diff --git a/controllers/class.Login.php b/controllers/class.Login.php
index c6dcecf4b..92de5eff4 100644
--- a/controllers/class.Login.php
+++ b/controllers/class.Login.php
@@ -31,50 +31,82 @@ class SeedDMS_Controller_Login extends SeedDMS_Controller_Common {
 		return self::$user;
 	} /* }}} */
 
+	/**
+	 * Create a webauthn challenge and return it as application/json
+	 *
+	 * This is called from javascript on the login page right after the
+	 * login button is preset. The returned challange is than passed to
+	 * javascript which instructs the browser to do the communication with
+	 * the usb key token.
+	 */
 	function preparelogin() { /* {{{ */
 		$dms = $this->params['dms'];
-		$settings = $this->params['settings'];
-		$session = $this->params['session'];
-		$sesstheme = $this->params['sesstheme'];
-		$source = isset($this->params['source']) ? $this->params['source'] : '';
-		$sesstheme = $this->getParam('sesstheme');
-		$referuri = $this->getParam('referuri');
-		$lang = $this->getParam('lang');
 		$login = $this->params['login'];
 
 		if($user = $dms->getUserByLogin($login)) {
 			$webauthn = new \Davidearl\WebAuthn\WebAuthn($_SERVER['HTTP_HOST']);
 
+			/* Even without a public key stored for the user (user has not
+			 * registered yet), we will do the authentication, because an
+			 * error msg may reveal that the user exists.
+			 */
 			$j['challenge'] = $webauthn->prepareForLogin($user->getWebauthn());
 		} else {
 			http_response_code(401);
-			echo 'failed to authenticate with that key';
+			echo 'User cannot be authenticated.';
 			exit;
 		}
 		header('Content-type: application/json');
 		echo json_encode($j);
 	} /* }}} */
 
+	/**
+	 * Alternative method to run() for authenticating with webauthn.
+	 *
+	 * Once the browser has successfully finished the communication with the
+	 * usb key token, this method will be called with the signature signed
+	 * by the usb key in 'logininfo'. That data is checked with the public
+	 * key store in the users profile.
+	 *
+	 * Not like run() this method is called from within javascript and
+	 * needs to return the uri. The calling javascript code will than
+	 * redirect the browser to the uri.
+	 */
 	function login() { /* {{{ */
 		$dms = $this->params['dms'];
+		$settings = $this->params['settings'];
 		$login = $this->params['login'];
 		$logininfo = $this->params['logininfo'];
+		$referuri = $this->params['referuri'];
 
 		if($user = $dms->getUserByLogin($login)) {
 			$webauthn = new \Davidearl\WebAuthn\WebAuthn($_SERVER['HTTP_HOST']);
 
 			if (! $webauthn->authenticate($logininfo, $user->getWebauthn())) {
+				http_response_code(401);
+				echo 'failed to authenticate with that key';
 				return false;
 			}
 
-			if(!self::_finalize($user)) {
+			if(self::_finalize($user)) {
+				if (isset($referuri) && strlen($referuri)>0) {
+					$j = $referuri;
+				} else {
+					$j = $settings->_httpRoot.(isset($settings->_siteDefaultPage) && strlen($settings->_siteDefaultPage)>0 ? $settings->_siteDefaultPage : "out/out.ViewFolder.php?folderid=".($user->getHomeFolder() ? $user->getHomeFolder() : $settings->_rootFolderID));
+				}
+				header('Content-type: application/json');
+				echo json_encode($j);
+				return true;
+			} else {
+				http_response_code(401);
+				echo 'failed to authenticate with that key';
 				return false;
 			}
-
 		} else {
+			http_response_code(401);
+			echo 'failed to authenticate with that key';
 			return false;
 		}
-		return true;
 	} /* }}} */
 
 	protected function _finalize($user) { /* {{{ */
diff --git a/op/op.Login.php b/op/op.Login.php
index c7fd8700f..31b0b3d8b 100644
--- a/op/op.Login.php
+++ b/op/op.Login.php
@@ -94,27 +94,14 @@ $controller->setParam('session', $session);
 $controller->setParam('authenticator', $authenticator);
 $action = !empty($_POST['action']) ? $_POST['action'] : '';
 switch($action) {
+/* preparelogin() and login() are both called by ajax */
 case 'preparelogin':
 	$controller->preparelogin();
 	exit();
 	break;
 case 'login':
-	if($controller->login()) {
-		if (isset($referuri) && strlen($referuri)>0) {
-			$j = $referuri;
-		} else {
-			$user = $controller->getUser();
-			$j = $settings->_httpRoot.(isset($settings->_siteDefaultPage) && strlen($settings->_siteDefaultPage)>0 ? $settings->_siteDefaultPage : "out/out.ViewFolder.php?folderid=".($user->getHomeFolder() ? $user->getHomeFolder() : $settings->_rootFolderID));
-		}
-		header('Content-type: application/json');
-		echo json_encode($j);
-		exit;
-	} else {
-		http_response_code(401);
-		echo 'failed to authenticate with that key';
-		exit;
-	}
-	exit;
+	$controller->login();
+	exit();
 	break;
 default:
 	if(!$controller()) {