keySuffix: KeySuffixOptions, userId?: string): Promise<boolean> {
+    return (await this.getKeyFromStorage(keySuffix, userId)) != null;
+  }
+
+  async makeUserKey(masterKey: MasterKey): Promise<[UserKey, EncString]> {
+    masterKey ||= await this.getMasterKey();
+    if (masterKey == null) {
+      throw new Error("No Master Key found.");
+    }
+
+    const newUserKey = await this.cryptoFunctionService.randomBytes(64);
+    return this.buildProtectedSymmetricKey(masterKey, newUserKey);
+  }
+
+  async clearUserKey(clearStoredKeys = true, userId?: string): Promise<void> {
+    await this.stateService.setUserKey(null, { userId: userId });
+    if (clearStoredKeys) {
+      await this.clearAllStoredUserKeys(userId);
+    }
+  }
+
+  async clearStoredUserKey(keySuffix: KeySuffixOptions, userId?: string): Promise<void> {
+    if (keySuffix === KeySuffixOptions.Auto) {
+      this.stateService.setUserKeyAutoUnlock(null, { userId: userId });
+      this.clearDeprecatedKeys(KeySuffixOptions.Auto, userId);
+    }
+    if (keySuffix === KeySuffixOptions.Pin) {
+      this.stateService.setPinKeyEncryptedUserKeyEphemeral(null, { userId: userId });
+      this.clearDeprecatedKeys(KeySuffixOptions.Pin, userId);
+    }
+  }
+
+  async setMasterKeyEncryptedUserKey(userKeyMasterKey: string, userId?: string): Promise<void> {
+    await this.stateService.setMasterKeyEncryptedUserKey(userKeyMasterKey, { userId: userId });
+  }
+
+  async setMasterKey(key: MasterKey, userId?: string): Promise<void> {
+    await this.stateService.setMasterKey(key, { userId: userId });
+  }
+
+  async getMasterKey(userId?: string): Promise<MasterKey> {
+    let masterKey = await this.stateService.getMasterKey({ userId: userId });
+    if (!masterKey) {
+      masterKey = (await this.stateService.getCryptoMasterKey({ userId: userId })) as MasterKey;
+      await this.setMasterKey(masterKey, userId);
+    }
+    return masterKey;
+  }
+
+  async getOrDeriveMasterKey(password: string, userId?: string) {
+    let masterKey = await this.getMasterKey(userId);
+    return (masterKey ||= await this.makeMasterKey(
+      password,
+      await this.stateService.getEmail({ userId: userId }),
+      await this.stateService.getKdfType({ userId: userId }),
+      await this.stateService.getKdfConfig({ userId: userId })
+    ));
+  }
+
+  async makeMasterKey(
+    password: string,
+    email: string,
+    kdf: KdfType,
+    KdfConfig: KdfConfig
+  ): Promise<MasterKey> {
+    return (await this.makeKey(password, email, kdf, KdfConfig)) as MasterKey;
+  }
+
+  async clearMasterKey(userId?: string): Promise<void> {
+    await this.stateService.setMasterKey(null, { userId: userId });
+  }
+
+  async encryptUserKeyWithMasterKey(
+    masterKey: MasterKey,
+    userKey?: UserKey
+  ): Promise<[UserKey, EncString]> {
+    userKey ||= await this.getUserKey();
+    return await this.buildProtectedSymmetricKey(masterKey, userKey.key);
+  }
+
+  async decryptUserKeyWithMasterKey(
+    masterKey: MasterKey,
+    userKey?: EncString,
+    userId?: string
+  ): Promise<UserKey> {
+    masterKey ||= await this.getMasterKey(userId);
+    if (masterKey == null) {
+      throw new Error("No master key found.");
+    }
+
+    if (!userKey) {
+      let masterKeyEncryptedUserKey = await this.stateService.getMasterKeyEncryptedUserKey({
+        userId: userId,
+      });
+
+      // Try one more way to get the user key if it still wasn't found.
+      if (masterKeyEncryptedUserKey == null) {
+        masterKeyEncryptedUserKey = await this.stateService.getEncryptedCryptoSymmetricKey({
+          userId: userId,
+        });
+      }
+
+      if (masterKeyEncryptedUserKey == null) {
+        throw new Error("No encrypted user key found.");
+      }
+      userKey = new EncString(masterKeyEncryptedUserKey);
+    }
+
+    let decUserKey: Uint8Array;
+    if (userKey.encryptionType === EncryptionType.AesCbc256_B64) {
+      decUserKey = await this.encryptService.decryptToBytes(userKey, masterKey);
+    } else if (userKey.encryptionType === EncryptionType.AesCbc256_HmacSha256_B64) {
+      const newKey = await this.stretchKey(masterKey);
+      decUserKey = await this.encryptService.decryptToBytes(userKey, newKey);
+    } else {
+      throw new Error("Unsupported encryption type.");
+    }
+    if (decUserKey == null) {
+      return null;
+    }
+
+    return new SymmetricCryptoKey(decUserKey) as UserKey;
+  }
+
+  async hashMasterKey(
+    password: string,
+    key: MasterKey,
+    hashPurpose?: HashPurpose
+  ): Promise<string> {
+    key ||= await this.getMasterKey();
+
+    if (password == null || key == null) {
+      throw new Error("Invalid parameters.");
+    }
+
+    const iterations = hashPurpose === HashPurpose.LocalAuthorization ? 2 : 1;
+    const hash = await this.cryptoFunctionService.pbkdf2(key.key, password, "sha256", iterations);
+    return Utils.fromBufferToB64(hash);
+  }
+
+  async setMasterKeyHash(keyHash: string): Promise<void> {
     await this.stateService.setKeyHash(keyHash);
   }
 
-  async setEncKey(encKey: string): Promise<void> {
-    if (encKey == null) {
-      return;
-    }
-
-    await this.stateService.setDecryptedCryptoSymmetricKey(null);
-    await this.stateService.setEncryptedCryptoSymmetricKey(encKey);
+  async getMasterKeyHash(): Promise<string> {
+    return await this.stateService.getKeyHash();
   }
 
-  async setEncPrivateKey(encPrivateKey: string): Promise<void> {
-    if (encPrivateKey == null) {
-      return;
+  async clearMasterKeyHash(userId?: string): Promise<void> {
+    return await this.stateService.setKeyHash(null, { userId: userId });
+  }
+
+  async compareAndUpdateKeyHash(masterPassword: string, masterKey: MasterKey): Promise<boolean> {
+    const storedPasswordHash = await this.getMasterKeyHash();
+    if (masterPassword != null && storedPasswordHash != null) {
+      const localKeyHash = await this.hashMasterKey(
+        masterPassword,
+        masterKey,
+        HashPurpose.LocalAuthorization
+      );
+      if (localKeyHash != null && storedPasswordHash === localKeyHash) {
+        return true;
+      }
+
+      // TODO: remove serverKeyHash check in 1-2 releases after everyone's keyHash has been updated
+      const serverKeyHash = await this.hashMasterKey(
+        masterPassword,
+        masterKey,
+        HashPurpose.ServerAuthorization
+      );
+      if (serverKeyHash != null && storedPasswordHash === serverKeyHash) {
+        await this.setMasterKeyHash(localKeyHash);
+        return true;
+      }
     }
 
-    await this.stateService.setDecryptedPrivateKey(null);
-    await this.stateService.setEncryptedPrivateKey(encPrivateKey);
+    return false;
   }
 
   async setOrgKeys(
@@ -89,6 +313,71 @@ export class CryptoService implements CryptoServiceAbstraction {
     return await this.stateService.setEncryptedOrganizationKeys(encOrgKeyData);
   }
 
+  async getOrgKey(orgId: string): Promise<OrgKey> {
+    if (orgId == null) {
+      return null;
+    }
+
+    const orgKeys = await this.getOrgKeys();
+    if (orgKeys == null || !orgKeys.has(orgId)) {
+      return null;
+    }
+
+    return orgKeys.get(orgId);
+  }
+
+  @sequentialize(() => "getOrgKeys")
+  async getOrgKeys(): Promise<Map<string, OrgKey>> {
+    const result: Map<string, OrgKey> = new Map<string, OrgKey>();
+    const decryptedOrganizationKeys = await this.stateService.getDecryptedOrganizationKeys();
+    if (decryptedOrganizationKeys != null && decryptedOrganizationKeys.size > 0) {
+      return decryptedOrganizationKeys as Map<string, OrgKey>;
+    }
+
+    const encOrgKeyData = await this.stateService.getEncryptedOrganizationKeys();
+    if (encOrgKeyData == null) {
+      return result;
+    }
+
+    let setKey = false;
+
+    for (const orgId of Object.keys(encOrgKeyData)) {
+      if (result.has(orgId)) {
+        continue;
+      }
+
+      const encOrgKey = BaseEncryptedOrganizationKey.fromData(encOrgKeyData[orgId]);
+      const decOrgKey = (await encOrgKey.decrypt(this)) as OrgKey;
+      result.set(orgId, decOrgKey);
+
+      setKey = true;
+    }
+
+    if (setKey) {
+      await this.stateService.setDecryptedOrganizationKeys(result);
+    }
+
+    return result;
+  }
+
+  async makeDataEncKey<T extends OrgKey | UserKey>(
+    key: T
+  ): Promise<[SymmetricCryptoKey, EncString]> {
+    if (key == null) {
+      throw new Error("No key provided");
+    }
+
+    const newSymKey = await this.cryptoFunctionService.randomBytes(64);
+    return this.buildProtectedSymmetricKey(key, newSymKey);
+  }
+
+  async clearOrgKeys(memoryOnly?: boolean, userId?: string): Promise<void> {
+    await this.stateService.setDecryptedOrganizationKeys(null, { userId: userId });
+    if (!memoryOnly) {
+      await this.stateService.setEncryptedOrganizationKeys(null, { userId: userId });
+    }
+  }
+
   async setProviderKeys(providers: ProfileProviderResponse[]): Promise<void> {
     const providerKeys: any = {};
     providers.forEach((provider) => {
@@ -99,77 +388,57 @@ export class CryptoService implements CryptoServiceAbstraction {
     return await this.stateService.setEncryptedProviderKeys(providerKeys);
   }
 
-  async getKey(keySuffix?: KeySuffixOptions, userId?: string): Promise<SymmetricCryptoKey> {
-    const inMemoryKey = await this.stateService.getCryptoMasterKey({ userId: userId });
-
-    if (inMemoryKey != null) {
-      return inMemoryKey;
+  async getProviderKey(providerId: string): Promise<ProviderKey> {
+    if (providerId == null) {
+      return null;
     }
 
-    keySuffix ||= KeySuffixOptions.Auto;
-    const symmetricKey = await this.getKeyFromStorage(keySuffix, userId);
-
-    if (symmetricKey != null) {
-      // TODO: Refactor here so get key doesn't also set key
-      this.setKey(symmetricKey, userId);
+    const providerKeys = await this.getProviderKeys();
+    if (providerKeys == null || !providerKeys.has(providerId)) {
+      return null;
     }
 
-    return symmetricKey;
+    return providerKeys.get(providerId);
   }
 
-  async getKeyFromStorage(
-    keySuffix: KeySuffixOptions,
-    userId?: string
-  ): Promise<SymmetricCryptoKey> {
-    const key = await this.retrieveKeyFromStorage(keySuffix, userId);
-    if (key != null) {
-      const symmetricKey = new SymmetricCryptoKey(Utils.fromB64ToArray(key));
+  @sequentialize(() => "getProviderKeys")
+  async getProviderKeys(): Promise<Map<string, ProviderKey>> {
+    const providerKeys: Map<string, ProviderKey> = new Map<string, ProviderKey>();
+    const decryptedProviderKeys = await this.stateService.getDecryptedProviderKeys();
+    if (decryptedProviderKeys != null && decryptedProviderKeys.size > 0) {
+      return decryptedProviderKeys as Map<string, ProviderKey>;
+    }
 
-      if (!(await this.validateKey(symmetricKey))) {
-        this.logService.warning("Wrong key, throwing away stored key");
-        await this.clearSecretKeyStore(userId);
-        return null;
+    const encProviderKeys = await this.stateService.getEncryptedProviderKeys();
+    if (encProviderKeys == null) {
+      return null;
+    }
+
+    let setKey = false;
+
+    for (const orgId in encProviderKeys) {
+      // eslint-disable-next-line
+      if (!encProviderKeys.hasOwnProperty(orgId)) {
+        continue;
       }
 
-      return symmetricKey;
-    }
-    return null;
-  }
-
-  async getKeyHash(): Promise<string> {
-    return await this.stateService.getKeyHash();
-  }
-
-  async compareAndUpdateKeyHash(masterPassword: string, key: SymmetricCryptoKey): Promise<boolean> {
-    const storedKeyHash = await this.getKeyHash();
-    if (masterPassword != null && storedKeyHash != null) {
-      const localKeyHash = await this.hashPassword(
-        masterPassword,
-        key,
-        HashPurpose.LocalAuthorization
-      );
-      if (localKeyHash != null && storedKeyHash === localKeyHash) {
-        return true;
-      }
-
-      // TODO: remove serverKeyHash check in 1-2 releases after everyone's keyHash has been updated
-      const serverKeyHash = await this.hashPassword(
-        masterPassword,
-        key,
-        HashPurpose.ServerAuthorization
-      );
-      if (serverKeyHash != null && storedKeyHash === serverKeyHash) {
-        await this.setKeyHash(localKeyHash);
-        return true;
-      }
+      const decValue = await this.rsaDecrypt(encProviderKeys[orgId]);
+      providerKeys.set(orgId, new SymmetricCryptoKey(decValue) as ProviderKey);
+      setKey = true;
     }
 
-    return false;
+    if (setKey) {
+      await this.stateService.setDecryptedProviderKeys(providerKeys);
+    }
+
+    return providerKeys;
   }
 
-  @sequentialize(() => "getEncKey")
-  getEncKey(key: SymmetricCryptoKey = null): Promise<SymmetricCryptoKey> {
-    return this.getEncKeyHelper(key);
+  async clearProviderKeys(memoryOnly?: boolean, userId?: string): Promise<void> {
+    await this.stateService.setDecryptedProviderKeys(null, { userId: userId });
+    if (!memoryOnly) {
+      await this.stateService.setEncryptedProviderKeys(null, { userId: userId });
+    }
   }
 
   async getPublicKey(): Promise<Uint8Array> {
@@ -188,6 +457,22 @@ export class CryptoService implements CryptoServiceAbstraction {
     return publicKey;
   }
 
+  async makeOrgKey<T extends OrgKey | ProviderKey>(): Promise<[EncString, T]> {
+    const shareKey = await this.cryptoFunctionService.randomBytes(64);
+    const publicKey = await this.getPublicKey();
+    const encShareKey = await this.rsaEncrypt(shareKey, publicKey);
+    return [encShareKey, new SymmetricCryptoKey(shareKey) as T];
+  }
+
+  async setPrivateKey(encPrivateKey: string): Promise<void> {
+    if (encPrivateKey == null) {
+      return;
+    }
+
+    await this.stateService.setDecryptedPrivateKey(null);
+    await this.stateService.setEncryptedPrivateKey(encPrivateKey);
+  }
+
   async getPrivateKey(): Promise<Uint8Array> {
     const decryptedPrivateKey = await this.stateService.getDecryptedPrivateKey();
     if (decryptedPrivateKey != null) {
@@ -199,7 +484,10 @@ export class CryptoService implements CryptoServiceAbstraction {
       return null;
     }
 
-    const privateKey = await this.decryptToBytes(new EncString(encPrivateKey), null);
+    const privateKey = await this.encryptService.decryptToBytes(
+      new EncString(encPrivateKey),
+      await this.getUserKeyWithLegacySupport()
+    );
     await this.stateService.setDecryptedPrivateKey(privateKey);
     return privateKey;
   }
@@ -221,151 +509,16 @@ export class CryptoService implements CryptoServiceAbstraction {
     return this.hashPhrase(userFingerprint);
   }
 
-  @sequentialize(() => "getOrgKeys")
-  async getOrgKeys(): Promise<Map<string, SymmetricCryptoKey>> {
-    const result: Map<string, SymmetricCryptoKey> = new Map<string, SymmetricCryptoKey>();
-    const decryptedOrganizationKeys = await this.stateService.getDecryptedOrganizationKeys();
-    if (decryptedOrganizationKeys != null && decryptedOrganizationKeys.size > 0) {
-      return decryptedOrganizationKeys;
-    }
+  async makeKeyPair(key?: SymmetricCryptoKey): Promise<[string, EncString]> {
+    key ||= await this.getUserKey();
 
-    const encOrgKeyData = await this.stateService.getEncryptedOrganizationKeys();
-    if (encOrgKeyData == null) {
-      return null;
-    }
-
-    let setKey = false;
-
-    for (const orgId of Object.keys(encOrgKeyData)) {
-      if (result.has(orgId)) {
-        continue;
-      }
-
-      const encOrgKey = BaseEncryptedOrganizationKey.fromData(encOrgKeyData[orgId]);
-      const decOrgKey = await encOrgKey.decrypt(this);
-      result.set(orgId, decOrgKey);
-
-      setKey = true;
-    }
-
-    if (setKey) {
-      await this.stateService.setDecryptedOrganizationKeys(result);
-    }
-
-    return result;
+    const keyPair = await this.cryptoFunctionService.rsaGenerateKeyPair(2048);
+    const publicB64 = Utils.fromBufferToB64(keyPair[0]);
+    const privateEnc = await this.encryptService.encrypt(keyPair[1], key);
+    return [publicB64, privateEnc];
   }
 
-  async getOrgKey(orgId: string): Promise<SymmetricCryptoKey> {
-    if (orgId == null) {
-      return null;
-    }
-
-    const orgKeys = await this.getOrgKeys();
-    if (orgKeys == null || !orgKeys.has(orgId)) {
-      return null;
-    }
-
-    return orgKeys.get(orgId);
-  }
-
-  @sequentialize(() => "getProviderKeys")
-  async getProviderKeys(): Promise<Map<string, SymmetricCryptoKey>> {
-    const providerKeys: Map<string, SymmetricCryptoKey> = new Map<string, SymmetricCryptoKey>();
-    const decryptedProviderKeys = await this.stateService.getDecryptedProviderKeys();
-    if (decryptedProviderKeys != null && decryptedProviderKeys.size > 0) {
-      return decryptedProviderKeys;
-    }
-
-    const encProviderKeys = await this.stateService.getEncryptedProviderKeys();
-    if (encProviderKeys == null) {
-      return null;
-    }
-
-    let setKey = false;
-
-    for (const orgId in encProviderKeys) {
-      // eslint-disable-next-line
-      if (!encProviderKeys.hasOwnProperty(orgId)) {
-        continue;
-      }
-
-      const decValue = await this.rsaDecrypt(encProviderKeys[orgId]);
-      providerKeys.set(orgId, new SymmetricCryptoKey(decValue));
-      setKey = true;
-    }
-
-    if (setKey) {
-      await this.stateService.setDecryptedProviderKeys(providerKeys);
-    }
-
-    return providerKeys;
-  }
-
-  async getProviderKey(providerId: string): Promise<SymmetricCryptoKey> {
-    if (providerId == null) {
-      return null;
-    }
-
-    const providerKeys = await this.getProviderKeys();
-    if (providerKeys == null || !providerKeys.has(providerId)) {
-      return null;
-    }
-
-    return providerKeys.get(providerId);
-  }
-
-  async hasKey(): Promise<boolean> {
-    return (
-      (await this.hasKeyInMemory()) ||
-      (await this.hasKeyStored(KeySuffixOptions.Auto)) ||
-      (await this.hasKeyStored(KeySuffixOptions.Biometric))
-    );
-  }
-
-  async hasKeyInMemory(userId?: string): Promise<boolean> {
-    return (await this.stateService.getCryptoMasterKey({ userId: userId })) != null;
-  }
-
-  async hasKeyStored(keySuffix: KeySuffixOptions, userId?: string): Promise<boolean> {
-    switch (keySuffix) {
-      case KeySuffixOptions.Auto:
-        return (await this.stateService.getCryptoMasterKeyAuto({ userId: userId })) != null;
-      case KeySuffixOptions.Biometric:
-        return (await this.stateService.hasCryptoMasterKeyBiometric({ userId: userId })) === true;
-      default:
-        return false;
-    }
-  }
-
-  async hasEncKey(): Promise<boolean> {
-    return (await this.stateService.getEncryptedCryptoSymmetricKey()) != null;
-  }
-
-  async clearKey(clearSecretStorage = true, userId?: string): Promise<any> {
-    await this.stateService.setCryptoMasterKey(null, { userId: userId });
-    if (clearSecretStorage) {
-      await this.clearSecretKeyStore(userId);
-    }
-  }
-
-  async clearStoredKey(keySuffix: KeySuffixOptions) {
-    keySuffix === KeySuffixOptions.Auto
-      ? await this.stateService.setCryptoMasterKeyAuto(null)
-      : await this.stateService.setCryptoMasterKeyBiometric(null);
-  }
-
-  async clearKeyHash(userId?: string): Promise<any> {
-    return await this.stateService.setKeyHash(null, { userId: userId });
-  }
-
-  async clearEncKey(memoryOnly?: boolean, userId?: string): Promise<void> {
-    await this.stateService.setDecryptedCryptoSymmetricKey(null, { userId: userId });
-    if (!memoryOnly) {
-      await this.stateService.setEncryptedCryptoSymmetricKey(null, { userId: userId });
-    }
-  }
-
-  async clearKeyPair(memoryOnly?: boolean, userId?: string): Promise<any> {
+  async clearKeyPair(memoryOnly?: boolean, userId?: string): Promise<void[]> {
     const keysToClear: Promise<void>[] = [
       this.stateService.setDecryptedPrivateKey(null, { userId: userId }),
       this.stateService.setPublicKey(null, { userId: userId }),
@@ -376,130 +529,53 @@ export class CryptoService implements CryptoServiceAbstraction {
     return Promise.all(keysToClear);
   }
 
-  async clearOrgKeys(memoryOnly?: boolean, userId?: string): Promise<void> {
-    await this.stateService.setDecryptedOrganizationKeys(null, { userId: userId });
-    if (!memoryOnly) {
-      await this.stateService.setEncryptedOrganizationKeys(null, { userId: userId });
-    }
+  async makePinKey(pin: string, salt: string, kdf: KdfType, kdfConfig: KdfConfig): Promise<PinKey> {
+    const pinKey = await this.makeKey(pin, salt, kdf, kdfConfig);
+    return (await this.stretchKey(pinKey)) as PinKey;
   }
 
-  async clearProviderKeys(memoryOnly?: boolean, userId?: string): Promise<void> {
-    await this.stateService.setDecryptedProviderKeys(null, { userId: userId });
-    if (!memoryOnly) {
-      await this.stateService.setEncryptedProviderKeys(null, { userId: userId });
-    }
+  async clearPinKeys(userId?: string): Promise<void> {
+    await this.stateService.setPinKeyEncryptedUserKey(null, { userId: userId });
+    await this.stateService.setPinKeyEncryptedUserKeyEphemeral(null, { userId: userId });
+    await this.stateService.setProtectedPin(null, { userId: userId });
+    await this.clearDeprecatedKeys(KeySuffixOptions.Pin, userId);
   }
 
-  async clearPinProtectedKey(userId?: string): Promise<any> {
-    return await this.stateService.setEncryptedPinProtected(null, { userId: userId });
-  }
-
-  async clearKeys(userId?: string): Promise<any> {
-    await this.clearKey(true, userId);
-    await this.clearKeyHash(userId);
-    await this.clearOrgKeys(false, userId);
-    await this.clearProviderKeys(false, userId);
-    await this.clearEncKey(false, userId);
-    await this.clearKeyPair(false, userId);
-    await this.clearPinProtectedKey(userId);
-  }
-
-  async toggleKey(): Promise<any> {
-    const key = await this.getKey();
-
-    await this.setKey(key);
-  }
-
-  async makeKey(
-    password: string,
-    salt: string,
-    kdf: KdfType,
-    kdfConfig: KdfConfig
-  ): Promise<SymmetricCryptoKey> {
-    let key: Uint8Array = null;
-    if (kdf == null || kdf === KdfType.PBKDF2_SHA256) {
-      if (kdfConfig.iterations == null) {
-        kdfConfig.iterations = 5000;
-      } else if (kdfConfig.iterations < 5000) {
-        throw new Error("PBKDF2 iteration minimum is 5000.");
-      }
-      key = await this.cryptoFunctionService.pbkdf2(password, salt, "sha256", kdfConfig.iterations);
-    } else if (kdf == KdfType.Argon2id) {
-      if (kdfConfig.iterations == null) {
-        kdfConfig.iterations = DEFAULT_ARGON2_ITERATIONS;
-      } else if (kdfConfig.iterations < 2) {
-        throw new Error("Argon2 iteration minimum is 2.");
-      }
-
-      if (kdfConfig.memory == null) {
-        kdfConfig.memory = DEFAULT_ARGON2_MEMORY;
-      } else if (kdfConfig.memory < 16) {
-        throw new Error("Argon2 memory minimum is 16 MB");
-      } else if (kdfConfig.memory > 1024) {
-        throw new Error("Argon2 memory maximum is 1024 MB");
-      }
-
-      if (kdfConfig.parallelism == null) {
-        kdfConfig.parallelism = DEFAULT_ARGON2_PARALLELISM;
-      } else if (kdfConfig.parallelism < 1) {
-        throw new Error("Argon2 parallelism minimum is 1.");
-      }
-
-      const saltHash = await this.cryptoFunctionService.hash(salt, "sha256");
-      key = await this.cryptoFunctionService.argon2(
-        password,
-        saltHash,
-        kdfConfig.iterations,
-        kdfConfig.memory * 1024, // convert to KiB from MiB
-        kdfConfig.parallelism
-      );
-    } else {
-      throw new Error("Unknown Kdf.");
-    }
-    return new SymmetricCryptoKey(key);
-  }
-
-  async makeKeyFromPin(
+  async decryptUserKeyWithPin(
     pin: string,
     salt: string,
     kdf: KdfType,
     kdfConfig: KdfConfig,
-    protectedKeyCs: EncString = null
-  ): Promise<SymmetricCryptoKey> {
-    if (protectedKeyCs == null) {
-      const pinProtectedKey = await this.stateService.getEncryptedPinProtected();
-      if (pinProtectedKey == null) {
-        throw new Error("No PIN protected key found.");
-      }
-      protectedKeyCs = new EncString(pinProtectedKey);
+    pinProtectedUserKey?: EncString
+  ): Promise<UserKey> {
+    pinProtectedUserKey ||= await this.stateService.getPinKeyEncryptedUserKey();
+    pinProtectedUserKey ||= await this.stateService.getPinKeyEncryptedUserKeyEphemeral();
+    if (!pinProtectedUserKey) {
+      throw new Error("No PIN protected key found.");
     }
     const pinKey = await this.makePinKey(pin, salt, kdf, kdfConfig);
-    const decKey = await this.decryptToBytes(protectedKeyCs, pinKey);
-    return new SymmetricCryptoKey(decKey);
+    const userKey = await this.encryptService.decryptToBytes(pinProtectedUserKey, pinKey);
+    return new SymmetricCryptoKey(userKey) as UserKey;
   }
 
-  async makeShareKey(): Promise<[EncString, SymmetricCryptoKey]> {
-    const shareKey = await this.cryptoFunctionService.randomBytes(64);
-    const publicKey = await this.getPublicKey();
-    const encShareKey = await this.rsaEncrypt(shareKey, publicKey);
-    return [encShareKey, new SymmetricCryptoKey(shareKey)];
-  }
-
-  async makeKeyPair(key?: SymmetricCryptoKey): Promise<[string, EncString]> {
-    const keyPair = await this.cryptoFunctionService.rsaGenerateKeyPair(2048);
-    const publicB64 = Utils.fromBufferToB64(keyPair[0]);
-    const privateEnc = await this.encrypt(keyPair[1], key);
-    return [publicB64, privateEnc];
-  }
-
-  async makePinKey(
+  // only for migration purposes
+  async decryptMasterKeyWithPin(
     pin: string,
     salt: string,
     kdf: KdfType,
-    kdfConfig: KdfConfig
-  ): Promise<SymmetricCryptoKey> {
-    const pinKey = await this.makeKey(pin, salt, kdf, kdfConfig);
-    return await this.stretchKey(pinKey);
+    kdfConfig: KdfConfig,
+    pinProtectedMasterKey?: EncString
+  ): Promise<MasterKey> {
+    if (!pinProtectedMasterKey) {
+      const pinProtectedMasterKeyString = await this.stateService.getEncryptedPinProtected();
+      if (pinProtectedMasterKeyString == null) {
+        throw new Error("No PIN protected key found.");
+      }
+      pinProtectedMasterKey = new EncString(pinProtectedMasterKeyString);
+    }
+    const pinKey = await this.makePinKey(pin, salt, kdf, kdfConfig);
+    const masterKey = await this.encryptService.decryptToBytes(pinProtectedMasterKey, pinKey);
+    return new SymmetricCryptoKey(masterKey) as MasterKey;
   }
 
   async makeSendKey(keyMaterial: Uint8Array): Promise<SymmetricCryptoKey> {
@@ -513,55 +589,13 @@ export class CryptoService implements CryptoServiceAbstraction {
     return new SymmetricCryptoKey(sendKey);
   }
 
-  async hashPassword(
-    password: string,
-    key: SymmetricCryptoKey,
-    hashPurpose?: HashPurpose
-  ): Promise<string> {
-    if (key == null) {
-      key = await this.getKey();
-    }
-    if (password == null || key == null) {
-      throw new Error("Invalid parameters.");
-    }
-
-    const iterations = hashPurpose === HashPurpose.LocalAuthorization ? 2 : 1;
-    const hash = await this.cryptoFunctionService.pbkdf2(key.key, password, "sha256", iterations);
-    return Utils.fromBufferToB64(hash);
-  }
-
-  async makeEncKey(key: SymmetricCryptoKey): Promise<[SymmetricCryptoKey, EncString]> {
-    const theKey = await this.getKeyForUserEncryption(key);
-    const encKey = await this.cryptoFunctionService.randomBytes(64);
-    return this.buildEncKey(theKey, encKey);
-  }
-
-  async remakeEncKey(
-    key: SymmetricCryptoKey,
-    encKey?: SymmetricCryptoKey
-  ): Promise<[SymmetricCryptoKey, EncString]> {
-    if (encKey == null) {
-      encKey = await this.getEncKey();
-    }
-    return this.buildEncKey(key, encKey.key);
-  }
-
-  /**
-   * @deprecated July 25 2022: Get the key you need from CryptoService (getKeyForUserEncryption or getOrgKey)
-   * and then call encryptService.encrypt
-   */
-  async encrypt(plainValue: string | Uint8Array, key?: SymmetricCryptoKey): Promise<EncString> {
-    key = await this.getKeyForUserEncryption(key);
-    return await this.encryptService.encrypt(plainValue, key);
-  }
-
-  /**
-   * @deprecated July 25 2022: Get the key you need from CryptoService (getKeyForUserEncryption or getOrgKey)
-   * and then call encryptService.encryptToBytes
-   */
-  async encryptToBytes(plainValue: Uint8Array, key?: SymmetricCryptoKey): Promise<EncArrayBuffer> {
-    key = await this.getKeyForUserEncryption(key);
-    return this.encryptService.encryptToBytes(plainValue, key);
+  async clearKeys(userId?: string): Promise<any> {
+    await this.clearUserKey(true, userId);
+    await this.clearMasterKeyHash(userId);
+    await this.clearOrgKeys(false, userId);
+    await this.clearProviderKeys(false, userId);
+    await this.clearKeyPair(false, userId);
+    await this.clearPinKeys(userId);
   }
 
   async rsaEncrypt(data: Uint8Array, publicKey?: Uint8Array): Promise<EncString> {
@@ -629,38 +663,6 @@ export class CryptoService implements CryptoServiceAbstraction {
     return this.cryptoFunctionService.rsaDecrypt(data, privateKey, alg);
   }
 
-  /**
-   * @deprecated July 25 2022: Get the key you need from CryptoService (getKeyForUserEncryption or getOrgKey)
-   * and then call encryptService.decryptToBytes
-   */
-  async decryptToBytes(encString: EncString, key?: SymmetricCryptoKey): Promise<Uint8Array> {
-    const keyForEnc = await this.getKeyForUserEncryption(key);
-    return this.encryptService.decryptToBytes(encString, keyForEnc);
-  }
-
-  /**
-   * @deprecated July 25 2022: Get the key you need from CryptoService (getKeyForUserEncryption or getOrgKey)
-   * and then call encryptService.decryptToUtf8
-   */
-  async decryptToUtf8(encString: EncString, key?: SymmetricCryptoKey): Promise<string> {
-    key = await this.getKeyForUserEncryption(key);
-    return await this.encryptService.decryptToUtf8(encString, key);
-  }
-
-  /**
-   * @deprecated July 25 2022: Get the key you need from CryptoService (getKeyForUserEncryption or getOrgKey)
-   * and then call encryptService.decryptToBytes
-   */
-  async decryptFromBytes(encBuffer: EncArrayBuffer, key: SymmetricCryptoKey): Promise<Uint8Array> {
-    if (encBuffer == null) {
-      throw new Error("No buffer provided for decryption.");
-    }
-
-    key = await this.getKeyForUserEncryption(key);
-
-    return this.encryptService.decryptToBytes(encBuffer, key);
-  }
-
   // EFForg/OpenWireless
   // ref https://github.com/EFForg/OpenWireless/blob/master/app/js/diceware.js
   async randomNumber(min: number, max: number): Promise<number> {
@@ -696,15 +698,22 @@ export class CryptoService implements CryptoServiceAbstraction {
     return min + rval;
   }
 
-  async validateKey(key: SymmetricCryptoKey) {
+  // ---HELPERS---
+  protected async validateUserKey(key: UserKey): Promise<boolean> {
+    if (!key) {
+      return false;
+    }
+
     try {
       const encPrivateKey = await this.stateService.getEncryptedPrivateKey();
-      const encKey = await this.getEncKeyHelper(key);
-      if (encPrivateKey == null || encKey == null) {
+      if (encPrivateKey == null) {
         return false;
       }
 
-      const privateKey = await this.decryptToBytes(new EncString(encPrivateKey), encKey);
+      const privateKey = await this.encryptService.decryptToBytes(
+        new EncString(encPrivateKey),
+        key
+      );
       await this.cryptoFunctionService.rsaExtractPublicKey(privateKey);
     } catch (e) {
       return false;
@@ -713,53 +722,115 @@ export class CryptoService implements CryptoServiceAbstraction {
     return true;
   }
 
-  // ---HELPERS---
+  /**
+   * Initialize all necessary crypto keys needed for a new account.
+   * Warning! This completely replaces any existing keys!
+   */
+  async initAccount(): Promise<{
+    userKey: UserKey;
+    publicKey: string;
+    privateKey: EncString;
+  }> {
+    const randomBytes = await this.cryptoFunctionService.randomBytes(64);
+    const userKey = new SymmetricCryptoKey(randomBytes) as UserKey;
+    const [publicKey, privateKey] = await this.makeKeyPair(userKey);
+    await this.setUserKey(userKey);
+    await this.stateService.setEncryptedPrivateKey(privateKey.encryptedString);
 
-  protected async storeKey(key: SymmetricCryptoKey, userId?: string) {
+    return {
+      userKey,
+      publicKey,
+      privateKey,
+    };
+  }
+
+  /**
+   * Generates any additional keys if needed. Additional keys are
+   * keys such as biometrics, auto, and pin keys.
+   * Useful to make sure other keys stay in sync when the user key
+   * has been rotated.
+   * @param key The user key
+   * @param userId The desired user
+   */
+  protected async storeAdditionalKeys(key: UserKey, userId?: string) {
     const storeAuto = await this.shouldStoreKey(KeySuffixOptions.Auto, userId);
-
     if (storeAuto) {
-      await this.storeAutoKey(key, userId);
+      await this.stateService.setUserKeyAutoUnlock(key.keyB64, { userId: userId });
     } else {
-      await this.stateService.setCryptoMasterKeyAuto(null, { userId: userId });
+      await this.stateService.setUserKeyAutoUnlock(null, { userId: userId });
+    }
+    await this.clearDeprecatedKeys(KeySuffixOptions.Auto, userId);
+
+    const storePin = await this.shouldStoreKey(KeySuffixOptions.Pin, userId);
+    if (storePin) {
+      await this.storePinKey(key, userId);
+      // We can't always clear deprecated keys because the pin is only
+      // migrated once used to unlock
+      await this.clearDeprecatedKeys(KeySuffixOptions.Pin, userId);
+    } else {
+      await this.stateService.setPinKeyEncryptedUserKey(null, { userId: userId });
+      await this.stateService.setPinKeyEncryptedUserKeyEphemeral(null, { userId: userId });
     }
   }
 
-  protected async storeAutoKey(key: SymmetricCryptoKey, userId?: string) {
-    await this.stateService.setCryptoMasterKeyAuto(key.keyB64, { userId: userId });
+  /**
+   * Stores the pin key if needed. If MP on Reset is enabled, stores the
+   * ephemeral version.
+   * @param key The user key
+   */
+  protected async storePinKey(key: UserKey, userId?: string) {
+    const pin = await this.encryptService.decryptToUtf8(
+      new EncString(await this.stateService.getProtectedPin({ userId: userId })),
+      key
+    );
+    const pinKey = await this.makePinKey(
+      pin,
+      await this.stateService.getEmail({ userId: userId }),
+      await this.stateService.getKdfType({ userId: userId }),
+      await this.stateService.getKdfConfig({ userId: userId })
+    );
+    const encPin = await this.encryptService.encrypt(key.key, pinKey);
+
+    if ((await this.stateService.getPinKeyEncryptedUserKey({ userId: userId })) != null) {
+      await this.stateService.setPinKeyEncryptedUserKey(encPin, { userId: userId });
+    } else {
+      await this.stateService.setPinKeyEncryptedUserKeyEphemeral(encPin, { userId: userId });
+    }
   }
 
   protected async shouldStoreKey(keySuffix: KeySuffixOptions, userId?: string) {
     let shouldStoreKey = false;
-    if (keySuffix === KeySuffixOptions.Auto) {
-      const vaultTimeout = await this.stateService.getVaultTimeout({ userId: userId });
-      shouldStoreKey = vaultTimeout == null;
-    } else if (keySuffix === KeySuffixOptions.Biometric) {
-      const biometricUnlock = await this.stateService.getBiometricUnlock({ userId: userId });
-      shouldStoreKey = biometricUnlock && this.platformUtilService.supportsSecureStorage();
+    switch (keySuffix) {
+      case KeySuffixOptions.Auto: {
+        const vaultTimeout = await this.stateService.getVaultTimeout({ userId: userId });
+        shouldStoreKey = vaultTimeout == null;
+        break;
+      }
+      case KeySuffixOptions.Pin: {
+        const protectedPin = await this.stateService.getProtectedPin({ userId: userId });
+        shouldStoreKey = !!protectedPin;
+        break;
+      }
     }
     return shouldStoreKey;
   }
 
-  protected async retrieveKeyFromStorage(keySuffix: KeySuffixOptions, userId?: string) {
-    return keySuffix === KeySuffixOptions.Auto
-      ? await this.stateService.getCryptoMasterKeyAuto({ userId: userId })
-      : await this.stateService.getCryptoMasterKeyBiometric({ userId: userId });
+  protected async getKeyFromStorage(
+    keySuffix: KeySuffixOptions,
+    userId?: string
+  ): Promise<UserKey> {
+    if (keySuffix === KeySuffixOptions.Auto) {
+      const userKey = await this.stateService.getUserKeyAutoUnlock({ userId: userId });
+      if (userKey) {
+        return new SymmetricCryptoKey(Utils.fromB64ToArray(userKey)) as UserKey;
+      }
+    }
+    return null;
   }
 
-  async getKeyForUserEncryption(key?: SymmetricCryptoKey): Promise<SymmetricCryptoKey> {
-    if (key != null) {
-      return key;
-    }
-
-    const encKey = await this.getEncKey();
-    if (encKey != null) {
-      return encKey;
-    }
-
-    // Legacy support: encryption used to be done with the user key (derived from master password).
-    // Users who have not migrated will have a null encKey and must use the user key instead.
-    return await this.getKey();
+  protected async clearAllStoredUserKeys(userId?: string): Promise<void> {
+    await this.stateService.setUserKeyAutoUnlock(null, { userId: userId });
+    await this.stateService.setPinKeyEncryptedUserKeyEphemeral(null, { userId: userId });
   }
 
   private async stretchKey(key: SymmetricCryptoKey): Promise<SymmetricCryptoKey> {
@@ -791,60 +862,187 @@ export class CryptoService implements CryptoServiceAbstraction {
     return phrase;
   }
 
-  private async buildEncKey(
-    key: SymmetricCryptoKey,
-    encKey: Uint8Array
-  ): Promise<[SymmetricCryptoKey, EncString]> {
-    let encKeyEnc: EncString = null;
-    if (key.key.byteLength === 32) {
-      const newKey = await this.stretchKey(key);
-      encKeyEnc = await this.encrypt(encKey, newKey);
-    } else if (key.key.byteLength === 64) {
-      encKeyEnc = await this.encrypt(encKey, key);
+  private async buildProtectedSymmetricKey<T extends SymmetricCryptoKey>(
+    encryptionKey: SymmetricCryptoKey,
+    newSymKey: Uint8Array
+  ): Promise<[T, EncString]> {
+    let protectedSymKey: EncString = null;
+    if (encryptionKey.key.byteLength === 32) {
+      const stretchedEncryptionKey = await this.stretchKey(encryptionKey);
+      protectedSymKey = await this.encryptService.encrypt(newSymKey, stretchedEncryptionKey);
+    } else if (encryptionKey.key.byteLength === 64) {
+      protectedSymKey = await this.encryptService.encrypt(newSymKey, encryptionKey);
     } else {
       throw new Error("Invalid key size.");
     }
-    return [new SymmetricCryptoKey(encKey), encKeyEnc];
+    return [new SymmetricCryptoKey(newSymKey) as T, protectedSymKey];
   }
 
-  private async clearSecretKeyStore(userId?: string): Promise<void> {
-    await this.stateService.setCryptoMasterKeyAuto(null, { userId: userId });
-    await this.stateService.setCryptoMasterKeyBiometric(null, { userId: userId });
-  }
+  private async makeKey(
+    password: string,
+    salt: string,
+    kdf: KdfType,
+    kdfConfig: KdfConfig
+  ): Promise<SymmetricCryptoKey> {
+    let key: Uint8Array = null;
+    if (kdf == null || kdf === KdfType.PBKDF2_SHA256) {
+      if (kdfConfig.iterations == null) {
+        kdfConfig.iterations = 5000;
+      } else if (kdfConfig.iterations < 5000) {
+        throw new Error("PBKDF2 iteration minimum is 5000.");
+      }
+      key = await this.cryptoFunctionService.pbkdf2(password, salt, "sha256", kdfConfig.iterations);
+    } else if (kdf == KdfType.Argon2id) {
+      if (kdfConfig.iterations == null) {
+        kdfConfig.iterations = DEFAULT_ARGON2_ITERATIONS;
+      } else if (kdfConfig.iterations < 2) {
+        throw new Error("Argon2 iteration minimum is 2.");
+      }
 
-  private async getEncKeyHelper(key: SymmetricCryptoKey = null): Promise<SymmetricCryptoKey> {
-    const inMemoryKey = await this.stateService.getDecryptedCryptoSymmetricKey();
-    if (inMemoryKey != null) {
-      return inMemoryKey;
-    }
+      if (kdfConfig.memory == null) {
+        kdfConfig.memory = DEFAULT_ARGON2_MEMORY;
+      } else if (kdfConfig.memory < 16) {
+        throw new Error("Argon2 memory minimum is 16 MB");
+      } else if (kdfConfig.memory > 1024) {
+        throw new Error("Argon2 memory maximum is 1024 MB");
+      }
 
-    const encKey = await this.stateService.getEncryptedCryptoSymmetricKey();
-    if (encKey == null) {
-      return null;
-    }
+      if (kdfConfig.parallelism == null) {
+        kdfConfig.parallelism = DEFAULT_ARGON2_PARALLELISM;
+      } else if (kdfConfig.parallelism < 1) {
+        throw new Error("Argon2 parallelism minimum is 1.");
+      }
 
-    if (key == null) {
-      key = await this.getKey();
-    }
-    if (key == null) {
-      return null;
-    }
-
-    let decEncKey: Uint8Array;
-    const encKeyCipher = new EncString(encKey);
-    if (encKeyCipher.encryptionType === EncryptionType.AesCbc256_B64) {
-      decEncKey = await this.decryptToBytes(encKeyCipher, key);
-    } else if (encKeyCipher.encryptionType === EncryptionType.AesCbc256_HmacSha256_B64) {
-      const newKey = await this.stretchKey(key);
-      decEncKey = await this.decryptToBytes(encKeyCipher, newKey);
+      const saltHash = await this.cryptoFunctionService.hash(salt, "sha256");
+      key = await this.cryptoFunctionService.argon2(
+        password,
+        saltHash,
+        kdfConfig.iterations,
+        kdfConfig.memory * 1024, // convert to KiB from MiB
+        kdfConfig.parallelism
+      );
     } else {
-      throw new Error("Unsupported encKey type.");
+      throw new Error("Unknown Kdf.");
     }
-    if (decEncKey == null) {
-      return null;
+    return new SymmetricCryptoKey(key);
+  }
+
+  // --LEGACY METHODS--
+  // We previously used the master key for additional keys, but now we use the user key.
+  // These methods support migrating the old keys to the new ones.
+  // TODO: Remove after 2023.10 release (https://bitwarden.atlassian.net/browse/PM-3475)
+
+  async clearDeprecatedKeys(keySuffix: KeySuffixOptions, userId?: string) {
+    if (keySuffix === KeySuffixOptions.Auto) {
+      await this.stateService.setCryptoMasterKeyAuto(null, { userId: userId });
+    } else if (keySuffix === KeySuffixOptions.Pin) {
+      await this.stateService.setEncryptedPinProtected(null, { userId: userId });
+      await this.stateService.setDecryptedPinProtected(null, { userId: userId });
     }
-    const symmetricCryptoKey = new SymmetricCryptoKey(decEncKey);
-    await this.stateService.setDecryptedCryptoSymmetricKey(symmetricCryptoKey);
-    return symmetricCryptoKey;
+  }
+
+  async migrateAutoKeyIfNeeded(userId?: string) {
+    const oldAutoKey = await this.stateService.getCryptoMasterKeyAuto({ userId: userId });
+    if (oldAutoKey) {
+      // decrypt
+      const masterKey = new SymmetricCryptoKey(Utils.fromB64ToArray(oldAutoKey)) as MasterKey;
+      const encryptedUserKey = await this.stateService.getEncryptedCryptoSymmetricKey({
+        userId: userId,
+      });
+      const userKey = await this.decryptUserKeyWithMasterKey(
+        masterKey,
+        new EncString(encryptedUserKey),
+        userId
+      );
+      // migrate
+      await this.stateService.setUserKeyAutoUnlock(userKey.keyB64, { userId: userId });
+      await this.stateService.setCryptoMasterKeyAuto(null, { userId: userId });
+      // set encrypted user key in case user immediately locks without syncing
+      await this.setMasterKeyEncryptedUserKey(encryptedUserKey);
+    }
+  }
+
+  async decryptAndMigrateOldPinKey(
+    masterPasswordOnRestart: boolean,
+    pin: string,
+    email: string,
+    kdf: KdfType,
+    kdfConfig: KdfConfig,
+    oldPinKey: EncString
+  ): Promise<UserKey> {
+    // Decrypt
+    const masterKey = await this.decryptMasterKeyWithPin(pin, email, kdf, kdfConfig, oldPinKey);
+    const encUserKey = await this.stateService.getEncryptedCryptoSymmetricKey();
+    const userKey = await this.decryptUserKeyWithMasterKey(masterKey, new EncString(encUserKey));
+    // Migrate
+    const pinKey = await this.makePinKey(pin, email, kdf, kdfConfig);
+    const pinProtectedKey = await this.encryptService.encrypt(userKey.key, pinKey);
+    if (masterPasswordOnRestart) {
+      await this.stateService.setDecryptedPinProtected(null);
+      await this.stateService.setPinKeyEncryptedUserKeyEphemeral(pinProtectedKey);
+    } else {
+      await this.stateService.setEncryptedPinProtected(null);
+      await this.stateService.setPinKeyEncryptedUserKey(pinProtectedKey);
+      // We previously only set the protected pin if MP on Restart was enabled
+      // now we set it regardless
+      const encPin = await this.encryptService.encrypt(pin, userKey);
+      await this.stateService.setProtectedPin(encPin.encryptedString);
+    }
+    // This also clears the old Biometrics key since the new Biometrics key will
+    // be created when the user key is set.
+    await this.stateService.setCryptoMasterKeyBiometric(null);
+    return userKey;
+  }
+
+  // --DEPRECATED METHODS--
+
+  /**
+   * @deprecated July 25 2022: Get the key you need from CryptoService (getKeyForUserEncryption or getOrgKey)
+   * and then call encryptService.encrypt
+   */
+  async encrypt(plainValue: string | Uint8Array, key?: SymmetricCryptoKey): Promise<EncString> {
+    key ||= await this.getUserKeyWithLegacySupport();
+    return await this.encryptService.encrypt(plainValue, key);
+  }
+
+  /**
+   * @deprecated July 25 2022: Get the key you need from CryptoService (getKeyForUserEncryption or getOrgKey)
+   * and then call encryptService.encryptToBytes
+   */
+  async encryptToBytes(plainValue: Uint8Array, key?: SymmetricCryptoKey): Promise<EncArrayBuffer> {
+    key ||= await this.getUserKeyWithLegacySupport();
+    return this.encryptService.encryptToBytes(plainValue, key);
+  }
+
+  /**
+   * @deprecated July 25 2022: Get the key you need from CryptoService (getKeyForUserEncryption or getOrgKey)
+   * and then call encryptService.decryptToBytes
+   */
+  async decryptToBytes(encString: EncString, key?: SymmetricCryptoKey): Promise<Uint8Array> {
+    key ||= await this.getUserKeyWithLegacySupport();
+    return this.encryptService.decryptToBytes(encString, key);
+  }
+
+  /**
+   * @deprecated July 25 2022: Get the key you need from CryptoService (getKeyForUserEncryption or getOrgKey)
+   * and then call encryptService.decryptToUtf8
+   */
+  async decryptToUtf8(encString: EncString, key?: SymmetricCryptoKey): Promise<string> {
+    key ||= await this.getUserKeyWithLegacySupport();
+    return await this.encryptService.decryptToUtf8(encString, key);
+  }
+
+  /**
+   * @deprecated July 25 2022: Get the key you need from CryptoService (getKeyForUserEncryption or getOrgKey)
+   * and then call encryptService.decryptToBytes
+   */
+  async decryptFromBytes(encBuffer: EncArrayBuffer, key: SymmetricCryptoKey): Promise<Uint8Array> {
+    if (encBuffer == null) {
+      throw new Error("No buffer provided for decryption.");
+    }
+
+    key ||= await this.getUserKeyWithLegacySupport();
+
+    return this.encryptService.decryptToBytes(encBuffer, key);
   }
 }
diff --git a/libs/common/src/platform/services/state.service.ts b/libs/common/src/platform/services/state.service.ts
index 98525c16b0..14ba4abfd3 100644
--- a/libs/common/src/platform/services/state.service.ts
+++ b/libs/common/src/platform/services/state.service.ts
@@ -6,6 +6,7 @@ import { OrganizationData } from "../../admin-console/models/data/organization.d
 import { PolicyData } from "../../admin-console/models/data/policy.data";
 import { ProviderData } from "../../admin-console/models/data/provider.data";
 import { Policy } from "../../admin-console/models/domain/policy";
+import { AdminAuthRequestStorable } from "../../auth/models/domain/admin-auth-req-storable";
 import { EnvironmentUrls } from "../../auth/models/domain/environment-urls";
 import { ForceResetPasswordReason } from "../../auth/models/domain/force-reset-password-reason";
 import { KdfConfig } from "../../auth/models/domain/kdf-config";
@@ -43,6 +44,7 @@ import { ServerConfigData } from "../models/data/server-config.data";
 import {
   Account,
   AccountData,
+  AccountDecryptionOptions,
   AccountSettings,
   AccountSettingsSettings,
 } from "../models/domain/account";
@@ -50,7 +52,12 @@ import { EncString } from "../models/domain/enc-string";
 import { GlobalState } from "../models/domain/global-state";
 import { State } from "../models/domain/state";
 import { StorageOptions } from "../models/domain/storage-options";
-import { DeviceKey, SymmetricCryptoKey } from "../models/domain/symmetric-crypto-key";
+import {
+  DeviceKey,
+  MasterKey,
+  SymmetricCryptoKey,
+  UserKey,
+} from "../models/domain/symmetric-crypto-key";
 
 const keys = {
   state: "state",
@@ -62,6 +69,9 @@ const keys = {
 };
 
 const partialKeys = {
+  userAutoKey: "_user_auto",
+  userBiometricKey: "_user_biometric",
+
   autoKey: "_masterkey_auto",
   biometricKey: "_masterkey_biometric",
   masterKey: "_masterkey",
@@ -112,7 +122,7 @@ export class StateService<
           // FIXME: This should be refactored into AuthService or a similar service,
           //  as checking for the existence of the crypto key is a low level
           //  implementation detail.
-          this.activeAccountUnlockedSubject.next((await this.getCryptoMasterKey()) != null);
+          this.activeAccountUnlockedSubject.next((await this.getUserKey()) != null);
         })
       )
       .subscribe();
@@ -515,6 +525,9 @@ export class StateService<
     );
   }
 
+  /**
+   * @deprecated Do not save the Master Key. Use the User Symmetric Key instead
+   */
   async getCryptoMasterKey(options?: StorageOptions): Promise<SymmetricCryptoKey> {
     const account = await this.getAccount(
       this.reconcileOptions(options, await this.defaultInMemoryOptions())
@@ -522,6 +535,9 @@ export class StateService<
     return account?.keys?.cryptoMasterKey;
   }
 
+  /**
+   * @deprecated Do not save the Master Key. Use the User Symmetric Key instead
+   */
   async setCryptoMasterKey(value: SymmetricCryptoKey, options?: StorageOptions): Promise<void> {
     const account = await this.getAccount(
       this.reconcileOptions(options, await this.defaultInMemoryOptions())
@@ -542,6 +558,203 @@ export class StateService<
     }
   }
 
+  /**
+   * user key used to encrypt/decrypt data
+   */
+  async getUserKey(options?: StorageOptions): Promise<UserKey> {
+    const account = await this.getAccount(
+      this.reconcileOptions(options, await this.defaultInMemoryOptions())
+    );
+    return account?.keys?.userKey as UserKey;
+  }
+
+  /**
+   * user key used to encrypt/decrypt data
+   */
+  async setUserKey(value: UserKey, options?: StorageOptions): Promise<void> {
+    const account = await this.getAccount(
+      this.reconcileOptions(options, await this.defaultInMemoryOptions())
+    );
+    account.keys.userKey = value;
+    await this.saveAccount(
+      account,
+      this.reconcileOptions(options, await this.defaultInMemoryOptions())
+    );
+
+    if (options?.userId == this.activeAccountSubject.getValue()) {
+      const nextValue = value != null;
+
+      // Avoid emitting if we are already unlocked
+      if (this.activeAccountUnlockedSubject.getValue() != nextValue) {
+        this.activeAccountUnlockedSubject.next(nextValue);
+      }
+    }
+  }
+
+  /**
+   * User's master key derived from MP, saved only if we decrypted with MP
+   */
+  async getMasterKey(options?: StorageOptions): Promise<MasterKey> {
+    const account = await this.getAccount(
+      this.reconcileOptions(options, await this.defaultInMemoryOptions())
+    );
+    return account?.keys?.masterKey;
+  }
+
+  /**
+   * User's master key derived from MP, saved only if we decrypted with MP
+   */
+  async setMasterKey(value: MasterKey, options?: StorageOptions): Promise<void> {
+    const account = await this.getAccount(
+      this.reconcileOptions(options, await this.defaultInMemoryOptions())
+    );
+    account.keys.masterKey = value;
+    await this.saveAccount(
+      account,
+      this.reconcileOptions(options, await this.defaultInMemoryOptions())
+    );
+  }
+
+  /**
+   * The master key encrypted User symmetric key, saved on every auth
+   * so we can unlock with MP offline
+   */
+  async getMasterKeyEncryptedUserKey(options?: StorageOptions): Promise<string> {
+    return (
+      await this.getAccount(this.reconcileOptions(options, await this.defaultOnDiskOptions()))
+    )?.keys.masterKeyEncryptedUserKey;
+  }
+
+  /**
+   * The master key encrypted User symmetric key, saved on every auth
+   * so we can unlock with MP offline
+   */
+  async setMasterKeyEncryptedUserKey(value: string, options?: StorageOptions): Promise<void> {
+    const account = await this.getAccount(
+      this.reconcileOptions(options, await this.defaultOnDiskOptions())
+    );
+    account.keys.masterKeyEncryptedUserKey = value;
+    await this.saveAccount(
+      account,
+      this.reconcileOptions(options, await this.defaultOnDiskOptions())
+    );
+  }
+
+  /**
+   * user key when using the "never" option of vault timeout
+   */
+  async getUserKeyAutoUnlock(options?: StorageOptions): Promise<string> {
+    options = this.reconcileOptions(
+      this.reconcileOptions(options, { keySuffix: "auto" }),
+      await this.defaultSecureStorageOptions()
+    );
+    if (options?.userId == null) {
+      return null;
+    }
+    return await this.secureStorageService.get<string>(
+      `${options.userId}${partialKeys.userAutoKey}`,
+      options
+    );
+  }
+
+  /**
+   * user key when using the "never" option of vault timeout
+   */
+  async setUserKeyAutoUnlock(value: string, options?: StorageOptions): Promise<void> {
+    options = this.reconcileOptions(
+      this.reconcileOptions(options, { keySuffix: "auto" }),
+      await this.defaultSecureStorageOptions()
+    );
+    if (options?.userId == null) {
+      return;
+    }
+    await this.saveSecureStorageKey(partialKeys.userAutoKey, value, options);
+  }
+
+  /**
+   * User's encrypted symmetric key when using biometrics
+   */
+  async getUserKeyBiometric(options?: StorageOptions): Promise<string> {
+    options = this.reconcileOptions(
+      this.reconcileOptions(options, { keySuffix: "biometric" }),
+      await this.defaultSecureStorageOptions()
+    );
+    if (options?.userId == null) {
+      return null;
+    }
+    return await this.secureStorageService.get<string>(
+      `${options.userId}${partialKeys.userBiometricKey}`,
+      options
+    );
+  }
+
+  async hasUserKeyBiometric(options?: StorageOptions): Promise<boolean> {
+    options = this.reconcileOptions(
+      this.reconcileOptions(options, { keySuffix: "biometric" }),
+      await this.defaultSecureStorageOptions()
+    );
+    if (options?.userId == null) {
+      return false;
+    }
+    return await this.secureStorageService.has(
+      `${options.userId}${partialKeys.userBiometricKey}`,
+      options
+    );
+  }
+
+  async setUserKeyBiometric(value: BiometricKey, options?: StorageOptions): Promise<void> {
+    options = this.reconcileOptions(
+      this.reconcileOptions(options, { keySuffix: "biometric" }),
+      await this.defaultSecureStorageOptions()
+    );
+    if (options?.userId == null) {
+      return;
+    }
+    await this.saveSecureStorageKey(partialKeys.userBiometricKey, value, options);
+  }
+
+  async getPinKeyEncryptedUserKey(options?: StorageOptions): Promise<EncString> {
+    return EncString.fromJSON(
+      (await this.getAccount(this.reconcileOptions(options, await this.defaultOnDiskOptions())))
+        ?.settings?.pinKeyEncryptedUserKey
+    );
+  }
+
+  async setPinKeyEncryptedUserKey(value: EncString, options?: StorageOptions): Promise<void> {
+    const account = await this.getAccount(
+      this.reconcileOptions(options, await this.defaultOnDiskOptions())
+    );
+    account.settings.pinKeyEncryptedUserKey = value?.encryptedString;
+    await this.saveAccount(
+      account,
+      this.reconcileOptions(options, await this.defaultOnDiskOptions())
+    );
+  }
+
+  async getPinKeyEncryptedUserKeyEphemeral(options?: StorageOptions): Promise<EncString> {
+    return EncString.fromJSON(
+      (await this.getAccount(this.reconcileOptions(options, await this.defaultInMemoryOptions())))
+        ?.settings?.pinKeyEncryptedUserKeyEphemeral
+    );
+  }
+
+  async setPinKeyEncryptedUserKeyEphemeral(
+    value: EncString,
+    options?: StorageOptions
+  ): Promise<void> {
+    const account = await this.getAccount(
+      this.reconcileOptions(options, await this.defaultInMemoryOptions())
+    );
+    account.settings.pinKeyEncryptedUserKeyEphemeral = value?.encryptedString;
+    await this.saveAccount(
+      account,
+      this.reconcileOptions(options, await this.defaultInMemoryOptions())
+    );
+  }
+
+  /**
+   * @deprecated Use UserKeyAuto instead
+   */
   async getCryptoMasterKeyAuto(options?: StorageOptions): Promise<string> {
     options = this.reconcileOptions(
       this.reconcileOptions(options, { keySuffix: "auto" }),
@@ -556,6 +769,9 @@ export class StateService<
     );
   }
 
+  /**
+   * @deprecated Use UserKeyAuto instead
+   */
   async setCryptoMasterKeyAuto(value: string, options?: StorageOptions): Promise<void> {
     options = this.reconcileOptions(
       this.reconcileOptions(options, { keySuffix: "auto" }),
@@ -567,6 +783,9 @@ export class StateService<
     await this.saveSecureStorageKey(partialKeys.autoKey, value, options);
   }
 
+  /**
+   * @deprecated I don't see where this is even used
+   */
   async getCryptoMasterKeyB64(options?: StorageOptions): Promise<string> {
     options = this.reconcileOptions(options, await this.defaultSecureStorageOptions());
     if (options?.userId == null) {
@@ -578,6 +797,9 @@ export class StateService<
     );
   }
 
+  /**
+   * @deprecated I don't see where this is even used
+   */
   async setCryptoMasterKeyB64(value: string, options?: StorageOptions): Promise<void> {
     options = this.reconcileOptions(options, await this.defaultSecureStorageOptions());
     if (options?.userId == null) {
@@ -586,6 +808,9 @@ export class StateService<
     await this.saveSecureStorageKey(partialKeys.masterKey, value, options);
   }
 
+  /**
+   * @deprecated Use UserKeyBiometric instead
+   */
   async getCryptoMasterKeyBiometric(options?: StorageOptions): Promise<string> {
     options = this.reconcileOptions(
       this.reconcileOptions(options, { keySuffix: "biometric" }),
@@ -600,6 +825,9 @@ export class StateService<
     );
   }
 
+  /**
+   * @deprecated Use UserKeyBiometric instead
+   */
   async hasCryptoMasterKeyBiometric(options?: StorageOptions): Promise<boolean> {
     options = this.reconcileOptions(
       this.reconcileOptions(options, { keySuffix: "biometric" }),
@@ -614,6 +842,9 @@ export class StateService<
     );
   }
 
+  /**
+   * @deprecated Use UserKeyBiometric instead
+   */
   async setCryptoMasterKeyBiometric(value: BiometricKey, options?: StorageOptions): Promise<void> {
     options = this.reconcileOptions(
       this.reconcileOptions(options, { keySuffix: "biometric" }),
@@ -661,6 +892,9 @@ export class StateService<
     );
   }
 
+  /**
+   * @deprecated Use UserKey instead
+   */
   async getDecryptedCryptoSymmetricKey(options?: StorageOptions): Promise<SymmetricCryptoKey> {
     const account = await this.getAccount(
       this.reconcileOptions(options, await this.defaultInMemoryOptions())
@@ -668,6 +902,9 @@ export class StateService<
     return account?.keys?.cryptoSymmetricKey?.decrypted;
   }
 
+  /**
+   * @deprecated Use UserKey instead
+   */
   async setDecryptedCryptoSymmetricKey(
     value: SymmetricCryptoKey,
     options?: StorageOptions
@@ -728,12 +965,18 @@ export class StateService<
     );
   }
 
+  /**
+   * @deprecated Use getPinKeyEncryptedUserKeyEphemeral instead
+   */
   async getDecryptedPinProtected(options?: StorageOptions): Promise<EncString> {
     return (
       await this.getAccount(this.reconcileOptions(options, await this.defaultInMemoryOptions()))
     )?.settings?.pinProtected?.decrypted;
   }
 
+  /**
+   * @deprecated Use setPinKeyEncryptedUserKeyEphemeral instead
+   */
   async setDecryptedPinProtected(value: EncString, options?: StorageOptions): Promise<void> {
     const account = await this.getAccount(
       this.reconcileOptions(options, await this.defaultInMemoryOptions())
@@ -1069,10 +1312,17 @@ export class StateService<
 
     const account = await this.getAccount(options);
 
-    return account?.keys?.deviceKey as DeviceKey;
+    const existingDeviceKey = account?.keys?.deviceKey;
+
+    // Must manually instantiate the SymmetricCryptoKey class from the JSON object
+    if (existingDeviceKey != null) {
+      return SymmetricCryptoKey.fromJSON(existingDeviceKey) as DeviceKey;
+    } else {
+      return null;
+    }
   }
 
-  async setDeviceKey(value: DeviceKey, options?: StorageOptions): Promise<void> {
+  async setDeviceKey(value: DeviceKey | null, options?: StorageOptions): Promise<void> {
     options = this.reconcileOptions(options, await this.defaultOnDiskLocalOptions());
 
     if (options?.userId == null) {
@@ -1081,7 +1331,94 @@ export class StateService<
 
     const account = await this.getAccount(options);
 
-    account.keys.deviceKey = value;
+    account.keys.deviceKey = value?.toJSON() ?? null;
+
+    await this.saveAccount(account, options);
+  }
+
+  async getAdminAuthRequest(options?: StorageOptions): Promise<AdminAuthRequestStorable | null> {
+    options = this.reconcileOptions(options, await this.defaultOnDiskLocalOptions());
+
+    if (options?.userId == null) {
+      return null;
+    }
+
+    const account = await this.getAccount(options);
+
+    return account?.adminAuthRequest
+      ? AdminAuthRequestStorable.fromJSON(account.adminAuthRequest)
+      : null;
+  }
+
+  async setAdminAuthRequest(
+    adminAuthRequest: AdminAuthRequestStorable,
+    options?: StorageOptions
+  ): Promise<void> {
+    options = this.reconcileOptions(options, await this.defaultOnDiskLocalOptions());
+
+    if (options?.userId == null) {
+      return;
+    }
+
+    const account = await this.getAccount(options);
+
+    account.adminAuthRequest = adminAuthRequest?.toJSON();
+
+    await this.saveAccount(account, options);
+  }
+
+  async getShouldTrustDevice(options?: StorageOptions): Promise<boolean | null> {
+    options = this.reconcileOptions(options, await this.defaultOnDiskLocalOptions());
+
+    if (options?.userId == null) {
+      return null;
+    }
+
+    const account = await this.getAccount(options);
+
+    return account?.settings?.trustDeviceChoiceForDecryption ?? null;
+  }
+
+  async setShouldTrustDevice(value: boolean, options?: StorageOptions): Promise<void> {
+    options = this.reconcileOptions(options, await this.defaultOnDiskLocalOptions());
+    if (options?.userId == null) {
+      return;
+    }
+
+    const account = await this.getAccount(options);
+
+    account.settings.trustDeviceChoiceForDecryption = value;
+
+    await this.saveAccount(account, options);
+  }
+
+  async getAccountDecryptionOptions(
+    options?: StorageOptions
+  ): Promise<AccountDecryptionOptions | null> {
+    options = this.reconcileOptions(options, await this.defaultOnDiskLocalOptions());
+
+    if (options?.userId == null) {
+      return null;
+    }
+
+    const account = await this.getAccount(options);
+
+    return account?.decryptionOptions as AccountDecryptionOptions;
+  }
+
+  async setAccountDecryptionOptions(
+    value: AccountDecryptionOptions,
+    options?: StorageOptions
+  ): Promise<void> {
+    options = this.reconcileOptions(options, await this.defaultOnDiskLocalOptions());
+
+    if (options?.userId == null) {
+      return;
+    }
+
+    const account = await this.getAccount(options);
+
+    account.decryptionOptions = value;
 
     await this.saveAccount(account, options);
   }
@@ -1366,12 +1703,18 @@ export class StateService<
     );
   }
 
+  /**
+   * @deprecated Use UserKey instead
+   */
   async getEncryptedCryptoSymmetricKey(options?: StorageOptions): Promise<string> {
     return (
       await this.getAccount(this.reconcileOptions(options, await this.defaultOnDiskOptions()))
     )?.keys.cryptoSymmetricKey.encrypted;
   }
 
+  /**
+   * @deprecated Use UserKey instead
+   */
   async setEncryptedCryptoSymmetricKey(value: string, options?: StorageOptions): Promise<void> {
     const account = await this.getAccount(
       this.reconcileOptions(options, await this.defaultOnDiskOptions())
@@ -1655,6 +1998,24 @@ export class StateService<
     );
   }
 
+  async getEverHadUserKey(options?: StorageOptions): Promise<boolean> {
+    return (
+      (await this.getAccount(this.reconcileOptions(options, await this.defaultOnDiskOptions())))
+        ?.profile?.everHadUserKey ?? false
+    );
+  }
+
+  async setEverHadUserKey(value: boolean, options?: StorageOptions): Promise<void> {
+    const account = await this.getAccount(
+      this.reconcileOptions(options, await this.defaultOnDiskOptions())
+    );
+    account.profile.everHadUserKey = value;
+    await this.saveAccount(
+      account,
+      this.reconcileOptions(options, await this.defaultOnDiskOptions())
+    );
+  }
+
   async getEverBeenUnlocked(options?: StorageOptions): Promise<boolean> {
     return (
       (await this.getAccount(this.reconcileOptions(options, await this.defaultInMemoryOptions())))
@@ -2229,6 +2590,26 @@ export class StateService<
     );
   }
 
+  async getUserSsoOrganizationIdentifier(options?: StorageOptions): Promise<string> {
+    return (
+      await this.getAccount(this.reconcileOptions(options, await this.defaultOnDiskOptions()))
+    )?.loginState?.ssoOrganizationIdentifier;
+  }
+
+  async setUserSsoOrganizationIdentifier(
+    value: string | null,
+    options?: StorageOptions
+  ): Promise<void> {
+    const account = await this.getAccount(
+      this.reconcileOptions(options, await this.defaultOnDiskOptions())
+    );
+    account.loginState.ssoOrganizationIdentifier = value;
+    await this.saveAccount(
+      account,
+      this.reconcileOptions(options, await this.defaultOnDiskOptions())
+    );
+  }
+
   async getTheme(options?: StorageOptions): Promise<ThemeType> {
     return (
       await this.getGlobals(this.reconcileOptions(options, await this.defaultOnDiskLocalOptions()))
@@ -2783,6 +3164,8 @@ export class StateService<
 
   protected async removeAccountFromSecureStorage(userId: string = null): Promise<void> {
     userId = userId ?? (await this.state())?.activeUserId;
+    await this.setUserKeyAutoUnlock(null, { userId: userId });
+    await this.setUserKeyBiometric(null, { userId: userId });
     await this.setCryptoMasterKeyAuto(null, { userId: userId });
     await this.setCryptoMasterKeyBiometric(null, { userId: userId });
     await this.setCryptoMasterKeyB64(null, { userId: userId });
@@ -2808,11 +3191,12 @@ export class StateService<
     }
   }
 
-  // settings persist even on reset, and are not effected by this method
+  // settings persist even on reset, and are not affected by this method
   protected resetAccount(account: TAccount) {
     const persistentAccountInformation = {
       settings: account.settings,
       keys: { deviceKey: account.keys.deviceKey },
+      adminAuthRequest: account.adminAuthRequest,
     };
     return Object.assign(this.createAccount(), persistentAccountInformation);
   }
@@ -2940,7 +3324,7 @@ export class StateService<
     }
   }
 
-  private deleteDiskCache(key: string) {
+  protected deleteDiskCache(key: string) {
     if (this.useAccountCache) {
       delete this.accountDiskCache.value[key];
       this.accountDiskCache.next(this.accountDiskCache.value);
diff --git a/libs/common/src/platform/services/system.service.ts b/libs/common/src/platform/services/system.service.ts
index 90a382e5ab..ac7e46948e 100644
--- a/libs/common/src/platform/services/system.service.ts
+++ b/libs/common/src/platform/services/system.service.ts
@@ -39,8 +39,8 @@ export class SystemService implements SystemServiceAbstraction {
     }
 
     // User has set a PIN, with ask for master password on restart, to protect their vault
-    const decryptedPinProtected = await this.stateService.getDecryptedPinProtected();
-    if (decryptedPinProtected != null) {
+    const ephemeralPin = await this.stateService.getPinKeyEncryptedUserKeyEphemeral();
+    if (ephemeralPin != null) {
       return;
     }
 
diff --git a/libs/common/src/services/api.service.ts b/libs/common/src/services/api.service.ts
index 0e03231652..9f658a0955 100644
--- a/libs/common/src/services/api.service.ts
+++ b/libs/common/src/services/api.service.ts
@@ -251,10 +251,15 @@ export class ApiService implements ApiServiceAbstraction {
     }
   }
 
+  // TODO: PM-3519: Create and move to AuthRequest Api service
   async postAuthRequest(request: PasswordlessCreateAuthRequest): Promise<AuthRequestResponse> {
     const r = await this.send("POST", "/auth-requests/", request, false, true);
     return new AuthRequestResponse(r);
   }
+  async postAdminAuthRequest(request: PasswordlessCreateAuthRequest): Promise<AuthRequestResponse> {
+    const r = await this.send("POST", "/auth-requests/admin-request", request, true, true);
+    return new AuthRequestResponse(r);
+  }
 
   async getAuthResponse(id: string, accessCode: string): Promise<AuthRequestResponse> {
     const path = `/auth-requests/${id}/response?code=${accessCode}`;
@@ -1580,7 +1585,9 @@ export class ApiService implements ApiServiceAbstraction {
 
   // Key Connector
 
-  async getUserKeyFromKeyConnector(keyConnectorUrl: string): Promise<KeyConnectorUserKeyResponse> {
+  async getMasterKeyFromKeyConnector(
+    keyConnectorUrl: string
+  ): Promise<KeyConnectorUserKeyResponse> {
     const authHeader = await this.getActiveBearerToken();
 
     const response = await this.fetch(
diff --git a/libs/common/src/services/device-crypto.service.implementation.ts b/libs/common/src/services/device-crypto.service.implementation.ts
deleted file mode 100644
index e2179e6e52..0000000000
--- a/libs/common/src/services/device-crypto.service.implementation.ts
+++ /dev/null
@@ -1,85 +0,0 @@
-import { DeviceCryptoServiceAbstraction } from "../abstractions/device-crypto.service.abstraction";
-import { DevicesApiServiceAbstraction } from "../abstractions/devices/devices-api.service.abstraction";
-import { DeviceResponse } from "../abstractions/devices/responses/device.response";
-import { AppIdService } from "../platform/abstractions/app-id.service";
-import { CryptoFunctionService } from "../platform/abstractions/crypto-function.service";
-import { CryptoService } from "../platform/abstractions/crypto.service";
-import { EncryptService } from "../platform/abstractions/encrypt.service";
-import { StateService } from "../platform/abstractions/state.service";
-import { SymmetricCryptoKey, DeviceKey } from "../platform/models/domain/symmetric-crypto-key";
-import { CsprngArray } from "../types/csprng";
-
-export class DeviceCryptoService implements DeviceCryptoServiceAbstraction {
-  constructor(
-    protected cryptoFunctionService: CryptoFunctionService,
-    protected cryptoService: CryptoService,
-    protected encryptService: EncryptService,
-    protected stateService: StateService,
-    protected appIdService: AppIdService,
-    protected devicesApiService: DevicesApiServiceAbstraction
-  ) {}
-
-  async trustDevice(): Promise<DeviceResponse> {
-    // Attempt to get user symmetric key
-    const userSymKey: SymmetricCryptoKey = await this.cryptoService.getEncKey();
-
-    // If user symmetric key is not found, throw error
-    if (!userSymKey) {
-      throw new Error("User symmetric key not found");
-    }
-
-    // Generate deviceKey
-    const deviceKey = await this.makeDeviceKey();
-
-    // Generate asymmetric RSA key pair: devicePrivateKey, devicePublicKey
-    const [devicePublicKey, devicePrivateKey] = await this.cryptoFunctionService.rsaGenerateKeyPair(
-      2048
-    );
-
-    const [
-      devicePublicKeyEncryptedUserSymKey,
-      userSymKeyEncryptedDevicePublicKey,
-      deviceKeyEncryptedDevicePrivateKey,
-    ] = await Promise.all([
-      // Encrypt user symmetric key with the DevicePublicKey
-      this.cryptoService.rsaEncrypt(userSymKey.encKey, devicePublicKey),
-
-      // Encrypt devicePublicKey with user symmetric key
-      this.encryptService.encrypt(devicePublicKey, userSymKey),
-
-      // Encrypt devicePrivateKey with deviceKey
-      this.encryptService.encrypt(devicePrivateKey, deviceKey),
-    ]);
-
-    // Send encrypted keys to server
-    const deviceIdentifier = await this.appIdService.getAppId();
-    return this.devicesApiService.updateTrustedDeviceKeys(
-      deviceIdentifier,
-      devicePublicKeyEncryptedUserSymKey.encryptedString,
-      userSymKeyEncryptedDevicePublicKey.encryptedString,
-      deviceKeyEncryptedDevicePrivateKey.encryptedString
-    );
-  }
-
-  async getDeviceKey(): Promise<DeviceKey> {
-    // Check if device key is already stored
-    const existingDeviceKey = await this.stateService.getDeviceKey();
-
-    if (existingDeviceKey != null) {
-      return existingDeviceKey;
-    } else {
-      return this.makeDeviceKey();
-    }
-  }
-
-  private async makeDeviceKey(): Promise<DeviceKey> {
-    // Create 512-bit device key
-    const randomBytes: CsprngArray = await this.cryptoFunctionService.randomBytes(64);
-    const deviceKey = new SymmetricCryptoKey(randomBytes) as DeviceKey;
-
-    // Save device key in secure storage
-    await this.stateService.setDeviceKey(deviceKey);
-
-    return deviceKey;
-  }
-}
diff --git a/libs/common/src/services/device-crypto.service.spec.ts b/libs/common/src/services/device-crypto.service.spec.ts
deleted file mode 100644
index cf01f00837..0000000000
--- a/libs/common/src/services/device-crypto.service.spec.ts
+++ /dev/null
@@ -1,317 +0,0 @@
-import { mock, mockReset } from "jest-mock-extended";
-
-import { DevicesApiServiceAbstraction } from "../abstractions/devices/devices-api.service.abstraction";
-import { DeviceResponse } from "../abstractions/devices/responses/device.response";
-import { EncryptionType } from "../enums/encryption-type.enum";
-import { AppIdService } from "../platform/abstractions/app-id.service";
-import { CryptoFunctionService } from "../platform/abstractions/crypto-function.service";
-import { EncryptService } from "../platform/abstractions/encrypt.service";
-import { StateService } from "../platform/abstractions/state.service";
-import { EncString } from "../platform/models/domain/enc-string";
-import { SymmetricCryptoKey, DeviceKey } from "../platform/models/domain/symmetric-crypto-key";
-import { CryptoService } from "../platform/services/crypto.service";
-import { CsprngArray } from "../types/csprng";
-
-import { DeviceCryptoService } from "./device-crypto.service.implementation";
-
-describe("deviceCryptoService", () => {
-  let deviceCryptoService: DeviceCryptoService;
-
-  const cryptoFunctionService = mock<CryptoFunctionService>();
-  const cryptoService = mock<CryptoService>();
-  const encryptService = mock<EncryptService>();
-  const stateService = mock<StateService>();
-  const appIdService = mock<AppIdService>();
-  const devicesApiService = mock<DevicesApiServiceAbstraction>();
-
-  beforeEach(() => {
-    mockReset(cryptoFunctionService);
-    mockReset(encryptService);
-    mockReset(stateService);
-    mockReset(appIdService);
-    mockReset(devicesApiService);
-
-    deviceCryptoService = new DeviceCryptoService(
-      cryptoFunctionService,
-      cryptoService,
-      encryptService,
-      stateService,
-      appIdService,
-      devicesApiService
-    );
-  });
-
-  it("instantiates", () => {
-    expect(deviceCryptoService).not.toBeFalsy();
-  });
-
-  describe("Trusted Device Encryption", () => {
-    const deviceKeyBytesLength = 64;
-    const userSymKeyBytesLength = 64;
-
-    describe("getDeviceKey", () => {
-      let mockRandomBytes: CsprngArray;
-      let mockDeviceKey: SymmetricCryptoKey;
-      let existingDeviceKey: DeviceKey;
-      let stateSvcGetDeviceKeySpy: jest.SpyInstance;
-      let makeDeviceKeySpy: jest.SpyInstance;
-
-      beforeEach(() => {
-        mockRandomBytes = new Uint8Array(deviceKeyBytesLength) as CsprngArray;
-        mockDeviceKey = new SymmetricCryptoKey(mockRandomBytes);
-        existingDeviceKey = new SymmetricCryptoKey(
-          new Uint8Array(deviceKeyBytesLength) as CsprngArray
-        ) as DeviceKey;
-
-        stateSvcGetDeviceKeySpy = jest.spyOn(stateService, "getDeviceKey");
-        makeDeviceKeySpy = jest.spyOn(deviceCryptoService as any, "makeDeviceKey");
-      });
-
-      it("gets a device key when there is not an existing device key", async () => {
-        stateSvcGetDeviceKeySpy.mockResolvedValue(null);
-        makeDeviceKeySpy.mockResolvedValue(mockDeviceKey);
-
-        const deviceKey = await deviceCryptoService.getDeviceKey();
-
-        expect(stateSvcGetDeviceKeySpy).toHaveBeenCalledTimes(1);
-        expect(makeDeviceKeySpy).toHaveBeenCalledTimes(1);
-
-        expect(deviceKey).not.toBeNull();
-        expect(deviceKey).toBeInstanceOf(SymmetricCryptoKey);
-        expect(deviceKey).toEqual(mockDeviceKey);
-      });
-
-      it("returns the existing device key without creating a new one when there is an existing device key", async () => {
-        stateSvcGetDeviceKeySpy.mockResolvedValue(existingDeviceKey);
-
-        const deviceKey = await deviceCryptoService.getDeviceKey();
-
-        expect(stateSvcGetDeviceKeySpy).toHaveBeenCalledTimes(1);
-        expect(makeDeviceKeySpy).not.toHaveBeenCalled();
-
-        expect(deviceKey).not.toBeNull();
-        expect(deviceKey).toBeInstanceOf(SymmetricCryptoKey);
-        expect(deviceKey).toEqual(existingDeviceKey);
-      });
-    });
-
-    describe("makeDeviceKey", () => {
-      it("creates a new non-null 64 byte device key, securely stores it, and returns it", async () => {
-        const mockRandomBytes = new Uint8Array(deviceKeyBytesLength) as CsprngArray;
-
-        const cryptoFuncSvcRandomBytesSpy = jest
-          .spyOn(cryptoFunctionService, "randomBytes")
-          .mockResolvedValue(mockRandomBytes);
-
-        const stateSvcSetDeviceKeySpy = jest.spyOn(stateService, "setDeviceKey");
-
-        // TypeScript will allow calling private methods if the object is of type 'any'
-        // This is a hacky workaround, but it allows for cleaner tests
-        const deviceKey = await (deviceCryptoService as any).makeDeviceKey();
-
-        expect(cryptoFuncSvcRandomBytesSpy).toHaveBeenCalledTimes(1);
-        expect(cryptoFuncSvcRandomBytesSpy).toHaveBeenCalledWith(deviceKeyBytesLength);
-
-        expect(deviceKey).not.toBeNull();
-        expect(deviceKey).toBeInstanceOf(SymmetricCryptoKey);
-
-        expect(stateSvcSetDeviceKeySpy).toHaveBeenCalledTimes(1);
-        expect(stateSvcSetDeviceKeySpy).toHaveBeenCalledWith(deviceKey);
-      });
-    });
-
-    describe("trustDevice", () => {
-      let mockDeviceKeyRandomBytes: CsprngArray;
-      let mockDeviceKey: DeviceKey;
-
-      let mockUserSymKeyRandomBytes: CsprngArray;
-      let mockUserSymKey: SymmetricCryptoKey;
-
-      const deviceRsaKeyLength = 2048;
-      let mockDeviceRsaKeyPair: [Uint8Array, Uint8Array];
-      let mockDevicePrivateKey: Uint8Array;
-      let mockDevicePublicKey: Uint8Array;
-      let mockDevicePublicKeyEncryptedUserSymKey: EncString;
-      let mockUserSymKeyEncryptedDevicePublicKey: EncString;
-      let mockDeviceKeyEncryptedDevicePrivateKey: EncString;
-
-      const mockDeviceResponse: DeviceResponse = new DeviceResponse({
-        Id: "mockId",
-        Name: "mockName",
-        Identifier: "mockIdentifier",
-        Type: "mockType",
-        CreationDate: "mockCreationDate",
-      });
-
-      const mockDeviceId = "mockDeviceId";
-
-      let makeDeviceKeySpy: jest.SpyInstance;
-      let rsaGenerateKeyPairSpy: jest.SpyInstance;
-      let cryptoSvcGetEncKeySpy: jest.SpyInstance;
-      let cryptoSvcRsaEncryptSpy: jest.SpyInstance;
-      let encryptServiceEncryptSpy: jest.SpyInstance;
-      let appIdServiceGetAppIdSpy: jest.SpyInstance;
-      let devicesApiServiceUpdateTrustedDeviceKeysSpy: jest.SpyInstance;
-
-      beforeEach(() => {
-        // Setup all spies and default return values for the happy path
-
-        mockDeviceKeyRandomBytes = new Uint8Array(deviceKeyBytesLength) as CsprngArray;
-        mockDeviceKey = new SymmetricCryptoKey(mockDeviceKeyRandomBytes) as DeviceKey;
-
-        mockUserSymKeyRandomBytes = new Uint8Array(userSymKeyBytesLength) as CsprngArray;
-        mockUserSymKey = new SymmetricCryptoKey(mockUserSymKeyRandomBytes);
-
-        mockDeviceRsaKeyPair = [
-          new Uint8Array(deviceRsaKeyLength),
-          new Uint8Array(deviceRsaKeyLength),
-        ];
-
-        mockDevicePublicKey = mockDeviceRsaKeyPair[0];
-        mockDevicePrivateKey = mockDeviceRsaKeyPair[1];
-
-        mockDevicePublicKeyEncryptedUserSymKey = new EncString(
-          EncryptionType.Rsa2048_OaepSha1_B64,
-          "mockDevicePublicKeyEncryptedUserSymKey"
-        );
-
-        mockUserSymKeyEncryptedDevicePublicKey = new EncString(
-          EncryptionType.AesCbc256_HmacSha256_B64,
-          "mockUserSymKeyEncryptedDevicePublicKey"
-        );
-
-        mockDeviceKeyEncryptedDevicePrivateKey = new EncString(
-          EncryptionType.AesCbc256_HmacSha256_B64,
-          "mockDeviceKeyEncryptedDevicePrivateKey"
-        );
-
-        // TypeScript will allow calling private methods if the object is of type 'any'
-        makeDeviceKeySpy = jest
-          .spyOn(deviceCryptoService as any, "makeDeviceKey")
-          .mockResolvedValue(mockDeviceKey);
-
-        rsaGenerateKeyPairSpy = jest
-          .spyOn(cryptoFunctionService, "rsaGenerateKeyPair")
-          .mockResolvedValue(mockDeviceRsaKeyPair);
-
-        cryptoSvcGetEncKeySpy = jest
-          .spyOn(cryptoService, "getEncKey")
-          .mockResolvedValue(mockUserSymKey);
-
-        cryptoSvcRsaEncryptSpy = jest
-          .spyOn(cryptoService, "rsaEncrypt")
-          .mockResolvedValue(mockDevicePublicKeyEncryptedUserSymKey);
-
-        encryptServiceEncryptSpy = jest
-          .spyOn(encryptService, "encrypt")
-          .mockImplementation((plainValue, key) => {
-            if (plainValue === mockDevicePublicKey && key === mockUserSymKey) {
-              return Promise.resolve(mockUserSymKeyEncryptedDevicePublicKey);
-            }
-            if (plainValue === mockDevicePrivateKey && key === mockDeviceKey) {
-              return Promise.resolve(mockDeviceKeyEncryptedDevicePrivateKey);
-            }
-          });
-
-        appIdServiceGetAppIdSpy = jest
-          .spyOn(appIdService, "getAppId")
-          .mockResolvedValue(mockDeviceId);
-
-        devicesApiServiceUpdateTrustedDeviceKeysSpy = jest
-          .spyOn(devicesApiService, "updateTrustedDeviceKeys")
-          .mockResolvedValue(mockDeviceResponse);
-      });
-
-      it("calls the required methods with the correct arguments and returns a DeviceResponse", async () => {
-        const response = await deviceCryptoService.trustDevice();
-
-        expect(makeDeviceKeySpy).toHaveBeenCalledTimes(1);
-        expect(rsaGenerateKeyPairSpy).toHaveBeenCalledTimes(1);
-        expect(cryptoSvcGetEncKeySpy).toHaveBeenCalledTimes(1);
-
-        expect(cryptoSvcRsaEncryptSpy).toHaveBeenCalledTimes(1);
-        expect(encryptServiceEncryptSpy).toHaveBeenCalledTimes(2);
-
-        expect(appIdServiceGetAppIdSpy).toHaveBeenCalledTimes(1);
-        expect(devicesApiServiceUpdateTrustedDeviceKeysSpy).toHaveBeenCalledTimes(1);
-        expect(devicesApiServiceUpdateTrustedDeviceKeysSpy).toHaveBeenCalledWith(
-          mockDeviceId,
-          mockDevicePublicKeyEncryptedUserSymKey.encryptedString,
-          mockUserSymKeyEncryptedDevicePublicKey.encryptedString,
-          mockDeviceKeyEncryptedDevicePrivateKey.encryptedString
-        );
-
-        expect(response).toBeInstanceOf(DeviceResponse);
-        expect(response).toEqual(mockDeviceResponse);
-      });
-
-      it("throws specific error if user symmetric key is not found", async () => {
-        // setup the spy to return null
-        cryptoSvcGetEncKeySpy.mockResolvedValue(null);
-        // check if the expected error is thrown
-        await expect(deviceCryptoService.trustDevice()).rejects.toThrow(
-          "User symmetric key not found"
-        );
-
-        // reset the spy
-        cryptoSvcGetEncKeySpy.mockReset();
-
-        // setup the spy to return undefined
-        cryptoSvcGetEncKeySpy.mockResolvedValue(undefined);
-        // check if the expected error is thrown
-        await expect(deviceCryptoService.trustDevice()).rejects.toThrow(
-          "User symmetric key not found"
-        );
-      });
-
-      const methodsToTestForErrorsOrInvalidReturns = [
-        {
-          method: "makeDeviceKey",
-          spy: () => makeDeviceKeySpy,
-          errorText: "makeDeviceKey error",
-        },
-        {
-          method: "rsaGenerateKeyPair",
-          spy: () => rsaGenerateKeyPairSpy,
-          errorText: "rsaGenerateKeyPair error",
-        },
-        {
-          method: "getEncKey",
-          spy: () => cryptoSvcGetEncKeySpy,
-          errorText: "getEncKey error",
-        },
-        {
-          method: "rsaEncrypt",
-          spy: () => cryptoSvcRsaEncryptSpy,
-          errorText: "rsaEncrypt error",
-        },
-        {
-          method: "encryptService.encrypt",
-          spy: () => encryptServiceEncryptSpy,
-          errorText: "encryptService.encrypt error",
-        },
-      ];
-
-      describe.each(methodsToTestForErrorsOrInvalidReturns)(
-        "trustDevice error handling and invalid return testing",
-        ({ method, spy, errorText }) => {
-          // ensures that error propagation works correctly
-          it(`throws an error if ${method} fails`, async () => {
-            const methodSpy = spy();
-            methodSpy.mockRejectedValue(new Error(errorText));
-            await expect(deviceCryptoService.trustDevice()).rejects.toThrow(errorText);
-          });
-
-          test.each([null, undefined])(
-            `throws an error if ${method} returns %s`,
-            async (invalidValue) => {
-              const methodSpy = spy();
-              methodSpy.mockResolvedValue(invalidValue);
-              await expect(deviceCryptoService.trustDevice()).rejects.toThrow();
-            }
-          );
-        }
-      );
-    });
-  });
-});
diff --git a/libs/common/src/services/devices/devices-api.service.implementation.ts b/libs/common/src/services/devices/devices-api.service.implementation.ts
deleted file mode 100644
index 3121ace6f8..0000000000
--- a/libs/common/src/services/devices/devices-api.service.implementation.ts
+++ /dev/null
@@ -1,64 +0,0 @@
-import { DevicesApiServiceAbstraction } from "../../abstractions/devices/devices-api.service.abstraction";
-import { DeviceResponse } from "../../abstractions/devices/responses/device.response";
-import { Utils } from "../../platform/misc/utils";
-import { ApiService } from "../api.service";
-
-import { TrustedDeviceKeysRequest } from "./requests/trusted-device-keys.request";
-
-export class DevicesApiServiceImplementation implements DevicesApiServiceAbstraction {
-  constructor(private apiService: ApiService) {}
-
-  async getKnownDevice(email: string, deviceIdentifier: string): Promise<boolean> {
-    const r = await this.apiService.send(
-      "GET",
-      "/devices/knowndevice",
-      null,
-      false,
-      true,
-      null,
-      (headers) => {
-        headers.set("X-Device-Identifier", deviceIdentifier);
-        headers.set("X-Request-Email", Utils.fromUtf8ToUrlB64(email));
-      }
-    );
-    return r as boolean;
-  }
-
-  /**
-   * Get device by identifier
-   * @param deviceIdentifier - client generated id (not device id in DB)
-   */
-  async getDeviceByIdentifier(deviceIdentifier: string): Promise<DeviceResponse> {
-    const r = await this.apiService.send(
-      "GET",
-      `/devices/identifier/${deviceIdentifier}`,
-      null,
-      true,
-      true
-    );
-    return new DeviceResponse(r);
-  }
-
-  async updateTrustedDeviceKeys(
-    deviceIdentifier: string,
-    devicePublicKeyEncryptedUserSymKey: string,
-    userSymKeyEncryptedDevicePublicKey: string,
-    deviceKeyEncryptedDevicePrivateKey: string
-  ): Promise<DeviceResponse> {
-    const request = new TrustedDeviceKeysRequest(
-      devicePublicKeyEncryptedUserSymKey,
-      userSymKeyEncryptedDevicePublicKey,
-      deviceKeyEncryptedDevicePrivateKey
-    );
-
-    const result = await this.apiService.send(
-      "PUT",
-      `/devices/${deviceIdentifier}/keys`,
-      request,
-      true,
-      true
-    );
-
-    return new DeviceResponse(result);
-  }
-}
diff --git a/libs/common/src/services/devices/devices.service.implementation.ts b/libs/common/src/services/devices/devices.service.implementation.ts
new file mode 100644
index 0000000000..fe6e2a37d2
--- /dev/null
+++ b/libs/common/src/services/devices/devices.service.implementation.ts
@@ -0,0 +1,68 @@
+import { Observable, defer, map } from "rxjs";
+
+import { DevicesServiceAbstraction } from "../../abstractions/devices/devices.service.abstraction";
+import { DeviceResponse } from "../../abstractions/devices/responses/device.response";
+import { DeviceView } from "../../abstractions/devices/views/device.view";
+import { DevicesApiServiceAbstraction } from "../../auth/abstractions/devices-api.service.abstraction";
+import { ListResponse } from "../../models/response/list.response";
+
+/**
+ * @class DevicesServiceImplementation
+ * @implements {DevicesServiceAbstraction}
+ * @description Observable based data store service for Devices.
+ * note: defer is used to convert the promises to observables and to ensure
+ * that observables are created for each subscription
+ * (i.e., promsise --> observables are cold until subscribed to)
+ */
+export class DevicesServiceImplementation implements DevicesServiceAbstraction {
+  constructor(private devicesApiService: DevicesApiServiceAbstraction) {}
+
+  /**
+   * @description Gets the list of all devices.
+   */
+  getDevices$(): Observable<Array<DeviceView>> {
+    return defer(() => this.devicesApiService.getDevices()).pipe(
+      map((deviceResponses: ListResponse<DeviceResponse>) => {
+        return deviceResponses.data.map((deviceResponse: DeviceResponse) => {
+          return new DeviceView(deviceResponse);
+        });
+      })
+    );
+  }
+
+  /**
+   * @description Gets the device with the specified identifier.
+   */
+  getDeviceByIdentifier$(deviceIdentifier: string): Observable<DeviceView> {
+    return defer(() => this.devicesApiService.getDeviceByIdentifier(deviceIdentifier)).pipe(
+      map((deviceResponse: DeviceResponse) => new DeviceView(deviceResponse))
+    );
+  }
+
+  /**
+   * @description Checks if a device is known for a user by user's email and device's identifier.
+   */
+  isDeviceKnownForUser$(email: string, deviceIdentifier: string): Observable<boolean> {
+    return defer(() => this.devicesApiService.getKnownDevice(email, deviceIdentifier));
+  }
+
+  /**
+   * @description Updates the keys for the specified device.
+   */
+
+  updateTrustedDeviceKeys$(
+    deviceIdentifier: string,
+    devicePublicKeyEncryptedUserKey: string,
+    userKeyEncryptedDevicePublicKey: string,
+    deviceKeyEncryptedDevicePrivateKey: string
+  ): Observable<DeviceView> {
+    return defer(() =>
+      this.devicesApiService.updateTrustedDeviceKeys(
+        deviceIdentifier,
+        devicePublicKeyEncryptedUserKey,
+        userKeyEncryptedDevicePublicKey,
+        deviceKeyEncryptedDevicePrivateKey
+      )
+    ).pipe(map((deviceResponse: DeviceResponse) => new DeviceView(deviceResponse)));
+  }
+}
diff --git a/libs/common/src/services/vault-timeout/vault-timeout-settings.service.spec.ts b/libs/common/src/services/vault-timeout/vault-timeout-settings.service.spec.ts
new file mode 100644
index 0000000000..0e2c915186
--- /dev/null
+++ b/libs/common/src/services/vault-timeout/vault-timeout-settings.service.spec.ts
@@ -0,0 +1,146 @@
+import { mock, MockProxy } from "jest-mock-extended";
+import { firstValueFrom } from "rxjs";
+
+import { PolicyService } from "../../admin-console/abstractions/policy/policy.service.abstraction";
+import { Policy } from "../../admin-console/models/domain/policy";
+import { TokenService } from "../../auth/abstractions/token.service";
+import { UserVerificationService } from "../../auth/abstractions/user-verification/user-verification.service.abstraction";
+import { VaultTimeoutAction } from "../../enums/vault-timeout-action.enum";
+import { CryptoService } from "../../platform/abstractions/crypto.service";
+import { StateService } from "../../platform/abstractions/state.service";
+import { EncString } from "../../platform/models/domain/enc-string";
+
+import { VaultTimeoutSettingsService } from "./vault-timeout-settings.service";
+
+describe("VaultTimeoutSettingsService", () => {
+  let cryptoService: MockProxy<CryptoService>;
+  let tokenService: MockProxy<TokenService>;
+  let policyService: MockProxy<PolicyService>;
+  let stateService: MockProxy<StateService>;
+  let userVerificationService: MockProxy<UserVerificationService>;
+  let service: VaultTimeoutSettingsService;
+
+  beforeEach(() => {
+    cryptoService = mock<CryptoService>();
+    tokenService = mock<TokenService>();
+    policyService = mock<PolicyService>();
+    stateService = mock<StateService>();
+    userVerificationService = mock<UserVerificationService>();
+    service = new VaultTimeoutSettingsService(
+      cryptoService,
+      tokenService,
+      policyService,
+      stateService,
+      userVerificationService
+    );
+  });
+
+  describe("availableVaultTimeoutActions$", () => {
+    it("always returns LogOut", async () => {
+      const result = await firstValueFrom(service.availableVaultTimeoutActions$());
+
+      expect(result).toContain(VaultTimeoutAction.LogOut);
+    });
+
+    it("contains Lock when the user has a master password", async () => {
+      userVerificationService.hasMasterPassword.mockResolvedValue(true);
+
+      const result = await firstValueFrom(service.availableVaultTimeoutActions$());
+
+      expect(result).toContain(VaultTimeoutAction.Lock);
+    });
+
+    it("contains Lock when the user has a persistent PIN configured", async () => {
+      stateService.getPinKeyEncryptedUserKey.mockResolvedValue(createEncString());
+
+      const result = await firstValueFrom(service.availableVaultTimeoutActions$());
+
+      expect(result).toContain(VaultTimeoutAction.Lock);
+    });
+
+    it("contains Lock when the user has a transient/ephemeral PIN configured", async () => {
+      stateService.getProtectedPin.mockResolvedValue("some-key");
+
+      const result = await firstValueFrom(service.availableVaultTimeoutActions$());
+
+      expect(result).toContain(VaultTimeoutAction.Lock);
+    });
+
+    it("contains Lock when the user has biometrics configured", async () => {
+      stateService.getBiometricUnlock.mockResolvedValue(true);
+
+      const result = await firstValueFrom(service.availableVaultTimeoutActions$());
+
+      expect(result).toContain(VaultTimeoutAction.Lock);
+    });
+
+    it("not contains Lock when the user does not have a master password, PIN, or biometrics", async () => {
+      userVerificationService.hasMasterPassword.mockResolvedValue(false);
+      stateService.getPinKeyEncryptedUserKey.mockResolvedValue(null);
+      stateService.getProtectedPin.mockResolvedValue(null);
+      stateService.getBiometricUnlock.mockResolvedValue(false);
+
+      const result = await firstValueFrom(service.availableVaultTimeoutActions$());
+
+      expect(result).not.toContain(VaultTimeoutAction.Lock);
+    });
+  });
+
+  describe("vaultTimeoutAction$", () => {
+    describe("given the user has a master password", () => {
+      it.each`
+        policy                       | userPreference               | expected
+        ${null}                      | ${null}                      | ${VaultTimeoutAction.Lock}
+        ${null}                      | ${VaultTimeoutAction.LogOut} | ${VaultTimeoutAction.LogOut}
+        ${VaultTimeoutAction.LogOut} | ${null}                      | ${VaultTimeoutAction.LogOut}
+        ${VaultTimeoutAction.LogOut} | ${VaultTimeoutAction.Lock}   | ${VaultTimeoutAction.LogOut}
+      `(
+        "returns $expected when policy is $policy, and user preference is $userPreference",
+        async ({ policy, userPreference, expected }) => {
+          userVerificationService.hasMasterPassword.mockResolvedValue(true);
+          policyService.policyAppliesToUser.mockResolvedValue(policy === null ? false : true);
+          policyService.getAll.mockResolvedValue(
+            policy === null ? [] : ([{ data: { action: policy } }] as unknown as Policy[])
+          );
+          stateService.getVaultTimeoutAction.mockResolvedValue(userPreference);
+
+          const result = await firstValueFrom(service.vaultTimeoutAction$());
+
+          expect(result).toBe(expected);
+        }
+      );
+    });
+
+    describe("given the user does not have a master password", () => {
+      it.each`
+        unlockMethod | policy                     | userPreference               | expected
+        ${false}     | ${null}                    | ${null}                      | ${VaultTimeoutAction.LogOut}
+        ${false}     | ${null}                    | ${VaultTimeoutAction.Lock}   | ${VaultTimeoutAction.LogOut}
+        ${false}     | ${VaultTimeoutAction.Lock} | ${null}                      | ${VaultTimeoutAction.LogOut}
+        ${true}      | ${null}                    | ${null}                      | ${VaultTimeoutAction.LogOut}
+        ${true}      | ${null}                    | ${VaultTimeoutAction.Lock}   | ${VaultTimeoutAction.Lock}
+        ${true}      | ${VaultTimeoutAction.Lock} | ${null}                      | ${VaultTimeoutAction.Lock}
+        ${true}      | ${VaultTimeoutAction.Lock} | ${VaultTimeoutAction.LogOut} | ${VaultTimeoutAction.Lock}
+      `(
+        "returns $expected when policy is $policy, has unlock method is $unlockMethod, and user preference is $userPreference",
+        async ({ unlockMethod, policy, userPreference, expected }) => {
+          stateService.getBiometricUnlock.mockResolvedValue(unlockMethod);
+          userVerificationService.hasMasterPassword.mockResolvedValue(false);
+          policyService.policyAppliesToUser.mockResolvedValue(policy === null ? false : true);
+          policyService.getAll.mockResolvedValue(
+            policy === null ? [] : ([{ data: { action: policy } }] as unknown as Policy[])
+          );
+          stateService.getVaultTimeoutAction.mockResolvedValue(userPreference);
+
+          const result = await firstValueFrom(service.vaultTimeoutAction$());
+
+          expect(result).toBe(expected);
+        }
+      );
+    });
+  });
+});
+
+function createEncString() {
+  return Symbol() as unknown as EncString;
+}
diff --git a/libs/common/src/services/vaultTimeout/vaultTimeoutSettings.service.ts b/libs/common/src/services/vault-timeout/vault-timeout-settings.service.ts
similarity index 50%
rename from libs/common/src/services/vaultTimeout/vaultTimeoutSettings.service.ts
rename to libs/common/src/services/vault-timeout/vault-timeout-settings.service.ts
index ae3c16e586..f34983b910 100644
--- a/libs/common/src/services/vaultTimeout/vaultTimeoutSettings.service.ts
+++ b/libs/common/src/services/vault-timeout/vault-timeout-settings.service.ts
@@ -1,17 +1,28 @@
-import { VaultTimeoutSettingsService as VaultTimeoutSettingsServiceAbstraction } from "../../abstractions/vaultTimeout/vaultTimeoutSettings.service";
+import { defer } from "rxjs";
+
+import { VaultTimeoutSettingsService as VaultTimeoutSettingsServiceAbstraction } from "../../abstractions/vault-timeout/vault-timeout-settings.service";
 import { PolicyService } from "../../admin-console/abstractions/policy/policy.service.abstraction";
 import { PolicyType } from "../../admin-console/enums";
 import { TokenService } from "../../auth/abstractions/token.service";
+import { UserVerificationService } from "../../auth/abstractions/user-verification/user-verification.service.abstraction";
 import { VaultTimeoutAction } from "../../enums/vault-timeout-action.enum";
 import { CryptoService } from "../../platform/abstractions/crypto.service";
 import { StateService } from "../../platform/abstractions/state.service";
 
+/**
+ * - DISABLED: No Pin set
+ * - PERSISTENT: Pin is set and survives client reset
+ * - TRANSIENT: Pin is set and requires password unlock after client reset
+ */
+export type PinLockType = "DISABLED" | "PERSISTANT" | "TRANSIENT";
+
 export class VaultTimeoutSettingsService implements VaultTimeoutSettingsServiceAbstraction {
   constructor(
     private cryptoService: CryptoService,
     private tokenService: TokenService,
     private policyService: PolicyService,
-    private stateService: StateService
+    private stateService: StateService,
+    private userVerificationService: UserVerificationService
   ) {}
 
   async setVaultTimeoutOptions(timeout: number, action: VaultTimeoutAction): Promise<void> {
@@ -41,21 +52,35 @@ export class VaultTimeoutSettingsService implements VaultTimeoutSettingsServiceA
     await this.tokenService.setClientId(clientId);
     await this.tokenService.setClientSecret(clientSecret);
 
-    await this.cryptoService.toggleKey();
+    await this.cryptoService.refreshAdditionalKeys();
   }
 
-  async isPinLockSet(): Promise<[boolean, boolean]> {
-    const protectedPin = await this.stateService.getProtectedPin();
-    const pinProtectedKey = await this.stateService.getEncryptedPinProtected();
-    return [protectedPin != null, pinProtectedKey != null];
+  availableVaultTimeoutActions$(userId?: string) {
+    return defer(() => this.getAvailableVaultTimeoutActions(userId));
   }
 
-  async isBiometricLockSet(): Promise<boolean> {
-    return await this.stateService.getBiometricUnlock();
+  async isPinLockSet(userId?: string): Promise<PinLockType> {
+    // we can't check the protected pin for both because old accounts only
+    // used it for MP on Restart
+    const pinIsEnabled = !!(await this.stateService.getProtectedPin({ userId }));
+    const aUserKeyPinIsSet = !!(await this.stateService.getPinKeyEncryptedUserKey({ userId }));
+    const anOldUserKeyPinIsSet = !!(await this.stateService.getEncryptedPinProtected({ userId }));
+
+    if (aUserKeyPinIsSet || anOldUserKeyPinIsSet) {
+      return "PERSISTANT";
+    } else if (pinIsEnabled && !aUserKeyPinIsSet && !anOldUserKeyPinIsSet) {
+      return "TRANSIENT";
+    } else {
+      return "DISABLED";
+    }
+  }
+
+  async isBiometricLockSet(userId?: string): Promise<boolean> {
+    return await this.stateService.getBiometricUnlock({ userId });
   }
 
   async getVaultTimeout(userId?: string): Promise<number> {
-    const vaultTimeout = await this.stateService.getVaultTimeout({ userId: userId });
+    const vaultTimeout = await this.stateService.getVaultTimeout({ userId });
 
     if (
       await this.policyService.policyAppliesToUser(PolicyType.MaximumVaultTimeout, null, userId)
@@ -68,9 +93,11 @@ export class VaultTimeoutSettingsService implements VaultTimeoutSettingsServiceA
         timeout = policy[0].data.minutes;
       }
 
+      // TODO @jlf0dev: Can we move this somwhere else? Maybe add it to the initialization process?
+      // ( Apparently I'm the one that reviewed the original PR that added this :) )
       // We really shouldn't need to set the value here, but multiple services relies on this value being correct.
       if (vaultTimeout !== timeout) {
-        await this.stateService.setVaultTimeout(timeout, { userId: userId });
+        await this.stateService.setVaultTimeout(timeout, { userId });
       }
 
       return timeout;
@@ -79,22 +106,40 @@ export class VaultTimeoutSettingsService implements VaultTimeoutSettingsServiceA
     return vaultTimeout;
   }
 
+  vaultTimeoutAction$(userId?: string) {
+    return defer(() => this.getVaultTimeoutAction(userId));
+  }
+
   async getVaultTimeoutAction(userId?: string): Promise<VaultTimeoutAction> {
-    let vaultTimeoutAction = await this.stateService.getVaultTimeoutAction({ userId: userId });
+    const availableActions = await this.getAvailableVaultTimeoutActions();
+    if (availableActions.length === 1) {
+      return availableActions[0];
+    }
+
+    const vaultTimeoutAction = await this.stateService.getVaultTimeoutAction({ userId: userId });
 
     if (
       await this.policyService.policyAppliesToUser(PolicyType.MaximumVaultTimeout, null, userId)
     ) {
       const policy = await this.policyService.getAll(PolicyType.MaximumVaultTimeout, userId);
       const action = policy[0].data.action;
-
-      if (action) {
-        // We really shouldn't need to set the value here, but multiple services relies on this value being correct.
-        if (action && vaultTimeoutAction !== action) {
-          await this.stateService.setVaultTimeoutAction(action, { userId: userId });
-        }
-        vaultTimeoutAction = action;
+      // We really shouldn't need to set the value here, but multiple services relies on this value being correct.
+      if (action && vaultTimeoutAction !== action) {
+        await this.stateService.setVaultTimeoutAction(action, { userId: userId });
       }
+      if (action && availableActions.includes(action)) {
+        return action;
+      }
+    }
+
+    if (vaultTimeoutAction == null) {
+      // Depends on whether or not the user has a master password
+      const defaultValue = (await this.userVerificationService.hasMasterPassword())
+        ? VaultTimeoutAction.Lock
+        : VaultTimeoutAction.LogOut;
+      // We really shouldn't need to set the value here, but multiple services relies on this value being correct.
+      await this.stateService.setVaultTimeoutAction(defaultValue, { userId: userId });
+      return defaultValue;
     }
 
     return vaultTimeoutAction === VaultTimeoutAction.LogOut
@@ -102,9 +147,23 @@ export class VaultTimeoutSettingsService implements VaultTimeoutSettingsServiceA
       : VaultTimeoutAction.Lock;
   }
 
+  private async getAvailableVaultTimeoutActions(userId?: string): Promise<VaultTimeoutAction[]> {
+    const availableActions = [VaultTimeoutAction.LogOut];
+
+    const canLock =
+      (await this.userVerificationService.hasMasterPassword(userId)) ||
+      (await this.isPinLockSet(userId)) !== "DISABLED" ||
+      (await this.isBiometricLockSet(userId));
+
+    if (canLock) {
+      availableActions.push(VaultTimeoutAction.Lock);
+    }
+
+    return availableActions;
+  }
+
   async clear(userId?: string): Promise<void> {
     await this.stateService.setEverBeenUnlocked(false, { userId: userId });
-    await this.stateService.setDecryptedPinProtected(null, { userId: userId });
-    await this.stateService.setProtectedPin(null, { userId: userId });
+    await this.cryptoService.clearPinKeys(userId);
   }
 }
diff --git a/libs/common/src/services/vaultTimeout/vaultTimeout.service.ts b/libs/common/src/services/vault-timeout/vault-timeout.service.ts
similarity index 79%
rename from libs/common/src/services/vaultTimeout/vaultTimeout.service.ts
rename to libs/common/src/services/vault-timeout/vault-timeout.service.ts
index 169273bdfd..0fbbf51bd6 100644
--- a/libs/common/src/services/vaultTimeout/vaultTimeout.service.ts
+++ b/libs/common/src/services/vault-timeout/vault-timeout.service.ts
@@ -1,10 +1,9 @@
 import { firstValueFrom } from "rxjs";
 
 import { SearchService } from "../../abstractions/search.service";
-import { VaultTimeoutService as VaultTimeoutServiceAbstraction } from "../../abstractions/vaultTimeout/vaultTimeout.service";
-import { VaultTimeoutSettingsService } from "../../abstractions/vaultTimeout/vaultTimeoutSettings.service";
+import { VaultTimeoutSettingsService } from "../../abstractions/vault-timeout/vault-timeout-settings.service";
+import { VaultTimeoutService as VaultTimeoutServiceAbstraction } from "../../abstractions/vault-timeout/vault-timeout.service";
 import { AuthService } from "../../auth/abstractions/auth.service";
-import { KeyConnectorService } from "../../auth/abstractions/key-connector.service";
 import { AuthenticationStatus } from "../../auth/enums/authentication-status";
 import { VaultTimeoutAction } from "../../enums/vault-timeout-action.enum";
 import { CryptoService } from "../../platform/abstractions/crypto.service";
@@ -26,7 +25,6 @@ export class VaultTimeoutService implements VaultTimeoutServiceAbstraction {
     protected platformUtilsService: PlatformUtilsService,
     private messagingService: MessagingService,
     private searchService: SearchService,
-    private keyConnectorService: KeyConnectorService,
     private stateService: StateService,
     private authService: AuthService,
     private vaultTimeoutSettingsService: VaultTimeoutSettingsService,
@@ -34,10 +32,12 @@ export class VaultTimeoutService implements VaultTimeoutServiceAbstraction {
     private loggedOutCallback: (expired: boolean, userId?: string) => Promise<void> = null
   ) {}
 
-  init(checkOnInterval: boolean) {
+  async init(checkOnInterval: boolean) {
     if (this.inited) {
       return;
     }
+    // TODO: Remove after 2023.10 release (https://bitwarden.atlassian.net/browse/PM-3483)
+    await this.migrateKeyForNeverLockIfNeeded();
 
     this.inited = true;
     if (checkOnInterval) {
@@ -69,14 +69,12 @@ export class VaultTimeoutService implements VaultTimeoutServiceAbstraction {
       return;
     }
 
-    if (await this.keyConnectorService.getUsesKeyConnector()) {
-      const pinSet = await this.vaultTimeoutSettingsService.isPinLockSet();
-      const pinLock =
-        (pinSet[0] && (await this.stateService.getDecryptedPinProtected()) != null) || pinSet[1];
-
-      if (!pinLock && !(await this.vaultTimeoutSettingsService.isBiometricLockSet())) {
-        await this.logOut(userId);
-      }
+    const availableActions = await firstValueFrom(
+      this.vaultTimeoutSettingsService.availableVaultTimeoutActions$()
+    );
+    const supportsLock = availableActions.includes(VaultTimeoutAction.Lock);
+    if (!supportsLock) {
+      await this.logOut(userId);
     }
 
     if (userId == null || userId === (await this.stateService.getUserId())) {
@@ -85,12 +83,13 @@ export class VaultTimeoutService implements VaultTimeoutServiceAbstraction {
     }
 
     await this.stateService.setEverBeenUnlocked(true, { userId: userId });
+    await this.stateService.setUserKeyAutoUnlock(null, { userId: userId });
     await this.stateService.setCryptoMasterKeyAuto(null, { userId: userId });
 
-    await this.cryptoService.clearKey(false, userId);
+    await this.cryptoService.clearUserKey(false, userId);
+    await this.cryptoService.clearMasterKey(userId);
     await this.cryptoService.clearOrgKeys(true, userId);
     await this.cryptoService.clearKeyPair(true, userId);
-    await this.cryptoService.clearEncKey(true, userId);
 
     await this.cipherService.clearCache(userId);
     await this.collectionService.clearCache(userId);
@@ -133,9 +132,20 @@ export class VaultTimeoutService implements VaultTimeoutServiceAbstraction {
   }
 
   private async executeTimeoutAction(userId: string): Promise<void> {
-    const timeoutAction = await this.vaultTimeoutSettingsService.getVaultTimeoutAction(userId);
+    const timeoutAction = await firstValueFrom(
+      this.vaultTimeoutSettingsService.vaultTimeoutAction$(userId)
+    );
     timeoutAction === VaultTimeoutAction.LogOut
       ? await this.logOut(userId)
       : await this.lock(userId);
   }
+
+  private async migrateKeyForNeverLockIfNeeded(): Promise<void> {
+    const accounts = await firstValueFrom(this.stateService.accounts$);
+    for (const userId in accounts) {
+      if (userId != null) {
+        await this.cryptoService.migrateAutoKeyIfNeeded(userId);
+      }
+    }
+  }
 }
diff --git a/libs/common/src/tools/generator/password/password-generation.service.ts b/libs/common/src/tools/generator/password/password-generation.service.ts
index 079d455c46..55bab173ce 100644
--- a/libs/common/src/tools/generator/password/password-generation.service.ts
+++ b/libs/common/src/tools/generator/password/password-generation.service.ts
@@ -336,7 +336,7 @@ export class PasswordGenerationService implements PasswordGenerationServiceAbstr
   }
 
   async getHistory(): Promise<GeneratedPasswordHistory[]> {
-    const hasKey = await this.cryptoService.hasKey();
+    const hasKey = await this.cryptoService.hasUserKey();
     if (!hasKey) {
       return new Array<GeneratedPasswordHistory>();
     }
@@ -356,7 +356,7 @@ export class PasswordGenerationService implements PasswordGenerationServiceAbstr
 
   async addHistory(password: string): Promise<void> {
     // Cannot add new history if no key is available
-    const hasKey = await this.cryptoService.hasKey();
+    const hasKey = await this.cryptoService.hasUserKey();
     if (!hasKey) {
       return;
     }
diff --git a/libs/common/src/tools/send/services/send.service.ts b/libs/common/src/tools/send/services/send.service.ts
index 2b4a268403..e1ddeae708 100644
--- a/libs/common/src/tools/send/services/send.service.ts
+++ b/libs/common/src/tools/send/services/send.service.ts
@@ -143,9 +143,9 @@ export class SendService implements InternalSendServiceAbstraction {
     }
 
     decSends = [];
-    const hasKey = await this.cryptoService.hasKey();
+    const hasKey = await this.cryptoService.hasUserKey();
     if (!hasKey) {
-      throw new Error("No key.");
+      throw new Error("No user key found.");
     }
 
     const promises: Promise<any>[] = [];
@@ -249,7 +249,7 @@ export class SendService implements InternalSendServiceAbstraction {
     const sends = Object.values(sendsMap || {}).map((f) => new Send(f));
     this._sends.next(sends);
 
-    if (await this.cryptoService.hasKey()) {
+    if (await this.cryptoService.hasUserKey()) {
       this._sendViews.next(await this.decryptSends(sends));
     }
   }
diff --git a/libs/common/src/vault/models/domain/attachment.spec.ts b/libs/common/src/vault/models/domain/attachment.spec.ts
index 2d58118959..0af7df73e1 100644
--- a/libs/common/src/vault/models/domain/attachment.spec.ts
+++ b/libs/common/src/vault/models/domain/attachment.spec.ts
@@ -3,8 +3,12 @@ import { mock, MockProxy } from "jest-mock-extended";
 import { makeStaticByteArray, mockEnc, mockFromJson } from "../../../../spec";
 import { CryptoService } from "../../../platform/abstractions/crypto.service";
 import { EncryptService } from "../../../platform/abstractions/encrypt.service";
-import { EncString } from "../../../platform/models/domain/enc-string";
-import { SymmetricCryptoKey } from "../../../platform/models/domain/symmetric-crypto-key";
+import { EncryptedString, EncString } from "../../../platform/models/domain/enc-string";
+import {
+  OrgKey,
+  SymmetricCryptoKey,
+  UserKey,
+} from "../../../platform/models/domain/symmetric-crypto-key";
 import { ContainerService } from "../../../platform/services/container.service";
 import { AttachmentData } from "../../models/data/attachment.data";
 import { Attachment } from "../../models/domain/attachment";
@@ -105,12 +109,12 @@ describe("Attachment", () => {
 
         await attachment.decrypt(null, providedKey);
 
-        expect(cryptoService.getKeyForUserEncryption).not.toHaveBeenCalled();
+        expect(cryptoService.getUserKeyWithLegacySupport).not.toHaveBeenCalled();
         expect(encryptService.decryptToBytes).toHaveBeenCalledWith(attachment.key, providedKey);
       });
 
       it("gets an organization key if required", async () => {
-        const orgKey = mock<SymmetricCryptoKey>();
+        const orgKey = mock<OrgKey>();
         cryptoService.getOrgKey.calledWith("orgId").mockResolvedValue(orgKey);
 
         await attachment.decrypt("orgId", null);
@@ -120,12 +124,12 @@ describe("Attachment", () => {
       });
 
       it("gets the user's decryption key if required", async () => {
-        const userKey = mock<SymmetricCryptoKey>();
-        cryptoService.getKeyForUserEncryption.mockResolvedValue(userKey);
+        const userKey = mock<UserKey>();
+        cryptoService.getUserKeyWithLegacySupport.mockResolvedValue(userKey);
 
         await attachment.decrypt(null, null);
 
-        expect(cryptoService.getKeyForUserEncryption).toHaveBeenCalled();
+        expect(cryptoService.getUserKeyWithLegacySupport).toHaveBeenCalled();
         expect(encryptService.decryptToBytes).toHaveBeenCalledWith(attachment.key, userKey);
       });
     });
@@ -136,8 +140,8 @@ describe("Attachment", () => {
       jest.spyOn(EncString, "fromJSON").mockImplementation(mockFromJson);
 
       const actual = Attachment.fromJSON({
-        key: "myKey",
-        fileName: "myFileName",
+        key: "myKey" as EncryptedString,
+        fileName: "myFileName" as EncryptedString,
       });
 
       expect(actual).toEqual({
diff --git a/libs/common/src/vault/models/domain/attachment.ts b/libs/common/src/vault/models/domain/attachment.ts
index a5e0aa9d4e..1caa290fd6 100644
--- a/libs/common/src/vault/models/domain/attachment.ts
+++ b/libs/common/src/vault/models/domain/attachment.ts
@@ -71,7 +71,7 @@ export class Attachment extends Domain {
     const cryptoService = Utils.getContainerService().getCryptoService();
     return orgId != null
       ? await cryptoService.getOrgKey(orgId)
-      : await cryptoService.getKeyForUserEncryption();
+      : await cryptoService.getUserKeyWithLegacySupport();
   }
 
   toAttachmentData(): AttachmentData {
diff --git a/libs/common/src/vault/models/domain/card.spec.ts b/libs/common/src/vault/models/domain/card.spec.ts
index b84e868353..a7011966d9 100644
--- a/libs/common/src/vault/models/domain/card.spec.ts
+++ b/libs/common/src/vault/models/domain/card.spec.ts
@@ -1,5 +1,5 @@
 import { mockEnc, mockFromJson } from "../../../../spec";
-import { EncString } from "../../../platform/models/domain/enc-string";
+import { EncryptedString, EncString } from "../../../platform/models/domain/enc-string";
 import { CardData } from "../../../vault/models/data/card.data";
 import { Card } from "../../models/domain/card";
 
@@ -76,12 +76,12 @@ describe("Card", () => {
       jest.spyOn(EncString, "fromJSON").mockImplementation(mockFromJson);
 
       const actual = Card.fromJSON({
-        cardholderName: "mockCardHolder",
-        brand: "mockBrand",
-        number: "mockNumber",
-        expMonth: "mockExpMonth",
-        expYear: "mockExpYear",
-        code: "mockCode",
+        cardholderName: "mockCardHolder" as EncryptedString,
+        brand: "mockBrand" as EncryptedString,
+        number: "mockNumber" as EncryptedString,
+        expMonth: "mockExpMonth" as EncryptedString,
+        expYear: "mockExpYear" as EncryptedString,
+        code: "mockCode" as EncryptedString,
       });
 
       expect(actual).toEqual({
diff --git a/libs/common/src/vault/models/domain/field.spec.ts b/libs/common/src/vault/models/domain/field.spec.ts
index aab8d933a3..8aa77b78a5 100644
--- a/libs/common/src/vault/models/domain/field.spec.ts
+++ b/libs/common/src/vault/models/domain/field.spec.ts
@@ -1,6 +1,6 @@
 import { mockEnc, mockFromJson } from "../../../../spec";
 import { FieldType } from "../../../enums";
-import { EncString } from "../../../platform/models/domain/enc-string";
+import { EncryptedString, EncString } from "../../../platform/models/domain/enc-string";
 import { FieldData } from "../../models/data/field.data";
 import { Field } from "../../models/domain/field";
 
@@ -67,8 +67,8 @@ describe("Field", () => {
       jest.spyOn(EncString, "fromJSON").mockImplementation(mockFromJson);
 
       const actual = Field.fromJSON({
-        name: "myName",
-        value: "myValue",
+        name: "myName" as EncryptedString,
+        value: "myValue" as EncryptedString,
       });
 
       expect(actual).toEqual({
diff --git a/libs/common/src/vault/models/domain/folder.spec.ts b/libs/common/src/vault/models/domain/folder.spec.ts
index 686a8b886e..69134d19cf 100644
--- a/libs/common/src/vault/models/domain/folder.spec.ts
+++ b/libs/common/src/vault/models/domain/folder.spec.ts
@@ -1,5 +1,5 @@
 import { mockEnc, mockFromJson } from "../../../../spec";
-import { EncString } from "../../../platform/models/domain/enc-string";
+import { EncryptedString, EncString } from "../../../platform/models/domain/enc-string";
 import { FolderData } from "../../models/data/folder.data";
 import { Folder } from "../../models/domain/folder";
 
@@ -47,7 +47,7 @@ describe("Folder", () => {
       const revisionDate = new Date("2022-08-04T01:06:40.441Z");
       const actual = Folder.fromJSON({
         revisionDate: revisionDate.toISOString(),
-        name: "name",
+        name: "name" as EncryptedString,
         id: "id",
       });
 
diff --git a/libs/common/src/vault/models/domain/identity.spec.ts b/libs/common/src/vault/models/domain/identity.spec.ts
index 929124fd87..3a95138998 100644
--- a/libs/common/src/vault/models/domain/identity.spec.ts
+++ b/libs/common/src/vault/models/domain/identity.spec.ts
@@ -1,5 +1,5 @@
 import { mockEnc, mockFromJson } from "../../../../spec";
-import { EncString } from "../../../platform/models/domain/enc-string";
+import { EncryptedString, EncString } from "../../../platform/models/domain/enc-string";
 import { IdentityData } from "../../models/data/identity.data";
 import { Identity } from "../../models/domain/identity";
 
@@ -137,24 +137,24 @@ describe("Identity", () => {
       jest.spyOn(EncString, "fromJSON").mockImplementation(mockFromJson);
 
       const actual = Identity.fromJSON({
-        firstName: "mockFirstName",
-        lastName: "mockLastName",
-        address1: "mockAddress1",
-        address2: "mockAddress2",
-        address3: "mockAddress3",
-        city: "mockCity",
-        company: "mockCompany",
-        country: "mockCountry",
-        email: "mockEmail",
-        licenseNumber: "mockLicenseNumber",
-        middleName: "mockMiddleName",
-        passportNumber: "mockPassportNumber",
-        phone: "mockPhone",
-        postalCode: "mockPostalCode",
-        ssn: "mockSsn",
-        state: "mockState",
-        title: "mockTitle",
-        username: "mockUsername",
+        firstName: "mockFirstName" as EncryptedString,
+        lastName: "mockLastName" as EncryptedString,
+        address1: "mockAddress1" as EncryptedString,
+        address2: "mockAddress2" as EncryptedString,
+        address3: "mockAddress3" as EncryptedString,
+        city: "mockCity" as EncryptedString,
+        company: "mockCompany" as EncryptedString,
+        country: "mockCountry" as EncryptedString,
+        email: "mockEmail" as EncryptedString,
+        licenseNumber: "mockLicenseNumber" as EncryptedString,
+        middleName: "mockMiddleName" as EncryptedString,
+        passportNumber: "mockPassportNumber" as EncryptedString,
+        phone: "mockPhone" as EncryptedString,
+        postalCode: "mockPostalCode" as EncryptedString,
+        ssn: "mockSsn" as EncryptedString,
+        state: "mockState" as EncryptedString,
+        title: "mockTitle" as EncryptedString,
+        username: "mockUsername" as EncryptedString,
       });
 
       expect(actual).toEqual({
diff --git a/libs/common/src/vault/models/domain/login.spec.ts b/libs/common/src/vault/models/domain/login.spec.ts
index 0ed847d596..4d35d0971d 100644
--- a/libs/common/src/vault/models/domain/login.spec.ts
+++ b/libs/common/src/vault/models/domain/login.spec.ts
@@ -3,7 +3,7 @@ import { Substitute, Arg } from "@fluffy-spoon/substitute";
 
 import { mockEnc, mockFromJson } from "../../../../spec";
 import { UriMatchType } from "../../../enums";
-import { EncString } from "../../../platform/models/domain/enc-string";
+import { EncryptedString, EncString } from "../../../platform/models/domain/enc-string";
 import { LoginData } from "../../models/data/login.data";
 import { Login } from "../../models/domain/login";
 import { LoginUri } from "../../models/domain/login-uri";
@@ -108,10 +108,10 @@ describe("Login DTO", () => {
 
       const actual = Login.fromJSON({
         uris: ["loginUri1", "loginUri2"] as any,
-        username: "myUsername",
-        password: "myPassword",
+        username: "myUsername" as EncryptedString,
+        password: "myPassword" as EncryptedString,
         passwordRevisionDate: passwordRevisionDate.toISOString(),
-        totp: "myTotp",
+        totp: "myTotp" as EncryptedString,
       });
 
       expect(actual).toEqual({
diff --git a/libs/common/src/vault/models/domain/password.spec.ts b/libs/common/src/vault/models/domain/password.spec.ts
index ccd2e77576..614b9639e5 100644
--- a/libs/common/src/vault/models/domain/password.spec.ts
+++ b/libs/common/src/vault/models/domain/password.spec.ts
@@ -1,5 +1,5 @@
 import { mockEnc, mockFromJson } from "../../../../spec";
-import { EncString } from "../../../platform/models/domain/enc-string";
+import { EncryptedString, EncString } from "../../../platform/models/domain/enc-string";
 import { PasswordHistoryData } from "../../models/data/password-history.data";
 import { Password } from "../../models/domain/password";
 
@@ -55,7 +55,7 @@ describe("Password", () => {
       const lastUsedDate = new Date("2022-01-31T12:00:00.000Z");
 
       const actual = Password.fromJSON({
-        password: "myPassword",
+        password: "myPassword" as EncryptedString,
         lastUsedDate: lastUsedDate.toISOString(),
       });
 
diff --git a/libs/common/src/vault/services/cipher.service.spec.ts b/libs/common/src/vault/services/cipher.service.spec.ts
index d6e631cfae..daaa6fbc91 100644
--- a/libs/common/src/vault/services/cipher.service.spec.ts
+++ b/libs/common/src/vault/services/cipher.service.spec.ts
@@ -9,7 +9,7 @@ import { CryptoService } from "../../platform/abstractions/crypto.service";
 import { EncryptService } from "../../platform/abstractions/encrypt.service";
 import { I18nService } from "../../platform/abstractions/i18n.service";
 import { StateService } from "../../platform/abstractions/state.service";
-import { SymmetricCryptoKey } from "../../platform/models/domain/symmetric-crypto-key";
+import { OrgKey, SymmetricCryptoKey } from "../../platform/models/domain/symmetric-crypto-key";
 import { CipherFileUploadService } from "../abstractions/file-upload/cipher-file-upload.service";
 import { CipherRepromptType } from "../enums/cipher-reprompt-type";
 import { CipherType } from "../enums/cipher-type";
@@ -118,11 +118,11 @@ describe("Cipher Service", () => {
   describe("saveAttachmentRawWithServer()", () => {
     it("should upload encrypted file contents with save attachments", async () => {
       const fileName = "filename";
-      const fileData = new Uint8Array(10).buffer;
+      const fileData = new Uint8Array(10);
       cryptoService.getOrgKey.mockReturnValue(
-        Promise.resolve<any>(new SymmetricCryptoKey(new Uint8Array(32)))
+        Promise.resolve<any>(new SymmetricCryptoKey(new Uint8Array(32)) as OrgKey)
       );
-      cryptoService.makeEncKey.mockReturnValue(
+      cryptoService.makeDataEncKey.mockReturnValue(
         Promise.resolve<any>(new SymmetricCryptoKey(new Uint8Array(32)))
       );
       const spy = jest.spyOn(cipherFileUploadService, "upload");
diff --git a/libs/common/src/vault/services/cipher.service.ts b/libs/common/src/vault/services/cipher.service.ts
index 3da3752702..52ca151dc5 100644
--- a/libs/common/src/vault/services/cipher.service.ts
+++ b/libs/common/src/vault/services/cipher.service.ts
@@ -13,7 +13,11 @@ import { Utils } from "../../platform/misc/utils";
 import Domain from "../../platform/models/domain/domain-base";
 import { EncArrayBuffer } from "../../platform/models/domain/enc-array-buffer";
 import { EncString } from "../../platform/models/domain/enc-string";
-import { SymmetricCryptoKey } from "../../platform/models/domain/symmetric-crypto-key";
+import {
+  OrgKey,
+  SymmetricCryptoKey,
+  UserKey,
+} from "../../platform/models/domain/symmetric-crypto-key";
 import { CipherService as CipherServiceAbstraction } from "../abstractions/cipher.service";
 import { CipherFileUploadService } from "../abstractions/file-upload/cipher-file-upload.service";
 import { CipherType } from "../enums/cipher-type";
@@ -325,14 +329,14 @@ export class CipherService implements CipherServiceAbstraction {
       return await this.getDecryptedCipherCache();
     }
 
-    const hasKey = await this.cryptoService.hasKey();
+    const hasKey = await this.cryptoService.hasUserKey();
     if (!hasKey) {
-      throw new Error("No key.");
+      throw new Error("No user key found.");
     }
 
     const ciphers = await this.getAll();
     const orgKeys = await this.cryptoService.getOrgKeys();
-    const userKey = await this.cryptoService.getKeyForUserEncryption();
+    const userKey = await this.cryptoService.getUserKeyWithLegacySupport();
 
     // Group ciphers by orgId or under 'null' for the user's ciphers
     const grouped = ciphers.reduce((agg, c) => {
@@ -636,14 +640,17 @@ export class CipherService implements CipherServiceAbstraction {
   async saveAttachmentRawWithServer(
     cipher: Cipher,
     filename: string,
-    data: ArrayBuffer,
+    data: Uint8Array,
     admin = false
   ): Promise<Cipher> {
-    const key = await this.cryptoService.getOrgKey(cipher.organizationId);
-    const encFileName = await this.cryptoService.encrypt(filename, key);
+    let encKey: UserKey | OrgKey;
+    encKey = await this.cryptoService.getOrgKey(cipher.organizationId);
+    encKey ||= await this.cryptoService.getUserKeyWithLegacySupport();
 
-    const dataEncKey = await this.cryptoService.makeEncKey(key);
-    const encData = await this.cryptoService.encryptToBytes(new Uint8Array(data), dataEncKey[0]);
+    const dataEncKey = await this.cryptoService.makeDataEncKey(encKey);
+
+    const encFileName = await this.encryptService.encrypt(filename, encKey);
+    const encData = await this.encryptService.encryptToBytes(data, dataEncKey[0]);
 
     const response = await this.cipherFileUploadService.upload(
       cipher,
@@ -970,11 +977,15 @@ export class CipherService implements CipherServiceAbstraction {
 
     const encBuf = await EncArrayBuffer.fromResponse(attachmentResponse);
     const decBuf = await this.cryptoService.decryptFromBytes(encBuf, null);
-    const key = await this.cryptoService.getOrgKey(organizationId);
-    const encFileName = await this.cryptoService.encrypt(attachmentView.fileName, key);
 
-    const dataEncKey = await this.cryptoService.makeEncKey(key);
-    const encData = await this.cryptoService.encryptToBytes(decBuf, dataEncKey[0]);
+    let encKey: UserKey | OrgKey;
+    encKey = await this.cryptoService.getOrgKey(organizationId);
+    encKey ||= (await this.cryptoService.getUserKeyWithLegacySupport()) as UserKey;
+
+    const dataEncKey = await this.cryptoService.makeDataEncKey(encKey);
+
+    const encFileName = await this.encryptService.encrypt(attachmentView.fileName, encKey);
+    const encData = await this.encryptService.encryptToBytes(new Uint8Array(decBuf), dataEncKey[0]);
 
     const fd = new FormData();
     try {
diff --git a/libs/common/src/vault/services/collection.service.ts b/libs/common/src/vault/services/collection.service.ts
index c0148bddd7..277d40cc88 100644
--- a/libs/common/src/vault/services/collection.service.ts
+++ b/libs/common/src/vault/services/collection.service.ts
@@ -79,7 +79,7 @@ export class CollectionService implements CollectionServiceAbstraction {
       return decryptedCollections;
     }
 
-    const hasKey = await this.cryptoService.hasKey();
+    const hasKey = await this.cryptoService.hasUserKey();
     if (!hasKey) {
       throw new Error("No key.");
     }
diff --git a/libs/common/src/vault/services/folder/folder.service.ts b/libs/common/src/vault/services/folder/folder.service.ts
index 9f8645e87a..2244d7a458 100644
--- a/libs/common/src/vault/services/folder/folder.service.ts
+++ b/libs/common/src/vault/services/folder/folder.service.ts
@@ -173,7 +173,7 @@ export class FolderService implements InternalFolderServiceAbstraction {
 
     this._folders.next(folders);
 
-    if (await this.cryptoService.hasKey()) {
+    if (await this.cryptoService.hasUserKey()) {
       this._folderViews.next(await this.decryptFolders(folders));
     }
   }
diff --git a/libs/common/src/vault/services/sync/sync.service.ts b/libs/common/src/vault/services/sync/sync.service.ts
index b2c203b4e7..c8bd274a4d 100644
--- a/libs/common/src/vault/services/sync/sync.service.ts
+++ b/libs/common/src/vault/services/sync/sync.service.ts
@@ -303,8 +303,8 @@ export class SyncService implements SyncServiceAbstraction {
       throw new Error("Stamp has changed");
     }
 
-    await this.cryptoService.setEncKey(response.key);
-    await this.cryptoService.setEncPrivateKey(response.privateKey);
+    await this.cryptoService.setMasterKeyEncryptedUserKey(response.key);
+    await this.cryptoService.setPrivateKey(response.privateKey);
     await this.cryptoService.setProviderKeys(response.providers);
     await this.cryptoService.setOrgKeys(response.organizations, response.providerOrganizations);
     await this.stateService.setAvatarColor(response.avatarColor);
diff --git a/libs/exporter/src/vault-export/services/vault-export.service.spec.ts b/libs/exporter/src/vault-export/services/vault-export.service.spec.ts
index aa4a32805d..6b3224c865 100644
--- a/libs/exporter/src/vault-export/services/vault-export.service.spec.ts
+++ b/libs/exporter/src/vault-export/services/vault-export.service.spec.ts
@@ -8,7 +8,7 @@ import { CipherWithIdExport } from "@bitwarden/common/models/export/cipher-with-
 import { CryptoFunctionService } from "@bitwarden/common/platform/abstractions/crypto-function.service";
 import { CryptoService } from "@bitwarden/common/platform/abstractions/crypto.service";
 import { Utils } from "@bitwarden/common/platform/misc/utils";
-import { EncString } from "@bitwarden/common/platform/models/domain/enc-string";
+import { EncryptedString, EncString } from "@bitwarden/common/platform/models/domain/enc-string";
 import { StateService } from "@bitwarden/common/platform/services/state.service";
 import { CipherService } from "@bitwarden/common/vault/abstractions/cipher.service";
 import { FolderService } from "@bitwarden/common/vault/abstractions/folder/folder.service.abstraction";
@@ -94,7 +94,7 @@ function generateFolderView() {
 function generateFolder() {
   const actual = Folder.fromJSON({
     revisionDate: new Date("2022-08-04T01:06:40.441Z").toISOString(),
-    name: "name",
+    name: "name" as EncryptedString,
     id: "id",
   });
   return actual;
@@ -217,8 +217,8 @@ describe("VaultExportService", () => {
         mac = Substitute.for<EncString>();
         data = Substitute.for<EncString>();
 
-        mac.encryptedString.returns("mac");
-        data.encryptedString.returns("encData");
+        mac.encryptedString.returns("mac" as EncryptedString);
+        data.encryptedString.returns("encData" as EncryptedString);
 
         jest.spyOn(Utils, "fromBufferToB64").mockReturnValue(salt);
         cipherService.getAllDecrypted().resolves(UserCipherViews.slice(0, 1));