diff --git a/src/Core/SecureFolderFS.Core/Constants.cs b/src/Core/SecureFolderFS.Core/Constants.cs
index 6b9b7f4ed..2289294c9 100644
--- a/src/Core/SecureFolderFS.Core/Constants.cs
+++ b/src/Core/SecureFolderFS.Core/Constants.cs
@@ -12,6 +12,7 @@ public static class Names
                 public const string VAULT_CONTENT_FOLDERNAME = "content";
                 public const string VAULT_KEYSTORE_FILENAME = $"keystore{CONFIGURATION_EXTENSION}";
                 public const string VAULT_CONFIGURATION_FILENAME = $"sfconfig{CONFIGURATION_EXTENSION}";
+                public const string VAULT_COMPLEMENTATION_FILENAME = $"sfcomplement{CONFIGURATION_EXTENSION}";
             }
 
             public static class Authentication
diff --git a/src/Core/SecureFolderFS.Core/DataModels/VaultSharesDataModel.cs b/src/Core/SecureFolderFS.Core/DataModels/VaultSharesDataModel.cs
new file mode 100644
index 000000000..4c13d89c4
--- /dev/null
+++ b/src/Core/SecureFolderFS.Core/DataModels/VaultSharesDataModel.cs
@@ -0,0 +1,29 @@
+using System;
+using System.Collections.Generic;
+using System.Text.Json.Serialization;
+
+namespace SecureFolderFS.Core.DataModels
+{
+    [Serializable]
+    public sealed record class VaultSharesDataModel
+    {
+        [JsonPropertyName("shares")]
+        public List<VaultShareDataModel>? Shares { get; init; }
+    }
+
+    [Serializable]
+    public sealed record class VaultShareDataModel
+    {
+        [JsonPropertyName("authOne")]
+        public string? AuthenticationMethodId { get; init; }
+
+        [JsonPropertyName("nonce")]
+        public byte[]? Nonce { get; init; }
+
+        [JsonPropertyName("c_complement")]
+        public byte[]? WrappedComplementSecret { get; init; }
+
+        [JsonPropertyName("tag")]
+        public byte[]? Tag { get; init; }
+    }
+}
\ No newline at end of file
diff --git a/src/Core/SecureFolderFS.Core/Routines/Operational/ModifyComplementationRoutine.cs b/src/Core/SecureFolderFS.Core/Routines/Operational/ModifyComplementationRoutine.cs
new file mode 100644
index 000000000..b9039ee7c
--- /dev/null
+++ b/src/Core/SecureFolderFS.Core/Routines/Operational/ModifyComplementationRoutine.cs
@@ -0,0 +1,413 @@
+using System;
+using System.Linq;
+using System.Security.Cryptography;
+using System.Threading;
+using System.Threading.Tasks;
+using SecureFolderFS.Core.Cryptography;
+using SecureFolderFS.Core.DataModels;
+using SecureFolderFS.Core.Models;
+using SecureFolderFS.Core.Routines;
+using SecureFolderFS.Core.VaultAccess;
+using SecureFolderFS.Shared.ComponentModel;
+using SecureFolderFS.Shared.Models;
+
+namespace SecureFolderFS.Core.Routines.Operational
+{
+    public sealed class ModifyComplementationRoutine : IFinalizationRoutine, IContractRoutine, IOptionsRoutine
+    {
+        private const int ComplementSecretLength = 32;
+
+        private readonly VaultReader _vaultReader;
+        private readonly VaultWriter _vaultWriter;
+        private KeyPair? _keyPair;
+        private V4VaultKeystoreDataModel? _existingKeystoreDataModel;
+        private V4VaultKeystoreDataModel? _keystoreDataModel;
+        private V4VaultConfigurationDataModel? _existingConfigDataModel;
+        private V4VaultConfigurationDataModel? _configDataModel;
+        private VaultSharesDataModel? _existingSharesDataModel;
+        private VaultSharesDataModel? _sharesDataModel;
+        private bool _writeShares;
+
+        public ModifyComplementationRoutine(VaultReader vaultReader, VaultWriter vaultWriter)
+        {
+            _vaultReader = vaultReader;
+            _vaultWriter = vaultWriter;
+        }
+
+        /// <inheritdoc/>
+        public async Task InitAsync(CancellationToken cancellationToken = default)
+        {
+            _existingConfigDataModel = await _vaultReader.ReadV4ConfigurationAsync(cancellationToken);
+            _existingKeystoreDataModel = await _vaultReader.ReadKeystoreAsync<V4VaultKeystoreDataModel>(cancellationToken);
+            _existingSharesDataModel = await _vaultReader.ReadComplementationAsync(cancellationToken);
+        }
+
+        /// <inheritdoc/>
+        public void SetUnlockContract(IDisposable unlockContract)
+        {
+            if (unlockContract is not IWrapper<Security> securityWrapper)
+                throw new ArgumentException($"The {nameof(unlockContract)} is invalid.");
+
+            _keyPair = securityWrapper.Inner.KeyPair;
+        }
+
+        /// <inheritdoc/>
+        public void SetOptions(VaultOptions vaultOptions)
+        {
+            _configDataModel = V4VaultConfigurationDataModel.V4FromVaultOptions(vaultOptions);
+        }
+
+        public void SetCredentials(ComplementationCredentials credentials, CancellationToken cancellationToken = default)
+        {
+            _ = cancellationToken;
+            ArgumentNullException.ThrowIfNull(_keyPair);
+            ArgumentNullException.ThrowIfNull(_existingConfigDataModel);
+            ArgumentNullException.ThrowIfNull(_existingKeystoreDataModel);
+            ArgumentNullException.ThrowIfNull(_configDataModel);
+            ArgumentNullException.ThrowIfNull(credentials);
+
+            var oldAuthentication = AuthenticationMethod.FromString(_existingConfigDataModel.AuthenticationMethod);
+            var newAuthentication = AuthenticationMethod.FromString(_configDataModel.AuthenticationMethod);
+            var primaryChanged = !oldAuthentication.Methods.SequenceEqual(newAuthentication.Methods, StringComparer.Ordinal);
+
+            if (string.IsNullOrWhiteSpace(oldAuthentication.Complementation) &&
+                !string.IsNullOrWhiteSpace(newAuthentication.Complementation))
+            {
+                AddComplementation(credentials, newAuthentication);
+                return;
+            }
+
+            if (!string.IsNullOrWhiteSpace(oldAuthentication.Complementation) &&
+                string.IsNullOrWhiteSpace(newAuthentication.Complementation))
+            {
+                RemoveComplementation(credentials, oldAuthentication);
+                return;
+            }
+
+            if (!string.IsNullOrWhiteSpace(oldAuthentication.Complementation) &&
+                !string.IsNullOrWhiteSpace(newAuthentication.Complementation))
+            {
+                if (primaryChanged || credentials.NewPrimaryCredential is not null)
+                    ChangePrimaryAndPreserveComplementation(credentials, oldAuthentication, newAuthentication);
+                else if (!string.Equals(oldAuthentication.Complementation, newAuthentication.Complementation, StringComparison.Ordinal) ||
+                         credentials.NewComplementCredential is not null)
+                    ReplaceComplementation(credentials, oldAuthentication, newAuthentication);
+                else
+                    throw new InvalidOperationException("No complementation change was requested.");
+
+                return;
+            }
+
+            throw new InvalidOperationException("The requested authentication change does not involve complementation.");
+        }
+
+        private void AddComplementation(
+            ComplementationCredentials credentials,
+            AuthenticationMethod newAuthentication)
+        {
+            var newComplementMethod = newAuthentication.Complementation ?? throw new InvalidOperationException("Complementation method is missing.");
+            var currentKey = ExportKey(credentials.CurrentCredential);
+            var newComplementKey = ExportKey(credentials.NewComplementCredential ?? throw new InvalidOperationException("New complement credentials are required."));
+            byte[]? newPrimaryKey = null;
+            byte[]? softwareEntropy = null;
+            byte[]? complementSecret = null;
+
+            try
+            {
+                newPrimaryKey = credentials.NewPrimaryCredential is null ? currentKey : ExportKey(credentials.NewPrimaryCredential);
+                softwareEntropy = DecryptSoftwareEntropy(currentKey);
+                complementSecret = DeriveComplementSecret(newPrimaryKey, GetPrimaryMethod(newAuthentication));
+
+                ReEncryptKeystore(complementSecret, softwareEntropy);
+                _sharesDataModel = CreateShares(VaultParser.V4WrapComplementSecret(complementSecret, newComplementKey, GetVaultId(), newComplementMethod));
+                _writeShares = true;
+            }
+            finally
+            {
+                Zero(newPrimaryKey, currentKey);
+                Zero(complementSecret);
+                Zero(softwareEntropy);
+                Zero(newComplementKey);
+                Zero(currentKey);
+            }
+
+        }
+
+        private void ReplaceComplementation(
+            ComplementationCredentials credentials,
+            AuthenticationMethod oldAuthentication,
+            AuthenticationMethod newAuthentication)
+        {
+            var newComplementMethod = newAuthentication.Complementation ?? throw new InvalidOperationException("Complementation method is missing.");
+            var currentKey = ExportKey(credentials.CurrentCredential);
+            var newComplementKey = ExportKey(credentials.NewComplementCredential ?? throw new InvalidOperationException("New complement credentials are required."));
+            byte[]? complementSecret = null;
+            byte[]? softwareEntropy = null;
+
+            try
+            {
+                complementSecret = RecoverComplementSecret(currentKey, oldAuthentication, allowPrimary: true);
+                softwareEntropy = DecryptSoftwareEntropy(complementSecret);
+
+                ReEncryptKeystore(complementSecret, softwareEntropy);
+                _sharesDataModel = CreateShares(VaultParser.V4WrapComplementSecret(complementSecret, newComplementKey, GetVaultId(), newComplementMethod));
+                _writeShares = true;
+            }
+            finally
+            {
+                Zero(softwareEntropy);
+                Zero(complementSecret);
+                Zero(newComplementKey);
+                Zero(currentKey);
+            }
+        }
+
+        private void RemoveComplementation(ComplementationCredentials credentials, AuthenticationMethod oldAuthentication)
+        {
+            var currentPrimaryKey = ExportKey(credentials.CurrentCredential);
+            byte[]? targetPasskey = null;
+            byte[]? complementSecret = null;
+            byte[]? softwareEntropy = null;
+
+            try
+            {
+                targetPasskey = credentials.NewPrimaryCredential is null ? currentPrimaryKey : ExportKey(credentials.NewPrimaryCredential);
+                complementSecret = DeriveComplementSecret(currentPrimaryKey, GetPrimaryMethod(oldAuthentication));
+                softwareEntropy = DecryptSoftwareEntropy(complementSecret);
+
+                ReEncryptKeystore(targetPasskey, softwareEntropy);
+                _sharesDataModel = null;
+                _writeShares = true;
+            }
+            finally
+            {
+                Zero(softwareEntropy);
+                Zero(complementSecret);
+                Zero(targetPasskey, currentPrimaryKey);
+                Zero(currentPrimaryKey);
+            }
+        }
+
+        private void ChangePrimaryAndPreserveComplementation(
+            ComplementationCredentials credentials,
+            AuthenticationMethod oldAuthentication,
+            AuthenticationMethod newAuthentication)
+        {
+            var oldComplementMethod = oldAuthentication.Complementation ?? throw new InvalidOperationException("Complementation method is missing.");
+            var newComplementMethod = newAuthentication.Complementation ?? throw new InvalidOperationException("Complementation method is missing.");
+            var currentComplementKey = ExportKey(credentials.CurrentComplementCredential ?? credentials.CurrentCredential);
+            var newPrimaryKey = ExportKey(credentials.NewPrimaryCredential ?? throw new InvalidOperationException("New primary credentials are required."));
+            byte[]? newComplementKey = null;
+            byte[]? oldComplementSecret = null;
+            byte[]? newComplementSecret = null;
+            byte[]? softwareEntropy = null;
+
+            try
+            {
+                oldComplementSecret = RecoverComplementSecretFromShare(currentComplementKey, oldComplementMethod);
+                softwareEntropy = DecryptSoftwareEntropy(oldComplementSecret);
+                newComplementSecret = DeriveComplementSecret(newPrimaryKey, GetPrimaryMethod(newAuthentication));
+
+                newComplementKey = string.Equals(oldComplementMethod, newComplementMethod, StringComparison.Ordinal)
+                    ? currentComplementKey
+                    : ExportKey(credentials.NewComplementCredential ?? throw new InvalidOperationException("New complement credentials are required."));
+
+                ReEncryptKeystore(newComplementSecret, softwareEntropy);
+                _sharesDataModel = CreateShares(VaultParser.V4WrapComplementSecret(newComplementSecret, newComplementKey, GetVaultId(), newComplementMethod));
+                _writeShares = true;
+            }
+            finally
+            {
+                Zero(softwareEntropy);
+                Zero(newComplementSecret);
+                Zero(oldComplementSecret);
+                Zero(newComplementKey, currentComplementKey);
+                Zero(newPrimaryKey);
+                Zero(currentComplementKey);
+            }
+        }
+
+        private byte[] RecoverComplementSecret(byte[] currentKey, AuthenticationMethod oldAuthentication, bool allowPrimary)
+        {
+            CryptographicException? lastException = null;
+
+            if (allowPrimary)
+            {
+                byte[]? complementSecret = null;
+                byte[]? softwareEntropy = null;
+                try
+                {
+                    complementSecret = DeriveComplementSecret(currentKey, GetPrimaryMethod(oldAuthentication));
+                    softwareEntropy = DecryptSoftwareEntropy(complementSecret);
+                    return complementSecret;
+                }
+                catch (CryptographicException ex)
+                {
+                    lastException = ex;
+                    Zero(complementSecret);
+                }
+                finally
+                {
+                    Zero(softwareEntropy);
+                }
+            }
+
+            if (!string.IsNullOrWhiteSpace(oldAuthentication.Complementation))
+                return RecoverComplementSecretFromShare(currentKey, oldAuthentication.Complementation, lastException);
+
+            throw lastException ?? new CryptographicException("The complement secret could not be recovered.");
+        }
+
+        private byte[] RecoverComplementSecretFromShare(byte[] currentKey, string complementMethod, CryptographicException? fallbackException = null)
+        {
+            var share = GetShare(complementMethod);
+            byte[]? complementSecret = null;
+            byte[]? softwareEntropy = null;
+
+            try
+            {
+                complementSecret = VaultParser.V4UnwrapComplementSecret(currentKey, GetVaultId(), share);
+                softwareEntropy = DecryptSoftwareEntropy(complementSecret);
+                return complementSecret;
+            }
+            catch (CryptographicException) when (fallbackException is not null)
+            {
+                Zero(complementSecret);
+                throw fallbackException;
+            }
+            catch
+            {
+                Zero(complementSecret);
+                throw;
+            }
+            finally
+            {
+                Zero(softwareEntropy);
+            }
+        }
+
+        private byte[] DeriveComplementSecret(byte[] passkey, string authenticationMethodId)
+        {
+            var complementSecret = new byte[ComplementSecretLength];
+            try
+            {
+                VaultParser.V4DeriveComplementKey(passkey, GetVaultId(), authenticationMethodId, complementSecret);
+                return complementSecret;
+            }
+            catch
+            {
+                Zero(complementSecret);
+                throw;
+            }
+        }
+
+        private byte[] DecryptSoftwareEntropy(byte[] passkey)
+        {
+            ArgumentNullException.ThrowIfNull(_existingKeystoreDataModel);
+
+            var softwareEntropy = new byte[ComplementSecretLength];
+            try
+            {
+                VaultParser.V4DecryptSoftwareEntropy(passkey, _existingKeystoreDataModel, softwareEntropy);
+                return softwareEntropy;
+            }
+            catch
+            {
+                Zero(softwareEntropy);
+                throw;
+            }
+        }
+
+        private void ReEncryptKeystore(byte[] passkey, byte[] softwareEntropy)
+        {
+            ArgumentNullException.ThrowIfNull(_keyPair);
+
+            var salt = new byte[Cryptography.Constants.KeyTraits.SALT_LENGTH];
+            RandomNumberGenerator.Fill(salt);
+
+            _keystoreDataModel = _keyPair.UseKeys((dekKey, macKey) =>
+                VaultParser.V4ReEncryptKeystore(passkey, dekKey, macKey, salt, softwareEntropy));
+        }
+
+        private VaultShareDataModel GetShare(string authenticationMethodId)
+        {
+            return _existingSharesDataModel?.Shares?.FirstOrDefault(x =>
+                       string.Equals(x.AuthenticationMethodId, authenticationMethodId, StringComparison.Ordinal))
+                   ?? throw new InvalidOperationException($"Complementation share '{authenticationMethodId}' was not found.");
+        }
+
+        private string GetVaultId()
+        {
+            ArgumentNullException.ThrowIfNull(_existingConfigDataModel);
+            return _existingConfigDataModel.Uid;
+        }
+
+        private static string GetPrimaryMethod(AuthenticationMethod authenticationMethod)
+        {
+            return authenticationMethod.Methods.FirstOrDefault() ?? throw new InvalidOperationException("Primary authentication is missing.");
+        }
+
+        private static VaultSharesDataModel CreateShares(VaultShareDataModel shareDataModel)
+        {
+            return new()
+            {
+                Shares = [ shareDataModel ]
+            };
+        }
+
+        private static byte[] ExportKey(IKeyUsage key)
+        {
+            var exported = new byte[key.Length];
+            try
+            {
+                key.UseKey(source => source.CopyTo(exported));
+                return exported;
+            }
+            catch
+            {
+                Zero(exported);
+                throw;
+            }
+        }
+
+        private static void Zero(byte[]? key)
+        {
+            if (key is not null)
+                CryptographicOperations.ZeroMemory(key);
+        }
+
+        private static void Zero(byte[]? key, byte[] sameAs)
+        {
+            if (key is not null && !ReferenceEquals(key, sameAs))
+                CryptographicOperations.ZeroMemory(key);
+        }
+
+        /// <inheritdoc/>
+        public async Task<IDisposable> FinalizeAsync(CancellationToken cancellationToken)
+        {
+            ArgumentNullException.ThrowIfNull(_keyPair);
+            ArgumentNullException.ThrowIfNull(_keystoreDataModel);
+            ArgumentNullException.ThrowIfNull(_configDataModel);
+
+            _keyPair.MacKey.UseKey(macKey =>
+            {
+                VaultParser.V4CalculateConfigMac(_configDataModel, macKey, _configDataModel.PayloadMac);
+            });
+
+            await _vaultWriter.WriteKeystoreAsync(_keystoreDataModel, cancellationToken);
+            await _vaultWriter.WriteV4ConfigurationAsync(_configDataModel, cancellationToken);
+
+            if (_writeShares)
+                await _vaultWriter.WriteComplementationAsync(_sharesDataModel, cancellationToken);
+
+            using (_keyPair)
+                return new SecurityWrapper(_keyPair.CreateCopy(), _configDataModel);
+        }
+
+        /// <inheritdoc/>
+        public void Dispose()
+        {
+            _keyPair?.Dispose();
+        }
+    }
+}
diff --git a/src/Core/SecureFolderFS.Core/Routines/Operational/UnlockRoutine.cs b/src/Core/SecureFolderFS.Core/Routines/Operational/UnlockRoutine.cs
index 1de4732a1..b3449b2c7 100644
--- a/src/Core/SecureFolderFS.Core/Routines/Operational/UnlockRoutine.cs
+++ b/src/Core/SecureFolderFS.Core/Routines/Operational/UnlockRoutine.cs
@@ -1,4 +1,6 @@
 using System;
+using System.Linq;
+using System.Security.Cryptography;
 using System.Threading;
 using System.Threading.Tasks;
 using SecureFolderFS.Core.Cryptography;
@@ -7,6 +9,7 @@
 using SecureFolderFS.Core.Validators;
 using SecureFolderFS.Core.VaultAccess;
 using SecureFolderFS.Shared.ComponentModel;
+using SecureFolderFS.Shared.Models;
 using SecureFolderFS.Shared.SecureStore;
 
 namespace SecureFolderFS.Core.Routines.Operational
@@ -17,6 +20,7 @@ internal sealed class UnlockRoutine : ICredentialsRoutine
         private readonly VaultReader _vaultReader;
         private V4VaultKeystoreDataModel? _keystoreDataModel;
         private V4VaultConfigurationDataModel? _configDataModel;
+        private VaultSharesDataModel? _sharesDataModel;
         private SecureKey? _dekKey;
         private SecureKey? _macKey;
 
@@ -30,6 +34,7 @@ public async Task InitAsync(CancellationToken cancellationToken)
         {
             _configDataModel = await _vaultReader.ReadV4ConfigurationAsync(cancellationToken);
             _keystoreDataModel = await _vaultReader.ReadKeystoreAsync<V4VaultKeystoreDataModel>(cancellationToken);
+            _sharesDataModel = await _vaultReader.ReadComplementationAsync(cancellationToken);
         }
 
         /// <inheritdoc/>
@@ -38,11 +43,75 @@ public void SetCredentials(IKeyUsage passkey)
             ArgumentNullException.ThrowIfNull(_configDataModel);
             ArgumentNullException.ThrowIfNull(_keystoreDataModel);
 
-            var derived = passkey.UseKey(key => VaultParser.V4DeriveKeystore(key, _keystoreDataModel));
+            var authenticationMethod = AuthenticationMethod.FromString(_configDataModel.AuthenticationMethod);
+            var derived = string.IsNullOrWhiteSpace(authenticationMethod.Complementation)
+                ? passkey.UseKey(key => VaultParser.V4DeriveKeystore(key, _keystoreDataModel))
+                : DeriveComplementedKeystore(passkey, authenticationMethod);
+
             _dekKey = SecureKey.TakeOwnership(derived.dekKey);
             _macKey = SecureKey.TakeOwnership(derived.macKey);
         }
 
+        private (byte[] dekKey, byte[] macKey) DeriveComplementedKeystore(IKeyUsage passkey, AuthenticationMethod authenticationMethod)
+        {
+            ArgumentNullException.ThrowIfNull(_configDataModel);
+            ArgumentNullException.ThrowIfNull(_keystoreDataModel);
+
+            Exception? lastException = null;
+            var primaryMethodId = authenticationMethod.Methods.FirstOrDefault() ?? throw new InvalidOperationException("Primary authentication is missing.");
+
+            try
+            {
+                return passkey.UseKey(key =>
+                {
+                    Span<byte> complementSecret = stackalloc byte[32];
+                    try
+                    {
+                        VaultParser.V4DeriveComplementKey(key, _configDataModel.Uid, primaryMethodId, complementSecret);
+                        return VaultParser.V4DeriveKeystore(complementSecret, _keystoreDataModel);
+                    }
+                    finally
+                    {
+                        CryptographicOperations.ZeroMemory(complementSecret);
+                    }
+                });
+            }
+            catch (CryptographicException ex)
+            {
+                lastException = ex;
+            }
+
+            foreach (var share in _sharesDataModel?.Shares ?? [])
+            {
+                if (share.WrappedComplementSecret is null
+                    || share.Tag is null
+                    || share.Nonce is null
+                    || share.AuthenticationMethodId is null)
+                    continue;
+
+                if (!string.Equals(share.AuthenticationMethodId, authenticationMethod.Complementation, StringComparison.Ordinal))
+                    continue;
+
+                byte[]? complementSecret = null;
+                try
+                {
+                    complementSecret = passkey.UseKey(key => VaultParser.V4UnwrapComplementSecret(key, _configDataModel.Uid, share));
+                    return VaultParser.V4DeriveKeystore(complementSecret, _keystoreDataModel);
+                }
+                catch (CryptographicException ex)
+                {
+                    lastException = ex;
+                }
+                finally
+                {
+                    if (complementSecret is not null)
+                        CryptographicOperations.ZeroMemory(complementSecret);
+                }
+            }
+
+            throw lastException ?? new CryptographicException("The complemented credentials could not unlock this vault.");
+        }
+
         /// <inheritdoc/>
         public async Task<IDisposable> FinalizeAsync(CancellationToken cancellationToken)
         {
diff --git a/src/Core/SecureFolderFS.Core/Routines/Operational/VaultRoutines.cs b/src/Core/SecureFolderFS.Core/Routines/Operational/VaultRoutines.cs
index 07f10296e..448a75927 100644
--- a/src/Core/SecureFolderFS.Core/Routines/Operational/VaultRoutines.cs
+++ b/src/Core/SecureFolderFS.Core/Routines/Operational/VaultRoutines.cs
@@ -51,6 +51,12 @@ public IModifyCredentialsRoutine ModifyCredentials()
             return new ModifyCredentialsRoutine(VaultReader, VaultWriter);
         }
 
+        public ModifyComplementationRoutine ModifyComplementation()
+        {
+            CheckVaultValidation();
+            return new ModifyComplementationRoutine(VaultReader, VaultWriter);
+        }
+
         private void CheckVaultValidation()
         {
             if (!_validationResult.Successful)
diff --git a/src/Core/SecureFolderFS.Core/VaultAccess/VaultParser.cs b/src/Core/SecureFolderFS.Core/VaultAccess/VaultParser.cs
index 28bfc518d..47fea346b 100644
--- a/src/Core/SecureFolderFS.Core/VaultAccess/VaultParser.cs
+++ b/src/Core/SecureFolderFS.Core/VaultAccess/VaultParser.cs
@@ -265,6 +265,86 @@ public static void V4DecryptSoftwareEntropy(
                 softwareEntropy);
         }
 
+        public static void V4DeriveComplementKey(
+            ReadOnlySpan<byte> passkey,
+            string vaultId,
+            string authenticationMethodId,
+            Span<byte> complementKey)
+        {
+            ArgumentException.ThrowIfNullOrWhiteSpace(vaultId);
+            ArgumentException.ThrowIfNullOrWhiteSpace(authenticationMethodId);
+
+            var salt = Encoding.UTF8.GetBytes(vaultId);
+            var info = Encoding.UTF8.GetBytes(authenticationMethodId);
+
+            HKDF.DeriveKey(
+                HashAlgorithmName.SHA256,
+                passkey,
+                complementKey,
+                salt,
+                info);
+        }
+
+        public static VaultShareDataModel V4WrapComplementSecret(
+            ReadOnlySpan<byte> complementSecret,
+            ReadOnlySpan<byte> wrappingKeyMaterial,
+            string vaultId,
+            string authenticationMethodId)
+        {
+            Span<byte> complementWrapKey = stackalloc byte[32];
+            try
+            {
+                V4DeriveComplementKey(wrappingKeyMaterial, vaultId, authenticationMethodId, complementWrapKey);
+
+                var nonce = new byte[12];
+                var tag = new byte[16];
+                var wrapped = new byte[complementSecret.Length];
+                RandomNumberGenerator.Fill(nonce);
+
+                using (var aes = new AesGcm(complementWrapKey, 16))
+                    aes.Encrypt(nonce, complementSecret, wrapped, tag);
+
+                return new()
+                {
+                    AuthenticationMethodId = authenticationMethodId,
+                    Nonce = nonce,
+                    WrappedComplementSecret = wrapped,
+                    Tag = tag
+                };
+            }
+            finally
+            {
+                CryptographicOperations.ZeroMemory(complementWrapKey);
+            }
+        }
+
+        public static byte[] V4UnwrapComplementSecret(
+            ReadOnlySpan<byte> wrappingKeyMaterial,
+            string vaultId,
+            VaultShareDataModel shareDataModel)
+        {
+            ArgumentNullException.ThrowIfNull(shareDataModel.AuthenticationMethodId);
+            ArgumentNullException.ThrowIfNull(shareDataModel.Nonce);
+            ArgumentNullException.ThrowIfNull(shareDataModel.WrappedComplementSecret);
+            ArgumentNullException.ThrowIfNull(shareDataModel.Tag);
+
+            Span<byte> complementWrapKey = stackalloc byte[32];
+            try
+            {
+                V4DeriveComplementKey(wrappingKeyMaterial, vaultId, shareDataModel.AuthenticationMethodId, complementWrapKey);
+
+                var complementSecret = new byte[shareDataModel.WrappedComplementSecret.Length];
+                using var aes = new AesGcm(complementWrapKey, 16);
+                aes.Decrypt(shareDataModel.Nonce, shareDataModel.WrappedComplementSecret, shareDataModel.Tag, complementSecret);
+
+                return complementSecret;
+            }
+            finally
+            {
+                CryptographicOperations.ZeroMemory(complementWrapKey);
+            }
+        }
+
         /// <summary>
         /// Shared implementation for both <see cref="V4EncryptKeystore"/> and <see cref="V4ReEncryptKeystore"/>.
         /// Encrypts the provided entropy under the passkey and wraps DEK/MAC under the augmented KEK.
diff --git a/src/Core/SecureFolderFS.Core/VaultAccess/VaultReader.cs b/src/Core/SecureFolderFS.Core/VaultAccess/VaultReader.cs
index 304ed0faa..4615172ee 100644
--- a/src/Core/SecureFolderFS.Core/VaultAccess/VaultReader.cs
+++ b/src/Core/SecureFolderFS.Core/VaultAccess/VaultReader.cs
@@ -53,6 +53,19 @@ public async Task<V4VaultConfigurationDataModel> ReadV4ConfigurationAsync(Cancel
             return await ReadDataAsync<V4VaultConfigurationDataModel>(configFile, _serializer, cancellationToken);
         }
 
+        public async Task<VaultSharesDataModel?> ReadComplementationAsync(CancellationToken cancellationToken)
+        {
+            try
+            {
+                var complementFile = await _vaultFolder.GetFileByNameAsync(Constants.Vault.Names.VAULT_COMPLEMENTATION_FILENAME, cancellationToken);
+                return await ReadDataAsync<VaultSharesDataModel?>(complementFile, _serializer, cancellationToken);
+            }
+            catch (Exception)
+            {
+                return null;
+            }
+        }
+
         public async Task<VersionDataModel> ReadVersionAsync(CancellationToken cancellationToken)
         {
             // Get configuration file
diff --git a/src/Core/SecureFolderFS.Core/VaultAccess/VaultWriter.cs b/src/Core/SecureFolderFS.Core/VaultAccess/VaultWriter.cs
index d30715db7..6c232d541 100644
--- a/src/Core/SecureFolderFS.Core/VaultAccess/VaultWriter.cs
+++ b/src/Core/SecureFolderFS.Core/VaultAccess/VaultWriter.cs
@@ -2,6 +2,7 @@
 using SecureFolderFS.Core.DataModels;
 using SecureFolderFS.Shared.ComponentModel;
 using SecureFolderFS.Shared.Extensions;
+using SecureFolderFS.Storage.Extensions;
 using System.IO;
 using System.Threading;
 using System.Threading.Tasks;
@@ -57,6 +58,29 @@ public async Task WriteV4ConfigurationAsync(V4VaultConfigurationDataModel? confi
             await WriteDataAsync(configFile, configDataModel, cancellationToken);
         }
 
+        public async Task WriteComplementationAsync(VaultSharesDataModel? sharesDataModel, CancellationToken cancellationToken)
+        {
+            if (sharesDataModel is null)
+            {
+                if (_vaultFolder is not IModifiableFolder modifiableFolder)
+                    return;
+
+                var existingFile = await modifiableFolder.TryGetFileByNameAsync(Constants.Vault.Names.VAULT_COMPLEMENTATION_FILENAME, cancellationToken);
+                if (existingFile is not null)
+                    await modifiableFolder.DeleteAsync(existingFile, cancellationToken);
+
+                return;
+            }
+
+            var complementFile = _vaultFolder switch
+            {
+                IModifiableFolder modifiableFolder => await modifiableFolder.CreateFileAsync(Constants.Vault.Names.VAULT_COMPLEMENTATION_FILENAME, true, cancellationToken),
+                _ => await _vaultFolder.GetFirstByNameAsync(Constants.Vault.Names.VAULT_COMPLEMENTATION_FILENAME, cancellationToken) as IFile
+            };
+
+            await WriteDataAsync(complementFile, sharesDataModel, cancellationToken);
+        }
+
         public async Task WriteAuthenticationAsync<TCapability>(string fileName, TCapability? authDataModel, CancellationToken cancellationToken)
             where TCapability : VaultCapabilityDataModel
         {
diff --git a/src/Platforms/SecureFolderFS.Maui/Platforms/Android/ServiceImplementation/AndroidVaultCredentialsService.cs b/src/Platforms/SecureFolderFS.Maui/Platforms/Android/ServiceImplementation/AndroidVaultCredentialsService.cs
index 002316b66..2915350ac 100644
--- a/src/Platforms/SecureFolderFS.Maui/Platforms/Android/ServiceImplementation/AndroidVaultCredentialsService.cs
+++ b/src/Platforms/SecureFolderFS.Maui/Platforms/Android/ServiceImplementation/AndroidVaultCredentialsService.cs
@@ -36,7 +36,7 @@ protected override async IAsyncEnumerable<AuthenticationViewModel> GetLoginAsync
             string vaultId,
             [EnumeratorCancellation] CancellationToken cancellationToken = default)
         {
-            foreach (var item in unlockProcedure.Methods)
+            foreach (var item in EnumerateLoginMethods(unlockProcedure))
             {
                 yield return item switch
                 {
diff --git a/src/Platforms/SecureFolderFS.Maui/Platforms/iOS/ServiceImplementation/IOSVaultCredentialsService.cs b/src/Platforms/SecureFolderFS.Maui/Platforms/iOS/ServiceImplementation/IOSVaultCredentialsService.cs
index 883f2ce4d..d651c1fc9 100644
--- a/src/Platforms/SecureFolderFS.Maui/Platforms/iOS/ServiceImplementation/IOSVaultCredentialsService.cs
+++ b/src/Platforms/SecureFolderFS.Maui/Platforms/iOS/ServiceImplementation/IOSVaultCredentialsService.cs
@@ -43,7 +43,7 @@ protected override async IAsyncEnumerable<AuthenticationViewModel> GetLoginAsync
             [EnumeratorCancellation] CancellationToken cancellationToken = default)
         {
             await Task.CompletedTask;
-            foreach (var item in unlockProcedure.Methods)
+            foreach (var item in EnumerateLoginMethods(unlockProcedure))
             {
                 yield return item switch
                 {
diff --git a/src/Platforms/SecureFolderFS.Maui/Popups/CredentialsPopup.xaml b/src/Platforms/SecureFolderFS.Maui/Popups/CredentialsPopup.xaml
index 4471df128..08a5c8ec0 100644
--- a/src/Platforms/SecureFolderFS.Maui/Popups/CredentialsPopup.xaml
+++ b/src/Platforms/SecureFolderFS.Maui/Popups/CredentialsPopup.xaml
@@ -80,6 +80,14 @@
                     <!--  Confirmation Panel  -->
                     <VerticalStackLayout IsVisible="{Binding IsRemoving, Mode=OneWay, Converter={StaticResource BoolInvertConverter}}" Spacing="16">
                         <uc:RegisterControl CurrentViewModel="{Binding RegisterViewModel.CurrentViewModel, Mode=OneWay}" />
+                        <HorizontalStackLayout Spacing="8">
+                            <CheckBox
+                                IsChecked="{Binding IsComplementing, Mode=TwoWay}"
+                                IsEnabled="{Binding IsComplementationAvailable, Mode=OneWay}"
+                                VerticalOptions="Center" />
+                            <Label Text="Use as substitute" VerticalOptions="Center" />
+                        </HorizontalStackLayout>
+
                         <Label Text="{l:ResourceString Rid=RecoveryKeyTip}" />
                     </VerticalStackLayout>
 
diff --git a/src/Platforms/SecureFolderFS.Maui/Views/Vault/LoginPage.xaml b/src/Platforms/SecureFolderFS.Maui/Views/Vault/LoginPage.xaml
index 6151047f7..3d1e9bc40 100644
--- a/src/Platforms/SecureFolderFS.Maui/Views/Vault/LoginPage.xaml
+++ b/src/Platforms/SecureFolderFS.Maui/Views/Vault/LoginPage.xaml
@@ -8,14 +8,17 @@
     xmlns:mi_cupertino="clr-namespace:MauiIcons.Cupertino;assembly=MauiIcons.Cupertino"
     xmlns:mi_material="clr-namespace:MauiIcons.Material;assembly=MauiIcons.Material"
     xmlns:uc="clr-namespace:SecureFolderFS.Maui.UserControls"
+    xmlns:ucc="clr-namespace:SecureFolderFS.Maui.UserControls.Common"
     xmlns:uco="clr-namespace:SecureFolderFS.Maui.UserControls.Options"
+    xmlns:vm="clr-namespace:SecureFolderFS.Sdk.ViewModels.Controls.Authentication;assembly=SecureFolderFS.Sdk"
+    x:Name="ThisPage"
     Title="{Binding ViewModel.VaultViewModel.Title, Mode=OneWay}"
     x:DataType="local:LoginPage">
 
     <Grid>
         <ScrollView>
             <Grid Padding="20">
-                <VerticalStackLayout VerticalOptions="Center">
+                <VerticalStackLayout Margin="0,-48,0,0" VerticalOptions="Center">
                     <!--  Lock icon plate + heading  -->
                     <VerticalStackLayout Margin="0,0,0,48" Spacing="16">
                         <Border
@@ -54,48 +57,62 @@
                             Text="{Binding ViewModel.LoginViewModel.AreCredentialsSaved, Mode=OneWay, Converter={StaticResource BoolToStringConverter}, ConverterParameter='false:localize|VaultLocked:true:localize|VaultUnlocked'}" />
                     </VerticalStackLayout>
 
-                    <!--  Remote connection progress indicator  -->
-                    <ActivityIndicator
-                        Margin="0,0,0,16"
-                        IsRunning="{Binding ViewModel.IsProgressing, Mode=OneWay}"
-                        IsVisible="{Binding ViewModel.LoginViewModel, Mode=OneWay, Converter={StaticResource NullToBoolConverter}}"
-                        Opacity="{Binding ViewModel.IsProgressing, Mode=OneWay, Converter={StaticResource BoolOpacityConverter}}" />
+                    <VerticalStackLayout>
+                        <!--  Remote connection progress indicator  -->
+                        <ActivityIndicator
+                            Margin="0,0,0,16"
+                            IsRunning="{Binding ViewModel.IsProgressing, Mode=OneWay}"
+                            IsVisible="{Binding ViewModel.LoginViewModel, Mode=OneWay, Converter={StaticResource NullToBoolConverter}}"
+                            Opacity="{Binding ViewModel.IsProgressing, Mode=OneWay, Converter={StaticResource BoolOpacityConverter}}" />
 
-                    <!--  Login  -->
-                    <uc:VaultLocatorControl
-                        CancelConnectionCommand="{Binding ViewModel.CancelConnectionCommand, Mode=OneWay}"
-                        ConnectCommand="{Binding ViewModel.ConnectToVaultCommand, Mode=OneWay}"
-                        IsConnected="{Binding ViewModel.LoginViewModel, Mode=OneWay, Converter={StaticResource NullToBoolConverter}}"
-                        IsRunning="{Binding ViewModel.ConnectToVaultCommand.IsRunning, Mode=OneWay}">
-                        <uc:VaultLocatorControl.LoginView>
-                            <VerticalStackLayout IsVisible="{Binding ViewModel.IsProgressing, Mode=OneWay, Converter={StaticResource BoolInvertConverter}}" Spacing="8">
-                                <uc:LoginControl CurrentViewModel="{Binding ViewModel.LoginViewModel.CurrentViewModel, Mode=OneWay}" ProvideContinuationButton="True" />
-                                <VerticalStackLayout>
-                                    <Button
-                                        Command="{Binding ViewModel.LoginViewModel.DiscardSavedCredentialsCommand}"
-                                        HorizontalOptions="{OnPlatform Android={LayoutOptions Alignment=Fill},
-                                                                       iOS={LayoutOptions Alignment=Center}}"
-                                        IsVisible="{Binding ViewModel.LoginViewModel.AreCredentialsSaved, Mode=OneWay}"
-                                        Style="{OnPlatform Android={StaticResource TransparentButtonStyle},
-                                                           iOS={StaticResource NoBackgroundButtonStyle}}"
-                                        Text="{l:ResourceString Rid=DiscardSavedCredentials}" />
-                                    <Button
-                                        Command="{Binding ViewModel.LoginViewModel.RecoverAccessCommand}"
-                                        HorizontalOptions="{OnPlatform Android={LayoutOptions Alignment=Fill},
-                                                                       iOS={LayoutOptions Alignment=Center}}"
-                                        IsVisible="{Binding ViewModel.LoginViewModel.CurrentViewModel, Mode=OneWay, Converter={StaticResource TypeNameBoolConverter}, ConverterParameter='MigrationViewModel,ErrorViewModel|invert'}"
-                                        Style="{OnPlatform Android={StaticResource TransparentButtonStyle},
-                                                           iOS={StaticResource NoBackgroundButtonStyle}}"
-                                        Text="{l:ResourceString Rid=RecoverAccess}" />
+                        <!--  Login  -->
+                        <uc:VaultLocatorControl
+                            CancelConnectionCommand="{Binding ViewModel.CancelConnectionCommand, Mode=OneWay}"
+                            ConnectCommand="{Binding ViewModel.ConnectToVaultCommand, Mode=OneWay}"
+                            IsConnected="{Binding ViewModel.LoginViewModel, Mode=OneWay, Converter={StaticResource NullToBoolConverter}}"
+                            IsRunning="{Binding ViewModel.ConnectToVaultCommand.IsRunning, Mode=OneWay}">
+                            <uc:VaultLocatorControl.LoginView>
+                                <VerticalStackLayout IsVisible="{Binding ViewModel.IsProgressing, Mode=OneWay, Converter={StaticResource BoolInvertConverter}}" Spacing="8">
+                                    <uc:LoginControl CurrentViewModel="{Binding ViewModel.LoginViewModel.CurrentViewModel, Mode=OneWay}" ProvideContinuationButton="True" />
+                                    <VerticalStackLayout>
+                                        <Button
+                                            Command="{Binding ViewModel.LoginViewModel.DiscardSavedCredentialsCommand}"
+                                            HorizontalOptions="{OnPlatform Android={LayoutOptions Alignment=Fill},
+                                                                           iOS={LayoutOptions Alignment=Center}}"
+                                            IsVisible="{Binding ViewModel.LoginViewModel.AreCredentialsSaved, Mode=OneWay}"
+                                            Style="{OnPlatform Android={StaticResource TransparentButtonStyle},
+                                                               iOS={StaticResource NoBackgroundButtonStyle}}"
+                                            Text="{l:ResourceString Rid=DiscardSavedCredentials}" />
+                                        <Button
+                                            Command="{Binding ViewModel.LoginViewModel.RecoverAccessCommand}"
+                                            HorizontalOptions="{OnPlatform Android={LayoutOptions Alignment=Fill},
+                                                                           iOS={LayoutOptions Alignment=Center}}"
+                                            IsVisible="{Binding ViewModel.LoginViewModel.CurrentViewModel, Mode=OneWay, Converter={StaticResource TypeNameBoolConverter}, ConverterParameter='MigrationViewModel,ErrorViewModel|invert'}"
+                                            Style="{OnPlatform Android={StaticResource TransparentButtonStyle},
+                                                               iOS={StaticResource NoBackgroundButtonStyle}}"
+                                            Text="{l:ResourceString Rid=RecoverAccess}" />
+                                    </VerticalStackLayout>
                                 </VerticalStackLayout>
-                            </VerticalStackLayout>
-                        </uc:VaultLocatorControl.LoginView>
-                    </uc:VaultLocatorControl>
+                            </uc:VaultLocatorControl.LoginView>
+                        </uc:VaultLocatorControl>
+                    </VerticalStackLayout>
                 </VerticalStackLayout>
 
                 <uco:OptionsContainer VerticalOptions="End">
                     <uco:OptionsContainer.InnerContent>
                         <VerticalStackLayout>
+                            <uco:OptionsControl Title="Login method" IsVisible="{Binding ViewModel.LoginViewModel.IsAlternativeLogin, Mode=OneWay}">
+                                <uco:OptionsControl.Slot>
+                                    <ucc:ModernPicker
+                                        BindingContext="{x:Reference ThisPage}"
+                                        HorizontalTextAlignment="End"
+                                        IsTransparent="True"
+                                        ItemDisplayBinding="{Binding Title, Mode=OneWay, x:DataType={x:Type vm:AuthenticationViewModel}}"
+                                        ItemsSource="{Binding ViewModel.LoginViewModel.AuthenticationOptions}"
+                                        SelectedIndexChanged="AuthenticationOptions_SelectedIndexChanged"
+                                        SelectedItem="{Binding ViewModel.LoginViewModel.SelectedAuthenticationOption, Mode=TwoWay}" />
+                                </uco:OptionsControl.Slot>
+                            </uco:OptionsControl>
                             <uco:OptionsControl Title="{l:ResourceString Rid=UnlockAsReadOnly}" IsSeparatorVisible="{Binding ViewModel.LoginViewModel.AreCredentialsSaved, Mode=OneWay, Converter={StaticResource BoolInvertConverter}}">
                                 <uco:OptionsControl.Slot>
                                     <Switch IsToggled="{Binding ViewModel.IsReadOnly, Mode=TwoWay}" />
diff --git a/src/Platforms/SecureFolderFS.Maui/Views/Vault/LoginPage.xaml.cs b/src/Platforms/SecureFolderFS.Maui/Views/Vault/LoginPage.xaml.cs
index 1bf54723f..bc59dfe75 100644
--- a/src/Platforms/SecureFolderFS.Maui/Views/Vault/LoginPage.xaml.cs
+++ b/src/Platforms/SecureFolderFS.Maui/Views/Vault/LoginPage.xaml.cs
@@ -115,6 +115,15 @@ await ViewModel.VaultNavigation.ForgetNavigateSpecificViewAsync(dashboardViewMod
                 => (x as IVaultViewContext)?.VaultViewModel.VaultModel.Equals(args.UnlockedVaultViewModel.VaultViewModel.VaultModel) ?? false);
             e.TaskCompletion?.TrySetResult(true);
         }
+        
+        private void AuthenticationOptions_SelectedIndexChanged(object? sender, EventArgs e)
+        {
+            if (sender is not Picker picker)
+                return;
+            
+            var option = ViewModel?.LoginViewModel?.AuthenticationOptions.ElementAtOrDefault(picker.SelectedIndex);
+            ViewModel?.LoginViewModel?.SelectAuthenticationOptionCommand.Execute(option);
+        }
 
         public VaultLoginViewModel? ViewModel
         {
diff --git a/src/Platforms/SecureFolderFS.UI/ServiceImplementation/BaseVaultCredentialsService.cs b/src/Platforms/SecureFolderFS.UI/ServiceImplementation/BaseVaultCredentialsService.cs
index 975126659..059d41919 100644
--- a/src/Platforms/SecureFolderFS.UI/ServiceImplementation/BaseVaultCredentialsService.cs
+++ b/src/Platforms/SecureFolderFS.UI/ServiceImplementation/BaseVaultCredentialsService.cs
@@ -2,6 +2,7 @@
 using System.Collections.Generic;
 using System.Linq;
 using System.Runtime.CompilerServices;
+using System.Security.Cryptography;
 using System.Threading;
 using System.Threading.Tasks;
 using OwlCore.Storage;
@@ -27,10 +28,18 @@ public virtual IEnumerable<string> GetEncodingOptions()
         /// <inheritdoc/>
         public virtual IEnumerable<string> GetContentCiphers()
         {
+            // Default to AES-GCM if supported, otherwise use XChaCha20-Poly1305.
+            // This is because AES-NI intrinsics are faster on supported platforms
+            if (AesGcm.IsSupported)
+                yield return Core.Cryptography.Constants.CipherId.AES_GCM;
+
+#if DEBUG
             if (!OperatingSystem.IsIOS())
                 yield return Core.Cryptography.Constants.CipherId.XCHACHA20_POLY1305;
+#else
+            yield return Core.Cryptography.Constants.CipherId.XCHACHA20_POLY1305;
+#endif
 
-            yield return Core.Cryptography.Constants.CipherId.AES_GCM;
             yield return Core.Cryptography.Constants.CipherId.NONE;
         }
 
@@ -85,5 +94,14 @@ public virtual async IAsyncEnumerable<AuthenticationViewModel> GetLoginAsync(IFo
 
         /// <inheritdoc/>
         public abstract IAsyncEnumerable<AuthenticationViewModel> GetCreationAsync(IFolder vaultFolder, string vaultId, CancellationToken cancellationToken = default);
+
+        protected static IEnumerable<string> EnumerateLoginMethods(AuthenticationMethod unlockProcedure)
+        {
+            foreach (var item in unlockProcedure.Methods)
+                yield return item;
+
+            if (!string.IsNullOrWhiteSpace(unlockProcedure.Complementation))
+                yield return unlockProcedure.Complementation;
+        }
     }
 }
diff --git a/src/Platforms/SecureFolderFS.UI/ServiceImplementation/VaultManagerService.cs b/src/Platforms/SecureFolderFS.UI/ServiceImplementation/VaultManagerService.cs
index 0322ef188..9d35efe10 100644
--- a/src/Platforms/SecureFolderFS.UI/ServiceImplementation/VaultManagerService.cs
+++ b/src/Platforms/SecureFolderFS.UI/ServiceImplementation/VaultManagerService.cs
@@ -55,6 +55,18 @@ public virtual async Task<IDisposable> RecoverAsync(IFolder vaultFolder, string
 
             return await recoveryRoutine.FinalizeAsync(cancellationToken);
         }
+        
+        /// <inheritdoc/>
+        public virtual async Task ModifyComplementationAsync(IFolder vaultFolder, IDisposable unlockContract, ComplementationCredentials credentials, VaultOptions vaultOptions, CancellationToken cancellationToken = default)
+        {
+            using var complementationRoutine = (await VaultRoutines.CreateRoutinesAsync(vaultFolder, StreamSerializer.Instance, cancellationToken)).ModifyComplementation();
+            await complementationRoutine.InitAsync(cancellationToken);
+            complementationRoutine.SetUnlockContract(unlockContract);
+            complementationRoutine.SetOptions(vaultOptions);
+            complementationRoutine.SetCredentials(credentials, cancellationToken);
+
+            using var result = await complementationRoutine.FinalizeAsync(cancellationToken);
+        }
 
         /// <inheritdoc/>
         public virtual async Task ModifyAuthenticationAsync(IFolder vaultFolder, IDisposable unlockContract, IKeyUsage newPasskey, VaultOptions vaultOptions, CancellationToken cancellationToken = default)
diff --git a/src/Platforms/SecureFolderFS.UI/ViewModels/Authentication/KeyFileViewModel.cs b/src/Platforms/SecureFolderFS.UI/ViewModels/Authentication/KeyFileViewModel.cs
index 948c60103..c50a87a38 100644
--- a/src/Platforms/SecureFolderFS.UI/ViewModels/Authentication/KeyFileViewModel.cs
+++ b/src/Platforms/SecureFolderFS.UI/ViewModels/Authentication/KeyFileViewModel.cs
@@ -32,7 +32,7 @@ public abstract class KeyFileViewModel : AuthenticationViewModel
         public override event EventHandler<EventArgs>? StateChanged;
 
         /// <inheritdoc/>
-        public sealed override bool CanComplement { get; } = false;
+        public sealed override bool CanComplement { get; } = true;
 
         /// <inheritdoc/>
         public sealed override AuthenticationStage Availability { get; } = AuthenticationStage.Any;
diff --git a/src/Platforms/SecureFolderFS.Uno/Dialogs/CredentialsDialog.xaml b/src/Platforms/SecureFolderFS.Uno/Dialogs/CredentialsDialog.xaml
index 3e97d670e..90c07f226 100644
--- a/src/Platforms/SecureFolderFS.Uno/Dialogs/CredentialsDialog.xaml
+++ b/src/Platforms/SecureFolderFS.Uno/Dialogs/CredentialsDialog.xaml
@@ -166,12 +166,7 @@
                     x:Load="{x:Bind IsRemoving, Mode=OneWay, Converter={StaticResource BoolInvertConverter}}"
                     Spacing="24">
                     <uc:RegisterControl CurrentViewModel="{x:Bind RegisterViewModel.CurrentViewModel, Mode=OneWay}" />
-                    <StackPanel
-                        x:Name="SubstitutePanel"
-                        x:Load="{x:Bind IsComplementationAvailable, Mode=OneWay}"
-                        Orientation="Horizontal"
-                        Spacing="8"
-                        Visibility="Collapsed">
+                    <StackPanel Orientation="Horizontal" Spacing="8">
                         <CheckBox
                             Content="Use as substitute"
                             IsChecked="{x:Bind IsComplementing, Mode=TwoWay}"
diff --git a/src/Platforms/SecureFolderFS.Uno/Platforms/Desktop/ServiceImplementation/SkiaVaultCredentialsService.cs b/src/Platforms/SecureFolderFS.Uno/Platforms/Desktop/ServiceImplementation/SkiaVaultCredentialsService.cs
index ad14c8323..0487ed7c7 100644
--- a/src/Platforms/SecureFolderFS.Uno/Platforms/Desktop/ServiceImplementation/SkiaVaultCredentialsService.cs
+++ b/src/Platforms/SecureFolderFS.Uno/Platforms/Desktop/ServiceImplementation/SkiaVaultCredentialsService.cs
@@ -58,7 +58,7 @@ protected override async IAsyncEnumerable<AuthenticationViewModel> GetLoginAsync
             [EnumeratorCancellation] CancellationToken cancellationToken = default)
         {
             await Task.CompletedTask;
-            foreach (var item in unlockProcedure.Methods)
+            foreach (var item in EnumerateLoginMethods(unlockProcedure))
             {
                 yield return item switch
                 {
diff --git a/src/Platforms/SecureFolderFS.Uno/Platforms/MacCatalyst/ServiceImplementation/MacOsVaultCredentialsService.cs b/src/Platforms/SecureFolderFS.Uno/Platforms/MacCatalyst/ServiceImplementation/MacOsVaultCredentialsService.cs
index 2eef69bc2..07a254338 100644
--- a/src/Platforms/SecureFolderFS.Uno/Platforms/MacCatalyst/ServiceImplementation/MacOsVaultCredentialsService.cs
+++ b/src/Platforms/SecureFolderFS.Uno/Platforms/MacCatalyst/ServiceImplementation/MacOsVaultCredentialsService.cs
@@ -28,7 +28,7 @@ public override async IAsyncEnumerable<AuthenticationViewModel> GetLoginAsync(IF
             var config = await vaultReader.ReadConfigurationAsync(cancellationToken);
             var authenticationMethod = AuthenticationMethod.FromString(config.AuthenticationMethod);
 
-            foreach (var item in authenticationMethod.Methods)
+            foreach (var item in EnumerateLoginMethods(authenticationMethod))
             {
                 yield return item switch
                 {
diff --git a/src/Platforms/SecureFolderFS.Uno/Platforms/Windows/ServiceImplementation/WindowsVaultCredentialsService.cs b/src/Platforms/SecureFolderFS.Uno/Platforms/Windows/ServiceImplementation/WindowsVaultCredentialsService.cs
index cbb1cac41..fd383a5fb 100644
--- a/src/Platforms/SecureFolderFS.Uno/Platforms/Windows/ServiceImplementation/WindowsVaultCredentialsService.cs
+++ b/src/Platforms/SecureFolderFS.Uno/Platforms/Windows/ServiceImplementation/WindowsVaultCredentialsService.cs
@@ -53,7 +53,7 @@ protected override async IAsyncEnumerable<AuthenticationViewModel> GetLoginAsync
             AuthenticationMethod unlockProcedure, string vaultId,
             [EnumeratorCancellation] CancellationToken cancellationToken = default)
         {
-            foreach (var item in unlockProcedure.Methods)
+            foreach (var item in EnumerateLoginMethods(unlockProcedure))
             {
                 yield return item switch
                 {
diff --git a/src/Platforms/SecureFolderFS.Uno/UserControls/InterfaceRoot/VaultPreviewRootControl.xaml b/src/Platforms/SecureFolderFS.Uno/UserControls/InterfaceRoot/VaultPreviewRootControl.xaml
index 618b2bd9a..5d8a1e702 100644
--- a/src/Platforms/SecureFolderFS.Uno/UserControls/InterfaceRoot/VaultPreviewRootControl.xaml
+++ b/src/Platforms/SecureFolderFS.Uno/UserControls/InterfaceRoot/VaultPreviewRootControl.xaml
@@ -51,10 +51,15 @@
                     <uc:LoginControl CurrentViewModel="{x:Bind ViewModel.LoginViewModel.CurrentViewModel, Mode=OneWay}" ProvideContinuationButton="True" />
                     <uc:LoginOptions
                         AreCredentialsSaved="{x:Bind ViewModel.LoginViewModel.AreCredentialsSaved, Mode=OneWay}"
+                        AuthenticationOptions="{x:Bind ViewModel.LoginViewModel.AuthenticationOptions, Mode=OneWay}"
                         DiscardSavedCredentialsCommand="{x:Bind ViewModel.LoginViewModel.DiscardSavedCredentialsCommand, Mode=OneWay}"
+                        IsAlternativeLogin="{x:Bind ViewModel.LoginViewModel.IsAlternativeLogin, Mode=OneWay}"
+                        IsLoginSequence="{x:Bind ViewModel.LoginViewModel.IsLoginSequence, Mode=OneWay}"
                         IsReadOnly="{x:Bind ViewModel.IsReadOnly, Mode=TwoWay}"
                         RecoverAccessCommand="{x:Bind ViewModel.RecoverAccessCommand, Mode=OneWay}"
                         RestartLoginCommand="{x:Bind ViewModel.LoginViewModel.RestartLoginProcessCommand, Mode=OneWay}"
+                        SelectAuthenticationOptionCommand="{x:Bind ViewModel.LoginViewModel.SelectAuthenticationOptionCommand, Mode=OneWay}"
+                        SelectedAuthenticationOption="{x:Bind ViewModel.LoginViewModel.SelectedAuthenticationOption, Mode=TwoWay}"
                         ShouldSaveCredentials="{x:Bind ViewModel.LoginViewModel.ShouldSaveCredentials, Mode=TwoWay}"
                         Visibility="{x:Bind ViewModel.LoginViewModel.CurrentViewModel, Mode=OneWay, Converter={StaticResource TypeNameVisibilityConverter}, ConverterParameter='MigrationViewModel,ErrorViewModel|invert'}" />
                 </StackPanel>
diff --git a/src/Platforms/SecureFolderFS.Uno/UserControls/LoginOptions.xaml b/src/Platforms/SecureFolderFS.Uno/UserControls/LoginOptions.xaml
index f4e0f0f53..7f310a46c 100644
--- a/src/Platforms/SecureFolderFS.Uno/UserControls/LoginOptions.xaml
+++ b/src/Platforms/SecureFolderFS.Uno/UserControls/LoginOptions.xaml
@@ -14,26 +14,38 @@
         Content="{l:ResourceString Rid=LoginOptions}">
         <FlyoutBase.AttachedFlyout>
             <Flyout>
-                <StackPanel Spacing="4">
-                    <CheckBox Content="{l:ResourceString Rid=UnlockAsReadOnly}" IsChecked="{x:Bind IsReadOnly, Mode=TwoWay}" />
-                    <CheckBox
-                        Content="{l:ResourceString Rid=SaveCredentials}"
-                        IsChecked="{x:Bind ShouldSaveCredentials, Mode=TwoWay}"
-                        IsEnabled="False"
-                        Visibility="{x:Bind AreCredentialsSaved, Mode=OneWay, Converter={StaticResource BoolInvertConverter}}" />
+                <StackPanel>
+                    <ComboBox
+                        x:Name="CredentialOptions"
+                        MinWidth="180"
+                        Margin="0,0,0,4"
+                        x:Load="{x:Bind AreCredentialsSaved, Mode=OneWay, Converter={StaticResource BoolInvertConverter}}"
+                        DisplayMemberPath="Title"
+                        ItemsSource="{x:Bind AuthenticationOptions, Mode=OneWay}"
+                        SelectedItem="{x:Bind SelectedAuthenticationOption, Mode=TwoWay}"
+                        SelectionChanged="AuthenticationOptions_SelectionChanged"
+                        Visibility="{x:Bind IsAlternativeLogin, Mode=OneWay, Converter={StaticResource BoolToVisibilityConverter}}" />
 
-                    <Button
-                        Command="{x:Bind DiscardSavedCredentialsCommand, Mode=OneWay}"
-                        Content="{l:ResourceString Rid=DiscardSavedCredentials}"
-                        Visibility="{x:Bind AreCredentialsSaved, Mode=OneWay, Converter={StaticResource BoolToVisibilityConverter}}" />
-                    <Button
-                        Command="{x:Bind RestartLoginCommand, Mode=OneWay}"
-                        Content="{l:ResourceString Rid=RestartLogin}"
-                        Visibility="{x:Bind IsLoginSequence, Mode=OneWay, Converter={StaticResource BoolToVisibilityConverter}}" />
-                    <Button
-                        HorizontalAlignment="Stretch"
-                        Command="{x:Bind RecoverAccessCommand, Mode=OneWay}"
-                        Content="{l:ResourceString Rid=RecoverAccess}" />
+                    <StackPanel Spacing="4">
+                        <CheckBox Content="{l:ResourceString Rid=UnlockAsReadOnly}" IsChecked="{x:Bind IsReadOnly, Mode=TwoWay}" />
+                        <CheckBox
+                            Content="{l:ResourceString Rid=SaveCredentials}"
+                            IsChecked="{x:Bind ShouldSaveCredentials, Mode=TwoWay}"
+                            Visibility="{x:Bind AreCredentialsSaved, Mode=OneWay, Converter={StaticResource BoolInvertConverter}}" />
+
+                        <Button
+                            Command="{x:Bind DiscardSavedCredentialsCommand, Mode=OneWay}"
+                            Content="{l:ResourceString Rid=DiscardSavedCredentials}"
+                            Visibility="{x:Bind AreCredentialsSaved, Mode=OneWay, Converter={StaticResource BoolToVisibilityConverter}}" />
+                        <Button
+                            Command="{x:Bind RestartLoginCommand, Mode=OneWay}"
+                            Content="{l:ResourceString Rid=RestartLogin}"
+                            Visibility="{x:Bind IsLoginSequence, Mode=OneWay, Converter={StaticResource BoolToVisibilityConverter}}" />
+                        <Button
+                            HorizontalAlignment="Stretch"
+                            Command="{x:Bind RecoverAccessCommand, Mode=OneWay}"
+                            Content="{l:ResourceString Rid=RecoverAccess}" />
+                    </StackPanel>
                 </StackPanel>
             </Flyout>
         </FlyoutBase.AttachedFlyout>
diff --git a/src/Platforms/SecureFolderFS.Uno/UserControls/LoginOptions.xaml.cs b/src/Platforms/SecureFolderFS.Uno/UserControls/LoginOptions.xaml.cs
index 4817cc650..9c3c15726 100644
--- a/src/Platforms/SecureFolderFS.Uno/UserControls/LoginOptions.xaml.cs
+++ b/src/Platforms/SecureFolderFS.Uno/UserControls/LoginOptions.xaml.cs
@@ -1,3 +1,4 @@
+using System.Collections;
 using System.Windows.Input;
 using Microsoft.UI.Xaml;
 using Microsoft.UI.Xaml.Controls;
@@ -52,6 +53,44 @@ public bool IsLoginSequence
         public static readonly DependencyProperty IsLoginSequenceProperty =
             DependencyProperty.Register(nameof(IsLoginSequence), typeof(bool), typeof(LoginOptions), new PropertyMetadata(false));
 
+        public bool IsAlternativeLogin
+        {
+            get => (bool)GetValue(IsAlternativeLoginProperty);
+            set => SetValue(IsAlternativeLoginProperty, value);
+        }
+        public static readonly DependencyProperty IsAlternativeLoginProperty =
+            DependencyProperty.Register(nameof(IsAlternativeLogin), typeof(bool), typeof(LoginOptions), new PropertyMetadata(false));
+
+        public IEnumerable? AuthenticationOptions
+        {
+            get => (IEnumerable?)GetValue(AuthenticationOptionsProperty);
+            set => SetValue(AuthenticationOptionsProperty, value);
+        }
+        public static readonly DependencyProperty AuthenticationOptionsProperty =
+            DependencyProperty.Register(nameof(AuthenticationOptions), typeof(IEnumerable), typeof(LoginOptions), new PropertyMetadata(null));
+
+        public object? SelectedAuthenticationOption
+        {
+            get => GetValue(SelectedAuthenticationOptionProperty);
+            set => SetValue(SelectedAuthenticationOptionProperty, value);
+        }
+        public static readonly DependencyProperty SelectedAuthenticationOptionProperty =
+            DependencyProperty.Register(nameof(SelectedAuthenticationOption), typeof(object), typeof(LoginOptions), new PropertyMetadata(null));
+
+        public ICommand? SelectAuthenticationOptionCommand
+        {
+            get => (ICommand?)GetValue(SelectAuthenticationOptionCommandProperty);
+            set => SetValue(SelectAuthenticationOptionCommandProperty, value);
+        }
+        public static readonly DependencyProperty SelectAuthenticationOptionCommandProperty =
+            DependencyProperty.Register(nameof(SelectAuthenticationOptionCommand), typeof(ICommand), typeof(LoginOptions), new PropertyMetadata(null));
+
+        private void AuthenticationOptions_SelectionChanged(object sender, SelectionChangedEventArgs e)
+        {
+            if (sender is ComboBox { SelectedItem: { } selectedItem } && SelectAuthenticationOptionCommand?.CanExecute(selectedItem) == true)
+                SelectAuthenticationOptionCommand.Execute(selectedItem);
+        }
+
         public ICommand? DiscardSavedCredentialsCommand
         {
             get => (ICommand?)GetValue(DiscardSavedCredentialsCommandProperty);
diff --git a/src/Platforms/SecureFolderFS.Uno/Views/Vault/VaultLoginPage.xaml b/src/Platforms/SecureFolderFS.Uno/Views/Vault/VaultLoginPage.xaml
index 1b3b976fe..628fe8b5f 100644
--- a/src/Platforms/SecureFolderFS.Uno/Views/Vault/VaultLoginPage.xaml
+++ b/src/Platforms/SecureFolderFS.Uno/Views/Vault/VaultLoginPage.xaml
@@ -50,10 +50,15 @@
 
                     <uc:LoginOptions
                         AreCredentialsSaved="{x:Bind ViewModel.LoginViewModel.AreCredentialsSaved, Mode=OneWay}"
+                        AuthenticationOptions="{x:Bind ViewModel.LoginViewModel.AuthenticationOptions, Mode=OneWay}"
                         DiscardSavedCredentialsCommand="{x:Bind ViewModel.LoginViewModel.DiscardSavedCredentialsCommand, Mode=OneWay}"
+                        IsAlternativeLogin="{x:Bind ViewModel.LoginViewModel.IsAlternativeLogin, Mode=OneWay}"
+                        IsLoginSequence="{x:Bind ViewModel.LoginViewModel.IsLoginSequence, Mode=OneWay}"
                         IsReadOnly="{x:Bind ViewModel.IsReadOnly, Mode=TwoWay}"
                         RecoverAccessCommand="{x:Bind ViewModel.LoginViewModel.RecoverAccessCommand, Mode=OneWay}"
                         RestartLoginCommand="{x:Bind ViewModel.LoginViewModel.RestartLoginProcessCommand, Mode=OneWay}"
+                        SelectAuthenticationOptionCommand="{x:Bind ViewModel.LoginViewModel.SelectAuthenticationOptionCommand, Mode=OneWay}"
+                        SelectedAuthenticationOption="{x:Bind ViewModel.LoginViewModel.SelectedAuthenticationOption, Mode=TwoWay}"
                         ShouldSaveCredentials="{x:Bind ViewModel.LoginViewModel.ShouldSaveCredentials, Mode=TwoWay}"
                         Visibility="{x:Bind ViewModel.LoginViewModel.CurrentViewModel, Mode=OneWay, Converter={StaticResource TypeNameVisibilityConverter}, ConverterParameter='MigrationViewModel,ErrorViewModel|invert'}" />
                 </StackPanel>
diff --git a/src/Sdk/SecureFolderFS.Sdk/Services/IVaultManagerService.cs b/src/Sdk/SecureFolderFS.Sdk/Services/IVaultManagerService.cs
index 97e0e6ec8..56dffa3e4 100644
--- a/src/Sdk/SecureFolderFS.Sdk/Services/IVaultManagerService.cs
+++ b/src/Sdk/SecureFolderFS.Sdk/Services/IVaultManagerService.cs
@@ -48,6 +48,8 @@ public interface IVaultManagerService
         // TODO: Consider using IVaultUnlockingModel
         //Task<IVaultUnlockingModel> GetUnlockingModelAsync(IFolder vaultFolder, CancellationToken cancellationToken = default);
 
+        Task ModifyComplementationAsync(IFolder vaultFolder, IDisposable unlockContract, ComplementationCredentials credentials, VaultOptions vaultOptions, CancellationToken cancellationToken = default);
+
         /// <summary>
         /// Modifies the configured authentication for the specified <paramref name="vaultFolder"/>.
         /// </summary>
diff --git a/src/Sdk/SecureFolderFS.Sdk/ViewModels/Controls/LoginViewModel.cs b/src/Sdk/SecureFolderFS.Sdk/ViewModels/Controls/LoginViewModel.cs
index 3802b2a5a..90320d553 100644
--- a/src/Sdk/SecureFolderFS.Sdk/ViewModels/Controls/LoginViewModel.cs
+++ b/src/Sdk/SecureFolderFS.Sdk/ViewModels/Controls/LoginViewModel.cs
@@ -1,4 +1,5 @@
 using System;
+using System.Collections.ObjectModel;
 using System.ComponentModel;
 using System.Linq;
 using System.Threading;
@@ -38,9 +39,12 @@ public sealed partial class LoginViewModel : ObservableObject, IViewable, IAsync
         [ObservableProperty] private string? _Title;
         [ObservableProperty] private bool _CanRecover;
         [ObservableProperty] private bool _IsLoginSequence;
+        [ObservableProperty] private bool _IsAlternativeLogin;
         [ObservableProperty] private bool _AreCredentialsSaved;
         [ObservableProperty] private bool _ShouldSaveCredentials;
         [ObservableProperty] private ICommand? _ProvideCredentialsCommand;
+        [ObservableProperty] private AuthenticationViewModel? _SelectedAuthenticationOption;
+        [ObservableProperty] private ObservableCollection<AuthenticationViewModel> _AuthenticationOptions;
         [ObservableProperty] private ReportableViewModel? _CurrentViewModel;
 
         /// <summary>
@@ -54,6 +58,7 @@ public LoginViewModel(IFolder vaultFolder, LoginViewType loginViewMode, KeySeque
             _vaultFolder = vaultFolder;
             _loginViewMode = loginViewMode;
             _keySequence = keySequence ?? new();
+            _AuthenticationOptions = new();
             _vaultWatcherModel = new VaultWatcherModel(_vaultFolder);
             _vaultWatcherModel.StateChanged += VaultWatcherModel_StateChanged;
         }
@@ -71,36 +76,14 @@ public async Task InitAsync(CancellationToken cancellationToken = default)
             //      2b. Offer to unlock (from 'provide keystore' view) using recovery key, if possible
             //
 
-            // Dispose previous state, if any
-            _keySequence.Dispose();
-            _loginSequence?.Dispose();
-
+            ResetLoginState();
             var validationResult = await VaultService.VaultValidator.TryValidateAsync(_vaultFolder, cancellationToken);
             if (validationResult.Successful)
             {
                 try
                 {
-                    if (!PersistedCredentialsModel.Instance.Credentials.IsEmpty()
-                        && _loginViewMode is LoginViewType.Full or LoginViewType.Constrained)
-                    {
-                        _vaultOptions = await VaultService.GetVaultOptionsAsync(_vaultFolder, cancellationToken);
-                        if (!string.IsNullOrEmpty(_vaultOptions.VaultId) && PersistedCredentialsModel.Instance.Credentials.ContainsKey(_vaultOptions.VaultId))
-                        {
-                            AreCredentialsSaved = true;
-                            CurrentViewModel = new PersistedAuthenticationViewModel(_vaultOptions.VaultId);
-                            return;
-                        }
-                    }
-
-                    // Get the authentication method enumerator for this vault
-                    var loginItems = await VaultCredentialsService.GetLoginAsync(_vaultFolder, cancellationToken).ToArrayAsyncImpl(cancellationToken);
-                    _loginSequence = new(loginItems);
-                    IsLoginSequence = _loginSequence.Count > 1;
-
-                    // Set up the first authentication method
-                    var result = ProceedAuthentication();
-                    if (!result.Successful)
-                        CurrentViewModel = new ErrorViewModel(result);
+                    var allowPersistedCredentials = _loginViewMode is LoginViewType.Full or LoginViewType.Constrained;
+                    await InitializeLoginAsync(allowPersistedCredentials, cancellationToken);
                 }
                 catch (NotSupportedException)
                 {
@@ -171,13 +154,8 @@ private async Task DiscardSavedCredentialsAsync(CancellationToken cancellationTo
                 if (!string.IsNullOrEmpty(vaultOptions.VaultId))
                 {
                     PersistedCredentialsModel.Instance.Remove(vaultOptions.VaultId);
-                    AreCredentialsSaved = false;
-
-                    _loginSequence?.Dispose();
-                    var loginItems = await VaultCredentialsService.GetLoginAsync(_vaultFolder, cancellationToken).ToArrayAsyncImpl(cancellationToken);
-                    _loginSequence = new(loginItems);
-                    IsLoginSequence = _loginSequence.Count > 1;
-                    RestartLoginProcess();
+                    ResetLoginState();
+                    await InitializeLoginAsync(allowPersistedCredentials: false, cancellationToken);
                 }
             }
             catch (Exception ex)
@@ -186,17 +164,82 @@ private async Task DiscardSavedCredentialsAsync(CancellationToken cancellationTo
             }
         }
 
+        private void ResetLoginState()
+        {
+            _keySequence.Dispose();
+            _loginSequence?.Dispose();
+            AuthenticationOptions.DisposeAll();
+            AuthenticationOptions.Clear();
+            SelectedAuthenticationOption = null;
+            IsAlternativeLogin = false;
+            IsLoginSequence = false;
+            AreCredentialsSaved = false;
+            _vaultOptions = null;
+        }
+
+        private async Task InitializeLoginAsync(bool allowPersistedCredentials, CancellationToken cancellationToken)
+        {
+            _vaultOptions = await VaultService.GetVaultOptionsAsync(_vaultFolder, cancellationToken);
+            if (allowPersistedCredentials
+                && !PersistedCredentialsModel.Instance.Credentials.IsEmpty()
+                && !string.IsNullOrEmpty(_vaultOptions.VaultId)
+                && PersistedCredentialsModel.Instance.Credentials.ContainsKey(_vaultOptions.VaultId))
+            {
+                AreCredentialsSaved = true;
+                IsAlternativeLogin = !string.IsNullOrWhiteSpace(_vaultOptions.UnlockProcedure.Complementation);
+                CurrentViewModel = new PersistedAuthenticationViewModel(_vaultOptions.VaultId);
+                return;
+            }
+
+            var loginItems = await VaultCredentialsService.GetLoginAsync(_vaultFolder, cancellationToken).ToArrayAsyncImpl(cancellationToken);
+            if (!string.IsNullOrWhiteSpace(_vaultOptions.UnlockProcedure.Complementation))
+            {
+                foreach (var item in loginItems)
+                    AuthenticationOptions.Add(item);
+
+                IsAlternativeLogin = AuthenticationOptions.Count > 1;
+                IsLoginSequence = false;
+                SelectedAuthenticationOption = AuthenticationOptions.FirstOrDefault();
+                CurrentViewModel = SelectedAuthenticationOption is not null
+                    ? SelectedAuthenticationOption
+                    : new ErrorViewModel("No authentication methods available.");
+                return;
+            }
+
+            // Set up the first authentication method
+            _loginSequence = new(loginItems);
+            IsLoginSequence = _loginSequence.Count > 1;
+            var result = ProceedAuthentication();
+            if (!result.Successful)
+                CurrentViewModel = new ErrorViewModel(result);
+        }
+
         [RelayCommand]
         private void RestartLoginProcess()
         {
             // Dispose built key sequence
             _keySequence.Dispose();
+
+            if (IsAlternativeLogin)
+                return;
+
             _loginSequence?.Reset();
             var result = ProceedAuthentication();
             if (!result.Successful)
                 CurrentViewModel = new ErrorViewModel(result);
         }
 
+        [RelayCommand]
+        private void SelectAuthenticationOption(AuthenticationViewModel? authenticationViewModel)
+        {
+            if (!IsAlternativeLogin || authenticationViewModel is null)
+                return;
+
+            _keySequence.Dispose();
+            SelectedAuthenticationOption = authenticationViewModel;
+            CurrentViewModel = authenticationViewModel;
+        }
+
         private async Task<bool> TryUnlockAsync(CancellationToken cancellationToken = default)
         {
             try
@@ -288,6 +331,14 @@ private async void CurrentViewModel_CredentialsProvided(object? sender, Credenti
                 // Add authentication
                 _keySequence.Add(e.Authentication);
 
+                if (IsAlternativeLogin)
+                {
+                    if (!await TryUnlockAsync())
+                        _keySequence.Dispose();
+
+                    return;
+                }
+
                 var result = ProceedAuthentication();
                 if (!result.Successful && CurrentViewModel is not ErrorViewModel)
                 {
@@ -341,6 +392,7 @@ public void Dispose()
                 authenticationViewModel.CredentialsProvided -= CurrentViewModel_CredentialsProvided;
 
             _keySequence.Dispose();
+            AuthenticationOptions.DisposeAll();
             _loginSequence?.Dispose();
         }
     }
diff --git a/src/Sdk/SecureFolderFS.Sdk/ViewModels/Views/Credentials/CredentialsConfirmationViewModel.cs b/src/Sdk/SecureFolderFS.Sdk/ViewModels/Views/Credentials/CredentialsConfirmationViewModel.cs
index 1d345b792..274d55571 100644
--- a/src/Sdk/SecureFolderFS.Sdk/ViewModels/Views/Credentials/CredentialsConfirmationViewModel.cs
+++ b/src/Sdk/SecureFolderFS.Sdk/ViewModels/Views/Credentials/CredentialsConfirmationViewModel.cs
@@ -109,7 +109,12 @@ private async Task ChangeCredentialsAsync(IKeyUsage key, VaultOptions configured
             };
 
             if (OldPasskey is not null)
-                await VaultManagerService.ModifyAuthenticationAsync(_vaultFolder, UnlockContract, OldPasskey, key, updatedOptions, cancellationToken);
+            {
+                if (RequiresComplementationRoutine(configuredOptions.UnlockProcedure, unlockProcedure))
+                    await VaultManagerService.ModifyComplementationAsync(_vaultFolder, UnlockContract, CreateComplementationCredentials(key, configuredOptions.UnlockProcedure, unlockProcedure), updatedOptions, cancellationToken);
+                else
+                    await VaultManagerService.ModifyAuthenticationAsync(_vaultFolder, UnlockContract, OldPasskey, key, updatedOptions, cancellationToken);
+            }
             else
                 await VaultManagerService.ModifyAuthenticationAsync(_vaultFolder, UnlockContract, key, updatedOptions, cancellationToken);
 
@@ -125,6 +130,67 @@ private async Task ChangeCredentialsAsync(IKeyUsage key, VaultOptions configured
                 await ConfiguredViewModel.RevokeAsync(configuredOptions.VaultId, cancellationToken);
         }
 
+        private ComplementationCredentials CreateComplementationCredentials(IKeyUsage key, AuthenticationMethod configuredProcedure, AuthenticationMethod updatedProcedure)
+        {
+            ArgumentNullException.ThrowIfNull(OldPasskey);
+
+            var currentCredential = GetCredentialAt(OldPasskey, 0) ?? OldPasskey;
+            var oldComplementation = configuredProcedure.Complementation;
+            var newComplementation = updatedProcedure.Complementation;
+            var primaryChanged = !configuredProcedure.Methods.SequenceEqual(updatedProcedure.Methods);
+
+            if (string.IsNullOrWhiteSpace(oldComplementation) && !string.IsNullOrWhiteSpace(newComplementation))
+            {
+                return new()
+                {
+                    CurrentCredential = currentCredential,
+                    NewComplementCredential = GetCredentialAt(key, 1) ?? key
+                };
+            }
+
+            if (!string.IsNullOrWhiteSpace(oldComplementation) && string.IsNullOrWhiteSpace(newComplementation))
+            {
+                return new()
+                {
+                    CurrentCredential = currentCredential,
+                    NewPrimaryCredential = updatedProcedure.Methods.Length > 1 ? key : null
+                };
+            }
+
+            if (!string.IsNullOrWhiteSpace(oldComplementation) && !string.IsNullOrWhiteSpace(newComplementation))
+            {
+                var updatePrimaryCredential = primaryChanged || _authenticationStage == AuthenticationStage.FirstStageOnly;
+                var updateComplementCredential = !string.Equals(oldComplementation, newComplementation, StringComparison.Ordinal) ||
+                                                 _authenticationStage == AuthenticationStage.ProceedingStageOnly;
+
+                return new()
+                {
+                    CurrentCredential = currentCredential,
+                    CurrentComplementCredential = GetCredentialAt(OldPasskey, 1),
+                    NewPrimaryCredential = updatePrimaryCredential ? GetCredentialAt(key, 0) ?? key : null,
+                    NewComplementCredential = updateComplementCredential ? GetCredentialAt(key, 1) ?? key : null
+                };
+            }
+
+            throw new InvalidOperationException("The requested authentication change does not involve complementation.");
+        }
+
+        private static bool RequiresComplementationRoutine(AuthenticationMethod configuredProcedure, AuthenticationMethod updatedProcedure)
+        {
+            var wasComplemented = !string.IsNullOrWhiteSpace(configuredProcedure.Complementation);
+            var willBeComplemented = !string.IsNullOrWhiteSpace(updatedProcedure.Complementation);
+            var complementationChanged = !string.Equals(configuredProcedure.Complementation, updatedProcedure.Complementation, StringComparison.Ordinal);
+
+            return complementationChanged || wasComplemented || willBeComplemented;
+        }
+
+        private static IKeyUsage? GetCredentialAt(IKeyUsage key, int index)
+        {
+            return key is KeySequence sequence
+                ? sequence.Keys.ElementAtOrDefault(index)
+                : index == 0 ? key : null;
+        }
+
         private void RegisterViewModel_CredentialsProvided(object? sender, CredentialsProvidedEventArgs e)
         {
             _credentialsTcs.TrySetResult(e.Authentication);
diff --git a/src/Sdk/SecureFolderFS.Sdk/ViewModels/Views/Credentials/CredentialsSelectionViewModel.cs b/src/Sdk/SecureFolderFS.Sdk/ViewModels/Views/Credentials/CredentialsSelectionViewModel.cs
index e41d72964..776aaf4ac 100644
--- a/src/Sdk/SecureFolderFS.Sdk/ViewModels/Views/Credentials/CredentialsSelectionViewModel.cs
+++ b/src/Sdk/SecureFolderFS.Sdk/ViewModels/Views/Credentials/CredentialsSelectionViewModel.cs
@@ -98,7 +98,7 @@ private async Task ItemSelected(AuthenticationViewModel? authenticationViewModel
             ConfirmationRequested?.Invoke(this, new(_vaultFolder, RegisterViewModel, _authenticationStage)
             {
                 IsRemoving = false,
-                IsComplementationAvailable = _authenticationStage != AuthenticationStage.FirstStageOnly,
+                IsComplementationAvailable = RegisterViewModel.CurrentViewModel?.CanComplement ?? false,
                 UnlockContract = UnlockContract,
                 OldPasskey = OldPasskey,
                 ConfiguredViewModel = ConfiguredViewModel
diff --git a/src/Shared/SecureFolderFS.Shared/Models/ComplementationCredentials.cs b/src/Shared/SecureFolderFS.Shared/Models/ComplementationCredentials.cs
new file mode 100644
index 000000000..6a9b5c862
--- /dev/null
+++ b/src/Shared/SecureFolderFS.Shared/Models/ComplementationCredentials.cs
@@ -0,0 +1,15 @@
+using SecureFolderFS.Shared.ComponentModel;
+
+namespace SecureFolderFS.Shared.Models
+{
+    public sealed record class ComplementationCredentials
+    {
+        public required IKeyUsage CurrentCredential { get; init; }
+
+        public IKeyUsage? CurrentComplementCredential { get; init; }
+
+        public IKeyUsage? NewPrimaryCredential { get; init; }
+
+        public IKeyUsage? NewComplementCredential { get; init; }
+    }
+}
diff --git a/tests/SecureFolderFS.Tests/CliTests/CliTestHost.cs b/tests/SecureFolderFS.Tests/CliTests/CliTestHost.cs
index fc8d7e255..3718fcaaf 100644
--- a/tests/SecureFolderFS.Tests/CliTests/CliTestHost.cs
+++ b/tests/SecureFolderFS.Tests/CliTests/CliTestHost.cs
@@ -99,19 +99,19 @@ private static IServiceProvider BuildServiceProvider(string settingsPath)
         return serviceProvider;
     }
 
-    private static CliApplication BuildApplication(IServiceProvider services)
+    private static CommandLineApplication BuildApplication(IServiceProvider services)
     {
-        return new CliApplicationBuilder()
-            .AddCommand<CredsAddCommand>()
-            .AddCommand<CredsChangeCommand>()
-            .AddCommand<CredsRemoveCommand>()
-            .AddCommand<VaultCreateCommand>()
-            .AddCommand<VaultInfoCommand>()
-            .AddCommand<VaultMountCommand>()
-            .AddCommand<VaultRunCommand>()
-            .AddCommand<VaultShellCommand>()
-            .AddCommand<VaultUnmountCommand>()
-            .UseTypeActivator(type => ActivatorUtilities.CreateInstance(services, type))
+        return new CommandLineApplicationBuilder()
+            .AddCommand(CredsAddCommand.Descriptor)
+            .AddCommand(CredsChangeCommand.Descriptor)
+            .AddCommand(CredsRemoveCommand.Descriptor)
+            .AddCommand(VaultCreateCommand.Descriptor)
+            .AddCommand(VaultInfoCommand.Descriptor)
+            .AddCommand(VaultMountCommand.Descriptor)
+            .AddCommand(VaultRunCommand.Descriptor)
+            .AddCommand(VaultShellCommand.Descriptor)
+            .AddCommand(VaultUnmountCommand.Descriptor)
+            .UseTypeInstantiator(type => ActivatorUtilities.CreateInstance(services, type))
             .Build();
     }
 }
diff --git a/tests/SecureFolderFS.Tests/CliTests/CommandDiscoveryTests.cs b/tests/SecureFolderFS.Tests/CliTests/CommandDiscoveryTests.cs
index 192e4f3dd..bee5ddc7b 100644
--- a/tests/SecureFolderFS.Tests/CliTests/CommandDiscoveryTests.cs
+++ b/tests/SecureFolderFS.Tests/CliTests/CommandDiscoveryTests.cs
@@ -1,5 +1,5 @@
 using CliFx;
-using CliFx.Attributes;
+using CliFx.Binding;
 using FluentAssertions;
 using NUnit.Framework;
 using SecureFolderFS.Cli.Commands;
@@ -41,4 +41,3 @@ public void CliAssembly_ExposesExpectedCommandTypes()
         ]);
     }
 }
-
diff --git a/tests/SecureFolderFS.Tests/Helpers/MockVaultHelpers.Latest.cs b/tests/SecureFolderFS.Tests/Helpers/MockVaultHelpers.Latest.cs
index 73957ff5f..6a9d5d13d 100644
--- a/tests/SecureFolderFS.Tests/Helpers/MockVaultHelpers.Latest.cs
+++ b/tests/SecureFolderFS.Tests/Helpers/MockVaultHelpers.Latest.cs
@@ -7,7 +7,7 @@ internal static partial class MockVaultHelpers
     {
         public static async Task<(IFolder, string)> CreateVaultLatestAsync(MockVaultOptions? options, CancellationToken cancellationToken = default)
         {
-            return await CreateVaultV3Async(options, cancellationToken);
+            return await CreateVaultV4Async(options, cancellationToken);
         }
     }
 }
diff --git a/tests/SecureFolderFS.Tests/Helpers/MockVaultHelpers.V4.cs b/tests/SecureFolderFS.Tests/Helpers/MockVaultHelpers.V4.cs
new file mode 100644
index 000000000..622e32796
--- /dev/null
+++ b/tests/SecureFolderFS.Tests/Helpers/MockVaultHelpers.V4.cs
@@ -0,0 +1,41 @@
+using OwlCore.Storage;
+using SecureFolderFS.Tests.Models;
+
+namespace SecureFolderFS.Tests.Helpers
+{
+    internal static partial class MockVaultHelpers
+    {
+        // Mock recovery key
+        public const string V4_RECOVERY_KEY = "osNie57du4qOxSkuxcyYd36RsQI3xPVnUpPad/aych4=@@@7wmweOio0sGGljnvBiggxo/65ZlvTnTfVNFmwFZ7W8g=";
+
+        private const string V4_KEYSTORE_STRING = """
+                                                  {
+                                                    "c_encryptionKey": "d0qVlgnquQr1NID0IdtrTd4pqzHkGxXWhHSpkrPuYtDXjVbm3ODpwQ==",
+                                                    "c_macKey": "ZKhu3nbUjoqV6ZGtU/gitauQBuC76iCwuDnLD6oa3Pav1srYcQN/zw==",
+                                                    "salt": "OEpZjy18/dbbS+i2LlmKjA==",
+                                                    "c_softwareEntropy": "T9dHlJg4WLmuKM4Qz1rcdIn0QsCdiGNNtU6EyzN03OA=",
+                                                    "entropyNonce": "buZqCJGGsukm87mP",
+                                                    "entropyTag": "AvsZawlWTMG3gBpuavmu4g=="
+                                                  }
+                                                  """;
+
+        private const string V4_SFCONFIG_STRING = """
+                                                  {
+                                                    "contentCipherScheme": "XChaCha20-Poly1305",
+                                                    "filenameCipherScheme": "AES-SIV",
+                                                    "filenameEncoding": "Base4K",
+                                                    "recycleBinSize": -1,
+                                                    "authMode": "password",
+                                                    "vaultId": "8a1fbf8a-b986-4f8a-a3d7-59df8d203e3a",
+                                                    "hmacsha256mac": "/gLIyGTCd8Y/bvj3YxY7JmmFEbCX3iDGYFVmeNMNw8w=",
+                                                    "version": 4
+                                                  }
+                                                  """;
+
+        public static async Task<(IFolder, string)> CreateVaultV4Async(MockVaultOptions? options,
+            CancellationToken cancellationToken = default)
+        {
+            return (await SetupMockVault(V4_SFCONFIG_STRING, V4_KEYSTORE_STRING, options, cancellationToken), V4_RECOVERY_KEY);
+        }
+    }
+}
diff --git a/tests/SecureFolderFS.Tests/VaultTests/CredentialTests.cs b/tests/SecureFolderFS.Tests/VaultTests/CredentialTests.cs
index a62e1603a..a63760b03 100644
--- a/tests/SecureFolderFS.Tests/VaultTests/CredentialTests.cs
+++ b/tests/SecureFolderFS.Tests/VaultTests/CredentialTests.cs
@@ -2,11 +2,14 @@
 using NUnit.Framework;
 using OwlCore.Storage;
 using OwlCore.Storage.Memory;
+using SecureFolderFS.Core.VaultAccess;
 using SecureFolderFS.Sdk.Services;
 using SecureFolderFS.Shared;
 using SecureFolderFS.Shared.ComponentModel;
 using SecureFolderFS.Shared.Extensions;
 using SecureFolderFS.Shared.Models;
+using SecureFolderFS.Shared.SecureStore;
+using SecureFolderFS.Storage.Extensions;
 using SecureFolderFS.UI.ViewModels.Authentication;
 using static SecureFolderFS.Core.Constants.Vault.Authentication;
 
@@ -195,6 +198,192 @@ public async Task ModifyAuthentication_InvalidUnlockContract_ThrowsArgumentExcep
             }
         }
 
+        [Test]
+        public async Task ModifyComplementation_AddKeyFile_AllowsPasswordOrKeyFile()
+        {
+            // Arrange
+            var vaultFolder = CreateVaultFolder();
+            var manager = DI.Service<IVaultManagerService>();
+            var vaultService = DI.Service<IVaultService>();
+            var vaultId = Guid.NewGuid().ToString("N");
+
+            var passwordProcedure = new AuthenticationMethod([AUTH_PASSWORD], null);
+            var complementedProcedure = new AuthenticationMethod([AUTH_PASSWORD], AUTH_KEYFILE);
+
+            using var password = await GetPasswordCreationCredentialAsync("Password#1");
+            using var _ = await manager.CreateAsync(vaultFolder, password, CreateOptions(passwordProcedure, vaultId));
+
+            using var unlockPasskey = await GetPasswordLoginCredentialAsync("Password#1");
+            using var unlockContract = await manager.UnlockAsync(vaultFolder, unlockPasskey);
+            using var keyFile = await GetKeyFileCreationCredentialAsync(vaultId);
+
+            // Act
+            await manager.ModifyComplementationAsync(vaultFolder, unlockContract, new()
+            {
+                CurrentCredential = unlockPasskey,
+                NewComplementCredential = keyFile
+            }, CreateOptions(complementedProcedure, vaultId));
+
+            // Assert
+            using var passwordOnlyPasskey = await GetPasswordLoginCredentialAsync("Password#1");
+            using var keyFileOnlyPasskey = keyFile.CreateCopy();
+            using var wrongPasswordPasskey = await GetPasswordLoginCredentialAsync("WrongPassword");
+            using var chainedPasskey = new KeySequence();
+            chainedPasskey.Add(await GetPasswordLoginCredentialAsync("Password#1"));
+            chainedPasskey.Add(keyFile.CreateCopy());
+
+            (await CanUnlockAsync(manager, vaultFolder, passwordOnlyPasskey)).Should().BeTrue();
+            (await CanUnlockAsync(manager, vaultFolder, keyFileOnlyPasskey)).Should().BeTrue();
+            (await CanUnlockAsync(manager, vaultFolder, chainedPasskey)).Should().BeFalse();
+            (await CanUnlockAsync(manager, vaultFolder, wrongPasswordPasskey)).Should().BeFalse();
+
+            var configuredOptions = await vaultService.GetVaultOptionsAsync(vaultFolder);
+            var shares = await new VaultReader(vaultFolder, StreamSerializer.Instance).ReadComplementationAsync(CancellationToken.None);
+
+            configuredOptions.UnlockProcedure.Should().BeEquivalentTo(complementedProcedure);
+            shares.Should().NotBeNull();
+            shares!.Shares.Should().ContainSingle(x => x.AuthenticationMethodId == AUTH_KEYFILE);
+        }
+
+        [Test]
+        public async Task ModifyComplementation_ReplaceComplement_UsesNewComplementAndRejectsOld()
+        {
+            // Arrange
+            var vaultFolder = CreateVaultFolder();
+            var manager = DI.Service<IVaultManagerService>();
+            var vaultService = DI.Service<IVaultService>();
+            var vaultId = Guid.NewGuid().ToString("N");
+
+            var biometricProcedure = new AuthenticationMethod([AUTH_PASSWORD], AUTH_APPLE_BIOMETRIC);
+            using var oldKeyFile = await CreatePasswordVaultWithKeyFileComplementAsync(manager, vaultFolder, "Password#1", vaultId);
+
+            using var oldComplementUnlock = oldKeyFile.CreateCopy();
+            using var unlockContract = await manager.UnlockAsync(vaultFolder, oldComplementUnlock);
+            using var newComplement = SecureKey.CreateSecureRandom(32);
+
+            // Act
+            await manager.ModifyComplementationAsync(vaultFolder, unlockContract, new()
+            {
+                CurrentCredential = oldKeyFile,
+                NewComplementCredential = newComplement
+            }, CreateOptions(biometricProcedure, vaultId));
+
+            // Assert
+            using var passwordOnlyPasskey = await GetPasswordLoginCredentialAsync("Password#1");
+            using var oldComplementPasskey = oldKeyFile.CreateCopy();
+            using var newComplementPasskey = newComplement.CreateCopy();
+
+            (await CanUnlockAsync(manager, vaultFolder, passwordOnlyPasskey)).Should().BeTrue();
+            (await CanUnlockAsync(manager, vaultFolder, oldComplementPasskey)).Should().BeFalse();
+            (await CanUnlockAsync(manager, vaultFolder, newComplementPasskey)).Should().BeTrue();
+
+            var configuredOptions = await vaultService.GetVaultOptionsAsync(vaultFolder);
+            configuredOptions.UnlockProcedure.Should().BeEquivalentTo(biometricProcedure);
+        }
+
+        [Test]
+        public async Task ModifyComplementation_RemoveComplement_RestoresPrimaryOnlyUnlock()
+        {
+            // Arrange
+            var vaultFolder = CreateVaultFolder();
+            var manager = DI.Service<IVaultManagerService>();
+            var vaultService = DI.Service<IVaultService>();
+            var vaultId = Guid.NewGuid().ToString("N");
+
+            var passwordOnlyProcedure = new AuthenticationMethod([AUTH_PASSWORD], null);
+            using var keyFile = await CreatePasswordVaultWithKeyFileComplementAsync(manager, vaultFolder, "Password#1", vaultId);
+
+            using var unlockPasskey = await GetPasswordLoginCredentialAsync("Password#1");
+            using var unlockContract = await manager.UnlockAsync(vaultFolder, unlockPasskey);
+
+            // Act
+            await manager.ModifyComplementationAsync(vaultFolder, unlockContract, new()
+            {
+                CurrentCredential = unlockPasskey
+            }, CreateOptions(passwordOnlyProcedure, vaultId));
+
+            // Assert
+            using var passwordOnlyPasskey = await GetPasswordLoginCredentialAsync("Password#1");
+            using var keyFileOnlyPasskey = keyFile.CreateCopy();
+
+            (await CanUnlockAsync(manager, vaultFolder, passwordOnlyPasskey)).Should().BeTrue();
+            (await CanUnlockAsync(manager, vaultFolder, keyFileOnlyPasskey)).Should().BeFalse();
+
+            var configuredOptions = await vaultService.GetVaultOptionsAsync(vaultFolder);
+            var shares = await new VaultReader(vaultFolder, StreamSerializer.Instance).ReadComplementationAsync(CancellationToken.None);
+            var complementFile = await vaultFolder.TryGetFileByNameAsync(SecureFolderFS.Core.Constants.Vault.Names.VAULT_COMPLEMENTATION_FILENAME);
+
+            configuredOptions.UnlockProcedure.Should().BeEquivalentTo(passwordOnlyProcedure);
+            shares.Should().BeNull();
+            complementFile.Should().BeNull();
+        }
+
+        [Test]
+        public async Task ModifyComplementation_ChangePrimaryWithComplement_PreservesComplementUnlock()
+        {
+            // Arrange
+            var vaultFolder = CreateVaultFolder();
+            var manager = DI.Service<IVaultManagerService>();
+            var vaultId = Guid.NewGuid().ToString("N");
+
+            var complementedProcedure = new AuthenticationMethod([AUTH_PASSWORD], AUTH_KEYFILE);
+            using var keyFile = await CreatePasswordVaultWithKeyFileComplementAsync(manager, vaultFolder, "Password#1", vaultId);
+
+            using var keyFileUnlock = keyFile.CreateCopy();
+            using var unlockContract = await manager.UnlockAsync(vaultFolder, keyFileUnlock);
+            using var newPassword = await GetPasswordCreationCredentialAsync("Password#2");
+
+            // Act
+            await manager.ModifyComplementationAsync(vaultFolder, unlockContract, new()
+            {
+                CurrentCredential = keyFile,
+                NewPrimaryCredential = newPassword
+            }, CreateOptions(complementedProcedure, vaultId));
+
+            // Assert
+            using var oldPasswordPasskey = await GetPasswordLoginCredentialAsync("Password#1");
+            using var newPasswordPasskey = await GetPasswordLoginCredentialAsync("Password#2");
+            using var keyFileOnlyPasskey = keyFile.CreateCopy();
+
+            (await CanUnlockAsync(manager, vaultFolder, oldPasswordPasskey)).Should().BeFalse();
+            (await CanUnlockAsync(manager, vaultFolder, newPasswordPasskey)).Should().BeTrue();
+            (await CanUnlockAsync(manager, vaultFolder, keyFileOnlyPasskey)).Should().BeTrue();
+        }
+
+        [Test]
+        public async Task ModifyComplementation_ChangePrimaryWithComplementUsingPrimaryCurrentCredential_PreservesComplementUnlock()
+        {
+            // Arrange
+            var vaultFolder = CreateVaultFolder();
+            var manager = DI.Service<IVaultManagerService>();
+            var vaultId = Guid.NewGuid().ToString("N");
+
+            var complementedProcedure = new AuthenticationMethod([AUTH_PASSWORD], AUTH_KEYFILE);
+            using var keyFile = await CreatePasswordVaultWithKeyFileComplementAsync(manager, vaultFolder, "Password#1", vaultId);
+
+            using var currentPasswordUnlock = await GetPasswordLoginCredentialAsync("Password#1");
+            using var unlockContract = await manager.UnlockAsync(vaultFolder, currentPasswordUnlock);
+            using var currentPassword = await GetPasswordLoginCredentialAsync("Password#1");
+            using var newPassword = await GetPasswordCreationCredentialAsync("Password#2");
+
+            // Act
+            await manager.ModifyComplementationAsync(vaultFolder, unlockContract, new()
+            {
+                CurrentCredential = currentPassword,
+                CurrentComplementCredential = keyFile,
+                NewPrimaryCredential = newPassword
+            }, CreateOptions(complementedProcedure, vaultId));
+
+            // Assert
+            using var oldPasswordPasskey = await GetPasswordLoginCredentialAsync("Password#1");
+            using var newPasswordPasskey = await GetPasswordLoginCredentialAsync("Password#2");
+            using var keyFileOnlyPasskey = keyFile.CreateCopy();
+
+            (await CanUnlockAsync(manager, vaultFolder, oldPasswordPasskey)).Should().BeFalse();
+            (await CanUnlockAsync(manager, vaultFolder, newPasswordPasskey)).Should().BeTrue();
+            (await CanUnlockAsync(manager, vaultFolder, keyFileOnlyPasskey)).Should().BeTrue();
+        }
+
         private static IFolder CreateVaultFolder()
         {
             var path = Path.Combine(Path.DirectorySeparatorChar.ToString(), $"TestVault-{Guid.NewGuid():N}");
@@ -304,6 +493,35 @@ private static async Task<IKeyUsage> GetKeyFileLoginCredentialAsync(IFolder vaul
                 : throw result.Exception ?? new InvalidOperationException("Key file login credential was not provided.");
         }
 
+        private static async Task<IKeyUsage> CreatePasswordVaultWithKeyFileComplementAsync(IVaultManagerService manager, IFolder vaultFolder, string password, string vaultId)
+        {
+            var passwordProcedure = new AuthenticationMethod([AUTH_PASSWORD], null);
+            var complementedProcedure = new AuthenticationMethod([AUTH_PASSWORD], AUTH_KEYFILE);
+
+            using var passwordKey = await GetPasswordCreationCredentialAsync(password);
+            using var _ = await manager.CreateAsync(vaultFolder, passwordKey, CreateOptions(passwordProcedure, vaultId));
+
+            using var unlockPasskey = await GetPasswordLoginCredentialAsync(password);
+            using var unlockContract = await manager.UnlockAsync(vaultFolder, unlockPasskey);
+            var keyFile = await GetKeyFileCreationCredentialAsync(vaultId);
+
+            try
+            {
+                await manager.ModifyComplementationAsync(vaultFolder, unlockContract, new()
+                {
+                    CurrentCredential = unlockPasskey,
+                    NewComplementCredential = keyFile
+                }, CreateOptions(complementedProcedure, vaultId));
+
+                return keyFile;
+            }
+            catch
+            {
+                keyFile.Dispose();
+                throw;
+            }
+        }
+
         private static async Task<bool> CanUnlockAsync(IVaultManagerService manager, IFolder vaultFolder, IKeyUsage passkey)
         {
             try
@@ -318,4 +536,3 @@ private static async Task<bool> CanUnlockAsync(IVaultManagerService manager, IFo
         }
     }
 }
-