diff --git a/client/auth/authenticate.vue b/client/auth/authenticate.vue
deleted file mode 100644
index f28b806..0000000
--- a/client/auth/authenticate.vue
+++ /dev/null
@@ -1,137 +0,0 @@
-
-<template>
-<div>
-    <div class="ui main text container" style="margin-top: 80px;">
-        <div v-show="!global.passwordSet" class="ui container center aligned">
-            <div class="ui basic segment huge">
-                <h1 class="ui header"><i class="circular icon lock"></i>Secure This Website?</h1>
-                We recommend setting a strong password <br />
-                if this website will ever be visible to others.
-            </div>
-            <div class="ui centered grid">
-                <div class="ten wide column middle aligned">
-                    <router-link :to="gotoSetPassword" class="ui huge primary submit button">Set Site Password</router-link>
-                    <button @click="establishSession" class="ui huge submit button">Not Now</button>
-                </div>
-            </div>
-        </div>
-        <div v-show="global.passwordSet" class="ui container center aligned">
-            <div class="ui basic segment huge">
-                <h1 class="ui header"><i class="circular icon lock"></i>Verify Site Access</h1>
-            </div>
-            <div class="ui centered grid">
-                <div class="ui ten wide column left aligned t0">
-                    <form class="ui huge form authenticate" :class="{loading: loading}">
-                        <div class="field">
-                            <label>Site Password</label>
-                            <div class="ui left icon input">
-                                <input v-focus.lazy="true" type="password" v-model='password' name="password" placeholder="enter password" autocomplete="off">
-                                <i class="lock icon" />
-                            </div>
-                        </div>
-                        <button class="ui large primary submit button" type="submit">Submit</button>
-                        <div class="ui mini error message" />
-                    </form>
-                </div>
-            </div>
-        </div>
-    </div>
-</div>
-</template>
-
-<script>
-util = require('../util');
-shared = require('../globalState');
-focus = require('vue-focus');
-var jwtDecode = require('jwt-decode');
-
-function init() {
-    const apiToken = this.global.apiToken;
-    const forwardTo = this.$route.query.forwardTo;
-    if (apiToken && forwardTo) {
-        const decoded = jwtDecode(apiToken);
-        const expires = new Date(decoded.exp * 1000);
-        const now = new Date();
-
-        if (now < expires) {
-            this.$router.replace(forwardTo);
-            return;
-        }
-    }
-
-    // ensure that global.passwordSet is up-to-date
-    util.fetch.call(this, '/api/auth/status/v1')
-    .then(result => { this.global.passwordSet = result.ok; });
-
-    $('form.ui.form.authenticate').form({
-        on: 'blur',
-        fields: {
-            password: {
-                identifier: 'password',
-                rules: [
-                    {
-                        type   : 'empty',
-                        prompt : 'Please enter a password'
-                    }
-                ]
-            }
-        },
-        onSuccess: (event) => {
-            event.preventDefault();
-            tryPassword.call(this)
-        }
-    });
-}
-
-async function tryPassword() {
-    var password = this.password;
-    this.loading = true;
-    let result;
-    try {
-        result = await util.fetch.call(this, '/api/auth/login/v1/', { method: 'post', body: { password }});
-    } catch (err) {
-        console.error(err);
-        return false;
-    }
-    this.loading = false;
-    if (result.ok) {
-        const { token } = result.theJson;
-        this.global.apiToken = token;
-        const forwardTo = this.$route.query.forwardTo;
-        this.$router.replace(forwardTo || { name: 'welcome' });
-        return false;
-    } else {
-        console.log('unhappy result is', result)
-        util.addFormErrors('authenticate', { password: 'Incorrect password, please try again.'});
-    }
-    return false;
-}
-
-module.exports = {
-    data: () => ({
-        global: shared.state,
-        password: '',
-        loading: false
-    }),
-    computed: {
-        globalPasswordSet: function () { return this.global.passwordSet; },
-        gotoSetPassword: function () {
-            return {
-                name: 'setPassword',
-                query: { forwardTo: this.$route.query.forwardTo }
-            };
-        }
-    },
-    mounted: function () {
-        init.call(this);
-    },
-    methods: {
-        establishSession: function () {
-            tryPassword.call(this);
-        }
-    },
-    directives: {
-        focus: focus.focus
-    }
-}
-</script>
\ No newline at end of file
diff --git a/client/auth/loginCode.vue b/client/auth/loginCode.vue
new file mode 100644
index 0000000..e9897ff
--- /dev/null
+++ b/client/auth/loginCode.vue
@@ -0,0 +1,111 @@
+<style>
+</style>
+
+<template>
+    <div class="ui main text container" style="margin-top: 80px;">
+        <div class="ui container center aligned">
+            <div class="ui basic segment huge">
+                <h1 class="ui header">
+                    <i class="circular sign in icon"></i>
+                    Message Vault Login
+                </h1>
+            </div>
+            <div class="ui centered grid">
+                <div class="ui nine wide column basic segment left aligned t0 b1">
+                    <form class="ui huge form enter-code" :class="{loading: loading}">
+                        <div class="field">
+                            <label>Login Code</label>
+                            <div class="ui left icon input">
+                                <input v-focus.lazy="true" type="text" name="code" placeholder="000000" autocomplete="off" v-model='code'>
+                                <i class="lock icon"></i>
+                            </div>
+                        </div>
+                        <button class="ui large primary submit button" type="submit">Submit</button>
+                        <router-link :to="{name: 'loginTag'}" class="ui large button right floated code-cancel">Cancel</router-link>
+                        <div class="ui mini error message" />
+                    </form>
+                </div>
+            </div>
+            <div class="ui basic segment">
+                <p>Please enter the site login code that was sent to you.</p>
+            </div>
+        </div>
+    </div>
+</template>
+
+<script>
+util = require('../util');
+shared = require('../globalState');
+focus = require('vue-focus');
+
+function setup() {
+    if (!this.global.userId) {
+        this.$router.push({ name: 'loginTag', query: this.$route.query });
+        return;
+    }
+
+    util.fetch.call(this, '/api/onboard/status/v1')
+    .then(result => { 
+        this.global.onboardStatus = result.theJson.status;
+        if (this.global.onboardStatus !== 'complete') {
+            this.$router.push({ name: 'welcome' });
+        }
+    });
+
+    $('form.ui.form.enter-code').form({
+        fields: {
+            code: {
+                identifier: 'code',
+                rules: [{
+                    type: 'regExp',
+                    value: /^\d{6}$/,
+                    prompt: 'please enter the six-digit code you were just sent'
+                }]
+            }
+        },
+        onSuccess: (event) => {
+            event.preventDefault();
+            tryAuthCode.call(this)
+        }
+    });
+}
+
+async function tryAuthCode() {
+    var password = this.password;
+    this.loading = true;
+    let result;
+    try {
+        result = await util.fetch.call(this, '/api/auth/login/v1', { method: 'post', body: { id: this.global.userId, code: this.code }})
+    } catch (err) {
+        console.error(err);
+        return false;
+    }
+    this.loading = false;
+    if (result.ok) {
+        const { token } = result.theJson;
+        this.global.apiToken = token;
+        const forwardTo = this.$route.query.forwardTo;
+        this.$router.replace(forwardTo || { name: 'welcome' });
+        return false;
+    } else {
+        util.addFormErrors('enter-code', { code: util.mergeErrors(result.theJson) });
+    }
+    return false;
+}
+
+module.exports = {
+    data: () => ({
+        code: '',
+        loading: false,
+        global: shared.state
+    }),
+    mounted: function() {
+        setup.call(this)
+    },
+    methods: {
+    },
+    directives: {
+        focus: focus.focus
+    }
+}
+</script>
\ No newline at end of file
diff --git a/client/auth/loginTag.vue b/client/auth/loginTag.vue
new file mode 100644
index 0000000..0b07579
--- /dev/null
+++ b/client/auth/loginTag.vue
@@ -0,0 +1,124 @@
+<style>
+</style>
+
+<template>
+    <div class="ui main text container" style="margin-top: 80px;">
+        <div class="ui container center aligned">
+            <div class="ui basic segment huge">
+                <h1 class="ui header">
+                    <i class="circular icon user"></i>
+                    Message Vault Login
+                </h1>
+            </div>
+            <div class="ui centered grid">
+                <div class="ui nine wide column basic segment left aligned t0 b1">
+                    <form class="ui huge form enter-tag" :class="{loading: loading}">
+                        <div class="field">
+                            <label>Authorized User</label>
+                            <div class="ui left icon input">
+                                <input v-focus.lazy="true" type="text" v-model='tag' name="tag" placeholder="user:org" autocomplete="off">
+                                <i class="at icon"></i>
+                            </div>
+                        </div>
+                        <button class="ui large primary submit button" type="submit">Submit</button>
+                        <div class="ui mini error message" />
+                    </form>
+                </div>
+            </div>
+            <div class="ui basic segment">
+                <p>Please enter your Forsta address so this site can send you a login code.</p>
+            </div>
+        </div>
+    </div>
+</template>
+
+<script>
+util = require('../util');
+focus = require('vue-focus');
+shared = require('../globalState');
+jwtDecode = require('jwt-decode');
+
+function setup() {
+    const apiToken = this.global.apiToken;
+    const forwardTo = this.$route.query.forwardTo;
+    if (apiToken && forwardTo) {
+        const decoded = jwtDecode(apiToken);
+        const expires = new Date(decoded.exp * 1000);
+        const now = new Date();
+
+        if (now < expires) {
+            this.$router.replace(forwardTo);
+            return;
+        }
+    }
+
+    util.fetch.call(this, '/api/onboard/status/v1')
+    .then(result => { 
+        this.global.onboardStatus = result.theJson.status;
+        if (this.global.onboardStatus !== 'complete') {
+            this.$router.push({ name: 'welcome' });
+        }
+    });
+
+    this.tag = this.global.loginTag;
+
+    $('form.ui.form.enter-tag').form({
+        fields: {
+            tag: {
+                identifier: 'tag',
+                rules: [{
+                    type: 'regExp',
+                    value: /^([\da-z_]([.][\da-z_]|[\da-z_])*)(:([\da-z_]([.]+[\da-z_]|[\da-z_])*))?$/,
+                    prompt: 'please enter full @your.name:your.org'
+                }]
+            }
+        },
+        onSuccess: (event) => {
+            event.preventDefault();
+            requestAuth.call(this)
+        }
+    });
+}
+
+function requestAuth() {
+    var tag = this.tag;
+    this.loading = true;
+    util.fetch.call(this, '/api/auth/login/v1/' + tag)
+    .then(result => {
+        this.loading = false;
+        if (result.ok) {
+            const { id } = result.theJson;
+            this.global.userId = id;
+            this.global.loginTag = tag;
+            this.$router.push({ name: 'loginCode', query: this.$route.query });
+            return false;
+        } else {
+            util.addFormErrors('enter-tag', { tag: util.mergeErrors(result.theJson) });
+            return false;
+        }
+    })
+    .catch(err => {
+        console.log('got an err in requestAuth', err);
+        this.loading = false;
+    });
+    return false;
+}
+
+module.exports = {
+    data: () => ({
+        global: shared.state,
+        tag: '',
+        loading: false
+    }),
+    computed: {
+    },
+    mounted: function () {
+        setup.call(this)
+    },
+    methods: {
+    },
+    directives: {
+        focus: focus.focus
+    }
+}
+</script>
\ No newline at end of file
diff --git a/client/auth/setPassword.vue b/client/auth/setPassword.vue
deleted file mode 100644
index 71d4ab3..0000000
--- a/client/auth/setPassword.vue
+++ /dev/null
@@ -1,114 +0,0 @@
-
-<template>
-    <div class="ui main text container" style="margin-top: 80px;">
-        <div class="ui container center aligned">
-            <div class="ui basic segment huge">
-                <h1 class="ui header"><i class="circular icon lock"></i>Set Site Password</h1>
-            </div>
-            <div class="ui centered grid">
-                <div class="ui ten wide column left aligned t0">
-                    <form class="ui huge form set-password" :class="{loading: loading}">
-                        <div class="field">
-                            <label>Password</label>
-                            <div class="ui left icon input">
-                                <input v-focus.lazy="true" type="password" v-model='password' name="password" placeholder="enter password" autocomplete="off">
-                                <i class="icon lock"></i>
-                            </div>
-                        </div>
-                        <div class="field">
-                            <label>Confirm</label>
-                            <div class="ui left icon input">
-                                <input type="password" v-model='confirm' name="confirm" placeholder="confirm password" autocomplete="off">
-                                <i class="icon lock"></i>
-                            </div>
-                        </div>
-                        <button class="ui large primary submit button" type="submit">Submit</button>
-                        <div class="ui mini error message" />
-                    </form>
-                </div>
-            </div>
-        </div>
-    </div>
-</template>
-
-<script>
-util = require('../util');
-shared = require('../globalState');
-focus = require('vue-focus');
-
-function setup() {
-    $('form.ui.form.set-password').form({
-        on: 'blur',
-        fields: {
-            password: {
-                identifier: 'password',
-                rules: [
-                    {
-                        type   : 'empty',
-                        prompt : 'Please enter a password'
-                    },
-                    {
-                        type   : 'minLength[6]',
-                        prompt : 'Your password must be at least {ruleValue} characters'
-                    }
-                ]
-            },
-            confirm: {
-                identifier: 'confirm',
-                rules: [
-                    {
-                        type   : 'empty',
-                        prompt : 'Please repeat the password'
-                    },
-                    {
-                        type   : 'match[password]',
-                        prompt : 'Passwords must match'
-                    }
-                ]
-            },
-           
-        },
-        onSuccess: (event) => {
-            event.preventDefault();
-            setPassword.call(this)
-        }
-    });
-}
-
-async function setPassword() {
-    var password = this.password;
-    this.loading = true;
-    let result;
-    try {
-        result = await util.fetch.call(this, '/api/auth/password/v1', { method: 'post', body: { password } })
-    } catch (err) {
-        console.error(err);
-        return;
-    }
-    this.loading = false;
-    if (result.ok) {
-        const { token } = result.theJson;
-        shared.state.apiToken = token;
-        const forwardTo = this.$route.query.forwardTo;
-        this.$router.push(forwardTo || { name: 'welcome' });
-    } else {
-        console.log('internal error, password already set (wrong method to change it)');
-    }
-}
-
-module.exports = {
-    data: () => ({
-        password: '',
-        confirm: '',
-        loading: false
-    }),
-    mounted: function () {
-        setup.call(this)
-    },
-    methods: {
-    },
-    directives: {
-        focus: focus.focus
-    }
-}
-</script>
\ No newline at end of file
diff --git a/client/dashboard/dashboard.vue b/client/dashboard/dashboard.vue
index db392da..5f0742b 100644
--- a/client/dashboard/dashboard.vue
+++ b/client/dashboard/dashboard.vue
@@ -79,7 +79,7 @@
         user-select: none;
     }
     div.pager .active-page {
-        color: #FF8888;
+        color: #FF6666;
     }
 
     div.zero {
@@ -115,7 +115,7 @@
                     <a class="icobut" data-tooltip='filter SINCE this time' @click="addTimeFilter(m, 'Since')"><i class="chevron right icon"></i></a>
                 </div>
                 <div class="header">
-                    <a data-tooltip='filter for this THREAD ID' @click="addThreadFilter(m)"><i class="large comments icon" :style="threadColor(m.threadId)"></i></a>
+                    <a data-tooltip='filter for this thread ID' @click="addThreadFilter(m)"><i class="large comments icon" :style="threadColor(m.threadId)"></i></a>
                     <span class="thread-title" :class="{obscured: obscured}" @click="flipscure">{{threadTitle(m)}}</span>
                 </div>
                 <div class="meta">{{m.distribution.pretty}}</div>
@@ -193,7 +193,7 @@
             </div>
             <div class="filter-section" v-if="Object.keys(filters).length">
                 <h3>Current Filters</h3>
-                <a v-for="(v,k) in filters" @click="removeFilter(k)" data-tooltip="click to remove filter" class="butspacer ui compact blue button">
+                <a v-for="(v,k) in filters" @click="removeFilter(k)" data-tooltip="click to remove filter" class="butspacer ui compact primary basic button">
                     <i class="remove icon"></i> {{v.presentation}}
                 </a>
             </div>
@@ -392,14 +392,14 @@ module.exports = {
             const q = this.queryString;
             util.fetch.call(this, '/api/vault/messages/v1?' + q)
             .then(result => {
-                this.messages = result.theJson.messages.forEach(m => {
+                this.messages = result.theJson.messages;
+                this.messages.forEach(m => {
                     m.receivedMoment = moment(m.received);
                     m.receivedText = m.receivedMoment.format('llll');
                     if (m.recipientIds.length <= 5 && !(m.messageId in this.showDist)) {
                         this.$set(this.showDist, m.messageId, true);
                     }
                 });
-                this.messages = result.theJson.messages;
                 this.fullCount = (this.messages.length && this.messages[0].fullCount) || 0;
             });
         },
@@ -441,22 +441,7 @@ module.exports = {
         }
     },
     mounted: function() {
-        if (this.global.onboardStatus !== 'complete') {
-            this.$router.push({ name: 'welcome' });
-            return;
-        }
-        util.fetch.call(this, '/api/onboard/status/v1')
-        .then(result => { 
-            this.global.onboardStatus = result.theJson.status;
-            if (this.global.onboardStatus !== 'complete') {
-                this.$router.push({ name: 'welcome' });
-            }
-        });
-
-        if (!this.global.apiToken) {
-            this.$router.push({ name: 'authenticate', query: { forwardTo: this.$router.path }});
-            return;
-        }
+        util.checkPrerequisites.call(this);
 
         this.getMessages();
         this.interval = setInterval(() => this.getMessages(), REFRESH_POLL_RATE); 
diff --git a/client/globalState.js b/client/globalState.js
index 487ed93..7b449a2 100644
--- a/client/globalState.js
+++ b/client/globalState.js
@@ -3,6 +3,14 @@ var jwtDecode = require('jwt-decode');
 var state = {
     onboardStatus: undefined,
     passwordSet: undefined,
+    userId: undefined,
+    get loginTag() {
+        return localStorage.getItem('loginTag') || '';
+    },
+    set loginTag(value) {
+        if (value) localStorage.setItem('loginTag', value);
+        else localStorage.removeItem('loginTag');
+    },
     get apiToken() {
         const retval = localStorage.getItem('apiToken') || '';
         if (retval != this.prev) autoexpire(retval);
diff --git a/client/main.js b/client/main.js
index 47a6b40..9dacf58 100644
--- a/client/main.js
+++ b/client/main.js
@@ -7,11 +7,12 @@ function main() {
     const Root = require('./root.vue');
     const routes = [
         { path: '/welcome', name: 'welcome', component: require('./welcome/welcome.vue') },
-        { path: '/auth/login', name: 'authenticate', component: require('./auth/authenticate.vue') },
-        { path: '/auth/password', name: 'setPassword', component: require('./auth/setPassword.vue') },
-        { path: '/onboard/tag', name: 'enterTag', component: require('./onboard/enterTag.vue') },
-        { path: '/onboard/code/:tag', name: 'enterCode', component: require('./onboard/enterCode.vue') },
+        { path: '/auth/tag', name: 'loginTag', component: require('./auth/loginTag.vue') },
+        { path: '/auth/code', name: 'loginCode', component: require('./auth/loginCode.vue') },
+        { path: '/onboard/tag', name: 'onboardTag', component: require('./onboard/enterTag.vue') },
+        { path: '/onboard/code/:tag', name: 'onboardCode', component: require('./onboard/enterCode.vue') },
         { path: '/dashboard', name: 'dashboard', component: require('./dashboard/dashboard.vue') },
+        { path: '/settings', name: 'settings', component: require('./settings/settings.vue') },
         { path: '*', redirect: '/welcome' },
     ];
 
diff --git a/client/menu/top.vue b/client/menu/top.vue
index 0fbda68..fcdbffb 100644
--- a/client/menu/top.vue
+++ b/client/menu/top.vue
@@ -1,6 +1,3 @@
-<style>
-</style>
-
 <template>
     <div class="ui fixed inverted menu" style="z-index: 1;">
         <div class="ui container">
@@ -8,35 +5,39 @@
                 <img class="logo" src="/static/images/forsta-logo-invert.svg"/>
                 &nbsp;&nbsp;Forsta Message Vault
             </router-link>
-            <a v-if="global.apiToken" class="header item float right" @click.prevent="logout">
-                sign out
-            </a>
+            <div v-if="global.apiToken" class="header item float right" style="padding:0;">
+                <div class="ui simple dropdown item">
+                    <i class="large user icon"></i>
+                    <i class="dropdown icon"></i>
+                    <div class="menu left">
+                    <div class="item" @click="logout">sign out</div>
+                    <div class="item" @click="settings">settings</div>
+                    <div class="item" @click="dashboard">dashboard</div>
+                    </div>
+                </div>
+            </div>
         </div>
     </div>
 </template>
 
 <script>
 shared = require('../globalState');
-util = require('../util');
 
 module.exports = {
     data: () => ({ 
         global: shared.state,
         loggedIn: false
     }),
-    computed: {
-    },
     methods: {
         logout: function () {
-            if (this.global.apiToken) {
-                console.log('signing out');
-                this.global.apiToken = null;
-            }
+            this.global.apiToken = null;
+        },
+        settings: function () {
+            this.$router.push({ name: 'settings' });
+        },
+        dashboard: function () {
+            this.$router.push({ name: 'dashboard' });
         }
-    },
-    watch: {
-    },
-    mounted: function() {
-    },
+    }
 }
 </script>
\ No newline at end of file
diff --git a/client/onboard/enterCode.vue b/client/onboard/enterCode.vue
index 4fd6c7c..78aca11 100644
--- a/client/onboard/enterCode.vue
+++ b/client/onboard/enterCode.vue
@@ -7,7 +7,7 @@
             <div class="ui basic segment huge">
                 <h1 class="ui header">
                     <i class="large circular sign in icon"></i>
-                    Enter Login Code
+                    Enter Forsta Login Code
                 </h1>
             </div>
             <div class="ui centered grid">
@@ -21,7 +21,7 @@
                             </div>
                         </div>
                         <button class="ui large primary submit button" type="submit">Submit</button>
-                        <router-link :to="{name: 'enterTag'}" class="ui large button right floated code-cancel">Cancel</router-link>
+                        <router-link :to="{name: 'onboardTag'}" class="ui large button right floated code-cancel">Cancel</router-link>
                         <div class="ui mini error message" />
                     </form>
                 </div>
diff --git a/client/onboard/enterTag.vue b/client/onboard/enterTag.vue
index 55224e7..1e30328 100644
--- a/client/onboard/enterTag.vue
+++ b/client/onboard/enterTag.vue
@@ -85,7 +85,7 @@ function requestAuth() {
     .then(result => {
         this.loading = false;
         if (result.ok) {
-            this.$router.push({ name: 'enterCode', params: { tag: this.tag }});
+            this.$router.push({ name: 'onboardCode', params: { tag: this.tag }});
             return false;
         } else {
             util.addFormErrors('enter-tag', { tag: util.mergeErrors(result.theJson) });
diff --git a/client/root.vue b/client/root.vue
index b3eaec4..91a734a 100644
--- a/client/root.vue
+++ b/client/root.vue
@@ -30,7 +30,7 @@ module.exports = {
         globalApiToken: function (next, prev) {
             if (!next && prev) {
                 console.log('reauthenticating for', this.$route.path)
-                this.$router.push({ name: 'authenticate', query: { forwardTo: this.$route.path }});
+                this.$router.push({ name: 'loginTag', query: { forwardTo: this.$route.path }});
             }
         }
     },
diff --git a/client/settings/settings.vue b/client/settings/settings.vue
new file mode 100644
index 0000000..2b83f2b
--- /dev/null
+++ b/client/settings/settings.vue
@@ -0,0 +1,129 @@
+
+<style>
+div.listgap {
+    margin-bottom:3em!important;
+}
+</style>
+
+<template>
+    <div class="ui main text container" style="margin-top: 80px;">
+        <div class="ui container center aligned">
+            <div class="ui basic segment huge">
+                <h1 class="ui header">
+                    <i class="large circular setting icon"></i>
+                    Message Vault Settings
+                </h1>
+            </div>
+            <div class="ui centered grid">
+                <div class="ui nine wide column basic segment left aligned b1" :class="{loading: loading}" style="margin-top:-1em;">
+                    <h3 style="margin-bottom: 3px;">Site Administrators</h3>
+                    <div class="ui list listgap">
+                        <div v-for="a in admins" :key="a.id" class="item">
+                            <a v-if="admins.length > 1" @click="removeAdmin(a.id)" data-tooltip="remove this administrator"><i class="large remove circle icon"></i></a> 
+                            <span v-else data-tooltip="cannot remove last administrator"><i style="color: lightgray;" class="large remove circle icon"></i></span> 
+                            {{a.label}}
+                        </div>
+                    </div>
+                    <form class="ui large form enter-tag" @submit.prevent="addAdmin">
+                        <div class="field" :class="{error:!!tagError}">
+                            <div data-tooltip="add an administrator" class="ui left icon action input">
+                                <i class="at icon"></i>
+                                <input type="text" v-model='tag' name="tag" placeholder="user:org" autocomplete="off">
+                                <button class="ui icon button" :disabled="!tag" :class="{primary:!!tag}"><i class="plus icon"></i></button>
+                            </div>
+                        </div>
+                    </form>
+                    <div v-if="tagError" class="ui small error message">{{tagError}}</div>
+                </div>
+            </div>
+        </div>
+    </div>
+</template>
+
+<script>
+
+const util = require('../util');
+const REFRESH_POLL_RATE = 15000;
+
+
+async function addAdmin() {
+    this.loading = true;
+    let result;
+    try {
+        result = await util.fetch.call(this, '/api/auth/admins/v1', { method: 'post', body: { op: 'add', tag: this.tag }})
+        this.loading = false;
+    } catch (err) {
+        console.error(err);
+        this.loading = false;
+        return false;
+    }
+    if (result.ok) {
+        const { administrators } = result.theJson;
+        this.admins = administrators;
+        this.tag = '';
+        this.tagError = '';
+    } else {
+        this.tagError = util.mergeErrors(result.theJson);
+    }
+}
+
+async function removeAdmin(id) {
+    this.loading = true;
+    let result;
+    try {
+        result = await util.fetch.call(this, '/api/auth/admins/v1', { method: 'post', body: { op: 'remove', id }})
+        this.loading = false;
+    } catch (err) {
+        console.error(err);
+        this.loading = false;
+        return false;
+    }
+    if (result.ok) {
+        const { administrators } = result.theJson;
+        this.admins = administrators;
+    } else {
+        this.removeError = util.mergeErrors(result.theJson);
+    }
+}
+
+
+module.exports = {
+    data: () => ({ 
+        global: shared.state,
+        loading: false,
+        interval: null,
+        tag: '',
+        tagError: '',
+        removeError: '',
+        admins: []
+    }),
+    computed: {
+    },
+    watch: {
+    },
+    methods: {
+        getAdmins: function() {
+            util.fetch.call(this, '/api/auth/admins/v1')
+            .then(result => {
+                if (result.ok) {
+                    this.admins = result.theJson.administrators;
+                }
+            });
+        },
+        removeAdmin: function(id) {
+            removeAdmin.call(this, id);
+        },
+        addAdmin: function() {
+            addAdmin.call(this);
+        }
+    },
+    mounted: function() {
+        util.checkPrerequisites.call(this);
+        this.getAdmins();
+        this.interval = setInterval(() => this.getAdmins(), REFRESH_POLL_RATE); 
+    },
+    beforeDestroy: function() {
+        clearInterval(this.interval);
+    }
+}
+</script>
\ No newline at end of file
diff --git a/client/util.js b/client/util.js
index 79d0bf5..519df5c 100644
--- a/client/util.js
+++ b/client/util.js
@@ -45,15 +45,31 @@ async function _fetch(url, { method='get', headers={}, body={} }={}, noBodyAwait
     }
     if (resp.status === 401) {
         console.log('401 from bot api, so we will visit bot authentication...');
-        this.$router.push({ name: 'authenticate', query: { forwardTo: this.$route.fullPath }});
+        this.$router.push({ name: 'loginTag', query: { forwardTo: this.$route.fullPath }});
         // throw Error('not authenticated with bot server -- looping through authentication');
     }
     return resp;
 }
 
+function checkPrerequisites() {
+    _fetch.call(this, '/api/onboard/status/v1')
+    .then(result => { 
+        this.global.onboardStatus = result.theJson.status;
+        if (this.global.onboardStatus !== 'complete') {
+            this.$router.push({ name: 'welcome' });
+        }
+    });
+
+    if (!this.global.apiToken) {
+        this.$router.push({ name: 'loginTag', query: { forwardTo: this.$router.path }});
+        return;
+    }
+}
+
 module.exports = {
     addFormErrors,
     mergeErrors,
     RequestError,
-    fetch: _fetch
+    fetch: _fetch,
+    checkPrerequisites
 };
diff --git a/client/welcome/welcome.vue b/client/welcome/welcome.vue
index 239830e..c114ca1 100644
--- a/client/welcome/welcome.vue
+++ b/client/welcome/welcome.vue
@@ -19,7 +19,7 @@
         <div class="ui two column centered grid">
             <div class="middle aligned row">
                 <div class="five wide column centered">
-                    <router-link :to="{name: 'authenticate', query: { forwardTo: '/onboard/tag' }}"
+                    <router-link :to="{name: 'loginTag'}"
                                 class="ui huge primary button">
                     CONNECT <i class="right arrow icon"></i>
                     </router-link>
@@ -47,7 +47,7 @@ module.exports = {
         global: shared.state
     }),
     mounted: function() {
-        const authDash = { name: 'authenticate', query: { forwardTo: '/dashboard' }};
+        const authDash = { name: 'loginTag', query: { forwardTo: '/dashboard' }};
         if (this.global.onboardStatus === 'complete') {
             this.$router.push(authDash);
             return;
diff --git a/package.json b/package.json
index 39b1097..cd1bc28 100644
--- a/package.json
+++ b/package.json
@@ -25,7 +25,6 @@
   },
   "dependencies": {
     "adm-zip": "^0.4.7",
-    "bcrypt": "^1.0.3",
     "browserify": "^14.5.0",
     "csv-stringify": "2.0.0",
     "envify": "^4.1.0",
diff --git a/server/atlas_client.js b/server/atlas_client.js
index 10c70ce..adce530 100644
--- a/server/atlas_client.js
+++ b/server/atlas_client.js
@@ -20,6 +20,7 @@ class BotAtlasClient extends relay.AtlasClient {
         );
         const creator = `@${botUser.tag.slug}:${botUser.org.slug}`;
         console.info(`Bot onboarding performed by: ${creator}`);
+        await relay.storage.set('authentication', 'adminIds', [botUser.id]);
         await relay.storage.putState("onboardUser", botUser.id);
         if (this.onboardingCreatedUser) {
             try {
diff --git a/server/forsta_bot.js b/server/forsta_bot.js
index 458c726..32edb01 100644
--- a/server/forsta_bot.js
+++ b/server/forsta_bot.js
@@ -8,6 +8,10 @@ const relay = require("librelay");
 const PGStore = require("./pgstore");
 const uuid4 = require("uuid/v4");
 
+async function sleep(ms) { 
+    return await new Promise(resolve => setTimeout(resolve, ms)); 
+}
+
 class ForstaBot {
     async start() {
         const ourId = await relay.storage.getState('addr');
@@ -15,6 +19,7 @@ class ForstaBot {
             console.warn('bot is not yet registered');
             return;
         }
+        await this.migrate();
         console.info('Starting message receiver for:', ourId);
         this.pgStore = new PGStore('message_vault');
         await this.pgStore.initialize();
@@ -41,6 +46,17 @@ class ForstaBot {
         await this.msgReceiver.connect();
     }
 
+    async migrate() {
+        const adminIds = await relay.storage.get('authentication', 'adminIds');
+        if (!adminIds) {
+            // need to convert from a password-auth sort of bot to the new auth-code system
+            const onboardUser = await relay.storage.getState("onboardUser");
+            if (!onboardUser) return; // should never happen, but just in case..
+            await relay.storage.set('authentication', 'adminIds', [onboardUser]);
+            await relay.storage.remove('authentication', 'pwhash');
+        }
+    }
+
     async stop() {
         if (this.msgReceiver) {
             console.warn('Stopping message receiver');
@@ -70,6 +86,7 @@ class ForstaBot {
     }
     fqLabel(user) { return `${this.fqTag(user)} (${this.fqName(user)})`; }
 
+
     async onMessage(ev) {
         const received = new Date(ev.data.timestamp);
         const envelope = JSON.parse(ev.data.message.body);
@@ -127,6 +144,161 @@ class ForstaBot {
             });
         }
     }
+
+    async getSoloAuthThreadId() {
+        let id = await relay.storage.get('authentication', 'soloThreadId');
+        if (!id) {
+            id = uuid4();
+            relay.storage.set('authentication', 'soloThreadId', id);
+        }
+
+        return id;
+    }
+
+    async getGroupAuthThreadId() {
+        let id = await relay.storage.get('authentication', 'groupThreadId');
+        if (!id) {
+            id = uuid4();
+            relay.storage.set('authentication', 'groupThreadId', id);
+        }
+
+        return id;
+    }
+
+    genAuthCode(expirationMinutes) {
+        const code = ('000000' + Math.floor(Math.random() * 1000000)).slice(-6);
+        const expires = new Date();
+        expires.setMinutes(expires.getMinutes() + expirationMinutes);
+        return { code, expires };
+    }
+
+    removeExpiredAuthCodes(pending) {
+        const now = new Date();
+
+        Object.keys(pending).forEach(uid => {
+            pending[uid].expires = new Date(pending[uid].expires); // todo: fix store encoding...
+            if (pending[uid].expires < now) {
+                delete pending[uid];
+            }
+        });
+
+        return pending;
+    }
+
+    async sendAuthCode(tag) {
+        tag = (tag && tag[0] === '@') ? tag : '@' + tag;
+        const resolved = await this.resolveTags(tag);
+        if (resolved.userids.length === 1 && resolved.warnings.length === 0) {
+            const uid = resolved.userids[0];
+            const adminIds = await relay.storage.get('authentication', 'adminIds');
+            if (!adminIds.includes(uid)) {
+                throw { statusCode: 403, info: { tag: ['not an approved administrator'] } }; 
+            }
+
+            const auth = this.genAuthCode(1);
+            this.msgSender.send({
+                distribution: resolved,
+                threadId: await this.getGroupAuthThreadId(),
+                text: `${auth.code} is your authentication code, valid for one minute`
+            });
+            const pending = await relay.storage.get('authentication', 'pending', {});
+            pending[uid] = auth;
+            await relay.storage.set('authentication', 'pending', pending);
+            
+            return resolved.userids[0];
+        } else {
+            throw { statusCode: 400, info: { tag: ['not a recognized tag, please try again'] } }; 
+        }
+    }
+
+    async validateAuthCode(userId, code) {
+        let pending = await relay.storage.get('authentication', 'pending', {});
+        pending = this.removeExpiredAuthCodes(pending);
+        const auth = pending[userId];
+        if (!auth) {
+            throw { statusCode: 403, info: { code: ['no authentication pending, please start over'] } }; 
+        }
+        if (auth.code != code) {
+            await sleep(500); // throttle guessers
+            throw { statusCode: 403, info: { code: ['incorrect code, please try again'] } }; 
+        }
+
+        delete pending[userId];
+        relay.storage.set('authentication', 'pending', pending);
+
+        await this.broadcastNotice('has successfully authenticated as an administrator', userId);
+        return true;
+    }
+
+    async getAdministrators() {
+        const adminIds = await relay.storage.get('authentication', 'adminIds', []);
+        const adminUsers = await this.getUsers(adminIds);
+        const admins = adminUsers.map(u => {
+            return {
+                id: u.id,
+                label: this.fqLabel(u)
+            };
+        });
+        return admins;
+    }
+
+    async broadcastNotice(action, actorUserId) {
+        const adminIds = await relay.storage.get('authentication', 'adminIds', []);
+        let added = false;
+        if (!adminIds.includes(actorUserId)) {
+            adminIds.push(actorUserId);
+            added = true;
+        }
+        const adminUsers = await this.getUsers(adminIds);
+        const actor = adminUsers.find(u => u.id === actorUserId);
+        const actorLabel = actor ? this.fqLabel(actor) : '<unknown>';
+        const expression = adminUsers.map(u => this.fqTag(u)).join(' + ');
+        const distribution = await this.resolveTags(expression);
+
+        const adminList = adminUsers.filter(u => !(added && u.id === actorUserId)).map(u => this.fqLabel(u)).join('\n');
+
+        const fullMessage = `Note: ${actorLabel} ${action}.\n\nCurrent administrators are:\n${adminList}`;
+        const subbedFullMessage = fullMessage.replace(/<<([^>]*)>>/g, (_, id) => {
+            const user = adminUsers.find(x => x.id === id);
+            return this.fqLabel(user);
+        });
+
+        this.msgSender.send({
+            distribution,
+            threadId: await this.getSoloAuthThreadId(),
+            text: subbedFullMessage
+        });
+    }
+
+    async addAdministrator({addTag, actorUserId}) {
+        const tag = (addTag && addTag[0] === '@') ? addTag : '@' + addTag;
+        const resolved = await this.resolveTags(tag);
+        if (resolved.userids.length === 1 && resolved.warnings.length === 0) {
+            const uid = resolved.userids[0];
+            const adminIds = await relay.storage.get('authentication', 'adminIds');
+            if (!adminIds.includes(uid)) {
+                adminIds.push(uid);
+                await relay.storage.set('authentication', 'adminIds', adminIds);
+            }
+            await this.broadcastNotice(`has added <<${uid}>> to the administrator list`, actorUserId);
+            return this.getAdministrators();
+        }
+        throw { statusCode: 400, info: { tag: ['not a recognized tag, please try again'] } }; 
+    }
+
+    async removeAdministrator({removeId, actorUserId}) {
+        const adminIds = await relay.storage.get('authentication', 'adminIds', []);
+        const idx = adminIds.indexOf(removeId);
+
+        if (idx < 0) {
+            throw { statusCode: 400, info: { id: ['administrator id not found'] } };
+        }
+        adminIds.splice(idx, 1);
+        await this.broadcastNotice(`is removing <<${removeId}>> from the administrator list`, actorUserId);
+        await relay.storage.set('authentication', 'adminIds', adminIds);
+
+        return this.getAdministrators();
+    }
 }
 
 module.exports = ForstaBot;
diff --git a/server/web/api.js b/server/web/api.js
index 6eebe66..284488e 100644
--- a/server/web/api.js
+++ b/server/web/api.js
@@ -3,11 +3,8 @@ const csvStringify = require('csv-stringify');
 const express = require('express');
 const relay = require('librelay');
 const jwt = require('jsonwebtoken');
-const bcrypt = require('bcrypt');
 const uuidv4 = require('uuid/v4');
 
-const bcryptSaltRounds = 12;
-
 
 class APIHandler {
 
@@ -30,8 +27,8 @@ class APIHandler {
                     relay.storage.get('authentication', 'jwtsecret')
                         .then((secret) => {
                             try {
-                                jwt.verify(parts[1], secret);
-                                fn.call(this, req, res, next).catch(e => {
+                                const jwtInfo = jwt.verify(parts[1], secret);
+                                fn.call(this, req, res, next, jwtInfo.userId).catch(e => {
                                     console.error('Async Route Error:', e);
                                     next();
                                 });
@@ -159,73 +156,86 @@ class AuthenticationAPIV1 extends APIHandler {
 
     constructor(options) {
         super(options);
-        this.router.get('/status/v1', this.asyncRoute(this.onGetStatus, false));
-        this.router.post('/login/v1', this.asyncRoute(this.onLogin, false));
-        this.router.post('/password/v1', this.asyncRoute(this.onPost, false));
-        this.router.put('/password/v1', this.asyncRoute(this.onPut));
+        this.router.get('/login/v1/:tag', this.asyncRoute(this.onRequestLoginCode, false));
+        this.router.post('/login/v1', this.asyncRoute(this.onValidateLoginCode, false));
+        this.router.get('/admins/v1', this.asyncRoute(this.onGetAdministrators));
+        this.router.post('/admins/v1', this.asyncRoute(this.onUpdateAdministrators));
     }
 
-    async genToken() {
+    async genToken(userId) {
         let secret = await relay.storage.get('authentication', 'jwtsecret');
         if (!secret) {
             secret = uuidv4();
             await relay.storage.set('authentication', 'jwtsecret', secret);
         }
-        return jwt.sign({}, secret, { algorithm: "HS512", expiresIn: 2*60*60 /* later: "2 days" */ });
+        return jwt.sign({ userId }, secret, { algorithm: "HS512", expiresIn: 2*60*60 /* later: "2 days" */ });
     }
 
-    async passwordHash(hash) {
-        if (hash) {
-            return await relay.storage.set('authentication', 'pwhash', hash);
-        } else {
-            return await relay.storage.get('authentication', 'pwhash');
+    async onRequestLoginCode(req, res) {
+        const tag = req.params.tag;
+        if (!tag) {
+            res.status(412).json({
+                error: 'missing_arg',
+                message: 'Missing URL param: tag'
+            });
+            return;
         }
-    }
-
-    async onGetStatus(req, res) {
-        const stashedHash = await this.passwordHash();
-        if (stashedHash) {
-            res.status(204).json({ });
-        } else {
-            res.status(404).json({error: 'not_configured'});
+        try {
+            const id = await this.server.bot.sendAuthCode(tag);
+            res.status(200).json({ id });
+            return;
+        } catch (e) {
+            res.status(e.statusCode || 500).json(e.info || { message: 'internal error'});
+            return;
         }
     }
 
-    async onLogin(req, res) {
-        const password = req.body.password;
-        const stashedHash = await this.passwordHash();
-        if (!stashedHash || bcrypt.compareSync(password, stashedHash)) {
-            // yes, if there is no stashed password hash, we give them a session
-            const token = await this.genToken();
+    async onValidateLoginCode(req, res) {
+        const userId = req.body.id;
+        const code = req.body.code;
+
+        try {
+            await this.server.bot.validateAuthCode(userId, code);
+            const token = await this.genToken(userId);
             res.status(200).json({ token });
-        } else {
-            res.status(401).json({ password: 'incorrect password' });
+            return;
+        } catch (e) {
+            res.status(e.statusCode || 500).json(e.info || { message: 'internal error'});
+            return;
         }
     }
 
-    async onPost(req, res) {
-        const exists = !!await this.passwordHash();
-        if (!exists) {
-            const password = req.body.password;
-            const hash = await bcrypt.hash(password, bcryptSaltRounds);
-            this.passwordHash(hash);
-            const token = await this.genToken();
-            res.status(201).json({ token });
-        } else {
-            res.status(405).json({ password: 'already exists' });
+    async onGetAdministrators(req, res) {
+        try {
+            const admins = await this.server.bot.getAdministrators();
+            res.status(200).json({ administrators: admins });
+            return;
+        } catch (e) {
+            console.log('problem in get administrators', e);
+            res.status(e.statusCode || 500).json(e.info || { message: 'internal error'});
+            return;
         }
     }
 
-    async onPut(req, res) {
-        const exists = !!this.passwordHash();
-        if (exists) {
-            const password = req.body.password;
-            const hash = await bcrypt.hash(password, bcryptSaltRounds);
-            this.passwordHash(hash);
-            const token = await this.genToken();
-            res.status(201).json({ token });
-        } else {
-            res.status(405).json({ password: 'does not exist' });
+    async onUpdateAdministrators(req, res, next, userId) {
+        const op = req.body.op;
+        const id = req.body.id;
+        const tag = req.body.tag;
+
+        if (!(op === 'add' && tag || op === 'remove' && id)) {
+            res.status(400).json({ non_field_errors: ['must either add tag or remove id'] });
+        }
+
+        try {
+            const admins = (op === 'add')
+                ? await this.server.bot.addAdministrator({addTag: tag, actorUserId: userId})
+                : await this.server.bot.removeAdministrator({removeId: id, actorUserId: userId});
+            res.status(200).json({ administrators: admins });
+            return;
+        } catch (e) {
+            console.log('problem in update administrators', e);
+            res.status(e.statusCode || 500).json(e.info || { message: 'internal error'});
+            return;
         }
     }
 }