I originally wasn't going to do passwords, but after struggling with webauthn I decided I'd just go for it. It simplifies the code a lot if I assert that I always have a password, displayname, etc.
