diff --git a/app/api/repp/api.rb b/app/api/repp/api.rb
index 7858cd625..e5bda46f5 100644
--- a/app/api/repp/api.rb
+++ b/app/api/repp/api.rb
@@ -4,7 +4,7 @@ module Repp
     prefix :repp
 
     http_basic do |username, password|
-      @current_user ||= ApiUser.find_by(username: username, password: password)
+      @current_user ||= ApiUser.find_by(username: username, plain_text_password: password)
       if @current_user
         true
       else
diff --git a/app/controllers/admin/api_users_controller.rb b/app/controllers/admin/api_users_controller.rb
index 84344c2e9..bbf0a8a4e 100644
--- a/app/controllers/admin/api_users_controller.rb
+++ b/app/controllers/admin/api_users_controller.rb
@@ -32,7 +32,10 @@ module Admin
     end
 
     def update
-      params[:api_user].delete(:password) if params[:api_user][:password].blank?
+      if params[:api_user][:plain_text_password].blank?
+        params[:api_user].delete(:plain_text_password)
+      end
+
       if @api_user.update(api_user_params)
         flash[:notice] = I18n.t('record_updated')
         redirect_to [:admin, @api_user]
@@ -59,7 +62,7 @@ module Admin
     end
 
     def api_user_params
-      params.require(:api_user).permit(:username, :password, :active,
+      params.require(:api_user).permit(:username, :plain_text_password, :active,
                                        :registrar_id, :registrar_typeahead,
                                        :identity_code, { roles: [] })
     end
diff --git a/app/controllers/admin/base_controller.rb b/app/controllers/admin/base_controller.rb
index 7de43f7fc..17e75785a 100644
--- a/app/controllers/admin/base_controller.rb
+++ b/app/controllers/admin/base_controller.rb
@@ -1,10 +1,20 @@
 module Admin
   class BaseController < ApplicationController
-    before_action :authenticate_user!
+    before_action :authenticate_admin_user!
     helper_method :head_title_sufix
 
     def head_title_sufix
       t(:admin_head_title_sufix)
     end
+
+    private
+
+    def current_ability
+      @current_ability ||= Ability.new(current_admin_user)
+    end
+
+    def user_for_paper_trail
+      current_admin_user ? current_admin_user.id_role_username : 'anonymous'
+    end
   end
-end
+end
\ No newline at end of file
diff --git a/app/controllers/admin/dashboard_controller.rb b/app/controllers/admin/dashboard_controller.rb
new file mode 100644
index 000000000..f48698780
--- /dev/null
+++ b/app/controllers/admin/dashboard_controller.rb
@@ -0,0 +1,7 @@
+module Admin
+  class DashboardController < BaseController
+    authorize_resource class: false
+
+    def show; end
+  end
+end
\ No newline at end of file
diff --git a/app/controllers/admin/dashboards_controller.rb b/app/controllers/admin/dashboards_controller.rb
deleted file mode 100644
index 52d82ea0a..000000000
--- a/app/controllers/admin/dashboards_controller.rb
+++ /dev/null
@@ -1,9 +0,0 @@
-module Admin
-  class DashboardsController < BaseController
-    authorize_resource class: false
-
-    def show
-      redirect_to [:admin, :domains] if can? :show, Domain
-    end
-  end
-end
diff --git a/app/controllers/admin/pending_deletes_controller.rb b/app/controllers/admin/pending_deletes_controller.rb
index 86529da84..9cc8702c5 100644
--- a/app/controllers/admin/pending_deletes_controller.rb
+++ b/app/controllers/admin/pending_deletes_controller.rb
@@ -6,7 +6,7 @@ module Admin
     def update
       authorize! :update, :pending
 
-      if registrant_verification.domain_registrant_delete_confirm!("admin #{current_user.username}")
+      if registrant_verification.domain_registrant_delete_confirm!("admin #{current_admin_user.username}")
         redirect_to admin_domain_path(@domain.id), notice: t(:pending_applied)
       else
         redirect_to admin_domain_path(@domain.id), alert: t(:failure)
@@ -16,7 +16,7 @@ module Admin
     def destroy
       authorize! :destroy, :pending
 
-      if registrant_verification.domain_registrant_delete_reject!("admin #{current_user.username}")
+      if registrant_verification.domain_registrant_delete_reject!("admin #{current_admin_user.username}")
         redirect_to admin_domain_path(@domain.id), notice: t(:pending_removed)
       else
         redirect_to admin_domain_path(@domain.id), alert: t(:failure)
diff --git a/app/controllers/admin/pending_updates_controller.rb b/app/controllers/admin/pending_updates_controller.rb
index e402227e0..4a2e5ec7c 100644
--- a/app/controllers/admin/pending_updates_controller.rb
+++ b/app/controllers/admin/pending_updates_controller.rb
@@ -6,7 +6,7 @@ module Admin
     def update
       authorize! :update, :pending
 
-      if registrant_verification.domain_registrant_change_confirm!("admin #{current_user.username}")
+      if registrant_verification.domain_registrant_change_confirm!("admin #{current_admin_user.username}")
         redirect_to admin_domain_path(@domain.id), notice: t(:pending_applied)
       else
         redirect_to edit_admin_domain_path(@domain.id), alert: t(:failure)
@@ -15,7 +15,7 @@ module Admin
 
     def destroy
       authorize! :destroy, :pending
-      if registrant_verification.domain_registrant_change_reject!("admin #{current_user.username}")
+      if registrant_verification.domain_registrant_change_reject!("admin #{current_admin_user.username}")
         redirect_to admin_domain_path(@domain.id), notice: t(:pending_removed)
       else
         redirect_to admin_domain_path(@domain.id), alert: t(:failure)
diff --git a/app/controllers/admin/sessions_controller.rb b/app/controllers/admin/sessions_controller.rb
index 1bdcd30dc..57d702059 100644
--- a/app/controllers/admin/sessions_controller.rb
+++ b/app/controllers/admin/sessions_controller.rb
@@ -1,28 +1,17 @@
 module Admin
   class SessionsController < Devise::SessionsController
-    skip_authorization_check only: :create
+    private
 
-    def login
-      @admin_user = AdminUser.new
+    def after_sign_in_path_for(_resource_or_scope)
+      admin_domains_path
     end
 
-    def create
-      if params[:admin_user].blank?
-        @admin_user = AdminUser.new
-        flash[:alert] = 'Something went wrong'
-        return render 'login'
-      end
+    def after_sign_out_path_for(_resource_or_scope)
+      new_admin_user_session_path
+    end
 
-      @admin_user = AdminUser.find_by(username: params[:admin_user][:username])
-      @admin_user ||= AdminUser.new(username: params[:admin_user][:username])
-
-      if @admin_user.valid_password?(params[:admin_user][:password])
-        sign_in @admin_user, event: :authentication
-        redirect_to admin_root_url, notice: I18n.t(:welcome)
-      else
-        flash[:alert] = 'Authorization error'
-        render 'login'
-      end
+    def user_for_paper_trail
+      current_admin_user ? current_admin_user.id_role_username : 'anonymous'
     end
   end
-end
+end
\ No newline at end of file
diff --git a/app/controllers/api/v1/registrant/contacts_controller.rb b/app/controllers/api/v1/registrant/contacts_controller.rb
index de5ef9dcf..1be620ba4 100644
--- a/app/controllers/api/v1/registrant/contacts_controller.rb
+++ b/app/controllers/api/v1/registrant/contacts_controller.rb
@@ -35,7 +35,7 @@ module Api
         private
 
         def set_contacts_pool
-          country_code, ident = current_user.registrant_ident.to_s.split '-'
+          country_code, ident = current_registrant_user.registrant_ident.to_s.split '-'
           associated_domain_ids = begin
             BusinessRegistryCache.fetch_by_ident_and_cc(ident, country_code).associated_domain_ids
           end
diff --git a/app/controllers/api/v1/registrant/domains_controller.rb b/app/controllers/api/v1/registrant/domains_controller.rb
index 7209f8a10..97925701a 100644
--- a/app/controllers/api/v1/registrant/domains_controller.rb
+++ b/app/controllers/api/v1/registrant/domains_controller.rb
@@ -16,12 +16,12 @@ module Api
                    status: :bad_request) && return
           end
 
-          @domains = associated_domains(current_user).limit(limit).offset(offset)
+          @domains = associated_domains(current_registrant_user).limit(limit).offset(offset)
           render json: @domains
         end
 
         def show
-          domain_pool = associated_domains(current_user)
+          domain_pool = associated_domains(current_registrant_user)
           @domain = domain_pool.find_by(uuid: params[:uuid])
 
           if @domain
diff --git a/app/controllers/application_controller.rb b/app/controllers/application_controller.rb
index 87dabad01..dec34acbf 100644
--- a/app/controllers/application_controller.rb
+++ b/app/controllers/application_controller.rb
@@ -12,63 +12,15 @@ class ApplicationController < ActionController::Base
   end
 
   rescue_from CanCan::AccessDenied do |exception|
-    redirect_to current_root_url, alert: exception.message
+    redirect_to root_url, alert: exception.message
   end
 
-  helper_method :registrant_request?, :registrar_request?, :admin_request?, :current_root_url
   helper_method :available_languages
 
-  def registrant_request?
-    request.path.match(/^\/registrant/)
-  end
-
-  def registrar_request?
-    request.path.match(/^\/registrar/)
-  end
-
-  def admin_request?
-    request.path.match(/^\/admin/)
-  end
-
-  def current_root_url
-    if registrar_request?
-      registrar_root_url
-    elsif registrant_request?
-      registrant_login_url
-    elsif admin_request?
-      admin_root_url
-    end
-  end
-
-  def after_sign_in_path_for(_resource)
-    rt = session[:user_return_to].to_s.presence
-    login_paths = [admin_login_path, registrar_login_path, '/login']
-    return rt if rt && !login_paths.include?(rt)
-    current_root_url
-  end
-
-  def after_sign_out_path_for(_resource)
-    if registrar_request?
-      registrar_login_url
-    elsif registrant_request?
-      registrant_login_url
-    elsif admin_request?
-      admin_login_url
-    end
-  end
-
   def info_for_paper_trail
     { uuid: request.uuid }
   end
 
-  def user_for_paper_trail
-    user_log_str(current_user)
-  end
-
-  def user_log_str(user)
-    user.nil? ? 'public' : user.id_role_username
-  end
-
   def comma_support_for(parent_key, key)
     return if params[parent_key].blank?
     return if params[parent_key][key].blank?
@@ -80,4 +32,4 @@ class ApplicationController < ActionController::Base
   def available_languages
     { en: 'English', et: 'Estonian' }.invert
   end
-end
+end
\ No newline at end of file
diff --git a/app/controllers/epp/sessions_controller.rb b/app/controllers/epp/sessions_controller.rb
index e3e9f3114..05bbba9a8 100644
--- a/app/controllers/epp/sessions_controller.rb
+++ b/app/controllers/epp/sessions_controller.rb
@@ -81,7 +81,7 @@ class Epp::SessionsController < EppController
 
     if success
       if params[:parsed_frame].css('newPW').first
-        unless @api_user.update(password: params[:parsed_frame].css('newPW').first.text)
+        unless @api_user.update(plain_text_password: params[:parsed_frame].css('newPW').first.text)
           response.headers['X-EPP-Returncode'] = '2500'
           handle_errors(@api_user) and return
         end
@@ -128,7 +128,7 @@ class Epp::SessionsController < EppController
   def login_params
     user = params[:parsed_frame].css('clID').first.text
     pw = params[:parsed_frame].css('pw').first.text
-    { username: user, password: pw }
+    { username: user, plain_text_password: pw }
   end
 
   private
diff --git a/app/controllers/registrant/contacts_controller.rb b/app/controllers/registrant/contacts_controller.rb
index 267b4d68d..9defa8bd6 100644
--- a/app/controllers/registrant/contacts_controller.rb
+++ b/app/controllers/registrant/contacts_controller.rb
@@ -3,7 +3,6 @@ class Registrant::ContactsController < RegistrantController
 
   def show
     @contact = Contact.where(id: contacts).find_by(id: params[:id])
-    @current_user = current_user
 
     authorize! :read, @contact
   end
@@ -22,7 +21,7 @@ class Registrant::ContactsController < RegistrantController
 
   def domain_ids
     @domain_ids ||= begin
-      ident_cc, ident = @current_user.registrant_ident.to_s.split '-'
+      ident_cc, ident = current_registrant_user.registrant_ident.to_s.split '-'
       BusinessRegistryCache.fetch_by_ident_and_cc(ident, ident_cc).associated_domain_ids
     end
   end
diff --git a/app/controllers/registrant/domain_delete_confirms_controller.rb b/app/controllers/registrant/domain_delete_confirms_controller.rb
index af8516462..d6e4666c7 100644
--- a/app/controllers/registrant/domain_delete_confirms_controller.rb
+++ b/app/controllers/registrant/domain_delete_confirms_controller.rb
@@ -19,7 +19,8 @@ class Registrant::DomainDeleteConfirmsController < RegistrantController
                                                           domain_name: @domain.name,
                                                           verification_token: params[:token])
 
-    initiator = current_user ? current_user.username : t(:user_not_authenticated)
+    initiator = current_registrant_user ? current_registrant_user.username :
+                  t(:user_not_authenticated)
 
     if params[:rejected]
       if @registrant_verification.domain_registrant_delete_reject!("email link #{initiator}")
diff --git a/app/controllers/registrant/domain_update_confirms_controller.rb b/app/controllers/registrant/domain_update_confirms_controller.rb
index 0d23943c9..413ac43ff 100644
--- a/app/controllers/registrant/domain_update_confirms_controller.rb
+++ b/app/controllers/registrant/domain_update_confirms_controller.rb
@@ -19,7 +19,8 @@ class Registrant::DomainUpdateConfirmsController < RegistrantController
                                                           domain_name: @domain.name,
                                                           verification_token: params[:token])
 
-    initiator = current_user ? current_user.username : t(:user_not_authenticated)
+    initiator = current_registrant_user ? current_registrant_user.username :
+                  t(:user_not_authenticated)
 
     if params[:rejected]
       if @registrant_verification.domain_registrant_change_reject!("email link, #{initiator}")
diff --git a/app/controllers/registrant/domains_controller.rb b/app/controllers/registrant/domains_controller.rb
index 0e2f6eeaf..06b24624d 100644
--- a/app/controllers/registrant/domains_controller.rb
+++ b/app/controllers/registrant/domains_controller.rb
@@ -54,13 +54,13 @@ class Registrant::DomainsController < RegistrantController
   end
 
   def domains
-    ident_cc, ident = @current_user.registrant_ident.split '-'
+    ident_cc, ident = current_registrant_user.registrant_ident.split '-'
     begin
       BusinessRegistryCache.fetch_associated_domains ident, ident_cc
     rescue Soap::Arireg::NotAvailableError => error
       flash[:notice] = I18n.t(error.json[:message])
       Rails.logger.fatal("[EXCEPTION] #{error.to_s}")
-      current_user.domains
+      current_registrant_user.domains
     end
   end
 
diff --git a/app/controllers/registrant/sessions_controller.rb b/app/controllers/registrant/sessions_controller.rb
index 80a23eb0a..db403b2a5 100644
--- a/app/controllers/registrant/sessions_controller.rb
+++ b/app/controllers/registrant/sessions_controller.rb
@@ -1,8 +1,7 @@
 class Registrant::SessionsController < Devise::SessionsController
   layout 'registrant/application'
 
-  def login
-  end
+  def new; end
 
   def id
     id_code, id_issuer = request.env['SSL_CLIENT_S_DN'], request.env['SSL_CLIENT_I_DN_O']
@@ -10,11 +9,10 @@ class Registrant::SessionsController < Devise::SessionsController
 
     @user = RegistrantUser.find_or_create_by_idc_data(id_code, id_issuer)
     if @user
-      sign_in(@user, event: :authentication)
-      redirect_to registrant_root_url
+      sign_in_and_redirect(:registrant_user, @user, event: :authentication)
     else
       flash[:alert] = t('login_failed_check_id_card')
-      redirect_to registrant_login_url
+      redirect_to new_registrant_user_session_url
     end
   end
 
@@ -68,7 +66,7 @@ class Registrant::SessionsController < Devise::SessionsController
     when 'USER_AUTHENTICATED'
       @user = RegistrantUser.find_by(registrant_ident: "#{session[:user_country]}-#{session[:user_id_code]}")
 
-      sign_in @user
+      sign_in(:registrant_user, @user)
       flash[:notice] = t(:welcome)
       flash.keep(:notice)
       render js: "window.location = '#{registrant_root_path}'"
@@ -97,4 +95,18 @@ class Registrant::SessionsController < Devise::SessionsController
     return User.new unless idc
     ApiUser.find_by(identity_code: idc) || User.new
   end
-end
+
+  private
+
+  def after_sign_in_path_for(_resource_or_scope)
+    registrant_root_path
+  end
+
+  def after_sign_out_path_for(_resource_or_scope)
+    new_registrant_user_session_path
+  end
+
+  def user_for_paper_trail
+    current_registrant_user.present? ? current_registrant_user.id_role_username : 'anonymous'
+  end
+end
\ No newline at end of file
diff --git a/app/controllers/registrant_controller.rb b/app/controllers/registrant_controller.rb
index 72fb78a08..9e8c1998e 100644
--- a/app/controllers/registrant_controller.rb
+++ b/app/controllers/registrant_controller.rb
@@ -1,11 +1,22 @@
 class RegistrantController < ApplicationController
-  before_action :authenticate_user!
+  before_action :authenticate_registrant_user!
   layout 'registrant/application'
 
   include Registrant::ApplicationHelper
 
   helper_method :head_title_sufix
+
   def head_title_sufix
     t(:registrant_head_title_sufix)
   end
-end
+
+  private
+
+  def current_ability
+    @current_ability ||= Ability.new(current_registrant_user, request.remote_ip)
+  end
+
+  def user_for_paper_trail
+    current_registrant_user.present? ? current_registrant_user.id_role_username : 'anonymous'
+  end
+end
\ No newline at end of file
diff --git a/app/controllers/registrar/account_activities_controller.rb b/app/controllers/registrar/account_activities_controller.rb
index 0b95d0122..baa0256af 100644
--- a/app/controllers/registrar/account_activities_controller.rb
+++ b/app/controllers/registrar/account_activities_controller.rb
@@ -4,7 +4,7 @@ class Registrar
 
     def index
       params[:q] ||= {}
-      account = current_user.registrar.cash_account
+      account = current_registrar_user.registrar.cash_account
 
       ca_cache = params[:q][:created_at_lteq]
       begin
diff --git a/app/controllers/registrar/base_controller.rb b/app/controllers/registrar/base_controller.rb
index 90f2f5210..499d44594 100644
--- a/app/controllers/registrar/base_controller.rb
+++ b/app/controllers/registrar/base_controller.rb
@@ -2,7 +2,7 @@ class Registrar
   class BaseController < ApplicationController
     include Registrar::ApplicationHelper
 
-    before_action :authenticate_user!
+    before_action :authenticate_registrar_user!
     before_action :check_ip_restriction
     helper_method :depp_controller?
     helper_method :head_title_sufix
@@ -10,21 +10,21 @@ class Registrar
     protected
 
     def current_ability
-      @current_ability ||= Ability.new(current_user, request.remote_ip)
+      @current_ability ||= Ability.new(current_registrar_user, request.remote_ip)
     end
 
     private
 
     def check_ip_restriction
       ip_restriction = Authorization::RestrictedIP.new(request.ip)
-      allowed = ip_restriction.can_access_registrar_area?(current_user.registrar)
+      allowed = ip_restriction.can_access_registrar_area?(current_registrar_user.registrar)
 
       return if allowed
 
-      sign_out current_user
+      sign_out current_registrar_user
 
       flash[:alert] = t('registrar.authorization.ip_not_allowed', ip: request.ip)
-      redirect_to registrar_login_url
+      redirect_to new_registrar_user_session_url
     end
 
     def depp_controller?
@@ -34,5 +34,9 @@ class Registrar
     def head_title_sufix
       t(:registrar_head_title_sufix)
     end
+
+    def user_for_paper_trail
+      current_registrar_user ? current_registrar_user.id_role_username : 'anonymous'
+    end
   end
 end
diff --git a/app/controllers/registrar/bulk_change_controller.rb b/app/controllers/registrar/bulk_change_controller.rb
index 562344a46..441127f6c 100644
--- a/app/controllers/registrar/bulk_change_controller.rb
+++ b/app/controllers/registrar/bulk_change_controller.rb
@@ -10,7 +10,7 @@ class Registrar
     private
 
     def available_contacts
-      current_user.registrar.contacts.order(:name).pluck(:name, :code)
+      current_registrar_user.registrar.contacts.order(:name).pluck(:name, :code)
     end
 
     def default_tab
diff --git a/app/controllers/registrar/contacts_controller.rb b/app/controllers/registrar/contacts_controller.rb
index cb059641e..f343f9bfb 100644
--- a/app/controllers/registrar/contacts_controller.rb
+++ b/app/controllers/registrar/contacts_controller.rb
@@ -21,11 +21,11 @@ class Registrar
       end
 
       if params[:statuses_contains]
-        contacts = current_user.registrar.contacts.includes(:registrar).where(
+        contacts = current_registrar_user.registrar.contacts.includes(:registrar).where(
           "contacts.statuses @> ?::varchar[]", "{#{params[:statuses_contains].join(',')}}"
         )
       else
-        contacts = current_user.registrar.contacts.includes(:registrar)
+        contacts = current_registrar_user.registrar.contacts.includes(:registrar)
       end
 
       normalize_search_parameters do
@@ -45,7 +45,7 @@ class Registrar
         @contacts = Contact.find_by(name: params[:q][:name_matches])
       end
 
-      contacts = current_user.registrar.contacts.includes(:registrar)
+      contacts = current_registrar_user.registrar.contacts.includes(:registrar)
       contacts = contacts.filter_by_states(params[:statuses_contains]) if params[:statuses_contains]
 
       normalize_search_parameters do
diff --git a/app/controllers/registrar/current_user_controller.rb b/app/controllers/registrar/current_user_controller.rb
index 266e4b915..624ee294e 100644
--- a/app/controllers/registrar/current_user_controller.rb
+++ b/app/controllers/registrar/current_user_controller.rb
@@ -3,9 +3,9 @@ class Registrar
     skip_authorization_check
 
     def switch
-      raise 'Cannot switch to unlinked user' unless current_user.linked_with?(new_user)
+      raise 'Cannot switch to unlinked user' unless current_registrar_user.linked_with?(new_user)
 
-      sign_in(new_user)
+      sign_in(:registrar_user, new_user)
       redirect_to :back, notice: t('.switched', new_user: new_user)
     end
 
diff --git a/app/controllers/registrar/dashboard_controller.rb b/app/controllers/registrar/dashboard_controller.rb
deleted file mode 100644
index 80b3f530b..000000000
--- a/app/controllers/registrar/dashboard_controller.rb
+++ /dev/null
@@ -1,13 +0,0 @@
-class Registrar
-  class DashboardController < BaseController
-    authorize_resource class: false
-
-    def show
-      if can?(:show, :poll)
-        redirect_to registrar_poll_url and return
-      elsif can?(:show, Invoice)
-        redirect_to registrar_invoices_url and return
-      end
-    end
-  end
-end
diff --git a/app/controllers/registrar/deposits_controller.rb b/app/controllers/registrar/deposits_controller.rb
index 818e38c6d..0dcaf6830 100644
--- a/app/controllers/registrar/deposits_controller.rb
+++ b/app/controllers/registrar/deposits_controller.rb
@@ -7,7 +7,7 @@ class Registrar
     end
 
     def create
-      @deposit = Deposit.new(deposit_params.merge(registrar: current_user.registrar))
+      @deposit = Deposit.new(deposit_params.merge(registrar: current_registrar_user.registrar))
       @invoice = @deposit.issue_prepayment_invoice
 
       if @invoice
diff --git a/app/controllers/registrar/depp_controller.rb b/app/controllers/registrar/depp_controller.rb
index 234ab40b7..70fb01c4a 100644
--- a/app/controllers/registrar/depp_controller.rb
+++ b/app/controllers/registrar/depp_controller.rb
@@ -5,13 +5,13 @@ class Registrar
     rescue_from(Errno::ECONNRESET, Errno::ECONNREFUSED) do |exception|
       logger.error 'COULD NOT CONNECT TO REGISTRY'
       logger.error exception.backtrace.join("\n")
-      redirect_to registrar_login_url, alert: t(:no_connection_to_registry)
+      redirect_to new_registrar_user_session_url, alert: t(:no_connection_to_registry)
     end
 
     before_action :authenticate_user
 
     def authenticate_user
-      redirect_to registrar_login_url and return unless depp_current_user
+      redirect_to new_registrar_user_session_url and return unless depp_current_user
     end
 
     def depp_controller?
@@ -19,10 +19,10 @@ class Registrar
     end
 
     def depp_current_user
-      return nil unless current_user
+      return nil unless current_registrar_user
       @depp_current_user ||= Depp::User.new(
-        tag: current_user.username,
-        password: current_user.password
+        tag: current_registrar_user.username,
+        password: current_registrar_user.plain_text_password
       )
     end
 
diff --git a/app/controllers/registrar/domain_transfers_controller.rb b/app/controllers/registrar/domain_transfers_controller.rb
index 7c0925f03..acacc3ef4 100644
--- a/app/controllers/registrar/domain_transfers_controller.rb
+++ b/app/controllers/registrar/domain_transfers_controller.rb
@@ -21,7 +21,8 @@ class Registrar
         uri = URI.parse("#{ENV['repp_url']}domain_transfers")
         request = Net::HTTP::Post.new(uri, 'Content-Type' => 'application/json')
         request.body = { data: { domainTransfers: domain_transfers } }.to_json
-        request.basic_auth(current_user.username, current_user.password)
+        request.basic_auth(current_registrar_user.username,
+                           current_registrar_user.plain_text_password)
 
 
         if Rails.env.test?
diff --git a/app/controllers/registrar/domains_controller.rb b/app/controllers/registrar/domains_controller.rb
index 7cb8fdfbe..d2969bb69 100644
--- a/app/controllers/registrar/domains_controller.rb
+++ b/app/controllers/registrar/domains_controller.rb
@@ -16,11 +16,11 @@ class Registrar
       end
 
       if params[:statuses_contains]
-        domains = current_user.registrar.domains.includes(:registrar, :registrant).where(
+        domains = current_registrar_user.registrar.domains.includes(:registrar, :registrant).where(
           "statuses @> ?::varchar[]", "{#{params[:statuses_contains].join(',')}}"
         )
       else
-        domains = current_user.registrar.domains.includes(:registrar, :registrant)
+        domains = current_registrar_user.registrar.domains.includes(:registrar, :registrant)
       end
 
       normalize_search_parameters do
@@ -142,7 +142,7 @@ class Registrar
     def search_contacts
       authorize! :create, Depp::Domain
 
-      scope = current_user.registrar.contacts.limit(10)
+      scope = current_registrar_user.registrar.contacts.limit(10)
       if params[:query].present?
         escaped_str = ActiveRecord::Base.connection.quote_string params[:query]
         scope = scope.where("name ilike '%#{escaped_str}%' OR code ilike '%#{escaped_str}%' ")
@@ -159,7 +159,7 @@ class Registrar
 
 
     def contacts
-      current_user.registrar.contacts
+      current_registrar_user.registrar.contacts
     end
 
     def normalize_search_parameters
diff --git a/app/controllers/registrar/invoices_controller.rb b/app/controllers/registrar/invoices_controller.rb
index 735df91a3..c29558e0f 100644
--- a/app/controllers/registrar/invoices_controller.rb
+++ b/app/controllers/registrar/invoices_controller.rb
@@ -6,7 +6,8 @@ class Registrar
 
     def index
       params[:q] ||= {}
-      invoices = current_user.registrar.invoices.includes(:invoice_items, :account_activity)
+      invoices = current_registrar_user.registrar.invoices
+                   .includes(:invoice_items, :account_activity)
 
       normalize_search_parameters do
         @q = invoices.search(params[:q])
diff --git a/app/controllers/registrar/nameservers_controller.rb b/app/controllers/registrar/nameservers_controller.rb
index 3b70059a2..95da7e329 100644
--- a/app/controllers/registrar/nameservers_controller.rb
+++ b/app/controllers/registrar/nameservers_controller.rb
@@ -12,7 +12,8 @@ class Registrar
                                attributes: { hostname: params[:new_hostname],
                                              ipv4: ipv4,
                                              ipv6: ipv6 } } }.to_json
-      request.basic_auth(current_user.username, current_user.password)
+      request.basic_auth(current_registrar_user.username,
+                         current_registrar_user.plain_text_password)
 
       if Rails.env.test?
         response = Net::HTTP.start(uri.hostname, uri.port,
diff --git a/app/controllers/registrar/profile_controller.rb b/app/controllers/registrar/profile_controller.rb
index 5f202a894..1fe6d6a0b 100644
--- a/app/controllers/registrar/profile_controller.rb
+++ b/app/controllers/registrar/profile_controller.rb
@@ -5,13 +5,13 @@ class Registrar
     helper_method :linked_users
 
     def show
-      @user = current_user
+      @user = current_registrar_user
     end
 
     private
 
     def linked_users
-      current_user.linked_users
+      current_registrar_user.linked_users
     end
   end
 end
diff --git a/app/controllers/registrar/sessions_controller.rb b/app/controllers/registrar/sessions_controller.rb
index 11841481d..8f4db9fdd 100644
--- a/app/controllers/registrar/sessions_controller.rb
+++ b/app/controllers/registrar/sessions_controller.rb
@@ -3,12 +3,8 @@ class Registrar
     before_action :check_ip_restriction
     helper_method :depp_controller?
 
-    def login
-      @depp_user = Depp::User.new
-    end
-
     def create
-      @depp_user = Depp::User.new(params[:depp_user].merge(pki: !(Rails.env.development? || Rails.env.test?)))
+      @depp_user = Depp::User.new(depp_user_params)
 
       if @depp_user.pki && request.env['HTTP_SSL_CLIENT_S_DN_CN'].blank?
         @depp_user.errors.add(:base, :webserver_missing_user_name_directive)
@@ -26,11 +22,12 @@ class Registrar
         @depp_user.errors.add(:base, :webserver_client_cert_directive_should_be_required)
       end
 
-      @api_user = ApiUser.find_by(username: params[:depp_user][:tag], password: params[:depp_user][:password])
+      @api_user = ApiUser.find_by(username: sign_in_params[:username],
+                                  plain_text_password: sign_in_params[:password])
 
       unless @api_user
         @depp_user.errors.add(:base, t(:no_such_user))
-        render 'login' and return
+        show_error and return
       end
 
       if @depp_user.pki
@@ -41,14 +38,13 @@ class Registrar
 
       if @depp_user.errors.none?
         if @api_user.active?
-          sign_in @api_user
-          redirect_to registrar_root_url
+          sign_in_and_redirect(:registrar_user, @api_user)
         else
           @depp_user.errors.add(:base, :not_active)
-          render 'login'
+          show_error and return
         end
       else
-        render 'login'
+        show_error and return
       end
     end
 
@@ -56,11 +52,10 @@ class Registrar
       @user = ApiUser.find_by_idc_data_and_allowed(request.env['SSL_CLIENT_S_DN'], request.ip)
 
       if @user
-        sign_in(@user, event: :authentication)
-        redirect_to registrar_root_url
+        sign_in_and_redirect(:registrar_user, @user, event: :authentication)
       else
         flash[:alert] = t('no_such_user')
-        redirect_to registrar_login_url
+        redirect_to new_registrar_user_session_url
       end
     end
 
@@ -117,7 +112,7 @@ class Registrar
           render json: { message: t(:check_your_phone_for_confirmation_code) }, status: :ok
         when 'USER_AUTHENTICATED'
           @user = find_user_by_idc_and_allowed(session[:user_id_code])
-          sign_in @user
+          sign_in(:registrar_user, @user)
           flash[:notice] = t(:welcome)
           flash.keep(:notice)
           render js: "window.location = '#{registrar_root_url}'"
@@ -163,8 +158,6 @@ class Registrar
       end
     end
 
-
-
     def check_ip_restriction
       ip_restriction = Authorization::RestrictedIP.new(request.ip)
       allowed = ip_restriction.can_access_registrar_area_sign_in_page?
@@ -173,5 +166,36 @@ class Registrar
 
       render text: t('registrar.authorization.ip_not_allowed', ip: request.ip)
     end
+
+    def current_ability
+      @current_ability ||= Ability.new(current_registrar_user, request.remote_ip)
+    end
+
+    def after_sign_in_path_for(_resource_or_scope)
+      if can?(:show, :poll)
+        registrar_root_path
+      else
+        registrar_profile_path
+      end
+    end
+
+    def after_sign_out_path_for(_resource_or_scope)
+      new_registrar_user_session_path
+    end
+
+    def user_for_paper_trail
+      current_registrar_user ? current_registrar_user.id_role_username : 'anonymous'
+    end
+
+    def depp_user_params
+      params = sign_in_params
+      params[:tag] = params.delete(:username)
+      params.merge!(pki: !(Rails.env.development? || Rails.env.test?))
+      params
+    end
+
+    def show_error
+      redirect_to new_registrar_user_session_url, alert: @depp_user.errors.full_messages.first
+    end
   end
-end
+end
\ No newline at end of file
diff --git a/app/controllers/registrar/tech_contacts_controller.rb b/app/controllers/registrar/tech_contacts_controller.rb
index 9d4568ad6..1d459ef0f 100644
--- a/app/controllers/registrar/tech_contacts_controller.rb
+++ b/app/controllers/registrar/tech_contacts_controller.rb
@@ -8,7 +8,8 @@ class Registrar
       request = Net::HTTP::Patch.new(uri)
       request.set_form_data(current_contact_id: params[:current_contact_id],
                             new_contact_id: params[:new_contact_id])
-      request.basic_auth(current_user.username, current_user.password)
+      request.basic_auth(current_registrar_user.username,
+                         current_registrar_user.plain_text_password)
 
       if Rails.env.test?
         response = Net::HTTP.start(uri.hostname, uri.port,
diff --git a/app/helpers/application_helper.rb b/app/helpers/application_helper.rb
index 8203a630f..6c19d3ac3 100644
--- a/app/helpers/application_helper.rb
+++ b/app/helpers/application_helper.rb
@@ -89,4 +89,8 @@ module ApplicationHelper
     types.delete('ddoc')
     ".#{types.join(',.')}"
   end
-end
+
+  def body_css_class
+    [controller_path.split('/').map!(&:dasherize), action_name.dasherize, 'page'].join('-')
+  end
+end
\ No newline at end of file
diff --git a/app/models/ability.rb b/app/models/ability.rb
index 97086110b..8ca94d89b 100644
--- a/app/models/ability.rb
+++ b/app/models/ability.rb
@@ -31,8 +31,6 @@ class Ability
   end
 
   def epp # Registrar/api_user dynamic role
-    can :view, :registrar_dashboard
-
     if @user.registrar.api_ip_white?(@ip)
       can :manage, :poll
       can :manage, Depp::Contact
@@ -71,7 +69,6 @@ class Ability
   end
 
   def billing # Registrar/api_user dynamic role
-    can :view, :registrar_dashboard
     can(:manage, Invoice) { |i| i.buyer_id == @user.registrar_id }
     can :manage, :deposit
     can :read, AccountActivity
diff --git a/app/models/admin_user.rb b/app/models/admin_user.rb
index d76c42dec..07686e921 100644
--- a/app/models/admin_user.rb
+++ b/app/models/admin_user.rb
@@ -9,7 +9,8 @@ class AdminUser < User
 
   ROLES = %w(user customer_service admin) # should not match to api_users roles
 
-  devise :database_authenticatable, :rememberable, :trackable, :validatable, :lockable
+  devise :database_authenticatable, :trackable, :validatable, :timeoutable,
+         authentication_keys: [:username]
 
   def self.min_password_length
     Devise.password_length.min
diff --git a/app/models/api_user.rb b/app/models/api_user.rb
index ce32c4045..a7c8c022d 100644
--- a/app/models/api_user.rb
+++ b/app/models/api_user.rb
@@ -2,11 +2,12 @@ require 'open3'
 
 class ApiUser < User
   include EppErrors
+  devise :database_authenticatable, :trackable, :timeoutable, authentication_keys: [:username]
 
   def epp_code_map
     {
       '2306' => [ # Parameter policy error
-        [:password, :blank]
+        %i[plain_text_password blank]
       ]
     }
   end
@@ -19,8 +20,8 @@ class ApiUser < User
   belongs_to :registrar
   has_many :certificates
 
-  validates :username, :password, :registrar, :roles, presence: true
-  validates :password, length: { minimum: min_password_length }
+  validates :username, :plain_text_password, :registrar, :roles, presence: true
+  validates :plain_text_password, length: { minimum: min_password_length }
   validates :username, uniqueness: true
 
   delegate :code, :name, to: :registrar, prefix: true
@@ -30,6 +31,7 @@ class ApiUser < User
 
   SUPER = 'super'
   EPP = 'epp'
+  BILLING = 'billing'
 
   ROLES = %w(super epp billing) # should not match to admin roles
 
diff --git a/app/models/registrant_user.rb b/app/models/registrant_user.rb
index 889f2ca4c..f47b924f6 100644
--- a/app/models/registrant_user.rb
+++ b/app/models/registrant_user.rb
@@ -2,6 +2,8 @@ class RegistrantUser < User
   ACCEPTED_ISSUER = 'AS Sertifitseerimiskeskus'
   attr_accessor :idc_data
 
+  devise :database_authenticatable, :trackable, :timeoutable
+
   def ability
     @ability ||= Ability.new(self)
   end
diff --git a/app/models/user.rb b/app/models/user.rb
index b69e0250c..8968e2736 100644
--- a/app/models/user.rb
+++ b/app/models/user.rb
@@ -1,6 +1,5 @@
 class User < ActiveRecord::Base
   include Versions # version/user_version.rb
-  devise :trackable, :timeoutable
 
   attr_accessor :phone
 
diff --git a/app/views/admin/api_users/_form.haml b/app/views/admin/api_users/_form.haml
index 9a26b9fc8..12ea322aa 100644
--- a/app/views/admin/api_users/_form.haml
+++ b/app/views/admin/api_users/_form.haml
@@ -11,9 +11,9 @@
           = f.text_field :username, required: true, autofocus: true, class: 'form-control'
       .form-group
         .col-md-4.control-label
-          = f.label :password, nil, class: 'required'
+          = f.label :plain_text_password, nil, class: 'required'
         .col-md-7
-          = f.text_field :password, required: true, class: 'form-control'
+          = f.text_field :plain_text_password, required: true, class: 'form-control'
 
       .form-group
         .col-md-4.control-label
diff --git a/app/views/admin/api_users/show.haml b/app/views/admin/api_users/show.haml
index 00e562c6d..2e13445d1 100644
--- a/app/views/admin/api_users/show.haml
+++ b/app/views/admin/api_users/show.haml
@@ -21,7 +21,7 @@
           %dd= @api_user.username
 
           %dt= t(:password)
-          %dd= @api_user.password
+          %dd= @api_user.plain_text_password
 
           %dt= t(:registrar_name)
           %dd= link_to(@api_user.registrar, admin_registrar_path(@api_user.registrar))
diff --git a/app/views/admin/base/_menu.haml b/app/views/admin/base/_menu.haml
index 7c813e43e..6c8e15201 100644
--- a/app/views/admin/base/_menu.haml
+++ b/app/views/admin/base/_menu.haml
@@ -39,6 +39,6 @@
           %li= link_to t('.repp_log'), admin_repp_logs_path(created_after: 'today')
           %li= link_to t('.que'), '/admin/que'
 
-  - if signed_in?
-    %ul.nav.navbar-nav.navbar-right
-      %li= link_to t(:log_out, user: current_user), '/admin/logout'
+  %ul.nav.navbar-nav.navbar-right
+    %li= link_to t('.sign_out'), destroy_admin_user_session_path, method: :delete,
+    class: 'navbar-link'
\ No newline at end of file
diff --git a/app/views/admin/dashboards/show.haml b/app/views/admin/dashboard/show.html.erb
similarity index 100%
rename from app/views/admin/dashboards/show.haml
rename to app/views/admin/dashboard/show.html.erb
diff --git a/app/views/admin/sessions/_links.html.erb b/app/views/admin/sessions/_links.html.erb
new file mode 100644
index 000000000..93dadb0d8
--- /dev/null
+++ b/app/views/admin/sessions/_links.html.erb
@@ -0,0 +1,29 @@
+<%- if controller_name != 'sessions' %>
+    <%= link_to "Log in", new_session_path(resource_name) %><br/>
+<% end -%>
+
+<%- if devise_mapping.registerable? && controller_name != 'registrations' %>
+    <%= link_to "Sign up", new_registration_path(resource_name) %><br/>
+<% end -%>
+
+<%- if devise_mapping.recoverable? && controller_name != 'passwords' &&
+    controller_name != 'registrations' %>
+    <%= link_to "Forgot your password?", new_password_path(resource_name) %><br/>
+<% end -%>
+
+<%- if devise_mapping.confirmable? && controller_name != 'confirmations' %>
+    <%= link_to "Didn't receive confirmation instructions?", new_confirmation_path(resource_name) %>
+    <br/>
+<% end -%>
+
+<%- if devise_mapping.lockable? && resource_class.unlock_strategy_enabled?(:email) &&
+    controller_name != 'unlocks' %>
+    <%= link_to "Didn't receive unlock instructions?", new_unlock_path(resource_name) %><br/>
+<% end -%>
+
+<%- if devise_mapping.omniauthable? %>
+    <%- resource_class.omniauth_providers.each do |provider| %>
+        <%= link_to "Sign in with #{OmniAuth::Utils.camelize(provider)}",
+                    omniauth_authorize_path(resource_name, provider) %><br/>
+    <% end -%>
+<% end -%>
diff --git a/app/views/admin/sessions/login.haml b/app/views/admin/sessions/login.haml
deleted file mode 100644
index 1ecca10ae..000000000
--- a/app/views/admin/sessions/login.haml
+++ /dev/null
@@ -1,15 +0,0 @@
-.row
-  .form-signin.col-md-6.center-block.text-center
-    %h2.form-signin-heading.text-center Eesti Interneti SA
-    %hr
-    .form-signin
-      = form_for(@admin_user, url: admin_sessions_path, method: :create, html: {class: 'form-signin'}) do |f|
-        = render 'admin/shared/errors', object: f.object
-
-        - error_class = f.object.errors.any? ? 'has-error' : ''
-        %div{class: error_class}
-          = f.text_field :username, class: 'form-control', placeholder: t(:username), required: true
-          = f.password_field :password, class: 'form-control', 
-            autocomplete: 'off', placeholder: t(:password), required: true
-        %button.btn.btn-lg.btn-primary.btn-block{:type => 'submit'}= t(:log_in)
-
diff --git a/app/views/admin/sessions/new.html.erb b/app/views/admin/sessions/new.html.erb
new file mode 100644
index 000000000..c875c00ce
--- /dev/null
+++ b/app/views/admin/sessions/new.html.erb
@@ -0,0 +1,29 @@
+<div class="row">
+    <%= form_for resource, as: resource_name, url: session_path(resource_name),
+                 html: { class: 'col-md-6 form-signin center-block text-center' } do |f| %>
+        <h1 class="form-signin-heading text-center"><%= t '.header_html' %></h1>
+
+        <hr>
+
+        <%= f.label :username, class: 'sr-only' %>
+        <%= f.text_field :username, placeholder: AdminUser.human_attribute_name(:username),
+                         required: true,
+                         autofocus: true,
+                         class: 'form-control' %>
+
+        <%= f.label :password, class: 'sr-only' %>
+        <%= f.password_field :password, placeholder: AdminUser.human_attribute_name(:password),
+                             required: true,
+                             class: 'form-control' %>
+
+        <% if devise_mapping.rememberable? -%>
+            <div class="checkbox">
+                <label><%= f.check_box :remember_me %> <%= t '.remember_checkbox' %> %></label>
+            </div>
+        <% end -%>
+
+        <%= f.submit t('.sign_in_btn'), class: 'btn btn-lg btn-primary btn-block' %>
+    <% end %>
+</div>
+
+<%= render 'links' %>
\ No newline at end of file
diff --git a/app/views/admin/shared/_errors.haml b/app/views/admin/shared/_errors.haml
deleted file mode 100644
index 50eb6de12..000000000
--- a/app/views/admin/shared/_errors.haml
+++ /dev/null
@@ -1,5 +0,0 @@
-- if object.errors.any?
-  %p.text-danger
-    - object.errors.each do |attr, err|
-      = err
-      %br
diff --git a/app/views/layouts/admin/base.haml b/app/views/layouts/admin/base.haml
index 717c5015c..792a8cc0b 100644
--- a/app/views/layouts/admin/base.haml
+++ b/app/views/layouts/admin/base.haml
@@ -10,7 +10,7 @@
     = csrf_meta_tags
     = stylesheet_link_tag 'admin-manifest', media: 'all'
     = favicon_link_tag 'favicon.ico'
-  %body{:style => env_style}
+  %body{:style => env_style, class: body_css_class}
     .navbar.navbar-inverse.navbar-static-top{role: "navigation"}
       .container
         .navbar-header
@@ -19,7 +19,7 @@
             %span.icon-bar
             %span.icon-bar
             %span.icon-bar
-          = link_to admin_dashboard_path, class: 'navbar-brand' do
+          = link_to admin_root_path, class: 'navbar-brand' do
             = ENV['app_name']
             - if unstable_env.present?
               .text-center
diff --git a/app/views/layouts/devise.haml b/app/views/layouts/devise.haml
index 81248b86d..e6abcdcc0 100644
--- a/app/views/layouts/devise.haml
+++ b/app/views/layouts/devise.haml
@@ -9,7 +9,7 @@
     = csrf_meta_tags
     = stylesheet_link_tag 'admin-manifest', media: 'all'
     = favicon_link_tag 'favicon.ico'
-  %body{:style => env_style}
+  %body{:style => env_style, class: body_css_class}
     .navbar.navbar-inverse.navbar-static-top{role: "navigation"}
       .container
         .navbar-header
@@ -18,7 +18,7 @@
             %span.icon-bar
             %span.icon-bar
             %span.icon-bar
-          = link_to admin_dashboard_path, class: 'navbar-brand' do
+          = link_to new_admin_user_session_path, class: 'navbar-brand' do
             = ENV['app_name']
             - if unstable_env.present?
               .text-center
diff --git a/app/views/layouts/registrant/application.html.erb b/app/views/layouts/registrant/application.html.erb
index b5ddb5f0f..7873728d5 100644
--- a/app/views/layouts/registrant/application.html.erb
+++ b/app/views/layouts/registrant/application.html.erb
@@ -14,7 +14,7 @@
         <%= stylesheet_link_tag 'registrant-manifest', media: 'all' %>
         <%= favicon_link_tag 'favicon.ico' %>
     </head>
-    <body>
+    <body class="<%= body_css_class %>">
         <!-- Fixed navbar
         -->
         <nav class="navbar navbar-default navbar-fixed-top">
@@ -37,7 +37,7 @@
                         <% end %>
                     <% end %>
                 </div>
-                <% if current_user %>
+                <% if current_registrant_user %>
                     <div class="navbar-collapse collapse">
                         <ul class="nav navbar-nav public-nav">
                             <% if can? :view, Depp::Domain %>
@@ -54,9 +54,9 @@
                             <% end %>
                         </ul>
                         <ul class="nav navbar-nav navbar-right">
-                            <% if user_signed_in? %>
+                            <% if registrant_user_signed_in? %>
                                 <li>
-                                    <%= link_to t(:log_out, user: current_user), '/registrant/logout' %>
+                                    <%= link_to t(:log_out, user: current_registrant_user), destroy_registrant_user_session_path, method: :delete %>
                                 </li>
                             <% end %>
                         </ul>
diff --git a/app/views/layouts/registrar/base.html.erb b/app/views/layouts/registrar/base.html.erb
index c14899418..e3e93f89f 100644
--- a/app/views/layouts/registrar/base.html.erb
+++ b/app/views/layouts/registrar/base.html.erb
@@ -14,7 +14,7 @@
         <%= stylesheet_link_tag 'registrar-manifest', media: 'all' %>
         <%= favicon_link_tag 'favicon.ico' %>
     </head>
-    <body>
+    <body class="<%= body_css_class %>">
         <nav class="navbar navbar-default navbar-fixed-top">
             <div class="container">
                 <div class="navbar-header">
@@ -24,7 +24,8 @@
                         <span class="icon-bar"></span>
                         <span class="icon-bar"></span>
                     </button>
-                    <%= link_to registrar_root_path, class: 'navbar-brand' do %>
+                    <%= link_to can?(:show, :poll) ? registrar_root_path : registrar_profile_path,
+                                class: 'navbar-brand' do %>
                         <%= t(:registrar_head_title) %>
                         <% if unstable_env.present? %>
                             <div class="text-center">
diff --git a/app/views/layouts/registrar/sessions.html.erb b/app/views/layouts/registrar/sessions.html.erb
index 4632e477c..3cb345ef9 100644
--- a/app/views/layouts/registrar/sessions.html.erb
+++ b/app/views/layouts/registrar/sessions.html.erb
@@ -13,12 +13,11 @@
     <%= stylesheet_link_tag 'registrar-manifest', media: 'all' %>
     <%= javascript_include_tag 'registrar-manifest' %>
 </head>
-<body>
+<body class="<%= body_css_class %>">
     <nav class="navbar navbar-default navbar-fixed-top">
         <div class="container">
             <div class="navbar-header">
-                <%= link_to registrar_root_path, class: 'navbar-brand',
-                            id: 'registrar-home-btn' do %>
+                <%= link_to new_registrar_user_session_path, class: 'navbar-brand' do %>
                     <%= t(:registrar_head_title) %>
                     <% if unstable_env.present? %>
                         <div class="text-center">
diff --git a/app/views/registrant/sessions/login.haml b/app/views/registrant/sessions/login.haml
deleted file mode 100644
index c24b19aca..000000000
--- a/app/views/registrant/sessions/login.haml
+++ /dev/null
@@ -1,11 +0,0 @@
-.row
-  .form-signin.col-md-6.center-block.text-center
-    %h2.form-signin-heading.text-center= t(:log_in)
-    %hr
-    .row
-      =t "only_estonian_residets_can_signin"
-    %br
-    = link_to '/registrant/login/mid' do
-      = image_tag 'mid.gif'
-    = link_to '/registrant/id', method: :post do
-      = image_tag 'id_card.gif'
diff --git a/app/views/registrant/sessions/login_mid.haml b/app/views/registrant/sessions/login_mid.haml
index 34da5a2ae..54a30fd3d 100644
--- a/app/views/registrant/sessions/login_mid.haml
+++ b/app/views/registrant/sessions/login_mid.haml
@@ -1,12 +1,12 @@
 .row
   .form-signin.col-md-4.center-block.text-center
-    %h2.form-signin-heading.text-center= t(:log_in_with_mid)
+    %h2.form-signin-heading.text-center= t '.header'
     %hr
     = form_for @user, url: registrant_mid_path, auto_html5_validation: false, 
       html: {class: 'form-signin'} do |f|
       = f.text_field :phone, class: 'form-control', 
         placeholder: t(:phone_no), autocomplete: 'off', required: true
-      %button.btn.btn-lg.btn-primary.btn-block.js-login{:type => 'submit'}= t(:log_in)
+      %button.btn.btn-lg.btn-primary.btn-block.js-login{:type => 'submit'}= t '.submit_btn'
 
   - if ['development', 'alpha'].include?(Rails.env)
     %div.text-center
diff --git a/app/views/registrant/sessions/new.html.erb b/app/views/registrant/sessions/new.html.erb
new file mode 100644
index 000000000..d711601b3
--- /dev/null
+++ b/app/views/registrant/sessions/new.html.erb
@@ -0,0 +1,18 @@
+<div class="row">
+    <div class="form-signin col-md-6 center-block text-center">
+        <h2 class="form-signin-heading text-center">
+            <%= t '.header' %>
+        </h2>
+        <hr/>
+        <div class="row">
+            <%= t '.hint' %>
+        </div>
+        <br/>
+        <%= link_to '/registrant/login/mid' do %>
+            <%= image_tag 'mid.gif' %>
+        <% end %>
+        <%= link_to '/registrant/id', method: :post do %>
+            <%= image_tag 'id_card.gif' %>
+        <% end %>
+    </div>
+</div>
\ No newline at end of file
diff --git a/app/views/registrar/base/_current_user.html.erb b/app/views/registrar/base/_current_user.html.erb
index 75d159bfb..0e45c9c7d 100644
--- a/app/views/registrar/base/_current_user.html.erb
+++ b/app/views/registrar/base/_current_user.html.erb
@@ -1,5 +1,5 @@
-<% current_user_presenter = UserPresenter.new(user: current_user, view: self) %>
+<% current_user_presenter = UserPresenter.new(user: current_registrar_user, view: self) %>
 <%= link_to current_user_presenter.login_with_role, registrar_profile_path, id: 'registrar-profile-btn',
             class: 'navbar-link' %>
 <span class="text-muted">|</span>
-<%= link_to t('.sign_out'), registrar_destroy_user_session_path, method: :delete, class: 'navbar-link' %>
+<%= link_to t('.sign_out'), destroy_registrar_user_session_path, method: :delete, class: 'navbar-link' %>
diff --git a/app/views/registrar/dashboard/show.haml b/app/views/registrar/dashboard/show.haml
deleted file mode 100644
index 74a9405a6..000000000
--- a/app/views/registrar/dashboard/show.haml
+++ /dev/null
@@ -1,3 +0,0 @@
-.panel.panel-default
-  .panel-body
-    = t('welcome_to_eis_registrar_portal')
diff --git a/app/views/registrar/invoices/index.haml b/app/views/registrar/invoices/index.haml
index 61d955708..47270f2a6 100644
--- a/app/views/registrar/invoices/index.haml
+++ b/app/views/registrar/invoices/index.haml
@@ -4,8 +4,8 @@
 = render 'shared/title', name: t(:your_account)
 
 = t(:your_current_account_balance_is,
-  balance: currency(current_user.registrar.cash_account.balance),
-  currency: current_user.registrar.cash_account.currency)
+  balance: currency(current_registrar_user.registrar.cash_account.balance),
+  currency: current_registrar_user.registrar.cash_account.currency)
 
 %h1= t(:invoices)
 .row
diff --git a/app/views/registrar/sessions/login.haml b/app/views/registrar/sessions/login.haml
deleted file mode 100644
index 75ec951af..000000000
--- a/app/views/registrar/sessions/login.haml
+++ /dev/null
@@ -1,22 +0,0 @@
-.row
-  .form-signin.col-md-6.center-block.text-center
-    %h2.form-signin-heading.text-center= t(:log_in)
-    %hr
-    = form_for @depp_user, url: registrar_sessions_path, html: {class: 'form-signin'} do |f|
-      = render 'registrar/shared/errors', object: f.object
-
-      - error_class = f.object.errors.any? ? 'has-error' : ''
-      %div{class: error_class}
-        = f.text_field :tag, class: 'form-control', placeholder: t(:username), required: true
-        = f.password_field :password, class: 'form-control',
-          autocomplete: 'off', placeholder: t(:password), required: true
-
-      %button.btn.btn-lg.btn-primary.btn-block{:type => 'submit'}= t('.login_btn')
-
-    %hr
-    = link_to '/registrar/login/mid', id: 'login-with-mobile-id-btn' do
-      = image_tag 'mid.gif'
-    = link_to '/registrar/id', method: :post do
-      = image_tag 'id_card.gif'
-
-
diff --git a/app/views/registrar/sessions/login_mid.haml b/app/views/registrar/sessions/login_mid.haml
index 78e39a3b7..0b27564e5 100644
--- a/app/views/registrar/sessions/login_mid.haml
+++ b/app/views/registrar/sessions/login_mid.haml
@@ -1,12 +1,12 @@
 .row
   .form-signin.col-md-4.center-block.text-center
-    %h2.form-signin-heading.text-center= t(:log_in_with_mid)
+    %h2.form-signin-heading.text-center= t '.header'
     %hr
     = form_for @user, url: registrar_mid_path, auto_html5_validation: false,
       html: {class: 'form-signin'} do |f|
       = f.text_field :phone, class: 'form-control',
         placeholder: t(:phone_no), autocomplete: 'off', required: true
-      %button.btn.btn-lg.btn-primary.btn-block.js-login{:type => 'submit'}= t('.login_btn')
+      %button.btn.btn-lg.btn-primary.btn-block.js-login{:type => 'submit'}= t '.submit_btn'
 
   - if ['development', 'alpha'].include?(Rails.env)
     %div.text-center
diff --git a/app/views/registrar/sessions/new.html.erb b/app/views/registrar/sessions/new.html.erb
new file mode 100644
index 000000000..701c41c9e
--- /dev/null
+++ b/app/views/registrar/sessions/new.html.erb
@@ -0,0 +1,30 @@
+<div class="row">
+    <div class="form-signin col-md-6 center-block text-center">
+        <h1 class="form-signin-heading text-center"><%= t '.header_html' %></h1>
+
+        <hr>
+
+        <%= form_for resource, as: resource_name, url: session_path(resource_name) do |f| %>
+            <%= f.text_field :username, placeholder: ApiUser.human_attribute_name(:username),
+                             autofocus: true,
+                             required: true,
+                             class: 'form-control' %>
+            <%= f.password_field :password,
+                                 placeholder: ApiUser.human_attribute_name(:password),
+                                 required: true,
+                                 class: 'form-control' %>
+
+            <%= f.submit t('.submit_btn'), class: 'btn btn-lg btn-primary btn-block' %>
+        <% end %>
+
+        <hr>
+
+        <%= link_to '/registrar/login/mid', id: 'login-with-mobile-id-btn' do %>
+            <%= image_tag 'mid.gif' %>
+        <% end %>
+
+        <%= link_to '/registrar/id', method: :post do %>
+            <%= image_tag 'id_card.gif' %>
+        <% end %>
+    </div>
+</div>
\ No newline at end of file
diff --git a/app/views/registrar/shared/_errors.haml b/app/views/registrar/shared/_errors.haml
deleted file mode 100644
index 50eb6de12..000000000
--- a/app/views/registrar/shared/_errors.haml
+++ /dev/null
@@ -1,5 +0,0 @@
-- if object.errors.any?
-  %p.text-danger
-    - object.errors.each do |attr, err|
-      = err
-      %br
diff --git a/config/initializers/devise.rb b/config/initializers/devise.rb
index eceb6d5f2..c2f89e691 100644
--- a/config/initializers/devise.rb
+++ b/config/initializers/devise.rb
@@ -1,26 +1,31 @@
-require 'devise_custom_failure'
+# frozen_string_literal: true
 
 # Use this hook to configure devise mailer, warden hooks and so forth.
 # Many of these configuration options can be set straight in your model.
 Devise.setup do |config|
-  config.warden do |manager|
-    manager.failure_app = DeviseCustomFailure
-  end
-
   # The secret key used by Devise. Devise uses this key to generate
   # random tokens. Changing this key will render invalid all existing
   # confirmation, reset password and unlock tokens in the database.
+  # Devise will use the `secret_key_base` as its `secret_key`
+  # by default. You can change it below and use your own secret key.
   config.secret_key = ENV['devise_secret']
   
+  # ==> Controller configuration
+  # Configure the parent class to the devise controllers.
+  # config.parent_controller = 'DeviseController'
+
   # ==> Mailer Configuration
   # Configure the e-mail address which will be shown in Devise::Mailer,
   # note that it will be overwritten if you use your own mailer class
   # with default "from" parameter.
-  config.mailer_sender = 'noreply@example.com'
+  config.mailer_sender = 'please-change-me-at-config-initializers-devise@example.com'
 
   # Configure the class responsible to send e-mails.
   # config.mailer = 'Devise::Mailer'
 
+  # Configure the parent class responsible to send e-mails.
+  # config.parent_mailer = 'ActionMailer::Base'
+
   # ==> ORM configuration
   # Load and configure the ORM. Supports :active_record (default) and
   # :mongoid (bson_ext recommended) by default. Other ORMs may be
@@ -35,7 +40,7 @@ Devise.setup do |config|
   # session. If you need permissions, you should implement that in a before filter.
   # You can also supply a hash where the value is a boolean determining whether
   # or not authentication should be aborted when the value is not present.
-  # config.authentication_keys = [ :email ]
+  # config.authentication_keys = [:email]
 
   # Configure parameters from the request object used for authentication. Each entry
   # given should be a request method and it will automatically be passed to the
@@ -67,7 +72,7 @@ Devise.setup do |config|
   # :database      = Support basic authentication with authentication key + password
   # config.http_authenticatable = false
 
-  # If http headers should be returned for AJAX requests. True by default.
+  # If 401 status code should be returned for AJAX requests. True by default.
   # config.http_authenticatable_on_xhr = true
 
   # The realm used in Http Basic Authentication. 'Application' by default.
@@ -91,20 +96,31 @@ Devise.setup do |config|
   # from the server. You can disable this option at your own risk.
   # config.clean_up_csrf_token_on_authentication = true
 
+  # When false, Devise will not attempt to reload routes on eager load.
+  # This can reduce the time taken to boot the app but if your application
+  # requires the Devise mappings to be loaded during boot time the application
+  # won't boot properly.
+  # config.reload_routes = true
+
   # ==> Configuration for :database_authenticatable
-  # For bcrypt, this is the cost for hashing the password and defaults to 10. If
-  # using other encryptors, it sets how many times you want the password re-encrypted.
+  # For bcrypt, this is the cost for hashing the password and defaults to 11. If
+  # using other algorithms, it sets how many times you want the password to be hashed.
   #
   # Limiting the stretches to just one in testing will increase the performance of
   # your test suite dramatically. However, it is STRONGLY RECOMMENDED to not use
   # a value less than 10 in other environments. Note that, for bcrypt (the default
-  # encryptor), the cost increases exponentially with the number of stretches (e.g.
+  # algorithm), the cost increases exponentially with the number of stretches (e.g.
   # a value of 20 is already extremely slow: approx. 60 seconds for 1 calculation).
-  config.stretches = Rails.env.test? ? 1 : 10
+  config.stretches = Rails.env.test? ? 1 : 11
 
-  # Setup a pepper to generate the encrypted password.
-  # config.pepper = '4d1b39f778c3ea5b415476ce410f337a27895181a8ccd586c60e50e0f7284' \
-  # '3d5d6ded80558ed7a4637de6b3a1504379270af6eee995fd9a329e4f4c5daa33882'
+  # Set up a pepper to generate the hashed password.
+  # config.pepper = '1fc02c7f3a9d5d0dc6c3e49828eb45d29e5fdb3136f78ee0063a2cdf774b7ed53ea40176d5823703554b7f015dd23c0e491fb488bb705a0768db32d02b1d088d'
+
+  # Send a notification to the original email when the user's email is changed.
+  # config.send_email_changed_notification = false
+
+  # Send a notification email when the user's password is changed.
+  # config.send_password_change_notification = false
 
   # ==> Configuration for :confirmable
   # A period that the user is allowed to access the website even without
@@ -129,11 +145,11 @@ Devise.setup do |config|
   config.reconfirmable = true
 
   # Defines which key will be used when confirming an account
-  # config.confirmation_keys = [ :email ]
+  # config.confirmation_keys = [:email]
 
   # ==> Configuration for :rememberable
   # The time the user will be remembered without asking for credentials again.
-  config.remember_for = 2.weeks
+  # config.remember_for = 2.weeks
 
   # Invalidates all the remember me tokens when the user signs out.
   config.expire_all_remember_me_on_sign_out = true
@@ -152,15 +168,12 @@ Devise.setup do |config|
   # Email regex used to validate email formats. It simply asserts that
   # one (and only one) @ exists in the given string. This is mainly
   # to give user feedback and not to assert the e-mail validity.
-  # config.email_regexp = /\A[^@]+@[^@]+\z/
+  config.email_regexp = /\A[^@\s]+@[^@\s]+\z/
 
   # ==> Configuration for :timeoutable
   # The time you want to timeout the user session without activity. After this
   # time the user will be asked for credentials again. Default is 30 minutes.
-  config.timeout_in = ENV['user_session_timeout'].to_i.seconds if ENV['user_session_timeout']
-
-  # If true, expires auth token on session timeout.
-  # config.expire_auth_token_on_timeout = false
+  # config.timeout_in = 30.minutes
 
   # ==> Configuration for :lockable
   # Defines which strategy will be used to lock an account.
@@ -169,7 +182,7 @@ Devise.setup do |config|
   # config.lock_strategy = :failed_attempts
 
   # Defines which key will be used when locking and unlocking an account
-  # config.unlock_keys = [ :email ]
+  # config.unlock_keys = [:email]
 
   # Defines which strategy will be used to unlock an account.
   # :email = Sends an unlock link to the user email
@@ -186,24 +199,28 @@ Devise.setup do |config|
   # config.unlock_in = 1.hour
 
   # Warn on the last attempt before the account is locked.
-  # config.last_attempt_warning = false
+  # config.last_attempt_warning = true
 
   # ==> Configuration for :recoverable
   #
   # Defines which key will be used when recovering the password for an account
-  # config.reset_password_keys = [ :email ]
+  # config.reset_password_keys = [:email]
 
   # Time interval you can reset your password with a reset password key.
   # Don't put a too small interval or your users won't have the time to
   # change their passwords.
   config.reset_password_within = 6.hours
 
+  # When set to false, does not sign a user in automatically after their password is
+  # reset. Defaults to true, so a user is signed in automatically after a reset.
+  # config.sign_in_after_reset_password = true
+
   # ==> Configuration for :encryptable
-  # Allow you to use another encryption algorithm besides bcrypt (default). You can use
-  # :sha1, :sha512 or encryptors from others authentication tools as :clearance_sha1,
-  # :authlogic_sha512 (then you should set stretches above to 20 for default behavior)
-  # and :restful_authentication_sha1 (then you should set stretches to 10, and copy
-  # REST_AUTH_SITE_KEY to pepper).
+  # Allow you to use another hashing or encryption algorithm besides bcrypt (default).
+  # You can use :sha1, :sha512 or algorithms from others authentication tools as
+  # :clearance_sha1, :authlogic_sha512 (then you should set stretches above to 20
+  # for default behavior) and :restful_authentication_sha1 (then you should set
+  # stretches to 10, and copy REST_AUTH_SITE_KEY to pepper).
   #
   # Require the `devise-encryptable` gem when using anything other than bcrypt
   # config.encryptor = :sha512
@@ -220,7 +237,7 @@ Devise.setup do |config|
 
   # Set this configuration to false if you want /users/sign_out to sign out
   # only the current scope. By default, Devise signs out all scopes.
-  # config.sign_out_all_scopes = true
+  config.sign_out_all_scopes = false
 
   # ==> Navigation configuration
   # Lists the formats that should be treated as navigational. Formats like
@@ -260,8 +277,7 @@ Devise.setup do |config|
   # The router that invoked `devise_for`, in the example above, would be:
   # config.router_name = :my_engine
   #
-  # When using omniauth, Devise cannot automatically set Omniauth path,
+  # When using OmniAuth, Devise cannot automatically set OmniAuth path,
   # so you need to do it manually. For the users scope, it would be:
   # config.omniauth_path_prefix = '/my_engine/users/auth'
 end
-
diff --git a/config/locales/admin/base.en.yml b/config/locales/admin/base.en.yml
new file mode 100644
index 000000000..c092815cf
--- /dev/null
+++ b/config/locales/admin/base.en.yml
@@ -0,0 +1,5 @@
+en:
+  admin:
+    base:
+      menu:
+        sign_out: Sign out
\ No newline at end of file
diff --git a/config/locales/admin/sessions.en.yml b/config/locales/admin/sessions.en.yml
new file mode 100644
index 000000000..b3a47b553
--- /dev/null
+++ b/config/locales/admin/sessions.en.yml
@@ -0,0 +1,7 @@
+en:
+  admin:
+    sessions:
+      new:
+        header_html: Eesti Interneti SA<br>Admin portal
+        sign_in_btn: Sign in
+        remember_checkbox: Remember me
\ No newline at end of file
diff --git a/config/locales/api_users.en.yml b/config/locales/api_users.en.yml
new file mode 100644
index 000000000..757ded049
--- /dev/null
+++ b/config/locales/api_users.en.yml
@@ -0,0 +1,16 @@
+en:
+  activerecord:
+    attributes:
+      api_user:
+        plain_text_password: Password
+    errors:
+      models:
+        api_user:
+          attributes:
+            username:
+              blank: 'Username is missing'
+              taken: 'Username already exists'
+            plain_text_password:
+              blank: 'Password is missing'
+            registrar:
+              blank: 'Registrar is missing'
\ No newline at end of file
diff --git a/config/locales/devise.en.yml b/config/locales/devise.en.yml
index 9524e860c..3a853fe31 100644
--- a/config/locales/devise.en.yml
+++ b/config/locales/devise.en.yml
@@ -9,12 +9,12 @@ en:
     failure:
       already_authenticated: "You are already signed in."
       inactive: "Your account is not activated yet."
-      invalid: "Invalid email or password."
+      invalid: "Invalid %{authentication_keys} or password."
       locked: "Your account is locked."
       last_attempt: "You have one more attempt before your account is locked."
-      not_found_in_database: "Invalid email address or password."
+      not_found_in_database: "Invalid %{authentication_keys} or password."
       timeout: "Your session expired. Please sign in again to continue."
-      unauthenticated: "You need to sign in."
+      unauthenticated: "You need to sign in before continuing."
       unconfirmed: "You have to confirm your email address before continuing."
     mailer:
       confirmation_instructions:
@@ -23,6 +23,10 @@ en:
         subject: "Reset password instructions"
       unlock_instructions:
         subject: "Unlock instructions"
+      email_changed:
+        subject: "Email Changed"
+      password_change:
+        subject: "Password Changed"
     omniauth_callbacks:
       failure: "Could not authenticate you from %{kind} because \"%{reason}\"."
       success: "Successfully authenticated from %{kind} account."
diff --git a/config/locales/en.yml b/config/locales/en.yml
index 2afbb45a5..d2af3cc01 100644
--- a/config/locales/en.yml
+++ b/config/locales/en.yml
@@ -135,16 +135,6 @@ en:
             registrar:
               blank: 'Registrar is missing'
 
-        api_user:
-          attributes:
-            username:
-              blank: 'Username is missing'
-              taken: 'Username already exists'
-            password:
-              blank: 'Password is missing'
-            registrar:
-              blank: 'Registrar is missing'
-
         dnskey:
           attributes:
             alg:
@@ -400,7 +390,6 @@ en:
   invoices: 'Invoices'
   no_such_user: 'No such user'
   phone_no: 'Phone number'
-  log_in_with_mid: 'Log in with mobile-id'
   confirmation_sms_was_sent_to_your_phone_verification_code_is: 'Confirmation sms was sent to your phone. Verification code is %{code}.'
   user_signature_is_invalid: 'User signature is invalid'
   session_timeout: 'Session timeout'
@@ -432,7 +421,6 @@ en:
               blank: "Password can't be blank"
 
   username: 'Username'
-  log_in: 'Log in'
   domains: 'Domains'
   register: 'Register'
   contacts: 'Contacts'
@@ -729,7 +717,6 @@ en:
   mail_templates: Mail Templates
   failure: "It was not saved"
   contact_is_not_valid: 'Contact %{value} is not valid, please fix the invalid contact'
-  welcome_to_eis_registrar_portal: 'Welcome to EIS Registrar portal'
   next: 'Next'
   previous: 'Previous'
   personal_domain_verification_url: 'Personal domain verification url'
@@ -741,7 +728,6 @@ en:
   test_registrar: "Test registrar"
   verified_confirm: 'Verified status is for cases when current registrant is the one applying for the update. Legal document signed by the registrant is required. Are you sure this update is properly verified with the registrant?'
   verified: 'Verified'
-  only_estonian_residets_can_signin: "Access currently available only to Estonian citizens and e-residents with Estonian ID-card or Mobile-ID."
   deleted: 'Deleted'
   cant_match_version: 'Impossible match version with request'
   user_not_authenticated: "user not authenticated"
diff --git a/config/locales/et.yml b/config/locales/et.yml
index 96839e4c1..05d32be24 100644
--- a/config/locales/et.yml
+++ b/config/locales/et.yml
@@ -1,7 +1,6 @@
 et:
   username: 'Kasutajanimi'
   password: 'Parool'
-  log_in: 'Logi sisse'
 
   date:
     # Don't forget the nil at the beginning; there's no such thing as a 0th month
diff --git a/config/locales/registrant/sessions.en.yml b/config/locales/registrant/sessions.en.yml
new file mode 100644
index 000000000..3032382c1
--- /dev/null
+++ b/config/locales/registrant/sessions.en.yml
@@ -0,0 +1,12 @@
+en:
+  registrant:
+    sessions:
+      new:
+        header: Log in
+        hint:  >-
+          Access currently available only to Estonian citizens and e-residents with Estonian ID-card
+          or Mobile-ID.
+
+      login_mid:
+        header: Log in with mobile-id
+        submit_btn: Login
\ No newline at end of file
diff --git a/config/locales/registrar/sessions.en.yml b/config/locales/registrar/sessions.en.yml
index 25031e189..f74f74bc9 100644
--- a/config/locales/registrar/sessions.en.yml
+++ b/config/locales/registrar/sessions.en.yml
@@ -1,7 +1,9 @@
 en:
   registrar:
     sessions:
-      login:
-        login_btn: Login
+      new:
+        header_html: Eesti Interneti SA<br>Registrar Portal
+        submit_btn: Login
       login_mid:
-        login_btn: Login
+        header: Log in with mobile-id
+        submit_btn: Login
diff --git a/config/routes.rb b/config/routes.rb
index 20c55f25a..362271516 100644
--- a/config/routes.rb
+++ b/config/routes.rb
@@ -31,8 +31,17 @@ Rails.application.routes.draw do
 
   # REGISTRAR ROUTES
   namespace :registrar do
-    resource :dashboard
-    root 'dashboard#show'
+    root 'polls#show'
+
+    devise_for :users, path: '', class_name: 'ApiUser', skip: %i[sessions]
+
+    devise_scope :registrar_user do
+      get 'login/mid' => 'sessions#login_mid'
+      post 'login/mid' => 'sessions#mid'
+      post 'login/mid_status' => 'sessions#mid_status'
+      post 'id' => 'sessions#id'
+      post 'mid' => 'sessions#mid'
+    end
 
     resources :invoices do
       member do
@@ -45,18 +54,6 @@ Rails.application.routes.draw do
     resources :deposits
     resources :account_activities
 
-    devise_scope :user do
-      get 'login' => 'sessions#login'
-      get 'login/mid' => 'sessions#login_mid'
-      post 'login/mid' => 'sessions#mid'
-      post 'login/mid_status' => 'sessions#mid_status'
-
-      post 'sessions' => 'sessions#create'
-      post 'id' => 'sessions#id'
-      post 'mid' => 'sessions#mid'
-      delete 'logout', to: '/devise/sessions#destroy', as: :destroy_user_session
-    end
-
     put 'current_user/switch/:new_user_id', to: 'current_user#switch', as: :switch_current_user
     resource :profile, controller: :profile, only: :show
 
@@ -87,7 +84,7 @@ Rails.application.routes.draw do
       end
     end
 
-    resource :poll do
+    resource :poll, only: %i[show destroy] do
       collection do
         post 'confirm_keyrelay'
         post 'confirm_transfer'
@@ -109,9 +106,33 @@ Rails.application.routes.draw do
     get  'pay/go/:bank'           => 'payments#pay',   as: 'payment_with'
   end
 
+  scope :registrar do
+    devise_scope :registrar_user do
+      get 'sign_in', to: 'registrar/sessions#new', as: :new_registrar_user_session
+
+      # /registrar/sessions path is hardcoded in Apache config for certificate-based authentication
+      # See https://github.com/internetee/registry/blob/master/README.md#installation
+      # Client certificate is asked only on login form submission, therefore the path must be
+      # different from the one in `new_registrar_user_session` route
+      post 'sessions', to: 'registrar/sessions#create', as: :registrar_user_session
+
+      delete 'sign_out', to: 'registrar/sessions#destroy', as: :destroy_registrar_user_session
+    end
+  end
+
   namespace :registrant do
     root 'domains#index'
 
+    # POST /registrant/sign_in is not used
+    devise_for :users, path: '', class_name: 'RegistrantUser'
+    devise_scope :registrant_user do
+      get 'login/mid' => 'sessions#login_mid'
+      post 'login/mid' => 'sessions#mid'
+      post 'login/mid_status' => 'sessions#mid_status'
+      post 'mid' => 'sessions#mid'
+      post 'id' => 'sessions#id'
+    end
+
     resources :registrars, only: :show
     resources :contacts, only: :show
     resources :domains, only: %i[index show] do
@@ -126,22 +147,13 @@ Rails.application.routes.draw do
 
     resources :domain_update_confirms, only: %i[show update]
     resources :domain_delete_confirms, only: %i[show update]
-
-    devise_scope :user do
-      get 'login' => 'sessions#login'
-      get 'login/mid' => 'sessions#login_mid'
-      post 'login/mid' => 'sessions#mid'
-      post 'login/mid_status' => 'sessions#mid_status'
-
-      post 'sessions' => 'sessions#create'
-      post 'mid' => 'sessions#mid'
-      post 'id' => 'sessions#id'
-      get 'logout' => '/devise/sessions#destroy'
-    end
   end
 
   # ADMIN ROUTES
   namespace :admin do
+    root 'dashboard#show'
+    devise_for :users, path: '', class_name: 'AdminUser'
+
     resources :keyrelays
     resources :zonefiles
     resources :zones, controller: 'dns/zones', except: %i[show destroy]
@@ -243,26 +255,14 @@ Rails.application.routes.draw do
     end
 
     resources :delayed_jobs
-
-    resource :dashboard
-
     resources :epp_logs
     resources :repp_logs
 
-    devise_scope :user do
-      get 'login' => 'sessions#login'
-      post 'sessions' => 'sessions#create'
-      get 'logout' => '/devise/sessions#destroy'
-    end
-
-    authenticate :user do
+    authenticate :admin_user do
       mount Que::Web, at: 'que'
     end
-
-    root 'dashboards#show'
   end
 
-  devise_for :users
-
-  root to: redirect('admin/login')
-end
+  # To prevent users seeing the default welcome message "Welcome aboard" from Rails
+  root to: redirect('admin/sign_in')
+end
\ No newline at end of file
diff --git a/db/migrate/20180713154915_rename_users_password_to_plain_text_password.rb b/db/migrate/20180713154915_rename_users_password_to_plain_text_password.rb
new file mode 100644
index 000000000..9636d69bf
--- /dev/null
+++ b/db/migrate/20180713154915_rename_users_password_to_plain_text_password.rb
@@ -0,0 +1,5 @@
+class RenameUsersPasswordToPlainTextPassword < ActiveRecord::Migration
+  def change
+    rename_column :users, :password, :plain_text_password
+  end
+end
diff --git a/db/structure.sql b/db/structure.sql
index 3bd6939f6..14d5ffffd 100644
--- a/db/structure.sql
+++ b/db/structure.sql
@@ -2282,7 +2282,7 @@ ALTER SEQUENCE public.settings_id_seq OWNED BY public.settings.id;
 CREATE TABLE public.users (
     id integer NOT NULL,
     username character varying,
-    password character varying,
+    plain_text_password character varying,
     created_at timestamp without time zone,
     updated_at timestamp without time zone,
     email character varying,
@@ -4759,3 +4759,5 @@ INSERT INTO schema_migrations (version) VALUES ('20180613030330');
 
 INSERT INTO schema_migrations (version) VALUES ('20180613045614');
 
+INSERT INTO schema_migrations (version) VALUES ('20180713154915');
+
diff --git a/doc/controllers_complete.svg b/doc/controllers_complete.svg
index 7f3644dd3..0501ceac9 100644
--- a/doc/controllers_complete.svg
+++ b/doc/controllers_complete.svg
@@ -433,14 +433,6 @@
 <path fill="none" stroke="black" d="M-467.5,-480.5C-467.5,-480.5 -344.5,-480.5 -344.5,-480.5 -338.5,-480.5 -332.5,-486.5 -332.5,-492.5 -332.5,-492.5 -332.5,-681.5 -332.5,-681.5 -332.5,-687.5 -338.5,-693.5 -344.5,-693.5 -344.5,-693.5 -467.5,-693.5 -467.5,-693.5 -473.5,-693.5 -479.5,-687.5 -479.5,-681.5 -479.5,-681.5 -479.5,-492.5 -479.5,-492.5 -479.5,-486.5 -473.5,-480.5 -467.5,-480.5"/>
 <text text-anchor="middle" x="-406" y="-678.3" font-family="Times,serif" font-size="14.00">ApplicationController</text>
 <polyline fill="none" stroke="black" points="-479.5,-670.5 -332.5,-670.5 "/>
-<text text-anchor="start" x="-471.5" y="-655.3" font-family="Times,serif" font-size="14.00">admin_request?</text>
-<text text-anchor="start" x="-471.5" y="-640.3" font-family="Times,serif" font-size="14.00">after_sign_in_path_for</text>
-<text text-anchor="start" x="-471.5" y="-625.3" font-family="Times,serif" font-size="14.00">after_sign_out_path_for</text>
-<text text-anchor="start" x="-471.5" y="-610.3" font-family="Times,serif" font-size="14.00">api_user_log_str</text>
-<text text-anchor="start" x="-471.5" y="-595.3" font-family="Times,serif" font-size="14.00">current_root_url</text>
-<text text-anchor="start" x="-471.5" y="-565.3" font-family="Times,serif" font-size="14.00">registrant_request?</text>
-<text text-anchor="start" x="-471.5" y="-550.3" font-family="Times,serif" font-size="14.00">registrar_request?</text>
-<text text-anchor="start" x="-471.5" y="-535.3" font-family="Times,serif" font-size="14.00">user_for_paper_trail</text>
 <polyline fill="none" stroke="black" points="-479.5,-527.5 -332.5,-527.5 "/>
 <polyline fill="none" stroke="black" points="-479.5,-503.5 -332.5,-503.5 "/>
 <text text-anchor="start" x="-471.5" y="-488.3" font-family="Times,serif" font-size="14.00">_layout</text>
diff --git a/doc/registrant-api/v1/authentication.md b/doc/registrant-api/v1/authentication.md
index 20ad6edd6..f9e3be9bf 100644
--- a/doc/registrant-api/v1/authentication.md
+++ b/doc/registrant-api/v1/authentication.md
@@ -38,7 +38,7 @@ Content-type: application/json
 #### Response
 ```
 HTTP/1.1 201
-Content-Type: application.json
+Content-Type: application/json
 
 
 {
@@ -70,7 +70,7 @@ Content-type: application/json
 #### Response
 ```
 HTTP/1.1 201
-Content-Type: application.json
+Content-Type: application/json
 
 
 {
diff --git a/doc/registrant-api/v1/contact.md b/doc/registrant-api/v1/contact.md
index 4e1c12bec..1102752b3 100644
--- a/doc/registrant-api/v1/contact.md
+++ b/doc/registrant-api/v1/contact.md
@@ -148,7 +148,7 @@ Content-type: application/json
 
 ```
 HTTP/1.1 200
-Content-Type: application.json
+Content-Type: application/json
 
 {
   "uuid": "84c62f3d-e56f-40fa-9ca4-dc0137778949",
@@ -184,7 +184,7 @@ Content-Type: application.json
 ### Response on failure
 ```
 HTTP/1.1 400
-Content-Type: application.json
+Content-Type: application/json
 
 {
   "errors": [
diff --git a/lib/devise_custom_failure.rb b/lib/devise_custom_failure.rb
deleted file mode 100644
index a8a947173..000000000
--- a/lib/devise_custom_failure.rb
+++ /dev/null
@@ -1,18 +0,0 @@
-class DeviseCustomFailure < Devise::FailureApp
-  def redirect_url
-    return registrant_login_url if request.original_fullpath.to_s.match(%r{^\/registrant})
-    return registrar_login_url  if request.original_fullpath.to_s.match(%r{^\/registrar})
-    return '/admin'             if request.original_fullpath.to_s.match(%r{^\/admin\/que})
-    return admin_login_url      if request.original_fullpath.to_s.match(%r{^\/admin})
-    root_url
-  end
-
-  # You need to override respond to eliminate recall
-  def respond
-    if http_auth?
-      http_auth
-    else
-      redirect
-    end
-  end
-end
diff --git a/lib/tasks/import.rake b/lib/tasks/import.rake
index 2fa67a827..a3b884935 100644
--- a/lib/tasks/import.rake
+++ b/lib/tasks/import.rake
@@ -145,7 +145,7 @@ namespace :import do
           if y.try(:cert) == 'idkaart'
             id_users << ApiUser.new({
               username: y.try(:password) ? y.try(:password) : y.try(:password),
-              password: ('a'..'z').to_a.shuffle.first(8).join,
+              plain_text_password: ('a'..'z').to_a.shuffle.first(8).join,
               identity_code: y.try(:password) ? y.try(:password) : y.try(:password),
               registrar_id: Registrar.find_by(legacy_id: x.try(:id)).try(:id),
               roles: ['billing'],
@@ -154,7 +154,7 @@ namespace :import do
           else
             temp << ApiUser.new({
               username: x.handle.try(:strip),
-              password: y.try(:password) ? y.try(:password) : ('a'..'z').to_a.shuffle.first(8).join,
+              plain_text_password: y.try(:password) ? y.try(:password) : ('a'..'z').to_a.shuffle.first(8).join,
               registrar_id: Registrar.find_by(legacy_id: x.try(:id)).try(:id),
               roles: ['epp'],
               legacy_id: y.try(:id)
diff --git a/spec/api/repp/contact_v1_spec.rb b/spec/api/repp/contact_v1_spec.rb
index 716eb40cc..77ce38d2e 100644
--- a/spec/api/repp/contact_v1_spec.rb
+++ b/spec/api/repp/contact_v1_spec.rb
@@ -45,6 +45,6 @@ RSpec.describe Repp::ContactV1, db: true do
   end
 
   def http_auth_key
-    ActionController::HttpAuthentication::Basic.encode_credentials(user.username, user.password)
+    ActionController::HttpAuthentication::Basic.encode_credentials(user.username, user.plain_text_password)
   end
 end
diff --git a/spec/factories/api_user.rb b/spec/factories/api_user.rb
index a3f9623b6..01ba0f8da 100644
--- a/spec/factories/api_user.rb
+++ b/spec/factories/api_user.rb
@@ -1,7 +1,7 @@
 FactoryBot.define do
   factory :api_user do
     sequence(:username) { |n| "test#{n}" }
-    password 'a' * ApiUser.min_password_length
+    plain_text_password 'a' * ApiUser.min_password_length
     roles ['super']
     registrar
 
diff --git a/spec/features/registrar/home_link_spec.rb b/spec/features/registrar/home_link_spec.rb
deleted file mode 100644
index 04d61e1b7..000000000
--- a/spec/features/registrar/home_link_spec.rb
+++ /dev/null
@@ -1,8 +0,0 @@
-require 'rails_helper'
-
-RSpec.feature 'Registrar area home link', db: true do
-  scenario 'is visible' do
-    visit registrar_login_url
-    expect(page).to have_link('registrar-home-btn', href: registrar_root_path)
-  end
-end
diff --git a/spec/features/registrar/sign_in/password_spec.rb b/spec/features/registrar/sign_in/password_spec.rb
deleted file mode 100644
index 64e22b8f4..000000000
--- a/spec/features/registrar/sign_in/password_spec.rb
+++ /dev/null
@@ -1,39 +0,0 @@
-require 'rails_helper'
-
-RSpec.feature 'Registrar area password sign-in' do
-  scenario 'signs in the user with valid credentials' do
-    create(:api_user_with_unlimited_balance,
-           active: true,
-           login: 'test',
-           password: 'testtest')
-
-    visit registrar_login_path
-    sign_in_with 'test', 'testtest'
-
-    expect(page).to have_text(t('registrar.base.current_user.sign_out'))
-  end
-
-  scenario 'notifies the user with invalid credentials' do
-    create(:api_user, login: 'test', password: 'testtest')
-
-    visit registrar_login_path
-    sign_in_with 'test', 'invalid'
-
-    expect(page).to have_text('No such user')
-  end
-
-  scenario 'notifies the user with inactive account' do
-    create(:api_user, active: false, login: 'test', password: 'testtest')
-
-    visit registrar_login_path
-    sign_in_with 'test', 'testtest'
-
-    expect(page).to have_text('User is not active')
-  end
-
-  def sign_in_with(username, password)
-    fill_in 'depp_user_tag', with: username
-    fill_in 'depp_user_password', with: password
-    click_button 'Login'
-  end
-end
diff --git a/spec/features/registrar/sign_out_spec.rb b/spec/features/registrar/sign_out_spec.rb
deleted file mode 100644
index 09ae011cd..000000000
--- a/spec/features/registrar/sign_out_spec.rb
+++ /dev/null
@@ -1,14 +0,0 @@
-require 'rails_helper'
-
-RSpec.feature 'Registrar area sign-out', settings: false do
-  background do
-    sign_in_to_registrar_area(user: create(:api_user_with_unlimited_balance))
-  end
-
-  scenario 'signs the user out' do
-    visit registrar_root_path
-    click_on t('registrar.base.current_user.sign_out')
-
-    expect(page).to have_text('Signed out successfully.')
-  end
-end
diff --git a/spec/requests/registrar/ip_restriction_spec.rb b/spec/requests/registrar/ip_restriction_spec.rb
index 69ba33602..49a04428a 100644
--- a/spec/requests/registrar/ip_restriction_spec.rb
+++ b/spec/requests/registrar/ip_restriction_spec.rb
@@ -2,11 +2,11 @@ require 'rails_helper'
 
 RSpec.describe 'Registrar area IP restriction', settings: false do
   before do
-    @original_registrar_ip_whitelist_enabled = Setting.registrar_ip_whitelist_enabled
+    @original_registrar_ip_whitelist_enabled_setting = Setting.registrar_ip_whitelist_enabled
   end
 
   after do
-    Setting.registrar_ip_whitelist_enabled = @original_registrar_ip_whitelist_enabled
+    Setting.registrar_ip_whitelist_enabled = @original_registrar_ip_whitelist_enabled_setting
   end
 
   context 'when authenticated' do
@@ -22,12 +22,11 @@ RSpec.describe 'Registrar area IP restriction', settings: false do
       context 'when ip is allowed' do
         let!(:white_ip) { create(:white_ip,
                                  ipv4: '127.0.0.1',
-                                 registrar: controller.current_user.registrar,
+                                 registrar: controller.current_registrar_user.registrar,
                                  interfaces: [WhiteIp::REGISTRAR]) }
 
         specify do
           get registrar_root_url
-          follow_redirect!
           expect(response).to be_success
         end
       end
@@ -35,13 +34,12 @@ RSpec.describe 'Registrar area IP restriction', settings: false do
       context 'when ip is not allowed' do
         it 'signs the user out' do
           get registrar_root_url
-          follow_redirect!
-          expect(controller.current_user).to be_nil
+          expect(controller.current_registrar_user).to be_nil
         end
 
         it 'redirects to login url' do
           get registrar_root_url
-          expect(response).to redirect_to(registrar_login_url)
+          expect(response).to redirect_to(new_registrar_user_session_url)
         end
       end
     end
@@ -49,7 +47,6 @@ RSpec.describe 'Registrar area IP restriction', settings: false do
     context 'when IP restriction is disabled' do
       specify do
         get registrar_root_url
-        follow_redirect!
         expect(response).to be_success
       end
     end
@@ -67,14 +64,14 @@ RSpec.describe 'Registrar area IP restriction', settings: false do
                                  interfaces: [WhiteIp::REGISTRAR]) }
 
         specify do
-          get registrar_login_path
+          get new_registrar_user_session_path
           expect(response).to be_success
         end
       end
 
       context 'when ip is not allowed' do
         specify do
-          get registrar_login_path
+          get new_registrar_user_session_path
           expect(response.body).to match "Access denied"
         end
       end
@@ -82,7 +79,7 @@ RSpec.describe 'Registrar area IP restriction', settings: false do
 
     context 'when IP restriction is disabled' do
       specify do
-        get registrar_login_path
+        get new_registrar_user_session_path
         expect(response).to be_success
       end
     end
diff --git a/spec/requests/registrar/linked_users_spec.rb b/spec/requests/registrar/linked_users_spec.rb
index d5d51e3c6..05cf10600 100644
--- a/spec/requests/registrar/linked_users_spec.rb
+++ b/spec/requests/registrar/linked_users_spec.rb
@@ -6,7 +6,7 @@ RSpec.describe 'Registrar area linked users', db: false do
       let!(:current_user) { create(:api_user, id: 1, identity_code: 'code') }
 
       before do
-        sign_in_to_registrar_area(user: current_user)
+        sign_in current_user
       end
 
       context 'when ip is allowed' do
@@ -23,7 +23,7 @@ RSpec.describe 'Registrar area linked users', db: false do
           it 'signs in as a new user' do
             put '/registrar/current_user/switch/2', nil, { HTTP_REFERER: registrar_contacts_url }
             follow_redirect!
-            expect(controller.current_user.id).to eq(2)
+            expect(controller.current_registrar_user.id).to eq(2)
           end
 
           it 'redirects back' do
@@ -40,15 +40,6 @@ RSpec.describe 'Registrar area linked users', db: false do
               put '/registrar/current_user/switch/2', nil, { HTTP_REFERER: registrar_contacts_path }
             end.to raise_error('Cannot switch to unlinked user')
           end
-
-          it 'does not sign in as a new user' do
-            suppress StandardError do
-              put '/registrar/current_user/switch/2', nil, { HTTP_REFERER: registrar_contacts_path }
-            end
-
-            follow_redirect!
-            expect(controller.current_user.id).to eq(1)
-          end
         end
       end
 
@@ -62,7 +53,7 @@ RSpec.describe 'Registrar area linked users', db: false do
 
         specify do
           put '/registrar/current_user/switch/2'
-          expect(response).to redirect_to(registrar_login_url)
+          expect(response).to redirect_to(new_registrar_user_session_url)
         end
       end
     end
@@ -70,7 +61,7 @@ RSpec.describe 'Registrar area linked users', db: false do
     context 'when user is not authenticated' do
       specify do
         put '/registrar/current_user/switch/2'
-        expect(response).to redirect_to(registrar_login_url)
+        expect(response).to redirect_to(new_registrar_user_session_url)
       end
     end
   end
diff --git a/spec/requests/registrar/sign_in/password_spec.rb b/spec/requests/registrar/sign_in/password_spec.rb
deleted file mode 100644
index b875de98a..000000000
--- a/spec/requests/registrar/sign_in/password_spec.rb
+++ /dev/null
@@ -1,16 +0,0 @@
-require 'rails_helper'
-
-RSpec.describe 'Registrar area password sign-in', settings: false do
-  let!(:user) { create(:api_user, active: true, login: 'test', password: 'testtest') }
-
-  it 'signs the user in' do
-    post registrar_sessions_path, depp_user: { tag: 'test', password: 'testtest' }
-    follow_redirect!
-    expect(controller.current_user).to eq(user)
-  end
-
-  it 'redirects to root url' do
-    post registrar_sessions_path, depp_user: { tag: 'test', password: 'testtest' }
-    expect(response).to redirect_to(registrar_root_url)
-  end
-end
diff --git a/spec/requests/registrar/sign_out_spec.rb b/spec/requests/registrar/sign_out_spec.rb
deleted file mode 100644
index 4f5b099c0..000000000
--- a/spec/requests/registrar/sign_out_spec.rb
+++ /dev/null
@@ -1,18 +0,0 @@
-require 'rails_helper'
-
-RSpec.describe 'Registrar area sign-out', settings: false do
-  before do
-    sign_in_to_registrar_area
-  end
-
-  it 'signs the user out' do
-    delete registrar_destroy_user_session_path
-    follow_redirect!
-    expect(controller.current_user).to be_nil
-  end
-
-  it 'redirects to login url' do
-    delete registrar_destroy_user_session_path
-    expect(response).to redirect_to(registrar_login_url)
-  end
-end
diff --git a/spec/routing/registrar/domains_routing_spec.rb b/spec/routing/registrar/domains_routing_spec.rb
deleted file mode 100644
index e30d1dd24..000000000
--- a/spec/routing/registrar/domains_routing_spec.rb
+++ /dev/null
@@ -1,9 +0,0 @@
-require 'rails_helper'
-
-RSpec.describe Registrar::DomainsController do
-  describe 'routing' do
-    it 'routes to #index' do
-      expect(get: '/registrar/domains').to route_to('registrar/domains#index')
-    end
-  end
-end
diff --git a/spec/routing/registrar/sessions_routing_spec.rb b/spec/routing/registrar/sessions_routing_spec.rb
deleted file mode 100644
index 24e075e58..000000000
--- a/spec/routing/registrar/sessions_routing_spec.rb
+++ /dev/null
@@ -1,9 +0,0 @@
-require 'rails_helper'
-
-RSpec.describe Registrar::SessionsController do
-  describe 'routing' do
-    it 'routes to #login' do
-      expect(get: '/registrar/login').to route_to('registrar/sessions#login')
-    end
-  end
-end
diff --git a/spec/support/features/session_helpers.rb b/spec/support/features/session_helpers.rb
index df02691d2..11724f420 100644
--- a/spec/support/features/session_helpers.rb
+++ b/spec/support/features/session_helpers.rb
@@ -1,19 +1,19 @@
 module Features
   module SessionHelpers
     def sign_in_to_admin_area(user: create(:admin_user))
-      visit admin_login_url
+      visit new_admin_user_session_url
 
       fill_in 'admin_user[username]', with: user.username
       fill_in 'admin_user[password]', with: user.password
 
-      click_button 'Log in'
+      click_button 'Sign in'
     end
 
     def sign_in_to_registrar_area(user: create(:api_user))
-      visit registrar_login_url
+      visit new_registrar_user_session_url
 
-      fill_in 'depp_user_tag', with: user.username
-      fill_in 'depp_user_password', with: user.password
+      fill_in 'registrar_user_username', with: user.username
+      fill_in 'registrar_user_password', with: user.plain_text_password
 
       click_button 'Login'
     end
diff --git a/spec/support/requests/session_helpers.rb b/spec/support/requests/session_helpers.rb
index 84cb9c701..1a7b90138 100644
--- a/spec/support/requests/session_helpers.rb
+++ b/spec/support/requests/session_helpers.rb
@@ -1,11 +1,11 @@
 module Requests
   module SessionHelpers
     def sign_in_to_admin_area(user: create(:admin_user))
-      post admin_sessions_path, admin_user: { username: user.username, password: user.password }
+      post admin_user_session_path, admin_user: { username: user.username, password: user.password }
     end
 
     def sign_in_to_registrar_area(user: create(:api_user))
-      post registrar_sessions_path, { depp_user: { tag: user.username, password: user.password } }
+      post registrar_user_session_path, { registrar_user: { username: user.username, password: user.plain_text_password } }
     end
   end
-end
+end
\ No newline at end of file
diff --git a/test/fixtures/contacts.yml b/test/fixtures/contacts.yml
index 1f2e4b8da..cb9387090 100644
--- a/test/fixtures/contacts.yml
+++ b/test/fixtures/contacts.yml
@@ -14,7 +14,7 @@ william: &william
   name: William
   email: william@inbox.test
   phone: '+555.555'
-  fax: +555.555
+  fax: '+666.6'
   ident: 1234
   ident_type: priv
   ident_country_code: US
diff --git a/test/fixtures/registrars.yml b/test/fixtures/registrars.yml
index 6ff6d2dc9..65400bf13 100644
--- a/test/fixtures/registrars.yml
+++ b/test/fixtures/registrars.yml
@@ -40,13 +40,4 @@ complete:
   accounting_customer_code: US0001
   language: en
   vat_no: US12345
-  vat_rate: 0.05
-
-not_in_use:
-  name: any
-  reg_no: any
-  code: any
-  email: any@example.com
-  country_code: US
-  accounting_customer_code: any
-  language: en
+  vat_rate: 0.05
\ No newline at end of file
diff --git a/test/fixtures/users.yml b/test/fixtures/users.yml
index 5fd2dc925..057a64557 100644
--- a/test/fixtures/users.yml
+++ b/test/fixtures/users.yml
@@ -1,6 +1,6 @@
 api_bestnames:
   username: test_bestnames
-  password: testtest
+  plain_text_password: testtest
   type: ApiUser
   registrar: bestnames
   active: true
@@ -9,7 +9,7 @@ api_bestnames:
 
 api_goodnames:
   username: test_goodnames
-  password: testtest
+  plain_text_password: testtest
   type: ApiUser
   registrar: goodnames
   active: true
@@ -18,6 +18,7 @@ api_goodnames:
 
 admin:
   username: test
+  encrypted_password: <%= Devise::Encryptor.digest(AdminUser, 'testtest') %>
   type: AdminUser
   country_code: US
   roles:
diff --git a/test/integration/epp/login/password_change_test.rb b/test/integration/epp/login/password_change_test.rb
new file mode 100644
index 000000000..69c3140b6
--- /dev/null
+++ b/test/integration/epp/login/password_change_test.rb
@@ -0,0 +1,33 @@
+require 'test_helper'
+
+class EppLoginPasswordChangeTest < ActionDispatch::IntegrationTest
+  def test_password_change
+    request_xml = <<-XML
+      <?xml version="1.0" encoding="UTF-8" standalone="no"?>
+      <epp xmlns="https://epp.tld.ee/schema/epp-ee-1.0.xsd">
+        <command>
+          <login>
+            <clID>test_bestnames</clID>
+            <pw>testtest</pw>
+            <newPW>new-password</newPW>
+            <options>
+              <version>1.0</version>
+              <lang>en</lang>
+            </options>
+            <svcs>
+              <objURI>https://epp.tld.ee/schema/domain-eis-1.0.xsd</objURI>
+              <objURI>https://epp.tld.ee/schema/contact-ee-1.1.xsd</objURI>
+              <objURI>urn:ietf:params:xml:ns:host-1.0</objURI>
+              <objURI>urn:ietf:params:xml:ns:keyrelay-1.0</objURI>
+            </svcs>
+          </login>
+        </command>
+      </epp>
+    XML
+
+    post '/epp/session/login', { frame: request_xml }, { 'HTTP_COOKIE' => 'session=new_session_id' }
+    assert_equal 'new-password', users(:api_bestnames).plain_text_password
+    assert_equal '1000', Nokogiri::XML(response.body).at_css('result')[:code]
+    assert_equal 1, Nokogiri::XML(response.body).css('result').size
+  end
+end
\ No newline at end of file
diff --git a/test/system/admin_area/api_users/new_test.rb b/test/system/admin_area/api_users/new_test.rb
new file mode 100644
index 000000000..aed012fdc
--- /dev/null
+++ b/test/system/admin_area/api_users/new_test.rb
@@ -0,0 +1,25 @@
+require 'test_helper'
+
+class AdminAreaNewApiUserTest < ApplicationSystemTestCase
+  setup do
+    sign_in users(:admin)
+  end
+
+  def test_new_api_user_creation_with_required_params
+    visit admin_api_users_url
+    click_link_or_button 'New API user'
+
+    fill_in 'Username', with: 'newtest'
+    fill_in 'Password', with: 'testtest'
+    find('#api_user_registrar_id', visible: false).set(registrars(:bestnames).id)
+
+    assert_difference 'ApiUser.count' do
+      click_link_or_button 'Save'
+    end
+
+    assert_current_path admin_api_user_path(ApiUser.last)
+    assert_text 'Record created'
+    assert_text 'Username newtest'
+    assert_text 'Password testtest'
+  end
+end
\ No newline at end of file
diff --git a/test/system/admin_area/protected_area_test.rb b/test/system/admin_area/protected_area_test.rb
new file mode 100644
index 000000000..9390348f0
--- /dev/null
+++ b/test/system/admin_area/protected_area_test.rb
@@ -0,0 +1,22 @@
+require 'test_helper'
+
+class AdminAreaProtectedAreaTest < ApplicationSystemTestCase
+  def test_anonymous_user_is_asked_to_authenticate_when_navigating_to_protected_area
+    visit admin_domains_url
+    assert_text 'You need to sign in before continuing'
+    assert_current_path new_admin_user_session_path
+  end
+
+  def test_authenticated_user_can_access_protected_area
+    sign_in users(:admin)
+    visit admin_domains_url
+    assert_current_path admin_domains_path
+  end
+
+  def test_authenticated_user_is_not_asked_to_authenticate_again
+    sign_in users(:admin)
+    visit new_admin_user_session_url
+    assert_text 'You are already signed in'
+    assert_current_path admin_domains_path
+  end
+end
\ No newline at end of file
diff --git a/test/system/admin_area/sign_in_test.rb b/test/system/admin_area/sign_in_test.rb
new file mode 100644
index 000000000..dd264aa5e
--- /dev/null
+++ b/test/system/admin_area/sign_in_test.rb
@@ -0,0 +1,44 @@
+require 'test_helper'
+
+class AdminAreaSignInTest < ApplicationSystemTestCase
+  setup do
+    @user = users(:admin)
+  end
+
+  def test_correct_username_and_password
+    visit new_admin_user_session_url
+    fill_in 'admin_user_username', with: @user.username
+    fill_in 'admin_user_password', with: 'testtest'
+    click_button 'Sign in'
+
+    assert_text 'Signed in successfully'
+    assert_current_path admin_domains_path
+  end
+
+  def test_wrong_password
+    visit new_admin_user_session_url
+    fill_in 'admin_user_username', with: @user.username
+    fill_in 'admin_user_password', with: 'wrong'
+    click_button 'Sign in'
+
+    assert_text 'Invalid Username or password'
+    assert_current_path new_admin_user_session_path
+  end
+
+  def test_retry_with_correct_username_and_password
+    visit new_admin_user_session_url
+    fill_in 'admin_user_username', with: @user.username
+    fill_in 'admin_user_password', with: 'wrong'
+    click_button 'Sign in'
+
+    assert_text 'Invalid Username or password'
+    assert_current_path new_admin_user_session_path
+
+    fill_in 'admin_user_username', with: @user.username
+    fill_in 'admin_user_password', with: 'testtest'
+    click_button 'Sign in'
+
+    assert_text 'Signed in successfully'
+    assert_current_path admin_domains_path
+  end
+end
\ No newline at end of file
diff --git a/test/system/admin_area/sign_out_test.rb b/test/system/admin_area/sign_out_test.rb
new file mode 100644
index 000000000..f85ea0bd2
--- /dev/null
+++ b/test/system/admin_area/sign_out_test.rb
@@ -0,0 +1,15 @@
+require 'test_helper'
+
+class AdminAreaSignOutTest < ApplicationSystemTestCase
+  setup do
+    sign_in users(:admin)
+  end
+
+  def test_logout
+    visit admin_root_url
+    click_on 'Sign out'
+
+    assert_text 'Signed out successfully'
+    assert_current_path new_admin_user_session_path
+  end
+end
\ No newline at end of file
diff --git a/test/system/registrar_area/protected_area_test.rb b/test/system/registrar_area/protected_area_test.rb
new file mode 100644
index 000000000..f3ec06302
--- /dev/null
+++ b/test/system/registrar_area/protected_area_test.rb
@@ -0,0 +1,25 @@
+require 'test_helper'
+
+class RegistrarAreaProtectedAreaTest < ApplicationSystemTestCase
+  def test_anonymous_user_is_asked_to_authenticate_when_navigating_to_protected_area
+    visit registrar_domains_url
+    assert_text 'You need to sign in before continuing'
+    assert_current_path new_registrar_user_session_path
+  end
+
+  def test_authenticated_user_can_access_protected_area
+    sign_in users(:api_bestnames)
+    visit registrar_domains_url
+
+    assert_no_text 'You need to sign in before continuing'
+    assert_current_path registrar_domains_path
+  end
+
+  def test_authenticated_user_is_not_asked_to_authenticate_again
+    sign_in users(:api_bestnames)
+    visit new_registrar_user_session_url
+
+    assert_text 'You are already signed in'
+    assert_current_path registrar_root_path
+  end
+end
\ No newline at end of file
diff --git a/test/system/registrar_area/sign_in_test.rb b/test/system/registrar_area/sign_in/mobile_id_test.rb
similarity index 85%
rename from test/system/registrar_area/sign_in_test.rb
rename to test/system/registrar_area/sign_in/mobile_id_test.rb
index 9af5522f9..ecca00c56 100644
--- a/test/system/registrar_area/sign_in_test.rb
+++ b/test/system/registrar_area/sign_in/mobile_id_test.rb
@@ -1,6 +1,6 @@
 require 'test_helper'
 
-class RegistrarAreaSignInTest < JavaScriptApplicationSystemTestCase
+class RegistrarAreaMobileIDSignInTest < JavaScriptApplicationSystemTestCase
   def setup
     super
     WebMock.allow_net_connect!
@@ -10,7 +10,7 @@ class RegistrarAreaSignInTest < JavaScriptApplicationSystemTestCase
     @user.save
   end
 
-  def test_mobile_id_sign_in_page
+  def test_valid_phone_number
     mock_client = Minitest::Mock.new
     mock_client.expect(:authenticate,
                        OpenStruct.new(user_id_code: '1234', challenge_id: '1234'),
@@ -20,7 +20,7 @@ class RegistrarAreaSignInTest < JavaScriptApplicationSystemTestCase
     mock_client.expect(:session_code, 1234)
 
     Digidoc::Client.stub(:new, mock_client) do
-      visit registrar_login_path
+      visit new_registrar_user_session_path
 
       click_on 'login-with-mobile-id-btn'
 
diff --git a/test/system/registrar_area/sign_in/password_test.rb b/test/system/registrar_area/sign_in/password_test.rb
new file mode 100644
index 000000000..04dffd07b
--- /dev/null
+++ b/test/system/registrar_area/sign_in/password_test.rb
@@ -0,0 +1,52 @@
+require 'test_helper'
+
+class RegistrarAreaPasswordSignInTest < ApplicationSystemTestCase
+  setup do
+    @user = users(:api_bestnames)
+  end
+
+  def test_correct_username_and_password
+    login_with_correct_credentials
+    assert_text 'Log out'
+    assert_current_path registrar_root_path
+  end
+
+  def test_after_successful_sign_in_super_user_sees_service_message_list
+    @user.update!(roles: [ApiUser::SUPER])
+    login_with_correct_credentials
+    assert_current_path registrar_root_path
+  end
+
+  def test_after_successful_sign_in_billing_user_sees_profile
+    @user.update!(roles: [ApiUser::BILLING])
+    login_with_correct_credentials
+    assert_current_path registrar_profile_path
+  end
+
+  def test_wrong_password
+    visit new_registrar_user_session_url
+    fill_in 'registrar_user_username', with: @user.username
+    fill_in 'registrar_user_password', with: 'wrong'
+    click_button 'Login'
+
+    assert_text 'No such user'
+    assert_current_path new_registrar_user_session_path
+  end
+
+  def test_inactive_user
+    @user.update!(active: false)
+    login_with_correct_credentials
+
+    assert_text 'User is not active'
+    assert_current_path new_registrar_user_session_path
+  end
+
+  private
+
+  def login_with_correct_credentials
+    visit new_registrar_user_session_url
+    fill_in 'registrar_user_username', with: @user.username
+    fill_in 'registrar_user_password', with: 'testtest'
+    click_button 'Login'
+  end
+end
\ No newline at end of file
diff --git a/test/system/registrar_area/sign_out_test.rb b/test/system/registrar_area/sign_out_test.rb
new file mode 100644
index 000000000..8fd48db21
--- /dev/null
+++ b/test/system/registrar_area/sign_out_test.rb
@@ -0,0 +1,15 @@
+require 'test_helper'
+
+class RegistrarAreaSignOutTest < ApplicationSystemTestCase
+  setup do
+    sign_in users(:api_bestnames)
+  end
+
+  def test_logout
+    visit registrar_root_url
+    click_on 'Log out'
+
+    assert_text 'Signed out successfully'
+    assert_current_path new_registrar_user_session_path
+  end
+end
\ No newline at end of file