diff --git a/services/identity/src/client_service.rs b/services/identity/src/client_service.rs
--- a/services/identity/src/client_service.rs
+++ b/services/identity/src/client_service.rs
@@ -25,8 +25,8 @@
   RegistrationFinishRequest, RegistrationStartRequest,
   RegistrationStartResponse, RemoveReservedUsernameRequest,
   ReservedRegistrationStartRequest, ReservedWalletRegistrationRequest,
-  VerifyUserAccessTokenRequest, VerifyUserAccessTokenResponse,
-  WalletLoginRequest,
+  SecondaryDeviceKeysUploadRequest, VerifyUserAccessTokenRequest,
+  VerifyUserAccessTokenResponse, WalletLoginRequest,
 };
 use crate::grpc_services::shared::get_value;
 use crate::grpc_utils::DeviceKeyUploadActions;
@@ -590,6 +590,13 @@
     Ok(Response::new(response))
   }
 
+  async fn upload_keys_for_registered_device_and_log_in(
+    &self,
+    request: tonic::Request<SecondaryDeviceKeysUploadRequest>,
+  ) -> Result<tonic::Response<AuthResponse>, tonic::Status> {
+    Err(tonic::Status::unimplemented("unimplemented"))
+  }
+
   async fn generate_nonce(
     &self,
     _request: tonic::Request<Empty>,
diff --git a/services/identity/src/grpc_utils.rs b/services/identity/src/grpc_utils.rs
--- a/services/identity/src/grpc_utils.rs
+++ b/services/identity/src/grpc_utils.rs
@@ -10,7 +10,7 @@
     unauth::{
       DeviceKeyUpload, OpaqueLoginStartRequest, RegistrationStartRequest,
       ReservedRegistrationStartRequest, ReservedWalletRegistrationRequest,
-      WalletLoginRequest,
+      SecondaryDeviceKeysUploadRequest, WalletLoginRequest,
     },
   },
 };
@@ -93,6 +93,12 @@
   }
 }
 
+impl DeviceKeyUploadData for SecondaryDeviceKeysUploadRequest {
+  fn device_key_upload(&self) -> Option<&DeviceKeyUpload> {
+    self.device_key_upload.as_ref()
+  }
+}
+
 pub trait DeviceKeyUploadActions {
   fn payload(&self) -> Result<String, Status>;
   fn payload_signature(&self) -> Result<String, Status>;
diff --git a/shared/protos/identity_unauth.proto b/shared/protos/identity_unauth.proto
--- a/shared/protos/identity_unauth.proto
+++ b/shared/protos/identity_unauth.proto
@@ -26,6 +26,9 @@
   rpc RegisterReservedWalletUser(ReservedWalletRegistrationRequest) returns
     (AuthResponse) {}
 
+  rpc UploadKeysForRegisteredDeviceAndLogIn(SecondaryDeviceKeysUploadRequest)
+    returns (AuthResponse) {}
+
   // Sign-In with Ethereum actions
 
   // Called by clients to get a nonce for a Sign-In with Ethereum message
@@ -198,6 +201,16 @@
   string keyserver_signature = 5;
 }
 
+// UploadKeysForRegisteredDeviceAndLogIn
+
+message SecondaryDeviceKeysUploadRequest {
+  string user_id = 1;
+  string challenge_response = 2;
+  // Information specific to a user's device needed to open a new channel of
+  // communication with this user
+  DeviceKeyUpload device_key_upload = 3;
+}
+
 // GenerateNonce
 
 message GenerateNonceResponse{
diff --git a/web/protobufs/identity-unauth-structs.cjs b/web/protobufs/identity-unauth-structs.cjs
--- a/web/protobufs/identity-unauth-structs.cjs
+++ b/web/protobufs/identity-unauth-structs.cjs
@@ -42,6 +42,7 @@
 goog.exportSymbol('proto.identity.unauth.RemoveReservedUsernameRequest', null, global);
 goog.exportSymbol('proto.identity.unauth.ReservedRegistrationStartRequest', null, global);
 goog.exportSymbol('proto.identity.unauth.ReservedWalletRegistrationRequest', null, global);
+goog.exportSymbol('proto.identity.unauth.SecondaryDeviceKeysUploadRequest', null, global);
 goog.exportSymbol('proto.identity.unauth.VerifyUserAccessTokenRequest', null, global);
 goog.exportSymbol('proto.identity.unauth.VerifyUserAccessTokenResponse', null, global);
 goog.exportSymbol('proto.identity.unauth.WalletLoginRequest', null, global);
@@ -339,6 +340,27 @@
    */
   proto.identity.unauth.ReservedWalletRegistrationRequest.displayName = 'proto.identity.unauth.ReservedWalletRegistrationRequest';
 }
+/**
+ * Generated by JsPbCodeGenerator.
+ * @param {Array=} opt_data Optional initial data array, typically from a
+ * server response, or constructed directly in Javascript. The array is used
+ * in place and becomes part of the constructed object. It is not cloned.
+ * If no data is provided, the constructed object will be empty, but still
+ * valid.
+ * @extends {jspb.Message}
+ * @constructor
+ */
+proto.identity.unauth.SecondaryDeviceKeysUploadRequest = function(opt_data) {
+  jspb.Message.initialize(this, opt_data, 0, -1, null, null);
+};
+goog.inherits(proto.identity.unauth.SecondaryDeviceKeysUploadRequest, jspb.Message);
+if (goog.DEBUG && !COMPILED) {
+  /**
+   * @public
+   * @override
+   */
+  proto.identity.unauth.SecondaryDeviceKeysUploadRequest.displayName = 'proto.identity.unauth.SecondaryDeviceKeysUploadRequest';
+}
 /**
  * Generated by JsPbCodeGenerator.
  * @param {Array=} opt_data Optional initial data array, typically from a
@@ -3489,6 +3511,217 @@
 
 
 
+if (jspb.Message.GENERATE_TO_OBJECT) {
+/**
+ * Creates an object representation of this proto.
+ * Field names that are reserved in JavaScript and will be renamed to pb_name.
+ * Optional fields that are not set will be set to undefined.
+ * To access a reserved field use, foo.pb_<name>, eg, foo.pb_default.
+ * For the list of reserved names please see:
+ *     net/proto2/compiler/js/internal/generator.cc#kKeyword.
+ * @param {boolean=} opt_includeInstance Deprecated. whether to include the
+ *     JSPB instance for transitional soy proto support:
+ *     http://goto/soy-param-migration
+ * @return {!Object}
+ */
+proto.identity.unauth.SecondaryDeviceKeysUploadRequest.prototype.toObject = function(opt_includeInstance) {
+  return proto.identity.unauth.SecondaryDeviceKeysUploadRequest.toObject(opt_includeInstance, this);
+};
+
+
+/**
+ * Static version of the {@see toObject} method.
+ * @param {boolean|undefined} includeInstance Deprecated. Whether to include
+ *     the JSPB instance for transitional soy proto support:
+ *     http://goto/soy-param-migration
+ * @param {!proto.identity.unauth.SecondaryDeviceKeysUploadRequest} msg The msg instance to transform.
+ * @return {!Object}
+ * @suppress {unusedLocalVariables} f is only used for nested messages
+ */
+proto.identity.unauth.SecondaryDeviceKeysUploadRequest.toObject = function(includeInstance, msg) {
+  var f, obj = {
+    userId: jspb.Message.getFieldWithDefault(msg, 1, ""),
+    challengeResponse: jspb.Message.getFieldWithDefault(msg, 2, ""),
+    deviceKeyUpload: (f = msg.getDeviceKeyUpload()) && proto.identity.unauth.DeviceKeyUpload.toObject(includeInstance, f)
+  };
+
+  if (includeInstance) {
+    obj.$jspbMessageInstance = msg;
+  }
+  return obj;
+};
+}
+
+
+/**
+ * Deserializes binary data (in protobuf wire format).
+ * @param {jspb.ByteSource} bytes The bytes to deserialize.
+ * @return {!proto.identity.unauth.SecondaryDeviceKeysUploadRequest}
+ */
+proto.identity.unauth.SecondaryDeviceKeysUploadRequest.deserializeBinary = function(bytes) {
+  var reader = new jspb.BinaryReader(bytes);
+  var msg = new proto.identity.unauth.SecondaryDeviceKeysUploadRequest;
+  return proto.identity.unauth.SecondaryDeviceKeysUploadRequest.deserializeBinaryFromReader(msg, reader);
+};
+
+
+/**
+ * Deserializes binary data (in protobuf wire format) from the
+ * given reader into the given message object.
+ * @param {!proto.identity.unauth.SecondaryDeviceKeysUploadRequest} msg The message object to deserialize into.
+ * @param {!jspb.BinaryReader} reader The BinaryReader to use.
+ * @return {!proto.identity.unauth.SecondaryDeviceKeysUploadRequest}
+ */
+proto.identity.unauth.SecondaryDeviceKeysUploadRequest.deserializeBinaryFromReader = function(msg, reader) {
+  while (reader.nextField()) {
+    if (reader.isEndGroup()) {
+      break;
+    }
+    var field = reader.getFieldNumber();
+    switch (field) {
+    case 1:
+      var value = /** @type {string} */ (reader.readString());
+      msg.setUserId(value);
+      break;
+    case 2:
+      var value = /** @type {string} */ (reader.readString());
+      msg.setChallengeResponse(value);
+      break;
+    case 3:
+      var value = new proto.identity.unauth.DeviceKeyUpload;
+      reader.readMessage(value,proto.identity.unauth.DeviceKeyUpload.deserializeBinaryFromReader);
+      msg.setDeviceKeyUpload(value);
+      break;
+    default:
+      reader.skipField();
+      break;
+    }
+  }
+  return msg;
+};
+
+
+/**
+ * Serializes the message to binary data (in protobuf wire format).
+ * @return {!Uint8Array}
+ */
+proto.identity.unauth.SecondaryDeviceKeysUploadRequest.prototype.serializeBinary = function() {
+  var writer = new jspb.BinaryWriter();
+  proto.identity.unauth.SecondaryDeviceKeysUploadRequest.serializeBinaryToWriter(this, writer);
+  return writer.getResultBuffer();
+};
+
+
+/**
+ * Serializes the given message to binary data (in protobuf wire
+ * format), writing to the given BinaryWriter.
+ * @param {!proto.identity.unauth.SecondaryDeviceKeysUploadRequest} message
+ * @param {!jspb.BinaryWriter} writer
+ * @suppress {unusedLocalVariables} f is only used for nested messages
+ */
+proto.identity.unauth.SecondaryDeviceKeysUploadRequest.serializeBinaryToWriter = function(message, writer) {
+  var f = undefined;
+  f = message.getUserId();
+  if (f.length > 0) {
+    writer.writeString(
+      1,
+      f
+    );
+  }
+  f = message.getChallengeResponse();
+  if (f.length > 0) {
+    writer.writeString(
+      2,
+      f
+    );
+  }
+  f = message.getDeviceKeyUpload();
+  if (f != null) {
+    writer.writeMessage(
+      3,
+      f,
+      proto.identity.unauth.DeviceKeyUpload.serializeBinaryToWriter
+    );
+  }
+};
+
+
+/**
+ * optional string user_id = 1;
+ * @return {string}
+ */
+proto.identity.unauth.SecondaryDeviceKeysUploadRequest.prototype.getUserId = function() {
+  return /** @type {string} */ (jspb.Message.getFieldWithDefault(this, 1, ""));
+};
+
+
+/**
+ * @param {string} value
+ * @return {!proto.identity.unauth.SecondaryDeviceKeysUploadRequest} returns this
+ */
+proto.identity.unauth.SecondaryDeviceKeysUploadRequest.prototype.setUserId = function(value) {
+  return jspb.Message.setProto3StringField(this, 1, value);
+};
+
+
+/**
+ * optional string challenge_response = 2;
+ * @return {string}
+ */
+proto.identity.unauth.SecondaryDeviceKeysUploadRequest.prototype.getChallengeResponse = function() {
+  return /** @type {string} */ (jspb.Message.getFieldWithDefault(this, 2, ""));
+};
+
+
+/**
+ * @param {string} value
+ * @return {!proto.identity.unauth.SecondaryDeviceKeysUploadRequest} returns this
+ */
+proto.identity.unauth.SecondaryDeviceKeysUploadRequest.prototype.setChallengeResponse = function(value) {
+  return jspb.Message.setProto3StringField(this, 2, value);
+};
+
+
+/**
+ * optional DeviceKeyUpload device_key_upload = 3;
+ * @return {?proto.identity.unauth.DeviceKeyUpload}
+ */
+proto.identity.unauth.SecondaryDeviceKeysUploadRequest.prototype.getDeviceKeyUpload = function() {
+  return /** @type{?proto.identity.unauth.DeviceKeyUpload} */ (
+    jspb.Message.getWrapperField(this, proto.identity.unauth.DeviceKeyUpload, 3));
+};
+
+
+/**
+ * @param {?proto.identity.unauth.DeviceKeyUpload|undefined} value
+ * @return {!proto.identity.unauth.SecondaryDeviceKeysUploadRequest} returns this
+*/
+proto.identity.unauth.SecondaryDeviceKeysUploadRequest.prototype.setDeviceKeyUpload = function(value) {
+  return jspb.Message.setWrapperField(this, 3, value);
+};
+
+
+/**
+ * Clears the message field making it undefined.
+ * @return {!proto.identity.unauth.SecondaryDeviceKeysUploadRequest} returns this
+ */
+proto.identity.unauth.SecondaryDeviceKeysUploadRequest.prototype.clearDeviceKeyUpload = function() {
+  return this.setDeviceKeyUpload(undefined);
+};
+
+
+/**
+ * Returns whether this field is set.
+ * @return {boolean}
+ */
+proto.identity.unauth.SecondaryDeviceKeysUploadRequest.prototype.hasDeviceKeyUpload = function() {
+  return jspb.Message.getField(this, 3) != null;
+};
+
+
+
+
+
 if (jspb.Message.GENERATE_TO_OBJECT) {
 /**
  * Creates an object representation of this proto.
diff --git a/web/protobufs/identity-unauth-structs.cjs.flow b/web/protobufs/identity-unauth-structs.cjs.flow
--- a/web/protobufs/identity-unauth-structs.cjs.flow
+++ b/web/protobufs/identity-unauth-structs.cjs.flow
@@ -368,6 +368,31 @@
   keyserverSignature: string,
 };
 
+declare export class SecondaryDeviceKeysUploadRequest extends Message {
+  getUserId(): string;
+  setUserId(value: string): SecondaryDeviceKeysUploadRequest;
+
+  getChallengeResponse(): string;
+  setChallengeResponse(value: string): SecondaryDeviceKeysUploadRequest;
+
+  getDeviceKeyUpload(): DeviceKeyUpload | void;
+  setDeviceKeyUpload(value?: DeviceKeyUpload): SecondaryDeviceKeysUploadRequest;
+  hasDeviceKeyUpload(): boolean;
+  clearDeviceKeyUpload(): SecondaryDeviceKeysUploadRequest;
+
+  serializeBinary(): Uint8Array;
+  toObject(includeInstance?: boolean): SecondaryDeviceKeysUploadRequestObject;
+  static toObject(includeInstance: boolean, msg: SecondaryDeviceKeysUploadRequest): SecondaryDeviceKeysUploadRequestObject;
+  static serializeBinaryToWriter(message: SecondaryDeviceKeysUploadRequest, writer: BinaryWriter): void;
+  static deserializeBinary(bytes: Uint8Array): SecondaryDeviceKeysUploadRequest;
+  static deserializeBinaryFromReader(message: SecondaryDeviceKeysUploadRequest, reader: BinaryReader): SecondaryDeviceKeysUploadRequest;
+}
+
+export type SecondaryDeviceKeysUploadRequestObject = {
+  userId: string,
+  deviceKeyUpload?: DeviceKeyUploadObject,
+}
+
 declare export class GenerateNonceResponse extends Message {
   getNonce(): string;
   setNonce(value: string): GenerateNonceResponse;
diff --git a/web/protobufs/identity-unauth.cjs b/web/protobufs/identity-unauth.cjs
--- a/web/protobufs/identity-unauth.cjs
+++ b/web/protobufs/identity-unauth.cjs
@@ -503,6 +503,67 @@
 };
 
 
+/**
+ * @const
+ * @type {!grpc.web.MethodDescriptor<
+ *   !proto.identity.unauth.SecondaryDeviceKeysUploadRequest,
+ *   !proto.identity.unauth.AuthResponse>}
+ */
+const methodDescriptor_IdentityClientService_UploadKeysForRegisteredDeviceAndLogIn = new grpc.web.MethodDescriptor(
+  '/identity.unauth.IdentityClientService/UploadKeysForRegisteredDeviceAndLogIn',
+  grpc.web.MethodType.UNARY,
+  proto.identity.unauth.SecondaryDeviceKeysUploadRequest,
+  proto.identity.unauth.AuthResponse,
+  /**
+   * @param {!proto.identity.unauth.SecondaryDeviceKeysUploadRequest} request
+   * @return {!Uint8Array}
+   */
+  function(request) {
+    return request.serializeBinary();
+  },
+  proto.identity.unauth.AuthResponse.deserializeBinary
+);
+
+
+/**
+ * @param {!proto.identity.unauth.SecondaryDeviceKeysUploadRequest} request The
+ *     request proto
+ * @param {?Object<string, string>} metadata User defined
+ *     call metadata
+ * @param {function(?grpc.web.RpcError, ?proto.identity.unauth.AuthResponse)}
+ *     callback The callback function(error, response)
+ * @return {!grpc.web.ClientReadableStream<!proto.identity.unauth.AuthResponse>|undefined}
+ *     The XHR Node Readable Stream
+ */
+proto.identity.unauth.IdentityClientServiceClient.prototype.uploadKeysForRegisteredDeviceAndLogIn =
+    function(request, metadata, callback) {
+  return this.client_.rpcCall(this.hostname_ +
+      '/identity.unauth.IdentityClientService/UploadKeysForRegisteredDeviceAndLogIn',
+      request,
+      metadata || {},
+      methodDescriptor_IdentityClientService_UploadKeysForRegisteredDeviceAndLogIn,
+      callback);
+};
+
+
+/**
+ * @param {!proto.identity.unauth.SecondaryDeviceKeysUploadRequest} request The
+ *     request proto
+ * @param {?Object<string, string>=} metadata User defined
+ *     call metadata
+ * @return {!Promise<!proto.identity.unauth.AuthResponse>}
+ *     Promise that resolves to the response
+ */
+proto.identity.unauth.IdentityClientServicePromiseClient.prototype.uploadKeysForRegisteredDeviceAndLogIn =
+    function(request, metadata) {
+  return this.client_.unaryCall(this.hostname_ +
+      '/identity.unauth.IdentityClientService/UploadKeysForRegisteredDeviceAndLogIn',
+      request,
+      metadata || {},
+      methodDescriptor_IdentityClientService_UploadKeysForRegisteredDeviceAndLogIn);
+};
+
+
 /**
  * @const
  * @type {!grpc.web.MethodDescriptor<
@@ -870,3 +931,4 @@
 
 
 module.exports = proto.identity.unauth;
+
diff --git a/web/protobufs/identity-unauth.cjs.flow b/web/protobufs/identity-unauth.cjs.flow
--- a/web/protobufs/identity-unauth.cjs.flow
+++ b/web/protobufs/identity-unauth.cjs.flow
@@ -58,6 +58,13 @@
                response: identityStructs.AuthResponse) => void
   ): grpcWeb.ClientReadableStream<identityStructs.AuthResponse>;
 
+  uploadKeysForRegisteredDeviceAndLogIn(
+    request: identityStructs.SecondaryDeviceKeysUploadRequest,
+    metadata: grpcWeb.Metadata | void,
+    callback: (err: grpcWeb.RpcError,
+               response: identityStructs.AuthResponse) => void
+  ): grpcWeb.ClientReadableStream<identityStructs.AuthResponse>;
+
   generateNonce(
     request: identityStructs.Empty,
     metadata: grpcWeb.Metadata | void,
@@ -116,8 +123,7 @@
     request: identityStructs.ReservedRegistrationStartRequest,
     metadata?: grpcWeb.Metadata
   ): Promise<identityStructs.RegistrationStartResponse>;
-
-  registerPasswordUserFinish(
+registerPasswordUserFinish(
     request: identityStructs.RegistrationFinishRequest,
     metadata?: grpcWeb.Metadata
   ): Promise<identityStructs.AuthResponse>;
@@ -142,6 +148,11 @@
     metadata?: grpcWeb.Metadata
   ): Promise<identityStructs.AuthResponse>;
 
+  uploadKeysForRegisteredDeviceAndLogIn(
+    request: identityStructs.SecondaryDeviceKeysUploadRequest,
+    metadata?: grpcWeb.Metadata
+  ): Promise<identityStructs.AuthResponse>;
+
   generateNonce(
     request: identityStructs.Empty,
     metadata?: grpcWeb.Metadata