diff --git a/services/identity/src/service.rs b/services/identity/src/service.rs --- a/services/identity/src/service.rs +++ b/services/identity/src/service.rs @@ -48,7 +48,8 @@ GetUserIdResponse, LoginRequest, LoginResponse, PakeLoginRequest as PakeLoginRequestStruct, PakeLoginResponse as PakeLoginResponseStruct, RegistrationRequest, - RegistrationResponse, VerifyUserTokenRequest, VerifyUserTokenResponse, + RegistrationResponse, UpdateUserRequest, UpdateUserResponse, + VerifyUserTokenRequest, VerifyUserTokenResponse, WalletLoginRequest as WalletLoginRequestStruct, WalletLoginResponse as WalletLoginResponseStruct, }; @@ -269,6 +270,18 @@ Err(e) => Err(handle_db_error(e)), } } + + #[instrument(skip(self))] + async fn update_user( + &self, + request: Request>, + ) -> Result, Status> { + unimplemented!(); + } + + type UpdateUserStream = Pin< + Box> + Send + 'static>, + >; } async fn put_token_helper( diff --git a/shared/protos/identity.proto b/shared/protos/identity.proto --- a/shared/protos/identity.proto +++ b/shared/protos/identity.proto @@ -22,6 +22,9 @@ rpc CompareUsers(CompareUsersRequest) returns (CompareUsersResponse) {} // Called by clients to get a nonce for a Sign-In with Ethereum message rpc GenerateNonce(GenerateNonceRequest) returns (GenerateNonceResponse) {} + + rpc UpdateUser(stream UpdateUserRequest) returns + (stream UpdateUserResponse) {} } // Helper types 
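Review bot: The new `update_user` handler in services/identity/src/service.rs ends in `unimplemented!()`, which panics, and the same commit publishes `UpdateUser` in identity.proto, so a call to the RPC produces a panic in the handler rather than a gRPC error. How far that panic propagates depends on the runtime and panic strategy, which are not visible here. Until the flow exists I would return the status explicitly, `Err(Status::unimplemented("UpdateUser is not implemented yet"))`, assuming `Status` is tonic's. Separately, `#[instrument(skip(self))]` keeps `request` as a span field; since this stream will carry `accessToken` and PAKE messages, `#[instrument(skip(self, request))]` keeps the request's Debug output out of trace logs. The enclosing `impl` block starts outside the hunk.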
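Review bot: The `UpdateUser` rpc added to the service block in shared/protos/identity.proto has no comment, while the neighbouring `GenerateNonce` rpc documents who calls it and why. A bidirectional stream needs its message order stated more than a unary call does. I would add above it `// Called by clients to change their password: PAKE registration followed by PAKE login on one stream`, and note there that the first message must be the `request` variant carrying the token. The service block starts and ends outside the hunk.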
@@ -177,3 +180,37 @@ message GenerateNonceResponse{ string nonce = 1; } + +// UpdateUser + +// For password updates, we need to redo the PAKE registration, then login the user +// using the new credentials. +message UpdatePasswordPakeRegistrationRequestAndToken { + // Used to authenticate user + string userID = 1; + string accessToken = 2; + // Message sent to initiate PAKE registration (step 1) + bytes pakeRegistrationRequest = 3; +} + +// Messages sent from a client to identity service +message UpdateUserRequest { + oneof data { + // Only need user information on initial call, subsequent PAKE commands + // can infer parameters from first Request + userID + UpdatePasswordPakeRegistrationRequestAndToken request = 1; + // We combine the last step of PAKE registration with the first step of PAKE + // login here to reduce the number of messages sent + PakeRegistrationUploadAndCredentialRequest + pakeRegistrationUploadAndCredentialRequest = 2; + bytes pakeLoginFinalizationMessage = 4; + } +} + +// Messages sent from identity service to a client +message UpdateUserResponse { + oneof data { + bytes pakeRegistrationResponse = 1; + PakeLoginResponse pakeLoginResponse = 2; + } +}
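Review bot: `UpdatePasswordPakeRegistrationRequestAndToken` authorises a password change with `userID` and `accessToken` alone, so anyone holding a valid access token can register a new password without proving knowledge of the current one. If that is not the intended policy, the flow needs a login proof with the old credentials before the new PAKE registration is accepted. The `oneof` in `UpdateUserRequest` also allows the variants in any order, so the handler has to reject a stream whose first message is not `request` and bind every later PAKE message to the user verified there. A comment on variant 1 such as `// Must be the first message on the stream; later messages are accepted only after accessToken has been verified for userID` would record that. That `oneof` also numbers its fields 1, 2, 4: either renumber `pakeLoginFinalizationMessage` to 3 before the wire format ships, or add `reserved 3;` to the message with the reason.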