diff --git a/.gitmodules b/.gitmodules
index fefdf57df8f..71eed63ea23 100644
--- a/.gitmodules
+++ b/.gitmodules
@@ -57,15 +57,6 @@
 [submodule "plugins/DeviceDetectorCache"]
 	path = plugins/DeviceDetectorCache
 	url = https://github.com/matomo-org/plugin-DeviceDetectorCache.git
-[submodule "plugins/Provider"]
-	path = plugins/Provider
-	url = https://github.com/matomo-org/plugin-Provider.git
-
-# Add new Plugin submodule above this line ^^
-# 
-# Note: when you add a submodule that SHOULD be left in the packaged release such as the few submodules below,
-#       then you MUST add these submodules names in the SUBMODULES_PACKAGED_WITH_CORE variable in:
-#       https://github.com/matomo-org/matomo-package/blob/master/scripts/build-package.sh
 [submodule "misc/log-analytics"]
     path = misc/log-analytics
     url = https://github.com/matomo-org/matomo-log-analytics.git
diff --git a/CHANGELOG.md b/CHANGELOG.md
index a3741a87bea..a0efe87536d 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -6,8 +6,12 @@ The Product Changelog at **[matomo.org/changelog](https://matomo.org/changelog)*
 
 ## Matomo 4.0.0
 
-### Breaking Changes
+### New API
+* A new API `UsersManager.createAppSpecificTokenAuth` has been added to create an app specific token for a user.
 
+### Breaking changes
+* The API `UsersManager.getTokenAuth` has been removed. Instead you need to use `UsersManager.createAppSpecificTokenAuth` and store this token in your application.
+* The API `UsersManager.createTokenAuth` has been removed. Instead you need to use `UsersManager.createAppSpecificTokenAuth` and store this token in your application.
 * Deprecated `piwik` font was removed. Use `matomo` font instead
 * The JavaScript AjaxHelper does not longer support synchronous requests. All requests will be sent async instead.
 * The deprecated Platform API method `\Piwik\Plugin::getListHooksRegistered()` has been removed. Use `\Piwik\Plugin::registerEvents()` instead
diff --git a/core/Access.php b/core/Access.php
index d99551c219c..7e4bcd59d85 100644
--- a/core/Access.php
+++ b/core/Access.php
@@ -15,6 +15,7 @@
 use Piwik\Container\StaticContainer;
 use Piwik\Exception\InvalidRequestParameterException;
 use Piwik\Plugins\SitesManager\API as SitesManagerApi;
+use Piwik\Session\SessionAuth;
 
 /**
  * Singleton that manages user access to Piwik resources.
@@ -155,8 +156,32 @@ public function reloadAccess(Auth $auth = null)
             return false;
         }
 
+        $result = null;
+
+        $forceApiSession = Common::getRequestVar('force_api_session', 0, 'int', $_POST);
+        if ($forceApiSession && Piwik::getModule() === 'API' && (Piwik::getAction() === 'index' || !Piwik::getAction())) {
+            $tokenAuth = Common::getRequestVar('token_auth', '', 'string', $_POST);
+            if (!empty($tokenAuth)) {
+                Session::start();
+                $auth = StaticContainer::get(SessionAuth::class);
+                $auth->setTokenAuth($tokenAuth);
+                $result = $auth->authenticate();
+                if (!$result->wasAuthenticationSuccessful()) {
+                    /**
+                     * Ensures brute force logic to be executed
+                     * @ignore
+                     * @internal
+                     */
+                    Piwik::postEvent('API.Request.authenticate.failed');
+                }
+                // if not successful, we will fallback to regular auth
+            }
+        }
+
         // access = array ( idsite => accessIdSite, idsite2 => accessIdSite2)
-        $result = $this->auth->authenticate();
+        if (!$result || !$result->wasAuthenticationSuccessful()) {
+            $result = $this->auth->authenticate();
+        }
 
         if (!$result->wasAuthenticationSuccessful()) {
             return false;
diff --git a/core/CliMulti.php b/core/CliMulti.php
index 863bea1b3b9..751c5fbd3ee 100644
--- a/core/CliMulti.php
+++ b/core/CliMulti.php
@@ -365,8 +365,7 @@ private function executeNotAsyncHttp($url, Output $output)
         }
 
         if ($this->runAsSuperUser) {
-            $tokenAuths = self::getSuperUserTokenAuths();
-            $tokenAuth = reset($tokenAuths);
+            $tokenAuth = self::getSuperUserTokenAuth();
 
             if (strpos($url, '?') === false) {
                 $url .= '?';
@@ -433,18 +432,9 @@ private function requestUrls(array $piwikUrls)
         return $results;
     }
 
-    private static function getSuperUserTokenAuths()
+    private static function getSuperUserTokenAuth()
     {
-        $tokens = array();
-
-        /**
-         * Used to be in CronArchive, moved to CliMulti.
-         *
-         * @ignore
-         */
-        Piwik::postEvent('CronArchive.getTokenAuth', array(&$tokens));
-
-        return $tokens;
+        return Piwik::requestTemporarySystemAuthToken('CliMultiNonAsyncArchive', 36);
     }
 
     public function setUrlToPiwik($urlToPiwik)
diff --git a/core/Db/Schema/Mysql.php b/core/Db/Schema/Mysql.php
index ffe4aa5b655..01ea82492ad 100644
--- a/core/Db/Schema/Mysql.php
+++ b/core/Db/Schema/Mysql.php
@@ -16,6 +16,7 @@
 use Piwik\Db;
 use Piwik\DbHelper;
 use Piwik\Option;
+use Piwik\Plugins\UsersManager\Model;
 use Piwik\Version;
 
 /**
@@ -45,12 +46,24 @@ public function getTablesCreateSql()
                           alias VARCHAR(45) NOT NULL,
                           email VARCHAR(100) NOT NULL,
                           twofactor_secret VARCHAR(40) NOT NULL DEFAULT '',
-                          token_auth CHAR(32) NOT NULL,
                           superuser_access TINYINT(2) unsigned NOT NULL DEFAULT '0',
                           date_registered TIMESTAMP NULL,
                           ts_password_modified TIMESTAMP NULL,
-                            PRIMARY KEY(login),
-                            UNIQUE KEY uniq_keytoken(token_auth)
+                            PRIMARY KEY(login)
+                          ) ENGINE=$engine DEFAULT CHARSET=utf8
+            ",
+            'user_token_auth' => "CREATE TABLE {$prefixTables}user_token_auth (
+                          idusertokenauth BIGINT UNSIGNED NOT NULL AUTO_INCREMENT,
+                          login VARCHAR(100) NOT NULL,
+                          description VARCHAR(".Model::MAX_LENGTH_TOKEN_DESCRIPTION.") NOT NULL,
+                          password VARCHAR(255) NOT NULL,
+                          hash_algo VARCHAR(30) NOT NULL,
+                          system_token TINYINT(1) NOT NULL DEFAULT 0,
+                          last_used DATETIME NULL,
+                          date_created DATETIME NOT NULL,
+                          date_expired DATETIME NULL,
+                            PRIMARY KEY(idusertokenauth),
+                            UNIQUE KEY uniq_password(password)
                           ) ENGINE=$engine DEFAULT CHARSET=utf8
             ",
 
@@ -504,12 +517,15 @@ public function createTables()
     public function createAnonymousUser()
     {
         $now = Date::factory('now')->getDatetime();
-
         // The anonymous user is the user that is assigned by default
         // note that the token_auth value is anonymous, which is assigned by default as well in the Login plugin
         $db = $this->getDb();
         $db->query("INSERT IGNORE INTO " . Common::prefixTable("user") . "
-                    VALUES ( 'anonymous', '', 'anonymous', 'anonymous@example.org', '', 'anonymous', 0, '$now', '$now' );");
+                    (`login`, `password`, `alias`, `email`, `twofactor_secret`, `superuser_access`, `date_registered`, `ts_password_modified`)
+                    VALUES ( 'anonymous', '', 'anonymous', 'anonymous@example.org', '', 0, '$now', '$now' );");
+
+        $model = new Model();
+        $model->addTokenAuth('anonymous', 'anonymous', 'anonymous default token', $now);
     }
 
     /**
diff --git a/core/Piwik.php b/core/Piwik.php
index 32520ffec40..d16ffca97e3 100644
--- a/core/Piwik.php
+++ b/core/Piwik.php
@@ -16,6 +16,7 @@
 use Piwik\Period\Week;
 use Piwik\Period\Year;
 use Piwik\Plugins\UsersManager\API as APIUsersManager;
+use Piwik\Plugins\UsersManager\Model;
 use Piwik\Translation\Translator;
 
 /**
@@ -257,6 +258,51 @@ public static function checkUserHasSuperUserAccessOrIsTheUser($theUser)
         }
     }
 
+    /**
+     * Request a token auth to authenticate in a request.
+     *
+     * Note: During one request the token is only being requested once and used throughout the request. So you want to make
+     * sure the token is valid for enough time for the whole request to finish.
+     *
+     * @param string $reason some short string/text explaining the reason for the token generation, eg "CliMultiAsyncHttpArchiving"
+     * @param int $validForHours For how many hours the token should be valid. Should not be valid for more than 14 days.
+     * @return mixed
+     */
+    public static function requestTemporarySystemAuthToken($reason, $validForHours)
+    {
+        static $token = array();
+
+        if (isset($token[$reason])) {
+            // note: For now we do not increase the expire time when it is already requested
+            return $token[$reason];
+        }
+
+        $twoWeeksInHours = 14 * 24;
+        if ($validForHours > $twoWeeksInHours) {
+            throw new Exception('The token cannot be valid for so many hours: ' . $validForHours);
+        }
+
+        $model = new Model();
+        $users = $model->getUsersHavingSuperUserAccess();
+        if (!empty($users)) {
+            $user = reset($users);
+            $expireDate = Date::now()->addHour($validForHours)->getDatetime();
+
+            $token[$reason] = $model->generateRandomTokenAuth();
+
+            $model->addTokenAuth(
+                $user['login'],
+                $token[$reason],
+                'System generated ' . $reason,
+                Date::now()->getDatetime(),
+                $expireDate,
+            true);
+
+            return $token[$reason];
+        }
+
+    }
+
     /**
      * Check whether the given user has superuser access.
      *
diff --git a/core/Session/SessionAuth.php b/core/Session/SessionAuth.php
index 001b3d2bb09..da896b991eb 100644
--- a/core/Session/SessionAuth.php
+++ b/core/Session/SessionAuth.php
@@ -11,8 +11,10 @@
 
 use Piwik\Auth;
 use Piwik\AuthResult;
+use Piwik\Common;
 use Piwik\Config;
 use Piwik\Date;
+use Piwik\Plugins\UsersManager\Model;
 use Piwik\Plugins\UsersManager\Model as UsersModel;
 use Piwik\Session;
 
@@ -42,6 +44,8 @@ class SessionAuth implements Auth
      */
     private $user;
 
+    private $tokenAuth;
+
     public function __construct(UsersModel $userModel = null, $shouldDestroySession = true)
     {
         $this->userModel = $userModel ?: new UsersModel();
@@ -55,7 +59,7 @@ public function getName()
 
     public function setTokenAuth($token_auth)
     {
-        // empty
+        $this->tokenAuth = $token_auth;
     }
 
     public function getLogin()
@@ -113,7 +117,17 @@ public function authenticate()
 
         $this->updateSessionExpireTime($sessionFingerprint);
 
-        return $this->makeAuthSuccess($user);
+        if (!empty($this->tokenAuth) && $this->tokenAuth !== $sessionFingerprint->getSessionTokenAuth()) {
+            return $this->makeAuthFailure();
+        }
+
+        if ($sessionFingerprint->getSessionTokenAuth()) {
+            $tokenAuth = $sessionFingerprint->getSessionTokenAuth();
+        } else {
+            $tokenAuth = $this->userModel->generateRandomTokenAuth();
+        }
+
+        return $this->makeAuthSuccess($user, $tokenAuth);
     }
 
     private function isSessionStartedBeforePasswordChange(SessionFingerprint $sessionFingerprint, $tsPasswordModified)
@@ -137,14 +151,15 @@ private function makeAuthFailure()
         return new AuthResult(AuthResult::FAILURE, null, null);
     }
 
-    private function makeAuthSuccess($user)
+    private function makeAuthSuccess($user, $tokenAuth)
     {
         $this->user = $user;
+        $this->tokenAuth = $tokenAuth;
 
         $isSuperUser = (int) $user['superuser_access'];
         $code = $isSuperUser ? AuthResult::SUCCESS_SUPERUSER_AUTH_CODE : AuthResult::SUCCESS;
 
-        return new AuthResult($code, $user['login'], $user['token_auth']);
+        return new AuthResult($code, $user['login'], $tokenAuth);
     }
 
     protected function initNewBlankSession(SessionFingerprint $sessionFingerprint)
@@ -178,7 +193,7 @@ protected function destroyCurrentSession(SessionFingerprint $sessionFingerprint)
 
     public function getTokenAuth()
     {
-        return $this->user['token_auth'];
+        return $this->tokenAuth;
     }
 
     private function updateSessionExpireTime(SessionFingerprint $sessionFingerprint)
diff --git a/core/Session/SessionFingerprint.php b/core/Session/SessionFingerprint.php
index df8a519e5e3..3399fa7a0c0 100644
--- a/core/Session/SessionFingerprint.php
+++ b/core/Session/SessionFingerprint.php
@@ -9,6 +9,7 @@
 
 namespace Piwik\Session;
 
+use Piwik\Common;
 use Piwik\Config;
 use Piwik\Date;
 
@@ -42,6 +43,7 @@ class SessionFingerprint
     const USER_NAME_SESSION_VAR_NAME = 'user.name';
     const SESSION_INFO_SESSION_VAR_NAME = 'session.info';
     const SESSION_INFO_TWO_FACTOR_AUTH_VERIFIED = 'twofactorauth.verified';
+    const SESSION_INFO_TEMP_TOKEN_AUTH = 'user.token_auth_temp';
 
     public function getUser()
     {
@@ -61,6 +63,15 @@ public function getUserInfo()
         return null;
     }
 
+    public function getSessionTokenAuth()
+    {
+        if (!empty($_SESSION[self::SESSION_INFO_TEMP_TOKEN_AUTH])) {
+            return $_SESSION[self::SESSION_INFO_TEMP_TOKEN_AUTH];
+        }
+
+        return null;
+    }
+
     public function hasVerifiedTwoFactor()
     {
         if (isset($_SESSION[self::SESSION_INFO_TWO_FACTOR_AUTH_VERIFIED])) {
@@ -75,11 +86,12 @@ public function setTwoFactorAuthenticationVerified()
         $_SESSION[self::SESSION_INFO_TWO_FACTOR_AUTH_VERIFIED] = 1;
     }
 
-    public function initialize($userName, $isRemembered = false, $time = null)
+    public function initialize($userName, $tokenAuth, $isRemembered = false, $time = null)
     {
         $time = $time ?: Date::now()->getTimestampUTC();
         $_SESSION[self::USER_NAME_SESSION_VAR_NAME] = $userName;
         $_SESSION[self::SESSION_INFO_TWO_FACTOR_AUTH_VERIFIED] = 0;
+        $_SESSION[self::SESSION_INFO_TEMP_TOKEN_AUTH] = $tokenAuth;
         $_SESSION[self::SESSION_INFO_SESSION_VAR_NAME] = [
             'ts' => $time,
             'remembered' => $isRemembered,
@@ -100,6 +112,10 @@ public function clear()
         if (isset($_SESSION[self::SESSION_INFO_TWO_FACTOR_AUTH_VERIFIED])) { // may not be available during tests
             unset($_SESSION[self::SESSION_INFO_TWO_FACTOR_AUTH_VERIFIED]);
         }
+
+        if (isset($_SESSION[self::SESSION_INFO_TEMP_TOKEN_AUTH])) { // may not be available during tests
+            unset($_SESSION[self::SESSION_INFO_TEMP_TOKEN_AUTH]);
+        }
     }
 
     public function getSessionStartTime()
diff --git a/core/Session/SessionInitializer.php b/core/Session/SessionInitializer.php
index 40218901671..11d753395d0 100644
--- a/core/Session/SessionInitializer.php
+++ b/core/Session/SessionInitializer.php
@@ -83,7 +83,7 @@ protected function processFailedSession()
     protected function processSuccessfulSession(AuthResult $authResult)
     {
         $sessionIdentifier = new SessionFingerprint();
-        $sessionIdentifier->initialize($authResult->getIdentity(), $this->isRemembered());
+        $sessionIdentifier->initialize($authResult->getIdentity(), $authResult->getTokenAuth(), $this->isRemembered());
 
         /**
          * @ignore
diff --git a/core/Tracker/Request.php b/core/Tracker/Request.php
index 7da7f122876..3b9bae24d3f 100644
--- a/core/Tracker/Request.php
+++ b/core/Tracker/Request.php
@@ -208,6 +208,8 @@ public static function authenticateSuperUserOrAdminOrWrite($tokenAuth, $idSite)
         // Now checking the list of admin token_auth cached in the Tracker config file
         if (!empty($idSite) && $idSite > 0) {
             $website = Cache::getCacheWebsiteAttributes($idSite);
+            $userModel = new \Piwik\Plugins\UsersManager\Model();
+            $tokenAuth = $userModel->hashTokenAuth($tokenAuth);
             $hashedToken = UsersManager::hashTrackingToken((string) $tokenAuth, $idSite);
 
             if (array_key_exists('tracking_token_auth', $website)
diff --git a/core/Updater/Migration/Plugin/Uninstall.php b/core/Updater/Migration/Plugin/Uninstall.php
index 77e95d2f24e..ed4b29a08f4 100644
--- a/core/Updater/Migration/Plugin/Uninstall.php
+++ b/core/Updater/Migration/Plugin/Uninstall.php
@@ -48,6 +48,10 @@ public function shouldIgnoreError($exception)
     public function exec()
     {
         $this->pluginManager->uninstallPlugin($this->pluginName);
+
+        // uninstallPlugin() loads all plugins in the filesystem, which we don't want for the rest of the updates
+        $this->pluginManager->unloadPlugins();
+        $this->pluginManager->loadActivatedPlugins();
     }
 
 }
diff --git a/core/Updates/2.0.4-b5.php b/core/Updates/2.0.4-b5.php
index 2282ca1dae9..a96d9e4cc35 100644
--- a/core/Updates/2.0.4-b5.php
+++ b/core/Updates/2.0.4-b5.php
@@ -36,7 +36,7 @@ public function __construct(MigrationFactory $factory)
     public function getMigrations(Updater $updater)
     {
         return array(
-            $this->migration->db->addColumn('user', 'superuser_access', "TINYINT(2) UNSIGNED NOT NULL DEFAULT '0'", 'token_auth')
+            $this->migration->db->addColumn('user', 'superuser_access', "TINYINT(2) UNSIGNED NOT NULL DEFAULT '0'")
         );
     }
 
@@ -82,7 +82,7 @@ private static function migrateConfigSuperUserToDb()
                     'password'   => $superUser['password'],
                     'alias'      => $superUser['login'],
                     'email'      => $superUser['email'],
-                    'token_auth' => $userApi->getTokenAuth($superUser['login'], $superUser['password']),
+                    'token_auth' => md5(Common::getRandomString(32)),
                     'date_registered'  => Date::now()->getDatetime(),
                     'superuser_access' => 1
                 )
diff --git a/core/Updates/4.0.0-b1.php b/core/Updates/4.0.0-b1.php
index c38b1a1eb5b..2b289f6a449 100644
--- a/core/Updates/4.0.0-b1.php
+++ b/core/Updates/4.0.0-b1.php
@@ -9,6 +9,9 @@
 
 namespace Piwik\Updates;
 
+use Piwik\Date;
+use Piwik\DbHelper;
+use Piwik\Plugins\UsersManager\Model;
 use Piwik\Common;
 use Piwik\Config;
 use Piwik\Plugins\UserCountry\LocationProvider;
@@ -33,10 +36,49 @@ public function __construct(MigrationFactory $factory)
 
     public function getMigrations(Updater $updater)
     {
-        $migrations = [];
+        $migrations = array();
         $migrations[] = $this->migration->db->changeColumnType('log_action', 'name', 'VARCHAR(4096)');
         $migrations[] = $this->migration->db->changeColumnType('log_conversion', 'url', 'VARCHAR(4096)');
 
+        /** APP SPECIFIC TOKEN START */
+        $migrations[] = $this->migration->db->createTable('user_token_auth', array(
+            'idusertokenauth' => 'BIGINT UNSIGNED NOT NULL AUTO_INCREMENT',
+            'login' => 'VARCHAR(100) NOT NULL',
+            'description' => 'VARCHAR('.Model::MAX_LENGTH_TOKEN_DESCRIPTION.') NOT NULL',
+            'password' => 'VARCHAR(255) NOT NULL',
+            'system_token' => 'TINYINT(1) NOT NULL DEFAULT 0',
+            'hash_algo' => 'VARCHAR(30) NOT NULL',
+            'last_used' => 'DATETIME NULL',
+            'date_created' => ' DATETIME NOT NULL',
+            'date_expired' => ' DATETIME NULL',
+        ), 'idusertokenauth');
+        $migrations[] = $this->migration->db->addUniqueKey('user_token_auth', 'password', 'uniq_password');
+
+        $migrations[] = $this->migration->db->dropIndex('user', 'uniq_keytoken');
+
+        $userModel = new Model();
+        foreach ($userModel->getUsers(array()) as $user) {
+            if (!empty($user['token_auth'])) {
+                $migrations[] = $this->migration->db->insert('user_token_auth', array(
+                    'login' => $user['login'],
+                    'description' => 'Created by Matomo 4 migration',
+                    'password' => $userModel->hashTokenAuth($user['token_auth']),
+                    'date_created' => Date::now()->getDatetime()
+                ));
+            }
+        }
+
+        // we don't delete the token_auth column so users can still downgrade to 3.X if they want to. However, the original
+        // token_auth will be regenerated for security reasons to no longer have it in plain text. So this column will be no longer used
+        // unless someone downgrades to 3.x
+        $columns = DbHelper::getTableColumns(Common::prefixTable('user'));
+        if (isset($columns['token_auth'])) {
+            $sql = sprintf('UPDATE %s set token_auth = MD5(CONCAT(NOW(), UUID()))', Common::prefixTable('user'));
+            $migrations[] = $this->migration->db->sql($sql, Updater\Migration\Db::ERROR_CODE_UNKNOWN_COLUMN);
+        }
+
+        /** APP SPECIFIC TOKEN END */
+
         $customTrackerPluginActive = false;
         if (in_array('CustomPiwikJs', Config::getInstance()->Plugins['Plugins'])) {
             $customTrackerPluginActive = true;
diff --git a/lang/en.json b/lang/en.json
index c3c715ea232..cda996a2a26 100644
--- a/lang/en.json
+++ b/lang/en.json
@@ -112,6 +112,7 @@
         "Continue": "Continue",
         "ContinueToPiwik": "Continue to Matomo",
         "CurrentlyUsingUnsecureHttp": "You are currently using Matomo over unsecure HTTP. This can make your Matomo vulnerable to security exploits. You may also be in breach of privacy laws, as some features including opt-out cookies will not work. We recommend you set up Matomo to use SSL (HTTPS) for improved security.",
+        "CreationDate": "Creation date",
         "CreatedByUser": "created by %s",
         "CurrentMonth": "Current Month",
         "CurrentWeek": "Current Week",
@@ -389,6 +390,7 @@
         "Search": "Search",
         "Clear": "Clear",
         "SearchNoResults": "No results",
+        "Security": "Security",
         "SeeAll": "see all",
         "SeeTheOfficialDocumentationForMoreInformation": "See the %1$sofficial documentation%2$s for more information.",
         "SeeThisFaq": "See %1$sthis faq%2$s.",
diff --git a/misc/cron/updatetoken.php b/misc/cron/updatetoken.php
index b10a21d3471..f1c154705b2 100644
--- a/misc/cron/updatetoken.php
+++ b/misc/cron/updatetoken.php
@@ -56,10 +56,7 @@ function getPiwikDomain()
 $environment = new Environment('cli');
 $environment->init();
 
-$token = Db::get()->fetchOne("SELECT token_auth
-                              FROM " . Common::prefixTable("user") . "
-                              WHERE superuser_access = 1
-                              ORDER BY date_registered ASC");
+$token = Piwik::requestTemporarySystemAuthToken('LogImporter', 48);
 
 $filename = $environment->getContainer()->get('path.tmp') . '/cache/token.php';
 
diff --git a/misc/log-analytics b/misc/log-analytics
index b3973f3cd0c..4794df04cb9 160000
--- a/misc/log-analytics
+++ b/misc/log-analytics
@@ -1 +1 @@
-Subproject commit b3973f3cd0cb773eb9cf3bfff439cc43640c5f15
+Subproject commit 4794df04cb9187031a044e79b77351c4f8e8ef08
diff --git a/plugins/API/Controller.php b/plugins/API/Controller.php
index 326b048926c..d46bdf158a6 100644
--- a/plugins/API/Controller.php
+++ b/plugins/API/Controller.php
@@ -26,7 +26,9 @@ class Controller extends \Piwik\Plugin\Controller
 {
     function index()
     {
-        $token = 'token_auth=' . Common::getRequestVar('token_auth', 'anonymous', 'string');
+        $tokenAuth = Common::getRequestVar('token_auth', 'anonymous', 'string');
+
+        $token = 'token_auth=' . $tokenAuth;
 
         // when calling the API through http, we limit the number of returned results
         if (!isset($_GET['filter_limit'])) {
diff --git a/plugins/API/css/styles.css b/plugins/API/css/styles.css
new file mode 100644
index 00000000000..3b52ba995a0
--- /dev/null
+++ b/plugins/API/css/styles.css
@@ -0,0 +1,29 @@
+#token_auth { 
+	background-color:#E8FFE9; 
+	border-color:#00CC3A; 
+	border-style: solid;
+	border-width: 1px;
+	margin: 0pt 0pt 16px 8px;
+	padding: 12px;			
+	line-height:4em;
+}
+.example, .example A {
+	color:#9E9E9E;
+}
+
+.page_api{
+	padding:0px 15px 0 15px; 
+	font-size:13px; 
+}
+
+.page_api h2 {
+	border-bottom:1px solid #DADADA;
+	margin:10px -15px 15px 0px;
+	padding:0pt 0px 5px 0pt;
+	font-size:24px;
+}
+
+.page_api p {
+	line-height:140%;
+	padding-bottom:20px;
+}
diff --git a/plugins/API/lang/en.json b/plugins/API/lang/en.json
index 72dd837fae9..cc43b92313f 100644
--- a/plugins/API/lang/en.json
+++ b/plugins/API/lang/en.json
@@ -9,7 +9,7 @@
         "ReportingApiReference": "Reporting API Reference",
         "TopLinkTooltip": "Access your Web Analytics data programmatically through a simple API in json, xml, etc.",
         "UserAuthentication": "User authentication",
-        "UsingTokenAuth": "If you want to %1$s request data within a script, a crontab, etc. %2$s you need to add the parameter %3$s to the API calls URLs that require authentication.",
+        "UsingTokenAuth": "If you want to %1$s request data within a script, a crontab, etc. %2$s you need to add the URL parameter %3$s to the API calls URLs that require authentication.",
         "Glossary": "Glossary",
         "LearnAboutCommonlyUsedTerms2": "Learn about the commonly used terms to make the most of Matomo Analytics.",
         "EvolutionMetricName": "%s Evolution"
diff --git a/plugins/API/templates/listAllAPI.twig b/plugins/API/templates/listAllAPI.twig
index 17da68de1d6..9c9c2ea70f5 100644
--- a/plugins/API/templates/listAllAPI.twig
+++ b/plugins/API/templates/listAllAPI.twig
@@ -19,13 +19,12 @@
     </div>
     <div piwik-content-block content-title="{{ 'API_UserAuthentication'|translate|e('html_attr') }}">
         <p>
-            {{ 'API_UsingTokenAuth'|translate('','',"")|raw }}<br/>
-            <pre piwik-select-on-focus id='token_auth'>&amp;token_auth=<strong piwik-show-sensitive-data="{{ token_auth }}" data-click-element-selector="#token_auth"></strong></pre><br/>
-            {{ 'API_KeepTokenSecret'|translate('<b>','</b>')|raw }}<br />
-            {{ 'API_ChangeTokenHint'|translate('<a href="' ~ linkTo({
+            {{ 'API_UsingTokenAuth'|translate('','',"<code>token_auth</code>")|raw }} <a target="_blank" rel="noreferrer noopener" href="https://developer.matomo.org/api-reference/reporting-api#authenticate-to-the-api-via-token_auth-parameter">{{ 'CoreAdminHome_LearnMore'|translate }}</a><br/>
+            <br/>
+            <a href="{{ linkTo({
                 'module': 'UsersManager',
-                'action': 'userSettings',
-            }) ~ '">', '</a>')|raw }}
+                'action': 'userSecurity',
+            }) }}#/#authtokens">You can manage your authentication tokens on your security page.</a>
         </p>
     </div>
     {{ list_api_methods_with_links|raw }}
diff --git a/plugins/BulkTracking/tests/Integration/RequestsTest.php b/plugins/BulkTracking/tests/Integration/RequestsTest.php
index 3e4e0fbc7e0..6b67b88ae2e 100644
--- a/plugins/BulkTracking/tests/Integration/RequestsTest.php
+++ b/plugins/BulkTracking/tests/Integration/RequestsTest.php
@@ -8,8 +8,10 @@
 
 namespace Piwik\Plugins\BulkTracking\tests\Integration;
 
+use Piwik\Container\StaticContainer;
 use Piwik\Plugins\BulkTracking\Tracker\Requests;
 use Piwik\Plugins\UsersManager\API;
+use Piwik\Plugins\UsersManager\Model;
 use Piwik\Plugins\UsersManager\UsersManager;
 use Piwik\Tests\Framework\Fixture;
 use Piwik\Tests\Framework\TestCase\IntegrationTestCase;
@@ -88,7 +90,7 @@ public function test_authenticateRequests_shouldThrowAnException_IfTokenIsNotVal
         $this->expectException(\Exception::class);
         $this->expectExceptionMessage('token_auth specified does not have Admin permission for idsite=1');
 
-        $dummyToken = API::getInstance()->createTokenAuth('test');
+        $dummyToken = StaticContainer::get(Model::class)->generateRandomTokenAuth();
         $superUserToken = $this->getSuperUserToken();
 
         $requests = array($this->buildDummyRequest($superUserToken), $this->buildDummyRequest($dummyToken));
diff --git a/plugins/CoreHome/angularjs/common/services/piwik-api.js b/plugins/CoreHome/angularjs/common/services/piwik-api.js
index e2195f7ff1d..e34ca415932 100644
--- a/plugins/CoreHome/angularjs/common/services/piwik-api.js
+++ b/plugins/CoreHome/angularjs/common/services/piwik-api.js
@@ -49,6 +49,7 @@ var hasBlockedContent = false;
         function withTokenInUrl()
         {
             postParams['token_auth'] = piwik.token_auth;
+            postParams['force_api_session'] = '1';
         }
 
         function isRequestToApiMethod() {
@@ -191,6 +192,7 @@ var hasBlockedContent = false;
         function getPostParams (params) {
             if (isRequestToApiMethod() || piwik.shouldPropagateTokenAuth) {
                 params.token_auth = piwik.token_auth;
+                params.force_api_session = '1';
             }
 
             return params;
@@ -276,6 +278,7 @@ var hasBlockedContent = false;
             if (_postParams_) {
                 if (postParams && postParams.token_auth && !_postParams_.token_auth) {
                     _postParams_.token_auth = postParams.token_auth;
+                    _postParams_.force_api_session = '1';
                 }
                 postParams = _postParams_;
             }
diff --git a/plugins/CoreHome/angularjs/common/services/piwik-api.spec.js b/plugins/CoreHome/angularjs/common/services/piwik-api.spec.js
index e33fa329e22..916c5b73e10 100644
--- a/plugins/CoreHome/angularjs/common/services/piwik-api.spec.js
+++ b/plugins/CoreHome/angularjs/common/services/piwik-api.spec.js
@@ -218,7 +218,7 @@
             ]).then(function (response) {
                 var restOfExpected = "index.php?method=API.getBulkRequest&module=API&format=JSON2&idSite=1&period=day&date= - "
                     + "urls%5B%5D=%3Fmethod%3DSomePlugin.action%26param%3Dvalue&urls%5B%5D=%3Fmethod%3DSomeOtherPlugin.action"
-                    + "&token_auth=100bf5eeeed1468f3f9d93750044d3dd";
+                    + "&token_auth=100bf5eeeed1468f3f9d93750044d3dd&force_api_session=1";
 
                 expect(response.length).to.equal(2);
                 expect(response[0]).to.equal("Response #1: " + restOfExpected);
diff --git a/plugins/CoreHome/angularjs/widget-loader/widgetloader.directive.js b/plugins/CoreHome/angularjs/widget-loader/widgetloader.directive.js
index 16a5a91105b..d3c35b11155 100644
--- a/plugins/CoreHome/angularjs/widget-loader/widgetloader.directive.js
+++ b/plugins/CoreHome/angularjs/widget-loader/widgetloader.directive.js
@@ -113,7 +113,7 @@
                         }
 
                         if (piwik.shouldPropagateTokenAuth && broadcast.getValueFromUrl('token_auth')) {
-                            url += '&token_auth=' + broadcast.getValueFromUrl('token_auth');
+                            url += '&force_api_session=1&token_auth=' + broadcast.getValueFromUrl('token_auth');
                         }
 
                         url += '&random=' + parseInt(Math.random() * 10000);
@@ -198,4 +198,4 @@
             }
         };
     }
-})();
\ No newline at end of file
+})();
diff --git a/plugins/Dashboard/tests/UI/Dashboard_spec.js b/plugins/Dashboard/tests/UI/Dashboard_spec.js
index 6ac640b7a89..b3914f3bc3b 100644
--- a/plugins/Dashboard/tests/UI/Dashboard_spec.js
+++ b/plugins/Dashboard/tests/UI/Dashboard_spec.js
@@ -299,7 +299,7 @@ describe("Dashboard", function () {
         testEnvironment.testUseMockAuth = 0;
         testEnvironment.save();
 
-        var tokenAuth = "9ad1de7f8b329ab919d854c556f860c1";
+        var tokenAuth = "c4ca4238a0b923820dcc509a6f75849b";
         await page.goto(url.replace("idDashboard=5", "idDashboard=1") + '&token_auth=' + tokenAuth);
 
         expect(await page.screenshot({ fullPage: true })).to.matchImage('loaded_token_auth');
diff --git a/plugins/Feedback/tests/Integration/FeedbackTest.php b/plugins/Feedback/tests/Integration/FeedbackTest.php
index 072a12186ba..33c88e13364 100644
--- a/plugins/Feedback/tests/Integration/FeedbackTest.php
+++ b/plugins/Feedback/tests/Integration/FeedbackTest.php
@@ -39,7 +39,6 @@ public function setUp(): void
             'a98732d98732',
             'user1@example.com',
             'user1',
-            'ab9879dc23876f19',
             '2019-03-03'
         );
         FakeAccess::$identity = 'user1';
diff --git a/plugins/Login/Auth.php b/plugins/Login/Auth.php
index 3d572abcf92..a196b48b156 100644
--- a/plugins/Login/Auth.php
+++ b/plugins/Login/Auth.php
@@ -10,6 +10,7 @@
 
 use Piwik\AuthResult;
 use Piwik\Auth\Password;
+use Piwik\Date;
 use Piwik\Piwik;
 use Piwik\Plugins\UsersManager\Model;
 use Piwik\Plugins\UsersManager\UsersManager;
@@ -76,8 +77,9 @@ private function authenticateWithPassword($login, $passwordHash)
             if ($this->passwordHelper->needsRehash($user['password'])) {
                 $newPasswordHash = $this->passwordHelper->hash($passwordHash);
 
-                $this->userModel->updateUser($login, $newPasswordHash, $user['email'], $user['alias'], $user['token_auth']);
+                $this->userModel->updateUser($login, $newPasswordHash, $user['email'], $user['alias']);
             }
+            $this->token_auth = null; // make sure to generate a random token 
 
             return $this->authenticationSuccess($user);
         }
@@ -90,6 +92,7 @@ private function authenticateWithToken($token)
         $user = $this->userModel->getUserByTokenAuth($token);
 
         if (!empty($user['login'])) {
+            $this->userModel->setTokenAuthWasUsed($token, Date::now()->getDatetime());
             return $this->authenticationSuccess($user);
         }
 
@@ -98,13 +101,10 @@ private function authenticateWithToken($token)
 
     private function authenticateWithLoginAndToken($token, $login)
     {
-        $user = $this->userModel->getUser($login);
+        $user = $this->userModel->getUserByTokenAuth($token);
 
-        if (!empty($user['token_auth'])
-            // authenticate either with the token or the "hash token"
-            && ((SessionInitializer::getHashTokenAuth($login, $user['token_auth']) === $token)
-                || $user['token_auth'] === $token)
-        ) {
+        if (!empty($user['login']) && $user['login'] === $login) {
+            $this->userModel->setTokenAuthWasUsed($token, Date::now()->getDatetime());
             return $this->authenticationSuccess($user);
         }
 
@@ -113,12 +113,15 @@ private function authenticateWithLoginAndToken($token, $login)
 
     private function authenticationSuccess(array $user)
     {
-        $this->setTokenAuth($user['token_auth']);
+        if (empty($this->token_auth)) {
+            $this->token_auth = $this->userModel->generateRandomTokenAuth();
+            // we generated one randomly which will then be stored in the session and used across the session
+        }
 
         $isSuperUser = (int) $user['superuser_access'];
         $code = $isSuperUser ? AuthResult::SUCCESS_SUPERUSER_AUTH_CODE : AuthResult::SUCCESS;
 
-        return new AuthResult($code, $user['login'], $user['token_auth']);
+        return new AuthResult($code, $user['login'], $this->token_auth);
     }
 
     /**
diff --git a/plugins/Login/Login.php b/plugins/Login/Login.php
index d60358c7096..9f6ed6f8200 100644
--- a/plugins/Login/Login.php
+++ b/plugins/Login/Login.php
@@ -41,7 +41,7 @@ public function registerEvents()
 
             // for brute force prevention of all tracking + reporting api requests
             'Request.initAuthenticationObject' => 'onInitAuthenticationObject',
-            'API.UsersManager.getTokenAuth' => 'beforeLoginCheckBruteForce', // doesn't require auth but can be used to authenticate
+            'API.UsersManager.createAppSpecificTokenAuth' => 'beforeLoginCheckBruteForce', // doesn't require auth but can be used to authenticate
 
             // for brute force prevention of all UI requests
             'Controller.Login.logme'           => 'beforeLoginCheckBruteForce',
diff --git a/plugins/Login/SessionInitializer.php b/plugins/Login/SessionInitializer.php
index 0b31f62114d..b997358a4b6 100644
--- a/plugins/Login/SessionInitializer.php
+++ b/plugins/Login/SessionInitializer.php
@@ -182,8 +182,6 @@ protected function processFailedSession($rememberMe)
     protected function processSuccessfulSession(AuthResult $authResult, $rememberMe)
     {
         $cookie = $this->getAuthCookie($rememberMe);
-        $cookie->set('login', $authResult->getIdentity());
-        $cookie->set('token_auth', $this->getHashTokenAuth($authResult->getIdentity(), $authResult->getTokenAuth()));
         $cookie->setSecure(ProxyHttp::isHttps());
         $cookie->setHttpOnly(true);
         $cookie->save();
diff --git a/plugins/Login/tests/Integration/LoginTest.php b/plugins/Login/tests/Integration/LoginTest.php
index a0351b5ea1f..8a45a53096c 100644
--- a/plugins/Login/tests/Integration/LoginTest.php
+++ b/plugins/Login/tests/Integration/LoginTest.php
@@ -11,6 +11,7 @@
 use Piwik\AuthResult;
 use Piwik\Common;
 use Piwik\Config;
+use Piwik\Date;
 use Piwik\DbHelper;
 use Piwik\NoAccessException;
 use Piwik\Plugins\Login\Auth;
@@ -243,6 +244,17 @@ public function test_authenticate_successUserWithSuperUserAccessByTokenAuth()
         $this->assertSuperUserLogin($rc, 'user');
     }
 
+    public function test_authenticate_successUserLoginAndTokenAuthWithAnonymous()
+    {
+        DbHelper::createAnonymousUser();
+
+        $user = $this->_setUpUser();
+
+        // valid login & token auth
+        $rc = $this->authenticate('anonymous', 'anonymous');
+        $this->assertUserLogin($rc, 'anonymous', strlen('anonymous'));
+    }
+
     public function test_authenticate_successUserLoginAndTokenAuth()
     {
         $user = $this->_setUpUser();
@@ -271,7 +283,8 @@ public function test_authenticate_successWithValidPassword()
         $rc = $this->auth->authenticate();
         $this->assertUserLogin($rc);
         // Check that the token auth is correct in the result
-        $this->assertEquals($user['tokenAuth'], $rc->getTokenAuth());
+        $this->assertEquals(32, strlen($rc->getTokenAuth()));
+        $this->assertTrue(ctype_xdigit($rc->getTokenAuth()));
     }
 
     public function test_authenticate_successWithSuperUserPassword()
@@ -307,7 +320,8 @@ public function test_authenticate_prioritizesPasswordAuthentication()
         $rc = $this->auth->authenticate();
         $this->assertUserLogin($rc);
         // Check that the token auth is correct in the result
-        $this->assertEquals($user['tokenAuth'], $rc->getTokenAuth());
+        $this->assertEquals(32, strlen($rc->getTokenAuth()));
+        $this->assertTrue(ctype_xdigit($rc->getTokenAuth()));
     }
 
     /**
@@ -324,7 +338,8 @@ public function test_authenticate_withPasswordIsCaseInsensitiveForLogin()
         $this->assertUserLogin($rc);
         // Check that the login + token auth is correct in the result
         $this->assertEquals($user['login'], $rc->getIdentity());
-        $this->assertEquals($user['tokenAuth'], $rc->getTokenAuth());
+        $this->assertEquals(32, strlen($rc->getTokenAuth()));
+        $this->assertTrue(ctype_xdigit($rc->getTokenAuth()));
     }
 
     protected function _setUpUser()
@@ -338,9 +353,10 @@ protected function _setUpUser()
         API::getInstance()->addUser($user['login'], $user['password'], $user['email'], $user['alias']);
 
         $model  = new \Piwik\Plugins\UsersManager\Model();
-        $dbUser = $model->getUser($user['login']);
+        $tokenAuth = $model->generateRandomTokenAuth();
+        $model->addTokenAuth($user['login'], $tokenAuth, 'many users test', Date::now()->getDatetime());
 
-        $user['tokenAuth'] = $dbUser['token_auth'];
+        $user['tokenAuth'] = $tokenAuth;
 
         return $user;
     }
diff --git a/plugins/Login/tests/Integration/SessionInitializerTest.php b/plugins/Login/tests/Integration/SessionInitializerTest.php
index c2215de7a9a..7be28c174c8 100644
--- a/plugins/Login/tests/Integration/SessionInitializerTest.php
+++ b/plugins/Login/tests/Integration/SessionInitializerTest.php
@@ -36,6 +36,7 @@ public function test_initSession_CreatesCookie_WhenAuthenticationIsSuccessful()
         $this->assertAuthCookieIsAbsent();
 
         $sessionInitializer = new TestSessionInitializer();
+        $this->assertEmpty($sessionInitializer->cookie);
         $sessionInitializer->initSession($this->makeMockAuth(AuthResult::SUCCESS), true);
 
         $this->assertAuthCookieIsCreated($sessionInitializer->cookie);
@@ -69,8 +70,7 @@ private function assertAuthCookieIsAbsent()
 
     private function assertAuthCookieIsCreated(Cookie $cookie)
     {
-        self::assertStringContainsString('login=czo5OiJ0ZXN0bG9naW4iOw==:token_auth=czozMjoiOWU5MDYxZjk2MDI0YTY3NWFmOGFkNWZmNmNiZGY2ZGMiOw==',
-            $cookie->generateContentString());
+        $this->assertSame('', $cookie->generateContentString());
     }
 
     private function createAuthCookie()
diff --git a/plugins/Login/tests/UI/expected-screenshots/Login_bruteforcelog_noentries.png b/plugins/Login/tests/UI/expected-screenshots/Login_bruteforcelog_noentries.png
index 02fe11e89e1..7c129e3f469 100644
--- a/plugins/Login/tests/UI/expected-screenshots/Login_bruteforcelog_noentries.png
+++ b/plugins/Login/tests/UI/expected-screenshots/Login_bruteforcelog_noentries.png
@@ -1,3 +1,3 @@
 version https://git-lfs.github.com/spec/v1
-oid sha256:524375b5af2cbabc68f4973e66340276339deb907f9f0406a36f4fefc6fae014
-size 88970
+oid sha256:11249006c3f0eca81d59dc3b0334283d736d4d1e5c47ee698b53dc7a6b1acb2a
+size 89496
diff --git a/plugins/Login/tests/UI/expected-screenshots/Login_bruteforcelog_withentries.png b/plugins/Login/tests/UI/expected-screenshots/Login_bruteforcelog_withentries.png
index 93e8f1d9aac..0233d765039 100644
--- a/plugins/Login/tests/UI/expected-screenshots/Login_bruteforcelog_withentries.png
+++ b/plugins/Login/tests/UI/expected-screenshots/Login_bruteforcelog_withentries.png
@@ -1,3 +1,3 @@
 version https://git-lfs.github.com/spec/v1
-oid sha256:6fa4a84825aafc43395995ee62a3f7d4830506381d782ddbd841168fee818cc3
-size 106683
+oid sha256:3e698b7fa581131093a71889d3fecee464d1f1ecb830a058aad8fa1fb3db8765
+size 107286
diff --git a/plugins/Morpheus/javascripts/ajaxHelper.js b/plugins/Morpheus/javascripts/ajaxHelper.js
index 03d15be8911..38ec2f287eb 100644
--- a/plugins/Morpheus/javascripts/ajaxHelper.js
+++ b/plugins/Morpheus/javascripts/ajaxHelper.js
@@ -492,7 +492,8 @@ function ajaxHelper() {
     this._getDefaultPostParams = function () {
         if (this.withToken || this._isRequestToApiMethod() || piwik.shouldPropagateTokenAuth) {
             return {
-                token_auth: piwik.token_auth
+                token_auth: piwik.token_auth,
+                force_api_session: '1'
             };
         }
 
diff --git a/plugins/Overlay/javascripts/Overlay_Helper.js b/plugins/Overlay/javascripts/Overlay_Helper.js
index c7fe53e986e..6f2208d4943 100644
--- a/plugins/Overlay/javascripts/Overlay_Helper.js
+++ b/plugins/Overlay/javascripts/Overlay_Helper.js
@@ -29,7 +29,7 @@ var Overlay_Helper = {
 
         var token_auth = piwik.broadcast.getValueFromUrl("token_auth");
         if (token_auth.length && piwik.shouldPropagateTokenAuth) {
-            url += '&token_auth='  + encodeURIComponent(token_auth);
+            url += '&force_api_session=1&token_auth='  + encodeURIComponent(token_auth);
         }
 
         if (link) {
diff --git a/plugins/Overlay/templates/index.twig b/plugins/Overlay/templates/index.twig
index c98d310787e..42294e2ae4d 100644
--- a/plugins/Overlay/templates/index.twig
+++ b/plugins/Overlay/templates/index.twig
@@ -69,7 +69,7 @@
 
             var iframeSrc = 'index.php?module=Overlay&action=startOverlaySession&idSite={{ idSite }}&period={{ period }}&date={{ rawDate }}&segment={{ segment }}';
             if (piwik.shouldPropagateTokenAuth) {
-                iframeSrc += '&token_auth=' + piwik.token_auth;
+                iframeSrc += '&force_api_session=1&token_auth=' + piwik.token_auth;
             }
 
             Piwik_Overlay.init(iframeSrc, '{{ idSite }}', '{{ period }}', '{{ rawDate }}', '{{ segment }}');
diff --git a/plugins/Overlay/templates/index_noframe.twig b/plugins/Overlay/templates/index_noframe.twig
index 78c18bf2816..c3f32be6b6f 100644
--- a/plugins/Overlay/templates/index_noframe.twig
+++ b/plugins/Overlay/templates/index_noframe.twig
@@ -8,7 +8,7 @@
     <script type="text/javascript">
         var newLocation = 'index.php?module=Overlay&action=startOverlaySession&idSite={{ idSite }}&period={{ period }}&date={{ date }}&segment={{ segment }}';
         if (piwik.shouldPropagateTokenAuth) {
-            newLocation += '&token_auth=' + piwik.token_auth;
+            newLocation += '&force_api_session=1&token_auth=' + piwik.token_auth;
         }
 
         var locationParts = window.location.href.split('#');
diff --git a/plugins/Provider b/plugins/Provider
deleted file mode 160000
index 65ad2d63ab2..00000000000
--- a/plugins/Provider
+++ /dev/null
@@ -1 +0,0 @@
-Subproject commit 65ad2d63ab289ca3dc032a3e4dc4d28c35582cc0
diff --git a/plugins/TwoFactorAuth/Controller.php b/plugins/TwoFactorAuth/Controller.php
index bb37cd5a64d..cb9dedf7ab5 100644
--- a/plugins/TwoFactorAuth/Controller.php
+++ b/plugins/TwoFactorAuth/Controller.php
@@ -148,7 +148,7 @@ public function disableTwoFactorAuth()
             $this->twoFa->disable2FAforUser(Piwik::getCurrentUserLogin());
             $this->passwordVerify->forgetVerifiedPassword();
 
-            $this->redirectToIndex('UsersManager', 'userSettings', null, null, null, array(
+            $this->redirectToIndex('UsersManager', 'userSecurity', null, null, null, array(
                 'disableNonce' => false
             ));
         }
diff --git a/plugins/TwoFactorAuth/TwoFactorAuth.php b/plugins/TwoFactorAuth/TwoFactorAuth.php
index 9b86925b363..f5d17aff948 100644
--- a/plugins/TwoFactorAuth/TwoFactorAuth.php
+++ b/plugins/TwoFactorAuth/TwoFactorAuth.php
@@ -32,9 +32,9 @@ public function registerEvents()
             'AssetManager.getJavaScriptFiles' => 'getJsFiles',
             'AssetManager.getStylesheetFiles' => 'getStylesheetFiles',
             'API.UsersManager.deleteUser.end' => 'deleteRecoveryCodes',
-            'API.UsersManager.getTokenAuth.end' => 'onApiGetTokenAuth',
+            'API.UsersManager.createAppSpecificTokenAuth.end' => 'onCreateAppSpecificTokenAuth',
             'Request.dispatch.end' => array('function' => 'onRequestDispatchEnd', 'after' => true),
-            'Template.userSettings.afterTokenAuth' => 'render2FaUserSettings',
+            'Template.userSecurity.afterPassword' => 'render2FaUserSettings',
             'Login.authenticate.processSuccessfulSession.end' => 'onSuccessfulSession'
         );
     }
@@ -107,7 +107,7 @@ private function isValidTokenAuth($tokenAuth)
         return !empty($user);
     }
 
-    public function onApiGetTokenAuth($returnedValue, $params)
+    public function onCreateAppSpecificTokenAuth($returnedValue, $params)
     {
         if (!SettingsPiwik::isMatomoInstalled()) {
             return;
diff --git a/plugins/TwoFactorAuth/templates/setupFinished.twig b/plugins/TwoFactorAuth/templates/setupFinished.twig
index 456e8f51896..02dec629f1e 100644
--- a/plugins/TwoFactorAuth/templates/setupFinished.twig
+++ b/plugins/TwoFactorAuth/templates/setupFinished.twig
@@ -6,6 +6,6 @@
         </h2>
         <h3>{{ 'TwoFactorAuth_SetupFinishedSubtitle'|translate }}</h3>
         <p><br />
-        <a class="btn" href="{{ linkTo({'module': 'UsersManager', 'action': 'userSettings'}) }}">{{ 'General_Continue'|translate }}</a></p>
+        <a class="btn" href="{{ linkTo({'module': 'UsersManager', 'action': 'userSecurity'}) }}">{{ 'General_Continue'|translate }}</a></p>
     </div>
 {% endblock %}
diff --git a/plugins/TwoFactorAuth/tests/Fixtures/TwoFactorFixture.php b/plugins/TwoFactorAuth/tests/Fixtures/TwoFactorFixture.php
index f5b047ced5c..181595f5820 100644
--- a/plugins/TwoFactorAuth/tests/Fixtures/TwoFactorFixture.php
+++ b/plugins/TwoFactorAuth/tests/Fixtures/TwoFactorFixture.php
@@ -82,7 +82,7 @@ public function setUpUsers()
 
             if ($this->userWith2Fa === $user) {
                 $userModel = new Model();
-                $userModel->updateUserTokenAuth($user, 'c4ca4238a0b923820dcc509a6f75849b');
+                $userModel->addTokenAuth($user, 'c4ca4238a0b923820dcc509a6f75849b', 'twofa test', Date::now()->getDatetime());
             }
         }
 
diff --git a/plugins/TwoFactorAuth/tests/Integration/TwoFactorAuthTest.php b/plugins/TwoFactorAuth/tests/Integration/TwoFactorAuthTest.php
index 797620443c8..1df67e1e36b 100644
--- a/plugins/TwoFactorAuth/tests/Integration/TwoFactorAuthTest.php
+++ b/plugins/TwoFactorAuth/tests/Integration/TwoFactorAuthTest.php
@@ -69,53 +69,59 @@ public function tearDown(): void
         unset($_GET['authCode']);
     }
 
-    public function test_onApiGetTokenAuth_canAuthenticateWhenUserNotUsesTwoFA()
+    public function test_onCreateAppSpecificTokenAuth_canAuthenticateWhenUserNotUsesTwoFA()
     {
-        $token = Request::processRequest('UsersManager.getTokenAuth', array(
+        $token = Request::processRequest('UsersManager.createAppSpecificTokenAuth', array(
             'userLogin' => $this->userWithout2Fa,
-            'md5Password' => md5($this->userPassword)
+            'md5Password' => md5($this->userPassword),
+            'description' => 'twofa test'
         ));
         $this->assertEquals(32, strlen($token));
     }
 
-    public function test_onApiGetTokenAuth_returnsRandomTokenWhenNotAuthenticatedEvenWhen2FAenabled()
+    public function test_onCreateAppSpecificTokenAuth_returnsRandomTokenWhenNotAuthenticatedEvenWhen2FAenabled()
     {
-        $token = Request::processRequest('UsersManager.getTokenAuth', array(
+        $token = Request::processRequest('UsersManager.createAppSpecificTokenAuth', array(
             'userLogin' => $this->userWith2Fa,
-            'md5Password' => md5('invalidPAssword')
+            'md5Password' => md5('invalidPAssword'),
+            'description' => 'twofa test'
         ));
         $this->assertEquals(32, strlen($token));
     }
 
-    public function test_onApiGetTokenAuth_throwsErrorWhenMissingTokenWhenUsing2FaAndAuthenticatedCorrectly()
+    public function test_onCreateAppSpecificTokenAuth_throwsErrorWhenMissingTokenWhenUsing2FaAndAuthenticatedCorrectly()
     {
         $this->expectException(\Exception::class);
         $this->expectExceptionMessage('TwoFactorAuth_MissingAuthCodeAPI');
 
-        Request::processRequest('UsersManager.getTokenAuth', array(
+        Request::processRequest('UsersManager.createAppSpecificTokenAuth', array(
+
             'userLogin' => $this->userWith2Fa,
-            'md5Password' => md5($this->userPassword)
+            'md5Password' => md5($this->userPassword),
+            'description' => 'twofa test'
         ));
     }
 
-    public function test_onApiGetTokenAuth_throwsErrorWhenInvalidTokenWhenUsing2FaAndAuthenticatedCorrectly()
+    public function test_onCreateAppSpecificTokenAuth_throwsErrorWhenInvalidTokenWhenUsing2FaAndAuthenticatedCorrectly()
     {
         $this->expectException(\Exception::class);
         $this->expectExceptionMessage('TwoFactorAuth_InvalidAuthCode');
 
         $_GET['authCode'] = '111222';
-        Request::processRequest('UsersManager.getTokenAuth', array(
+        Request::processRequest('UsersManager.createAppSpecificTokenAuth', array(
             'userLogin' => $this->userWith2Fa,
-            'md5Password' => md5($this->userPassword)
+            'md5Password' => md5($this->userPassword),
+            'description' => 'twofa test'
         ));
     }
 
-    public function test_onApiGetTokenAuth_returnsCorrectTokenWhenProvidingCorrectAuthTokenOnAuthentication()
+    public function test_onCreateAppSpecificTokenAuth_returnsCorrectTokenWhenProvidingCorrectAuthTokenOnAuthentication()
     {
         $_GET['authCode'] = $this->generateValidAuthCode($this->user2faSecret);
-        $token = Request::processRequest('UsersManager.getTokenAuth', array(
+        $token = Request::processRequest('UsersManager.createAppSpecificTokenAuth', array(
             'userLogin' => $this->userWith2Fa,
-            'md5Password' => md5($this->userPassword)
+            'md5Password' => md5($this->userPassword),
+            'description' => 'twofa test'
         ));
         $this->assertEquals(32, strlen($token));
     }
diff --git a/plugins/TwoFactorAuth/tests/UI/TwoFactorAuth_spec.js b/plugins/TwoFactorAuth/tests/UI/TwoFactorAuth_spec.js
index 368ec0632f0..cdfcb10c959 100644
--- a/plugins/TwoFactorAuth/tests/UI/TwoFactorAuth_spec.js
+++ b/plugins/TwoFactorAuth/tests/UI/TwoFactorAuth_spec.js
@@ -13,7 +13,7 @@ describe("TwoFactorAuth", function () {
     this.fixture = "Piwik\\Plugins\\TwoFactorAuth\\tests\\Fixtures\\TwoFactorFixture";
 
     var generalParams = 'idSite=1&period=day&date=2010-01-03',
-        userSettings = '?module=UsersManager&action=userSettings&' + generalParams,
+        userSettings = '?module=UsersManager&action=userSecurity&' + generalParams,
         logoutUrl = '?module=Login&action=logout&period=day&date=yesterday';
 
 
diff --git a/plugins/UserCountry/Columns/City.php b/plugins/UserCountry/Columns/City.php
index 95bf56cb1cd..b9f8d0a38a5 100644
--- a/plugins/UserCountry/Columns/City.php
+++ b/plugins/UserCountry/Columns/City.php
@@ -33,8 +33,8 @@ class City extends Base
     public function onNewVisit(Request $request, Visitor $visitor, $action)
     {
         $value = $this->getUrlOverrideValueIfAllowed('city', $request);
-
         if ($value !== false) {
+            $value = substr($value, 0, 255);
             return $value;
         }
 
diff --git a/plugins/UserCountry/Columns/Country.php b/plugins/UserCountry/Columns/Country.php
index 608be68e6bc..139e9877467 100644
--- a/plugins/UserCountry/Columns/Country.php
+++ b/plugins/UserCountry/Columns/Country.php
@@ -82,8 +82,8 @@ public function formatValue($value, $idSite, Formatter $formatter)
     public function onNewVisit(Request $request, Visitor $visitor, $action)
     {
         $value = $this->getUrlOverrideValueIfAllowed('country', $request);
-
         if ($value !== false) {
+            $value = substr($value, 0, 3);
             return $value;
         }
 
diff --git a/plugins/UserCountry/Columns/Region.php b/plugins/UserCountry/Columns/Region.php
index 71af217b530..99f578ae73f 100644
--- a/plugins/UserCountry/Columns/Region.php
+++ b/plugins/UserCountry/Columns/Region.php
@@ -33,8 +33,8 @@ class Region extends Base
     public function onNewVisit(Request $request, Visitor $visitor, $action)
     {
         $value = $this->getUrlOverrideValueIfAllowed('region', $request);
-
         if ($value !== false) {
+            $value = substr($value, 0, 3);
             return $value;
         }
 
diff --git a/plugins/UserCountryMap/javascripts/realtime-map.js b/plugins/UserCountryMap/javascripts/realtime-map.js
index 39d97a7497a..2f420488189 100644
--- a/plugins/UserCountryMap/javascripts/realtime-map.js
+++ b/plugins/UserCountryMap/javascripts/realtime-map.js
@@ -148,7 +148,7 @@
                 return $.ajax({
                     url: 'index.php?' + $.param(params),
                     dataType: 'json',
-                    data: { token_auth: tokenAuth },
+                    data: { token_auth: tokenAuth, force_api_session: '1' },
                     type: 'POST'
                 });
             }
diff --git a/plugins/UserCountryMap/javascripts/visitor-map.js b/plugins/UserCountryMap/javascripts/visitor-map.js
index 396fac73a33..82bdb13852b 100644
--- a/plugins/UserCountryMap/javascripts/visitor-map.js
+++ b/plugins/UserCountryMap/javascripts/visitor-map.js
@@ -122,7 +122,7 @@
                 return $.ajax({
                     url: 'index.php?' + $.param(params),
                     dataType: dataType,
-                    data: { token_auth: token_auth },
+                    data: { token_auth: token_auth, force_api_session: '1' },
                     type: 'POST'
                 });
             }
diff --git a/plugins/UsersManager/API.php b/plugins/UsersManager/API.php
index 08cf1312c08..c2d4dba6aa1 100644
--- a/plugins/UsersManager/API.php
+++ b/plugins/UsersManager/API.php
@@ -684,9 +684,8 @@ public function addUser($userLogin, $password, $email, $alias = false, $_isPassw
 
         $alias               = $this->getCleanAlias($alias, $userLogin);
         $passwordTransformed = $this->password->hash($passwordTransformed);
-        $token_auth          = $this->createTokenAuth($userLogin);
 
-        $this->model->addUser($userLogin, $passwordTransformed, $email, $alias, $token_auth, Date::now()->getDatetime());
+        $this->model->addUser($userLogin, $passwordTransformed, $email, $alias, Date::now()->getDatetime());
 
         // we reload the access list which doesn't yet take in consideration this new user
         Access::getInstance()->reloadAccess();
@@ -843,29 +842,6 @@ private function enrichUser($user)
         return $newUser;
     }
 
-    /**
-     * Regenerate the token_auth associated with a user.
-     *
-     * If the user currently logged in regenerates his own token, he will be logged out.
-     * His previous token will be rendered invalid.
-     *
-     * @param   string  $userLogin
-     * @throws  Exception
-     */
-    public function regenerateTokenAuth($userLogin)
-    {
-        $this->checkUserIsNotAnonymous($userLogin);
-
-        Piwik::checkUserHasSuperUserAccessOrIsTheUser($userLogin);
-
-        $this->model->updateUserTokenAuth(
-            $userLogin,
-            $this->createTokenAuth($userLogin)
-        );
-
-        Cache::deleteTrackerCache();
-    }
-
     /**
      * Updates a user in the database.
      * Only login and password are required (case when we update the password).
@@ -889,7 +865,6 @@ public function updateUser($userLogin, $password = false, $email = false, $alias
         $this->checkUserExists($userLogin);
 
         $userInfo   = $this->model->getUser($userLogin);
-        $token_auth = $userInfo['token_auth'];
         $changeShouldRequirePasswordConfirmation = false;
 
         $passwordHasBeenUpdated = false;
@@ -936,7 +911,7 @@ public function updateUser($userLogin, $password = false, $email = false, $alias
 
         $alias = $this->getCleanAlias($alias, $userLogin);
 
-        $this->model->updateUser($userLogin, $password, $email, $alias, $token_auth);
+        $this->model->updateUser($userLogin, $password, $email, $alias);
 
         Cache::deleteTrackerCache();
 
@@ -1336,34 +1311,27 @@ private function isUserTheOnlyUserHavingSuperUserAccess($userLogin)
     }
 
     /**
-     * Generates a new random authentication token.
-     *
-     * @param string $userLogin Login
-     * @return string
-     */
-    public function createTokenAuth($userLogin)
-    {
-        return md5($userLogin . microtime(true) . Common::generateUniqId() . SettingsPiwik::getSalt());
-    }
-
-    /**
-     * Returns the user's API token.
+     * Generates an app specific API token every time you call this method. You should ideally store this token securely
+     * in your app and not generate a new token every time.
      *
      * If the username/password combination is incorrect an invalid token will be returned.
      *
      * @param string $userLogin Login or Email address
      * @param string $md5Password hashed string of the password (using current hash function; MD5-named for historical reasons)
+     * @param string $description The description for this app specific password, for example your app name. Max 100 characters are allowed
+     * @param string $expireDate Optionally a date when the token should expire
+     * @param string $expireHours Optionally number of hours for how long the token should be valid before it expires. 
+     *                            If expireDate is set and expireHours, then expireDate will be used.
+     *                            If expireDate is set and expireHours, then expireDate will be used.
      * @return string
      */
-    public function getTokenAuth($userLogin, $md5Password)
+    public function createAppSpecificTokenAuth($userLogin, $md5Password, $description, $expireDate = null, $expireHours = 0)
     {
         UsersManager::checkPasswordHash($md5Password, Piwik::translate('UsersManager_ExceptionPasswordMD5HashExpected'));
 
         $user = $this->model->getUser($userLogin);
-
         if (empty($user) && Piwik::isValidEmailString($userLogin)) {
             $user = $this->model->getUserByEmail($userLogin);
-            
             if (!empty($user['login'])) {
                 $userLogin = $user['login'];
             }
@@ -1384,7 +1352,16 @@ public function getTokenAuth($userLogin, $md5Password)
             $userUpdater->updateUserWithoutCurrentPassword($userLogin, $this->password->hash($md5Password));
         }
 
-        return $user['token_auth'];
+        if (empty($expireDate) && !empty($expireHours) && is_numeric($expireHours)) {
+            $expireDate = Date::now()->addHour($expireHours)->getDatetime();
+        } elseif (!empty($expireDate)) {
+            $expireDate = Date::factory($expireDate)->getDatetime();
+        }
+
+        $generatedToken = $this->model->generateRandomTokenAuth();
+        $this->model->addTokenAuth($userLogin, $generatedToken, $description, Date::now()->getDatetime(), $expireDate);
+
+        return $generatedToken;
     }
 
     public function newsletterSignup()
diff --git a/plugins/UsersManager/Controller.php b/plugins/UsersManager/Controller.php
index 49fb7bd563a..f75bb81b35d 100644
--- a/plugins/UsersManager/Controller.php
+++ b/plugins/UsersManager/Controller.php
@@ -13,31 +13,55 @@
 use Piwik\API\ResponseBuilder;
 use Piwik\Common;
 use Piwik\Container\StaticContainer;
+use Piwik\Date;
+use Piwik\Nonce;
+use Piwik\Notification;
 use Piwik\Option;
 use Piwik\Piwik;
 use Piwik\Plugin;
 use Piwik\Plugin\ControllerAdmin;
 use Piwik\Plugins\LanguagesManager\API as APILanguagesManager;
 use Piwik\Plugins\LanguagesManager\LanguagesManager;
+use Piwik\Plugins\Login\PasswordVerifier;
+use Piwik\Plugins\TagManager\Validators\TriggerIds;
 use Piwik\Plugins\UsersManager\API as APIUsersManager;
 use Piwik\SettingsPiwik;
 use Piwik\Site;
 use Piwik\Tracker\IgnoreCookie;
 use Piwik\Translation\Translator;
 use Piwik\Url;
+use Piwik\Validators\BaseValidator;
+use Piwik\Validators\CharacterLength;
+use Piwik\Validators\NotEmpty;
 use Piwik\View;
 use Piwik\Session\SessionInitializer;
 
 class Controller extends ControllerAdmin
 {
+    const NONCE_CHANGE_PASSWORD = 'changePasswordNonce';
+    const NONCE_ADD_AUTH_TOKEN = 'addAuthTokenNonce';
+    const NONCE_DELETE_AUTH_TOKEN = 'deleteAuthTokenNonce';
+
     /**
      * @var Translator
      */
     private $translator;
 
-    public function __construct(Translator $translator)
+    /**
+     * @var PasswordVerifier
+     */
+    private $passwordVerify;
+
+    /**
+     * @var Model
+     */
+    private $userModel;
+
+    public function __construct(Translator $translator, PasswordVerifier $passwordVerify, Model $userModel)
     {
         $this->translator = $translator;
+        $this->passwordVerify = $passwordVerify;
+        $this->userModel = $userModel;
 
         parent::__construct();
     }
@@ -248,6 +272,112 @@ public function userSettings()
         return $view->render();
     }
 
+    /**
+     * The "User Security" admin UI screen view
+     */
+    public function userSecurity()
+    {
+        Piwik::checkUserIsNotAnonymous();
+
+        $tokens = $this->userModel->getAllNonSystemTokensForLogin(Piwik::getCurrentUserLogin());
+        $tokens = array_map(function ($token){
+            foreach (['date_created', 'last_used', 'date_expired'] as $key) {
+                if (!empty($token[$key])) {
+                    $token[$key] = Date::factory($token[$key])->getLocalized(Date::DATE_FORMAT_LONG);
+                }
+            }
+
+            return $token;
+        }, $tokens);
+        $hasTokensWithExpireDate = !empty(array_filter(array_column($tokens, 'date_expired')));
+
+        return $this->renderTemplate('userSecurity', array(
+            'isUsersAdminEnabled' => UsersManager::isUsersAdminEnabled(),
+            'changePasswordNonce' => Nonce::getNonce(self::NONCE_CHANGE_PASSWORD),
+            'deleteTokenNonce' => Nonce::getNonce(self::NONCE_DELETE_AUTH_TOKEN),
+            'hasTokensWithExpireDate' => $hasTokensWithExpireDate,
+            'tokens' => $tokens
+        ));
+    }
+
+    /**
+     * The "User Security" admin UI screen view
+     */
+    public function deleteToken()
+    {
+        Piwik::checkUserIsNotAnonymous();
+
+        $idTokenAuth = Common::getRequestVar('idtokenauth', '', 'string', $_POST);
+
+        if (!empty($idTokenAuth)) {
+            $params = array(
+                'module' => 'UsersManager',
+                'action' => 'deleteToken',
+                'idtokenauth' => $idTokenAuth,
+                'nonce' => Nonce::getNonce(self::NONCE_DELETE_AUTH_TOKEN)
+            );
+
+            if (!$this->passwordVerify->requirePasswordVerifiedRecently($params)) {
+                throw new Exception('Not allowed');
+            }
+
+            Nonce::checkNonce(self::NONCE_DELETE_AUTH_TOKEN);
+
+            if ($idTokenAuth === 'all') {
+                $this->userModel->deleteAllTokensForUser(Piwik::getCurrentUserLogin());
+
+                $notification = new Notification(Piwik::translate('UsersManager_TokensSuccessfullyDeleted'));
+                $notification->context = Notification::CONTEXT_SUCCESS;
+                Notification\Manager::notify('successdeletetokens', $notification);
+
+            } elseif (is_numeric($idTokenAuth)) {
+                $this->userModel->deleteToken($idTokenAuth, Piwik::getCurrentUserLogin());
+
+                $notification = new Notification(Piwik::translate('UsersManager_TokenSuccessfullyDeleted'));
+                $notification->context = Notification::CONTEXT_SUCCESS;
+                Notification\Manager::notify('successdeletetoken', $notification);
+            }
+        }
+
+        $this->redirectToIndex('UsersManager', 'userSecurity');
+    }
+
+    /**
+     * The "User Security" admin UI screen view
+     */
+    public function addNewToken()
+    {
+        Piwik::checkUserIsNotAnonymous();
+
+        $params = array('module' => 'UsersManager', 'action' => 'addNewToken');
+
+        if (!$this->passwordVerify->requirePasswordVerifiedRecently($params)) {
+            throw new Exception('Not allowed');
+        }
+
+        $noDescription = false;
+
+        if (!empty($_POST['description'])) {
+            Nonce::checkNonce(self::NONCE_ADD_AUTH_TOKEN);
+
+            $description = Common::getRequestVar('description', '', 'string');
+            $login = Piwik::getCurrentUserLogin();
+
+            $generatedToken = $this->userModel->generateRandomTokenAuth();
+
+            $this->userModel->addTokenAuth($login, $generatedToken, $description, Date::now()->getDatetime());
+
+            return $this->renderTemplate('addNewTokenSuccess', array('generatedToken' => $generatedToken));
+        } elseif (isset($_POST['description'])) {
+            $noDescription = true;
+        }
+
+        return $this->renderTemplate('addNewToken', array(
+           'nonce' => Nonce::getNonce(self::NONCE_ADD_AUTH_TOKEN),
+           'noDescription' => $noDescription
+        ));
+    }
+
     /**
      * The "Anonymous Settings" admin UI screen view
      */
@@ -389,9 +519,7 @@ public function recordUserSettings()
 
             Piwik::checkUserHasSuperUserAccessOrIsTheUser($userLogin);
 
-            if (UsersManager::isUsersAdminEnabled()) {
-                $this->processPasswordChange($userLogin);
-            }
+            $this->processEmailChange($userLogin);
 
             LanguagesManager::setLanguageForSession($language);
 
@@ -418,6 +546,26 @@ public function recordUserSettings()
         return $toReturn;
     }
 
+
+    /**
+     * Records settings from the "User Settings" page
+     * @throws Exception
+     */
+    public function recordPasswordChange()
+    {
+        $userLogin = Piwik::getCurrentUserLogin();
+
+        Piwik::checkUserHasSuperUserAccessOrIsTheUser($userLogin);
+        Nonce::checkNonce(self::NONCE_CHANGE_PASSWORD);
+
+        $this->processPasswordChange($userLogin);
+
+        $notification = new Notification(Piwik::translate('CoreAdminHome_SettingsSaveSuccess'));
+        $notification->context = Notification::CONTEXT_SUCCESS;
+        Notification\Manager::notify('successpass', $notification);
+        $this->redirectToIndex('UsersManager',  'userSecurity');
+    }
+
     private function noAdminAccessToWebsite($idSiteSelected, $defaultReportSiteName, $message)
     {
         $view = new View('@UsersManager/noWebsiteAdminAccess');
@@ -430,43 +578,60 @@ private function noAdminAccessToWebsite($idSiteSelected, $defaultReportSiteName,
         return $view->render();
     }
 
-    private function processPasswordChange($userLogin)
+    private function processEmailChange($userLogin)
     {
-        $email = Common::getRequestVar('email');
-        $password = Common::getRequestVar('password', false);
-        $passwordBis = Common::getRequestVar('passwordBis', false);
-        $passwordCurrent = Common::getRequestVar('passwordConfirmation', false);
-
-        $newPassword = false;
-        if (!empty($password) || !empty($passwordBis)) {
-            if ($password != $passwordBis) {
-                throw new Exception($this->translator->translate('Login_PasswordsDoNotMatch'));
-            }
-            $newPassword = $password;
+        if (!UsersManager::isUsersAdminEnabled()) {
+            return;
         }
 
-        if ($newPassword !== false && !Url::isValidHost()) {
-            throw new Exception("Cannot change password or email with untrusted hostname!");
+        if (!Url::isValidHost()) {
+            throw new Exception("Cannot change email with untrusted hostname!");
         }
-        
+
+        $email = Common::getRequestVar('email');
+        $passwordCurrent = Common::getRequestvar('passwordConfirmation', false);
+
         // UI disables password change on invalid host, but check here anyway
         Request::processRequest('UsersManager.updateUser', [
             'userLogin' => $userLogin,
-            'password' => $newPassword,
             'email' => $email,
             'passwordConfirmation' => $passwordCurrent
         ], $default = []);
+    }
+
+    private function processPasswordChange($userLogin)
+    {
+        if (!UsersManager::isUsersAdminEnabled()) {
+            return;
+        }
+
+        if (!Url::isValidHost()) {
+            // UI disables password change on invalid host, but check here anyway
+            throw new Exception("Cannot change password with untrusted hostname!");
+        }
 
-        if ($newPassword !== false) {
-            // logs the user in with the new password
-            $newPassword = Common::unsanitizeInputValue($newPassword);
-            $sessionInitializer = new SessionInitializer();
-            $auth = StaticContainer::get('Piwik\Auth');
-            $auth->setTokenAuth(null); // ensure authenticated through password
-            $auth->setLogin($userLogin);
-            $auth->setPassword($newPassword);
-            $sessionInitializer->initSession($auth);
+        $newPassword = Common::getRequestvar('password', false);
+        $passwordBis = Common::getRequestvar('passwordBis', false);
+        $passwordCurrent = Common::getRequestvar('passwordConfirmation', false);
+
+        if ($newPassword !== $passwordBis) {
+            throw new Exception($this->translator->translate('Login_PasswordsDoNotMatch'));
         }
+
+        Request::processRequest('UsersManager.updateUser', [
+            'userLogin' => $userLogin,
+            'password' => $newPassword,
+            'passwordConfirmation' => $passwordCurrent
+        ], $default = []);
+
+        // logs the user in with the new password
+        $newPassword = Common::unsanitizeInputValue($newPassword);
+        $sessionInitializer = new SessionInitializer();
+        $auth = StaticContainer::get('Piwik\Auth');
+        $auth->setTokenAuth(null); // ensure authenticated through password
+        $auth->setLogin($userLogin);
+        $auth->setPassword($newPassword);
+        $sessionInitializer->initSession($auth);
     }
 
     /**
diff --git a/plugins/UsersManager/Menu.php b/plugins/UsersManager/Menu.php
index 7945480d4e5..25d345f52cf 100644
--- a/plugins/UsersManager/Menu.php
+++ b/plugins/UsersManager/Menu.php
@@ -25,6 +25,7 @@ public function configureAdminMenu(MenuAdmin $menu)
 
         if (!Piwik::isUserIsAnonymous()) {
             $menu->addItem('UsersManager_MenuPersonal', 'General_Settings', $this->urlForAction('userSettings'), 0);
+            $menu->addItem('UsersManager_MenuPersonal', 'General_Security', $this->urlForAction('userSecurity'), 1);
         }
     }
 }
diff --git a/plugins/UsersManager/Model.php b/plugins/UsersManager/Model.php
index 839fdbd5785..15dd22c40bf 100644
--- a/plugins/UsersManager/Model.php
+++ b/plugins/UsersManager/Model.php
@@ -10,6 +10,7 @@
 
 use Piwik\Auth\Password;
 use Piwik\Common;
+use Piwik\Config;
 use Piwik\Date;
 use Piwik\Db;
 use Piwik\Option;
@@ -17,6 +18,10 @@
 use Piwik\Plugins\SitesManager\SitesManager;
 use Piwik\Plugins\UsersManager\Sql\SiteAccessFilter;
 use Piwik\Plugins\UsersManager\Sql\UserTableFilter;
+use Piwik\SettingsPiwik;
+use Piwik\Validators\BaseValidator;
+use Piwik\Validators\CharacterLength;
+use Piwik\Validators\NotEmpty;
 
 /**
  * The UsersManager API lets you Manage Users and their permissions to access specific websites.
@@ -32,8 +37,12 @@
  */
 class Model
 {
+    const MAX_LENGTH_TOKEN_DESCRIPTION = 100;
+    const TOKEN_HASH_ALGO = 'sha512';
+
     private static $rawPrefix = 'user';
-    private $table;
+    private $userTable;
+    private $tokenTable;
 
     /**
      * @var Password
@@ -43,7 +52,8 @@ class Model
     public function __construct()
     {
         $this->passwordHelper = new Password();
-        $this->table = Common::prefixTable(self::$rawPrefix);
+        $this->userTable = Common::prefixTable(self::$rawPrefix);
+        $this->tokenTable = Common::prefixTable('user_token_auth');
     }
 
     /**
@@ -63,7 +73,7 @@ public function getUsers(array $userLogins)
         }
 
         $db = $this->getDb();
-        $users = $db->fetchAll("SELECT * FROM " . $this->table . "
+        $users = $db->fetchAll("SELECT * FROM " . $this->userTable . "
                                 $where
                                 ORDER BY login ASC", $bind);
 
@@ -78,7 +88,7 @@ public function getUsers(array $userLogins)
     public function getUsersLogin()
     {
         $db = $this->getDb();
-        $users = $db->fetchAll("SELECT login FROM " . $this->table . " ORDER BY login ASC");
+        $users = $db->fetchAll("SELECT login FROM " . $this->userTable . " ORDER BY login ASC");
 
         $return = array();
         foreach ($users as $login) {
@@ -229,7 +239,7 @@ public function getUser($userLogin)
     {
         $db = $this->getDb();
 
-        $matchedUsers = $db->fetchAll("SELECT * FROM {$this->table} WHERE login = ?", $userLogin);
+        $matchedUsers = $db->fetchAll("SELECT * FROM {$this->userTable} WHERE login = ?", $userLogin);
 
         // for BC in 2.15 LTS, if there is a user w/ an exact match to the requested login, return that user.
         // this is done since before this change, login was case sensitive. until 3.0, we want to maintain
@@ -243,33 +253,190 @@ public function getUser($userLogin)
         return reset($matchedUsers);
     }
 
+    public function hashTokenAuth($tokenAuth)
+    {
+        $salt = SettingsPiwik::getSalt();
+        return hash(self::TOKEN_HASH_ALGO, $tokenAuth . $salt);
+    }
+
+    public function generateRandomTokenAuth()
+    {
+        $count = 0;
+
+        do {
+            $token = $this->generateTokenAuth();
+
+            $count++;
+            if ($count > 20) {
+                // something seems wrong as the odds of that happening is basically 0. Only catching it to prevent
+                // endless loop in case there is some bug somewhere
+                throw new \Exception('Failed to generate token');
+            }
+
+        } while ($this->getUserByTokenAuth($token));
+
+        return $token;
+    }
+
+    private function generateTokenAuth()
+    {
+        return md5(Common::getRandomString(32, 'abcdef1234567890') . microtime(true) . Common::generateUniqId() . SettingsPiwik::getSalt());
+    }
+
+    public function addTokenAuth($login, $tokenAuth, $description, $dateCreated, $dateExpired = null, $isSystemToken = false)
+    {
+        if (!$this->getUser($login)) {
+            throw new \Exception('User ' . $login . ' does not exist');
+        }
+
+        BaseValidator::check('Description', $description, [new NotEmpty(), new CharacterLength(1, self::MAX_LENGTH_TOKEN_DESCRIPTION)]);
+
+        if (empty($dateExpired)) {
+            $dateExpired = null;
+        }
+
+        $isSystemToken = (int) $isSystemToken;
+
+        $insertSql = "INSERT INTO " . $this->tokenTable . ' (login, description, password, date_created, date_expired, system_token, hash_algo) VALUES (?, ?, ?, ?, ?, ?, ?)';
+
+        $tokenAuth = $this->hashTokenAuth($tokenAuth);
+
+        $db = $this->getDb();
+        $db->query($insertSql, [$login, $description, $tokenAuth, $dateCreated, $dateExpired, $isSystemToken, self::TOKEN_HASH_ALGO]);
+
+        return $db->lastInsertId();
+    }
+
+    private function getTokenByTokenAuth($tokenAuth)
+    {
+        $tokenAuth = $this->hashTokenAuth($tokenAuth);
+        $db = $this->getDb();
+
+        return $db->fetchRow("SELECT * FROM " . $this->tokenTable . " WHERE `password` = ?", $tokenAuth);
+    }
+
+    private function getQueryNotExpiredToken()
+    {
+        return array(
+            'sql' => ' (date_expired is null or date_expired > ?)',
+            'bind' => array(Date::now()->getDatetime())
+        );
+    }
+
+    private function getTokenByTokenAuthIfNotExpired($tokenAuth)
+    {
+        $tokenAuth = $this->hashTokenAuth($tokenAuth);
+        $db = $this->getDb();
+
+        $expired = $this->getQueryNotExpiredToken();
+        $bind = array_merge(array($tokenAuth), $expired['bind']);
+
+        $token = $db->fetchRow("SELECT * FROM " . $this->tokenTable . " WHERE `password` = ? and " . $expired['sql'], $bind);
+
+        return $token;
+    }
+
+    public function deleteExpiredTokens($expiredSince)
+    {
+        $db = $this->getDb();
+
+        return $db->query("DELETE FROM " . $this->tokenTable . " WHERE `date_expired` is not null and date_expired < ?", $expiredSince);
+    }
+
+    public function deleteAllTokensForUser($login)
+    {
+        $db = $this->getDb();
+
+        return $db->query("DELETE FROM " . $this->tokenTable . " WHERE `login` = ?", $login);
+    }
+
+    public function getAllNonSystemTokensForLogin($login)
+    {
+        $db = $this->getDb();
+
+
+        $expired = $this->getQueryNotExpiredToken();
+        $bind = array_merge(array($login), $expired['bind']);
+
+        return $db->fetchAll("SELECT * FROM " . $this->tokenTable . " WHERE `login` = ? and system_token = 0 and " . $expired['sql'] . ' order by idusertokenauth ASC', $bind);
+    }
+
+    public function getAllHashedTokensForLogins($logins)
+    {
+        if (empty($logins)) {
+            return array();
+        }
+
+        $db = $this->getDb();
+        $placeholder = Common::getSqlStringFieldsArray($logins);
+
+        $expired = $this->getQueryNotExpiredToken();
+        $bind = array_merge($logins, $expired['bind']);
+
+        $tokens = $db->fetchAll("SELECT password FROM " . $this->tokenTable . " WHERE `login` IN (".$placeholder.") and " . $expired['sql'], $bind);
+        return array_column($tokens, 'password');
+    }
+
+    public function deleteToken($idTokenAuth, $login)
+    {
+        $db = $this->getDb();
+
+        return $db->query("DELETE FROM " . $this->tokenTable . " WHERE `idusertokenauth` = ? and login = ?", array($idTokenAuth, $login));
+    }
+
+    public function setTokenAuthWasUsed($tokenAuth, $dateLastUsed)
+    {
+        $token = $this->getTokenByTokenAuth($tokenAuth);
+        if (!empty($token)) {
+            $this->updateTokenAuthTable($token['idusertokenauth'], array(
+                'last_used' => $dateLastUsed
+            ));
+        }
+    }
+
+    private function updateTokenAuthTable($idTokenAuth, $fields) {
+        $set  = array();
+        $bind = array();
+        foreach ($fields as $key => $val) {
+            $set[]  = "`$key` = ?";
+            $bind[] = $val;
+        }
+
+        $bind[] = $idTokenAuth;
+
+        $db = $this->getDb();
+        $db->query(sprintf('UPDATE `%s` SET %s WHERE `idusertokenauth` = ?', $this->tokenTable, implode(', ', $set)), $bind);
+    }
+
     public function getUserByEmail($userEmail)
     {
         $db = $this->getDb();
-        return $db->fetchRow("SELECT * FROM " . $this->table . " WHERE email = ?", $userEmail);
+        return $db->fetchRow("SELECT * FROM " . $this->userTable . " WHERE email = ?", $userEmail);
     }
 
     public function getUserByTokenAuth($tokenAuth)
     {
-        $db = $this->getDb();
-        return $db->fetchRow('SELECT * FROM ' . $this->table . ' WHERE token_auth = ?', $tokenAuth);
+        $token = $this->getTokenByTokenAuthIfNotExpired($tokenAuth);
+        if (!empty($token)) {
+            $db = $this->getDb();
+            return $db->fetchRow("SELECT * FROM " . $this->userTable . " WHERE `login` = ?", $token['login']);
+        }
     }
 
-    public function addUser($userLogin, $hashedPassword, $email, $alias, $tokenAuth, $dateRegistered)
+    public function addUser($userLogin, $hashedPassword, $email, $alias, $dateRegistered)
     {
         $user = array(
             'login'            => $userLogin,
             'password'         => $hashedPassword,
             'alias'            => $alias,
             'email'            => $email,
-            'token_auth'       => $tokenAuth,
             'date_registered'  => $dateRegistered,
             'superuser_access' => 0,
             'ts_password_modified' => Date::now()->getDatetime(),
         );
 
         $db = $this->getDb();
-        $db->insert($this->table, $user);
+        $db->insert($this->userTable, $user);
     }
 
     public function setSuperUserAccess($userLogin, $hasSuperUserAccess)
@@ -297,7 +464,7 @@ public function updateUserFields($userLogin, $fields)
         $bind[] = $userLogin;
 
         $db = $this->getDb();
-        $db->query(sprintf('UPDATE `%s` SET %s WHERE `login` = ?', $this->table, implode(', ', $set)), $bind);
+        $db->query(sprintf('UPDATE `%s` SET %s WHERE `login` = ?', $this->userTable, implode(', ', $set)), $bind);
     }
 
     /**
@@ -308,7 +475,7 @@ public function updateUserFields($userLogin, $fields)
     public function getUsersHavingSuperUserAccess()
     {
         $db = $this->getDb();
-        $users = $db->fetchAll("SELECT login, email, token_auth, superuser_access
+        $users = $db->fetchAll("SELECT login, email, superuser_access
                                 FROM " . Common::prefixTable("user") . "
                                 WHERE superuser_access = 1
                                 ORDER BY date_registered ASC");
@@ -316,12 +483,11 @@ public function getUsersHavingSuperUserAccess()
         return $users;
     }
 
-    public function updateUser($userLogin, $hashedPassword, $email, $alias, $tokenAuth)
+    public function updateUser($userLogin, $hashedPassword, $email, $alias)
     {
         $fields = array(
             'alias'      => $alias,
             'email'      => $email,
-            'token_auth' => $tokenAuth
         );
         if (!empty($hashedPassword)) {
             $fields['password'] = $hashedPassword;
@@ -329,17 +495,10 @@ public function updateUser($userLogin, $hashedPassword, $email, $alias, $tokenAu
         $this->updateUserFields($userLogin, $fields);
     }
 
-    public function updateUserTokenAuth($userLogin, $tokenAuth)
-    {
-        $this->updateUserFields($userLogin, array(
-            'token_auth' => $tokenAuth
-        ));
-    }
-
     public function userExists($userLogin)
     {
         $db = $this->getDb();
-        $count = $db->fetchOne("SELECT count(*) FROM " . $this->table . " WHERE login = ?", $userLogin);
+        $count = $db->fetchOne("SELECT count(*) FROM " . $this->userTable . " WHERE login = ?", $userLogin);
 
         return $count != 0;
     }
@@ -347,7 +506,7 @@ public function userExists($userLogin)
     public function userEmailExists($userEmail)
     {
         $db = $this->getDb();
-        $count = $db->fetchOne("SELECT count(*) FROM " . $this->table . " WHERE email = ?", $userEmail);
+        $count = $db->fetchOne("SELECT count(*) FROM " . $this->userTable . " WHERE email = ?", $userEmail);
 
         return $count != 0;
     }
@@ -380,7 +539,8 @@ public function addUserAccess($userLogin, $access, $idSites)
     public function deleteUserOnly($userLogin)
     {
         $db = $this->getDb();
-        $db->query("DELETE FROM " . $this->table . " WHERE login = ?", $userLogin);
+        $db->query("DELETE FROM " . $this->userTable . " WHERE login = ?", $userLogin);
+        $db->query("DELETE FROM " . $this->tokenTable . " WHERE login = ?", $userLogin);
 
         /**
          * Triggered after a user has been deleted.
@@ -428,7 +588,7 @@ public function getUserLoginsMatching($idSite = null, $pattern = null, $access =
 
         $bind = array_merge($bind, $whereBind);
 
-        $sql = 'SELECT u.login FROM ' . $this->table . " u $joins $where";
+        $sql = 'SELECT u.login FROM ' . $this->userTable . " u $joins $where";
 
         $db = $this->getDb();
 
@@ -468,7 +628,7 @@ public function getUsersWithRole($idSite, $limit = null, $offset = null, $patter
         }
 
         $sql = 'SELECT SQL_CALC_FOUND_ROWS u.*, GROUP_CONCAT(a.access SEPARATOR "|") as access
-                  FROM ' . $this->table . " u
+                  FROM ' . $this->userTable . " u
                 $joins
                 $where
               GROUP BY u.login
diff --git a/plugins/UsersManager/Tasks.php b/plugins/UsersManager/Tasks.php
index f3f6a35528e..29ea9ed3baa 100644
--- a/plugins/UsersManager/Tasks.php
+++ b/plugins/UsersManager/Tasks.php
@@ -8,6 +8,7 @@
 namespace Piwik\Plugins\UsersManager;
 
 use Piwik\Access;
+use Piwik\Date;
 
 class Tasks extends \Piwik\Plugin\Tasks
 {
@@ -29,9 +30,14 @@ public function __construct(Model $usersModel, API $usersManagerApi)
 
     public function schedule()
     {
+        $this->daily("cleanupExpiredTokens");
         $this->daily("setUserDefaultReportPreference");
     }
 
+    public function cleanupExpiredTokens() {
+        $this->usersModel->deleteExpiredTokens(Date::now()->getDatetime());
+    }
+
     public function setUserDefaultReportPreference()
     {
         // We initialize the default report user preference for each user (if it hasn't been inited before) for performance,
diff --git a/plugins/UsersManager/UsersManager.php b/plugins/UsersManager/UsersManager.php
index 0340acda20d..405d17c1cf9 100644
--- a/plugins/UsersManager/UsersManager.php
+++ b/plugins/UsersManager/UsersManager.php
@@ -43,7 +43,6 @@ public function registerEvents()
             'Translate.getClientSideTranslationKeys' => 'getClientSideTranslationKeys',
             'Platform.initialized'                   => 'onPlatformInitialized',
             'System.addSystemSummaryItems'           => 'addSystemSummaryItems',
-            'CronArchive.getTokenAuth'               => 'getCronArchiveTokenAuth'
         );
     }
 
@@ -94,22 +93,17 @@ public function onPlatformInitialized()
     public function recordAdminUsersInCache(&$attributes, $idSite)
     {
         $model = new Model();
-        $adminLogins = $model->getUsersLoginWithSiteAccess($idSite, Admin::ID);
+        $logins = $model->getUsersLoginWithSiteAccess($idSite, Admin::ID);
         $writeLogins = $model->getUsersLoginWithSiteAccess($idSite, Write::ID);
+        $logins = array_merge($logins, $writeLogins);
 
-        $attributes['tracking_token_auth'] = array();
+        $token_auths = $model->getAllHashedTokensForLogins($logins);
 
-        if (!empty($adminLogins)) {
-            $users = $model->getUsers($adminLogins);
-            foreach ($users as $user) {
-                $attributes['tracking_token_auth'][] = self::hashTrackingToken($user['token_auth'], $idSite);
-            }
-        }
+        $attributes['tracking_token_auth'] = array();
 
-        if (!empty($writeLogins)) {
-            $users = $model->getUsers($writeLogins);
-            foreach ($users as $user) {
-                $attributes['tracking_token_auth'][] = self::hashTrackingToken($user['token_auth'], $idSite);
+        if (!empty($token_auths)) {
+            foreach ($token_auths as $token_auth) {
+                $attributes['tracking_token_auth'][] = self::hashTrackingToken($token_auth, $idSite);
             }
         }
     }
@@ -119,16 +113,6 @@ public static function hashTrackingToken($tokenAuth, $idSite)
         return sha1($idSite . $tokenAuth . SettingsPiwik::getSalt());
     }
 
-    public function getCronArchiveTokenAuth(&$tokens)
-    {
-        $model      = new Model();
-        $superUsers = $model->getUsersHavingSuperUserAccess();
-
-        foreach($superUsers as $superUser) {
-            $tokens[] = $superUser['token_auth'];
-        }
-    }
-
     /**
      * Delete user preferences associated with a particular site
      */
@@ -247,7 +231,7 @@ public static function checkBasicPasswordStrength($password)
      */
     public static function checkPasswordHash($passwordHash, $exceptionMessage)
     {
-        if (strlen($passwordHash) != 32) {  // MD5 hash length
+        if (strlen($passwordHash) != 32 || !ctype_xdigit($passwordHash)) {  // MD5 hash length
             throw new Exception($exceptionMessage);
         }
     }
diff --git a/plugins/UsersManager/angularjs/personal-settings/personal-settings.controller.js b/plugins/UsersManager/angularjs/personal-settings/personal-settings.controller.js
index 635d6e93db0..047b08cb10c 100644
--- a/plugins/UsersManager/angularjs/personal-settings/personal-settings.controller.js
+++ b/plugins/UsersManager/angularjs/personal-settings/personal-settings.controller.js
@@ -34,7 +34,7 @@
                     id: 'PersonalSettingsSuccess', context: 'success'});
                 notification.scrollToNotification();
 
-                self.doesRequirePasswordConfirmation = !!self.password;
+                self.doesRequirePasswordConfirmation = false;
                 self.passwordCurrent = '';
                 self.loading = false;
             }, function (errorMessage) {
@@ -74,25 +74,6 @@
             });
         };
 
-        this.regenerateTokenAuth = function () {
-            var parameters = { userLogin: piwik.userLogin };
-
-            self.loading = true;
-
-            piwikHelper.modalConfirm('#confirmTokenRegenerate', {yes: function () {
-                piwikApi.withTokenInUrl();
-                piwikApi.post({
-                    module: 'API',
-                    method: 'UsersManager.regenerateTokenAuth'
-                }, parameters).then(function (success) {
-                    $window.location.reload();
-                    self.loading = false;
-                }, function (errorMessage) {
-                    self.loading = false;
-                });
-            }});
-        };
-
         this.cancelSave = function () {
             this.passwordCurrent = '';
         };
@@ -116,14 +97,6 @@
                 timeformat: this.timeformat,
             };
 
-            if (this.password) {
-                postParams.password = this.password;
-            }
-
-            if (this.passwordBis) {
-                postParams.passwordBis = this.passwordBis;
-            }
-
             if (this.passwordCurrent) {
                 postParams.passwordConfirmation = this.passwordCurrent;
             }
diff --git a/plugins/UsersManager/lang/en.json b/plugins/UsersManager/lang/en.json
index c8f7e4de475..8f23bae7c74 100644
--- a/plugins/UsersManager/lang/en.json
+++ b/plugins/UsersManager/lang/en.json
@@ -13,6 +13,16 @@
         "SaveBasicInfo": "Save Basic Info",
         "Alias": "Alias",
         "AllWebsites": "All websites",
+        "LastUsed": "Last used",
+        "ExpireDate": "Expire date",
+        "AuthTokens": "Auth tokens",
+        "AuthTokenPurpose": "What are you using this token for?",
+        "NoTokenCreatedYetCreateNow": "No token created yet, %1$screate a new token now%2$s.",
+        "TokenSuccessfullyGenerated": "Token successfully generated",
+        "ConfirmTokenCopied": "I confirm I copied the token.",
+        "GoBackSecurityPage": "Go back to security page.",
+        "PleaseStoreToken": "Please store your token securely as you will not be able to access or see the token again.",
+        "CreateNewToken": "Create new token",
         "AnonymousAccessConfirmation": "You are about to grant the anonymous user the 'view' access to this website. This means your analytics reports and your visitors information will be publicly viewable by anyone even without a login. Are you sure you want to proceed?",
         "AnonymousUser": "Anonymous user",
         "AnonymousUserHasViewAccess": "Note: the %1$s user has %2$s access to this website.",
@@ -90,7 +100,14 @@
         "TokenAuth": "API Authentication Token",
         "TokenRegenerateConfirmSelf": "Changing the API authentication token will invalidate your own token. If the current token is in use, you need to update all API clients with the newly generated token. Do you really want to change your authentication token?",
         "TokenRegenerateTitle": "Regenerate",
+        "TokensSuccessfullyDeleted": "All tokens were successfully deleted",
+        "TokenSuccessfullyDeleted": "Token was successfully deleted",
+        "DeleteAllTokens": "Delete all tokens",
+        "ExpiredTokensDeleteAutomatically": "Tokens with an expire date will be deleted automatically.",
+        "TokensWithExpireDateCreationBySystem": "Tokens with expire date can currently only be created by the system",
+        "TokenAuthIntro": "Tokens you have generated can be used to access the Matomo reporting API, Matomo tracking API, and exported Matomo widgets and have the same permissions as your regular user login. You can use these tokens also for the Matomo Mobile app.",
         "TypeYourPasswordAgain": "Type your new password again.",
+        "TypeYourCurrentPassword": "Please type your current password to confirm the password change.",
         "User": "User",
         "UserHasPermission":"%1$s currently has %2$s access for %3$s.",
         "UserHasNoPermission":"%1$s currently has %2$s to %3$s",
diff --git a/plugins/UsersManager/stylesheets/usersManager.less b/plugins/UsersManager/stylesheets/usersManager.less
index 3def95dce63..c3a47dd7bf7 100644
--- a/plugins/UsersManager/stylesheets/usersManager.less
+++ b/plugins/UsersManager/stylesheets/usersManager.less
@@ -97,4 +97,11 @@
     margin-right: 1em;
     margin-top: 1em;
   }
+}
+
+.uiTest pre.generatedTokenAuth {
+  visibility: hidden;
+}
+.uiTest .listAuthTokens .creationDate {
+  visibility: hidden;
 }
\ No newline at end of file
diff --git a/plugins/UsersManager/templates/addNewToken.twig b/plugins/UsersManager/templates/addNewToken.twig
new file mode 100644
index 00000000000..fa04b2f26bc
--- /dev/null
+++ b/plugins/UsersManager/templates/addNewToken.twig
@@ -0,0 +1,37 @@
+{% extends 'admin.twig' %}
+
+{% set title %}{{ 'General_Security'|translate }}{% endset %}
+
+{% block content %}
+
+    <div piwik-content-block content-title="{{ 'UsersManager_AuthTokens'|translate|e('html_attr') }}">
+        <p>
+            {{ 'UsersManager_TokenAuthIntro'|translate }}
+        </p>
+
+        {% if noDescription %}
+            <br>
+            <div class="alert alert-danger">
+                {{ 'General_Description'|translate }}: {{ 'General_ValidatorErrorEmptyValue'|translate }}
+            </div>
+        {% endif %}
+
+        <form  action="{{ linkTo({'module': 'UsersManager', 'action': 'addNewToken'}) }}" method="post" class="addTokenForm">
+            <div piwik-field uicontrol="text" name="description"
+                 data-title="{{ 'General_Description'|translate|e('html_attr') }}"
+                 maxlength="100" required
+                 inline-help="{{ 'UsersManager_AuthTokenPurpose'|translate|e('html_attr') }}">
+            </div>
+
+            <input type="hidden" value="{{ nonce|e('html_attr') }}" name="nonce">
+
+            <input type="submit"
+                   value="{{ 'UsersManager_CreateNewToken'|translate|e('html_attr') }}"
+                   class="btn"/>
+            {% set backlink = linkTo({'module': 'UsersManager', 'action': 'userSecurity'}) %}
+            {{ 'General_OrCancel'|translate("<a class='entityCancelLink' href='" ~ backlink ~ "'>","</a>")|raw }}
+
+        </form>
+    </div>
+
+{% endblock %}
diff --git a/plugins/UsersManager/templates/addNewTokenSuccess.twig b/plugins/UsersManager/templates/addNewTokenSuccess.twig
new file mode 100644
index 00000000000..ba0ac62b09e
--- /dev/null
+++ b/plugins/UsersManager/templates/addNewTokenSuccess.twig
@@ -0,0 +1,17 @@
+{% extends 'admin.twig' %}
+
+{% set title %}{{ 'General_Security'|translate }}{% endset %}
+
+{% block content %}
+
+    <div piwik-content-block content-title="{{ 'UsersManager_TokenSuccessfullyGenerated'|translate|e('html_attr') }}">
+        <p>
+            {{ 'UsersManager_PleaseStoreToken'|translate }}
+        </p>
+        <pre piwik-select-on-focus style="font-size: 40px;" class="generatedTokenAuth"><code>{{ generatedToken }}</code></pre>
+
+        <a href="{{ linkTo({'module': 'UsersManager', 'action': 'userSecurity'}) }}" class="btn"
+        >{{ 'UsersManager_ConfirmTokenCopied'|translate }} {{ 'UsersManager_GoBackSecurityPage'|translate }}</a>
+    </div>
+
+{% endblock %}
diff --git a/plugins/UsersManager/templates/userSecurity.twig b/plugins/UsersManager/templates/userSecurity.twig
new file mode 100644
index 00000000000..58c03b571e9
--- /dev/null
+++ b/plugins/UsersManager/templates/userSecurity.twig
@@ -0,0 +1,121 @@
+{% extends 'admin.twig' %}
+
+{% set title %}{{ 'General_Security'|translate }}{% endset %}
+
+{% block content %}
+{% if isUsersAdminEnabled %}
+    <div piwik-content-block content-title="{{ 'General_ChangePassword'|translate|e('html_attr') }}" feature="true">
+        <form id="userSettingsTable" method="post" action="{{ linkTo({'module': 'UsersManager', 'action': 'recordPasswordChange'}) }}">
+
+            <input type="hidden" value="{{ changePasswordNonce|e('html_attr') }}" name="nonce">
+
+            {% if isValidHost is defined and isValidHost %}
+
+                <div piwik-field uicontrol="password" name="password" autocomplete="off"
+                     ng-model="personalSettings.password"
+                     ng-change="personalSettings.requirePasswordConfirmation()"
+                     data-title="{{ 'Login_NewPassword'|translate|e('html_attr') }}"
+                     value="" inline-help="{{ 'UsersManager_IfYouWouldLikeToChangeThePasswordTypeANewOne'|translate|e('html_attr') }}">
+                </div>
+
+                <div piwik-field uicontrol="password" name="passwordBis" autocomplete="off"
+                     ng-model="personalSettings.passwordBis"
+                     ng-change="personalSettings.requirePasswordConfirmation()"
+                     data-title="{{ 'Login_NewPasswordRepeat'|translate|e('html_attr') }}"
+                     value="" inline-help="{{ 'UsersManager_TypeYourPasswordAgain'|translate|e('html_attr') }}">
+                </div>
+
+                <div piwik-field uicontrol="password" name="passwordConfirmation" autocomplete="off"
+                     ng-model="personalSettings.current_password"
+                     data-title="{{ 'UsersManager_YourCurrentPassword'|translate|e('html_attr') }}"
+                     value="" inline-help="{{ 'UsersManager_TypeYourCurrentPassword'|translate|e('html_attr') }}">
+                </div>
+
+                <input type="submit"
+                       value="{{ 'General_Save'|translate|e('html_attr') }}"
+                       class="btn"/>
+            {% endif %}
+
+            {% if isValidHost is not defined or not isValidHost %}
+                <div class="alert alert-danger">
+                    {{ 'UsersManager_InjectedHostCannotChangePwd'|translate(invalidHost) }}
+                    {% if not isSuperUser %}{{ 'UsersManager_EmailYourAdministrator'|translate(invalidHostMailLinkStart,'</a>')|raw }}{% endif %}
+                </div>
+            {% endif %}
+
+        </form>
+    </div>
+
+    {{ postEvent('Template.userSecurity.afterPassword') }}
+{% endif %}
+
+    <a name="authtokens" id="authtokens"></a>
+    <div piwik-content-block content-title="{{ 'UsersManager_AuthTokens'|translate|e('html_attr') }}">
+        <p>
+            {{ 'UsersManager_TokenAuthIntro'|translate }}
+            {% if hasTokensWithExpireDate %}{{ 'UsersManager_ExpiredTokensDeleteAutomatically'|translate }}{% endif %}
+        </p>
+        <table piwik-content-table class="listAuthTokens">
+            <thead>
+            <tr>
+                <th>{{ 'General_CreationDate'|translate }}</th>
+                <th>{{ 'General_Description'|translate }}</th>
+                <th>{{ 'UsersManager_LastUsed'|translate }}</th>
+                {% if hasTokensWithExpireDate %}<th title="{{ 'UsersManager_TokensWithExpireDateCreationBySystem'|translate|e('html_attr') }}">{{ 'UsersManager_ExpireDate'|translate }}</th>{% endif %}
+                <th>{{ 'General_Actions'|translate }}</th>
+            </tr>
+            </thead>
+            <tbody>
+            {% if tokens is empty %}
+            <tr>
+                <td colspan="{% if hasTokensWithExpireDate %}5{% else %}4{% endif %}">
+                    {{ 'UsersManager_NoTokenCreatedYetCreateNow'|translate('<a href="' ~ (linkTo({'module': 'UsersManager', 'action': 'addNewToken'})|e('html_attr'))~ '">', '</a>')|raw }}
+                </td></tr>
+            {% else %}
+                {% for theToken in tokens %}
+                    <tr>
+                        <td><span class="creationDate">{{ theToken.date_created }}</span></td>
+                        <td>{{ theToken.description }}</td>
+                        <td>{% if theToken.last_used %}{{ theToken.last_used }}{% else %}{{ 'General_Never'|translate }}{% endif %}</td>
+                        {% if hasTokensWithExpireDate %}
+                            <td title="{{ 'UsersManager_TokensWithExpireDateCreationBySystem'|translate|e('html_attr') }}">
+                            {% if theToken.date_expired %}{{ theToken.date_expired }}{% else %}{{ 'General_Never'|translate }}{% endif %}
+                            </td>
+                        {% endif %}
+                        <td>
+                            <form method="post" action="{{ linkTo({'module': 'UsersManager', 'action': 'deleteToken'}) }}" style="display: inline">
+                                <input name="nonce" type="hidden" value="{{ deleteTokenNonce|e('html_attr')  }}">
+                                <input name="idtokenauth" type="hidden" value="{{ theToken.idusertokenauth|e('html_attr') }}">
+                                <button type="submit" class="table-action"
+                                        title="{{ 'General_Delete'|translate|e('html_attr') }}">
+                                    <span class="icon-delete"></span>
+                                </button>
+                            </form>
+                        </td>
+                    </tr>
+                {% endfor %}
+            {% endif %}
+            </tbody>
+        </table>
+
+        <div class="tableActionBar">
+            <a href="{{ linkTo({'module': 'UsersManager', 'action': 'addNewToken'})|e('html_attr') }}" class="addNewToken">
+                <span class="icon-add"></span>
+               {{ 'UsersManager_CreateNewToken'|translate }}
+            </a>
+
+            {% if tokens is not empty %}
+            <form method="post" action="{{ linkTo({'module': 'UsersManager', 'action': 'deleteToken'}) }}" style="display: inline">
+                <input name="nonce" type="hidden" value="{{ deleteTokenNonce|e('html_attr')  }}">
+                <input name="idtokenauth" type="hidden" value="all">
+                <button type="submit" class="table-action">
+                    <span class="icon-delete"></span> {{ 'UsersManager_DeleteAllTokens'|translate }}
+                </button>
+            </form>
+            {% endif %}
+        </div>
+
+    </div>
+
+
+{% endblock %}
diff --git a/plugins/UsersManager/templates/userSettings.twig b/plugins/UsersManager/templates/userSettings.twig
index 22c9a58ccb2..370c710cc8d 100644
--- a/plugins/UsersManager/templates/userSettings.twig
+++ b/plugins/UsersManager/templates/userSettings.twig
@@ -4,12 +4,6 @@
 
 {% block content %}
 
-<div class="ui-confirm" id="confirmTokenRegenerate">
-    <h2>{{ 'UsersManager_TokenRegenerateConfirmSelf'|translate }}</h2>
-    <input role="yes" type="button" value="{{ 'General_Yes'|translate }}"/>
-    <input role="no" type="button" value="{{ 'General_No'|translate }}"/>
-</div>
-
 <div piwik-content-block content-title="{{ title|e('html_attr') }}" feature="true">
     <form id="userSettingsTable" piwik-form ng-controller="PersonalSettingsController as personalSettings">
 
@@ -74,31 +68,6 @@
              value="{{ defaultDate }}" options="{{ availableDefaultDates|json_encode }}">
         </div>
 
-        {% if isValidHost is defined and isValidHost and isUsersAdminEnabled %}
-
-            <div piwik-field uicontrol="password" name="password" autocomplete="off"
-                 ng-model="personalSettings.password"
-                 ng-change="personalSettings.requirePasswordConfirmation()"
-                 introduction="{{ 'General_ChangePassword'|translate|e('html_attr') }}"
-                 data-title="{{ 'Login_NewPassword'|translate|e('html_attr') }}"
-                 value="" inline-help="{{ 'UsersManager_IfYouWouldLikeToChangeThePasswordTypeANewOne'|translate|e('html_attr') }}">
-            </div>
-
-            <div piwik-field uicontrol="password" name="passwordBis" autocomplete="off"
-                 ng-model="personalSettings.passwordBis"
-                 ng-change="personalSettings.requirePasswordConfirmation()"
-                 data-title="{{ 'Login_NewPasswordRepeat'|translate|e('html_attr') }}"
-                 value="" inline-help="{{ 'UsersManager_TypeYourPasswordAgain'|translate|e('html_attr') }}">
-            </div>
-        {% endif %}
-
-        {% if isValidHost is not defined or not isValidHost %}
-            <div class="alert alert-danger">
-                {{ 'UsersManager_InjectedHostCannotChangePwd'|translate(invalidHost) }}
-                {% if not isSuperUser %}{{ 'UsersManager_EmailYourAdministrator'|translate(invalidHostMailLinkStart,'</a>')|raw }}{% endif %}
-            </div>
-        {% endif %}
-
         <div piwik-save-button onconfirm="personalSettings.save()"
              saving="personalSettings.loading"></div>
 
@@ -122,40 +91,31 @@
     </form>
 </div>
 
+{% endblock %}
+
 {% if showNewsletterSignup %}
-<div ng-controller="PersonalSettingsController as personalSettings">
-    <div piwik-content-block id="newsletterSignup"
-         ng-show="personalSettings.showNewsletterSignup"
-         content-title="{{ 'UsersManager_NewsletterSignupTitle'|translate|e('html_attr') }}">
-
-        <div piwik-field uicontrol="checkbox" name="newsletterSignupCheckbox"
-             ng-model="personalSettings.newsletterSignupCheckbox"
-             full-width="true"
-             data-title="{{ 'UsersManager_NewsletterSignupMessage'|translate('<a href="https://matomo.org/privacy-policy/" target="_blank">', '</a>')|e('html_attr') }}"
-             >
-        </div>
+    <div ng-controller="PersonalSettingsController as personalSettings">
+        <div piwik-content-block id="newsletterSignup"
+             ng-show="personalSettings.showNewsletterSignup"
+             content-title="{{ 'UsersManager_NewsletterSignupTitle'|translate|e('html_attr') }}">
+
+            <div piwik-field uicontrol="checkbox" name="newsletterSignupCheckbox"
+                 ng-model="personalSettings.newsletterSignupCheckbox"
+                 full-width="true"
+                 data-title="{{ 'UsersManager_NewsletterSignupMessage'|translate('<a href="https://matomo.org/privacy-policy/" target="_blank">', '</a>')|e('html_attr') }}"
+            >
+            </div>
 
-        <div piwik-save-button id="newsletterSignupBtn"
-             onconfirm="personalSettings.signupForNewsletter()"
-             data-disabled="!personalSettings.newsletterSignupCheckbox"
-             value="{{ '{{ personalSettings.newsletterSignupButtonTitle }}'|raw }}"
-             saving="personalSettings.isProcessingNewsletterSignup">
+            <div piwik-save-button id="newsletterSignupBtn"
+                 onconfirm="personalSettings.signupForNewsletter()"
+                 data-disabled="!personalSettings.newsletterSignupCheckbox"
+                 value="{{ '{{ personalSettings.newsletterSignupButtonTitle }}'|raw }}"
+                 saving="personalSettings.isProcessingNewsletterSignup">
+            </div>
         </div>
     </div>
-</div>
 {% endif %}
 
-<div piwik-content-block
-     content-title="{{ 'UsersManager_TokenAuth'|translate|e('html_attr') }}">
-    <pre piwik-select-on-focus id="token_auth_user" piwik-show-sensitive-data="{{ userTokenAuth }}"></pre>
-
-    <button class="btn btn-link"
-            ng-controller="PersonalSettingsController as personalSettings"
-            ng-click="personalSettings.regenerateTokenAuth()">{{ 'UsersManager_TokenRegenerateTitle'|translate }}</button>
-</div>
-
-{{ postEvent('Template.userSettings.afterTokenAuth') }}
-
 <div piwik-plugin-settings mode="user"></div>
 
 <div piwik-content-block
@@ -174,4 +134,4 @@
     </a></span>
 </div>
 
-{% endblock %}
+{% endblock %}
\ No newline at end of file
diff --git a/plugins/UsersManager/tests/Fixtures/ManyUsers.php b/plugins/UsersManager/tests/Fixtures/ManyUsers.php
index 9eba719d2ab..4497ed319d5 100644
--- a/plugins/UsersManager/tests/Fixtures/ManyUsers.php
+++ b/plugins/UsersManager/tests/Fixtures/ManyUsers.php
@@ -7,6 +7,7 @@
  */
 namespace Piwik\Plugins\UsersManager\tests\Fixtures;
 
+use Piwik\Date;
 use Piwik\Plugins\UsersManager\API;
 use Piwik\Plugins\UsersManager\Model;
 use Piwik\Plugins\UsersManager\UserUpdater;
@@ -27,6 +28,7 @@ class ManyUsers extends Fixture
     public $siteCopyCount;
     public $userCopyCount;
     public $addTextSuffixes;
+    public $users = array();
 
     public $baseUsers = array(
         'login1' => array('superuser' => 1),
@@ -129,8 +131,11 @@ protected function setUpUsers()
                     }
                 }
 
+                $tokenAuth = $model->generateRandomTokenAuth();
+                $model->addTokenAuth($login, $tokenAuth, 'many users test', Date::now()->getDatetime());
+
                 $user = $model->getUser($login);
-                $this->users[$login]['token'] = $user['token_auth'];
+                $this->users[$login]['token'] = $tokenAuth;
             }
         }
     }
diff --git a/plugins/UsersManager/tests/Integration/ModelTest.php b/plugins/UsersManager/tests/Integration/ModelTest.php
index be2c79d3337..0a99be16ded 100644
--- a/plugins/UsersManager/tests/Integration/ModelTest.php
+++ b/plugins/UsersManager/tests/Integration/ModelTest.php
@@ -43,6 +43,7 @@ class ModelTest extends IntegrationTestCase
     private $model;
 
     private $login = 'userLogin';
+    private $login2 = 'userLogin2';
 
     public function setUp(): void
     {
@@ -58,6 +59,7 @@ public function setUp(): void
         Fixture::createWebsite('2014-01-01 00:00:00');
         Fixture::createWebsite('2014-01-01 00:00:00');
         $this->api->addUser($this->login, 'password', 'userlogin@password.de');
+        $this->api->addUser($this->login2, 'password2', 'userlogin2@password.de');
     }
 
     public function test_getSitesAccessFromUser_noAccess()
@@ -109,4 +111,262 @@ public function test_getSitesAccessFromUser_siteDeletedManually()
         ), $this->model->getSitesAccessFromUser($this->login));
     }
 
+    public function test_getAllNonSystemTokensForLogin_whenNoTokenConfigured()
+    {
+        $tokens = $this->model->getAllNonSystemTokensForLogin($this->login);
+        $this->assertSame(array(), $tokens);
+    }
+
+    public function test_addTokenAuth_minimal()
+    {
+        $this->model->addTokenAuth($this->login, 'token', 'MyDescription', '2020-01-02 03:04:05');
+        $tokens = $this->model->getAllNonSystemTokensForLogin($this->login);
+        $this->assertEquals(array(array(
+            'idusertokenauth' => '1',
+            'login' => 'userLogin',
+            'description' => 'MyDescription',
+            'password' => '2265daba0872fc3aef169d079365e590f0cbc8ed46c2a7984c8a642803cfd96cb47804a63cf22a79f6ca469268c29ee9e72a5059b62d0a598fe42dfc8dcc51bc',
+            'hash_algo' => 'sha512',
+            'system_token' => '0',
+            'last_used' => null,
+            'date_created' => '2020-01-02 03:04:05',
+            'date_expired' => null
+        )), $tokens);
+    }
+
+    public function test_addTokenAuth_expire()
+    {
+        $id = $this->model->addTokenAuth($this->login, 'token', 'MyDescription', '2020-01-02 03:04:05', '2030-01-05 03:04:05');
+        $this->assertEquals(1, $id);
+        $tokens = $this->model->getAllNonSystemTokensForLogin($this->login);
+        $this->assertEquals(array(array(
+            'idusertokenauth' => '1',
+            'login' => 'userLogin',
+            'description' => 'MyDescription',
+            'password' => '2265daba0872fc3aef169d079365e590f0cbc8ed46c2a7984c8a642803cfd96cb47804a63cf22a79f6ca469268c29ee9e72a5059b62d0a598fe42dfc8dcc51bc',
+            'hash_algo' => 'sha512',
+            'system_token' => '0',
+            'last_used' => null,
+            'date_created' => '2020-01-02 03:04:05',
+            'date_expired' => '2030-01-05 03:04:05'
+        )), $tokens);
+    }
+
+    /**
+     * @expectedException  \Exception
+     * @expectedExceptionMessage  does not exist
+     */
+    public function test_addTokenAuth_throwsException_ifUserNotExists()
+    {
+        $this->model->addTokenAuth('foobar', 'token', 'MyDescription', '2020-01-02 03:04:05', '2030-01-05 03:04:05');
+    }
+
+    /**
+     * @expectedException  \Exception
+     * @expectedExceptionMessage  Duplicate entry
+     */
+    public function test_addTokenAuth_throwsException_FailsAddingSameTwice()
+    {
+        $this->model->addTokenAuth($this->login, 'token', 'My description', '2020-01-02 03:04:05');
+        $this->model->addTokenAuth($this->login, 'token', 'My duplicate', '2020-01-03 03:04:05');
+    }
+
+    public function test_addTokenAuth_returnsId()
+    {
+        $id = $this->model->addTokenAuth($this->login, 'token', 'MyDescription', '2020-01-02 03:04:05');
+        $this->assertEquals(1, $id);
+        $id = $this->model->addTokenAuth($this->login, 'token2', 'MyDescription', '2020-01-02 03:04:05');
+        $this->assertEquals(2, $id);
+    }
+
+    /**
+     * @expectedException  \Exception
+     * @expectedExceptionMessage  General_ValidatorErrorEmptyValue
+     */
+    public function test_addTokenAuth_throwsException_NoDescription()
+    {
+        $this->model->addTokenAuth($this->login, 'token', '', '2020-01-02 03:04:05');
+    }
+
+    public function test_getAllNonSystemTokensForLogin_doesNotReturnSystemTokens()
+    {
+        $this->model->addTokenAuth($this->login, 'token2', 'api usage token', '2020-01-02 03:04:05', null, true);
+        $tokens = $this->model->getAllNonSystemTokensForLogin($this->login);
+        $this->assertEquals(array(), $tokens);
+    }
+
+    public function test_getAllNonSystemTokensForLogin_doesNotReturnExpiredTokens()
+    {
+        $this->model->addTokenAuth($this->login, 'token2', 'api usage token', '2020-01-02 03:04:05', '2019-01-05 03:04:05');
+        $tokens = $this->model->getAllNonSystemTokensForLogin($this->login);
+        $this->assertEquals(array(), $tokens);
+    }
+
+    public function test_getAllNonSystemTokensForLogin_returnsNotExpiredToken()
+    {
+        $this->model->addTokenAuth($this->login, 'token', 'MyDescription', '2020-01-02 03:04:05', '2030-01-05 03:04:05');
+        $tokens = $this->model->getAllNonSystemTokensForLogin($this->login);
+        $this->assertEquals(array(array(
+            'idusertokenauth' => '1',
+            'login' => 'userLogin',
+            'description' => 'MyDescription',
+            'password' => '2265daba0872fc3aef169d079365e590f0cbc8ed46c2a7984c8a642803cfd96cb47804a63cf22a79f6ca469268c29ee9e72a5059b62d0a598fe42dfc8dcc51bc',
+            'hash_algo' => 'sha512',
+            'system_token' => '0',
+            'last_used' => null,
+            'date_created' => '2020-01-02 03:04:05',
+            'date_expired' => '2030-01-05 03:04:05'
+        )), $tokens);
+    }
+
+    public function test_getUserByTokenAuth_findsUserWhenTokenNotYetExpired()
+    {
+        $this->model->addTokenAuth($this->login, 'token', 'MyDescription', '2020-01-02 03:04:05', '2030-01-05 03:04:05');
+        $user = $this->model->getUserByTokenAuth('token');
+        $this->assertSame($this->login, $user['login']);
+    }
+
+    public function test_getUserByTokenAuth_findsUserWhenNoExpireDateSet()
+    {
+        $this->model->addTokenAuth($this->login, 'token', 'MyDescription', '2020-01-02 03:04:05');
+        $user = $this->model->getUserByTokenAuth('token');
+        $this->assertSame($this->login, $user['login']);
+    }
+
+    public function test_getUserByTokenAuth_notFindsUserWhenTokenIsExpired()
+    {
+        $this->model->addTokenAuth($this->login, 'token', 'MyDescription', '2020-01-02 03:04:05', '2019-03-04 00:05:06');
+        $user = $this->model->getUserByTokenAuth('token');
+        $this->assertEmpty($user);
+    }
+
+    public function test_getUserByTokenAuth_findsUserWhenTokenIsSystemToken()
+    {
+        $this->model->addTokenAuth($this->login, 'token', 'MyDescription', '2020-01-02 03:04:05', null, true);
+        $user = $this->model->getUserByTokenAuth('token');
+        $this->assertSame($this->login, $user['login']);
+    }
+
+    public function test_generateRandomTokenAuth_correctFormat()
+    {
+        $token = $this->model->generateRandomTokenAuth();
+        $this->assertSame(32, strlen($token));
+        $this->assertTrue(ctype_xdigit($token));
+    }
+
+    public function test_generateRandomTokenAuth_isAlwaysDifferent()
+    {
+        $this->assertNotEquals($this->model->generateRandomTokenAuth(), $this->model->generateRandomTokenAuth());
+    }
+
+    public function test_hashTokenAuth()
+    {
+        $this->assertSame('2265daba0872fc3aef169d079365e590f0cbc8ed46c2a7984c8a642803cfd96cb47804a63cf22a79f6ca469268c29ee9e72a5059b62d0a598fe42dfc8dcc51bc', $this->model->hashTokenAuth('token'));
+        $this->assertSame('02c2e43dcb393097a1221465812a4e9b1e1e80f16e92b313fd4ce8c5ee5b8272a17cd8cdc1ce63578494eaba739c6f7abba7890506ef6bf8d607538778f2a849', $this->model->hashTokenAuth('token2'));
+    }
+
+    public function test_getAllHashedTokensForLogins_noLoginsSet()
+    {
+        $this->assertSame(array(), $this->model->getAllHashedTokensForLogins(array()));
+    }
+
+    public function test_getAllHashedTokensForLogins_noTokensExist()
+    {
+        $this->assertSame(array(), $this->model->getAllHashedTokensForLogins(array('foo', 'bar')));
+    }
+
+    public function test_getAllHashedTokensForLogins()
+    {
+        $this->model->addTokenAuth($this->login, 'token', 'MyDescription', '2020-01-02 03:04:05', null, true);
+        $this->model->addTokenAuth($this->login, 'token2', 'MyDescription', '2020-01-02 03:04:05', null, false);
+        // does not return expired tokens
+        $this->model->addTokenAuth($this->login, 'token3', 'MyDescription', '2020-01-02 03:04:05', '2019-02-03 00:01:02', true);
+
+        $this->assertSame(array(), $this->model->getAllHashedTokensForLogins(array('foo', 'bar')));
+
+        $this->assertSame(array(
+            '2265daba0872fc3aef169d079365e590f0cbc8ed46c2a7984c8a642803cfd96cb47804a63cf22a79f6ca469268c29ee9e72a5059b62d0a598fe42dfc8dcc51bc',
+            '02c2e43dcb393097a1221465812a4e9b1e1e80f16e92b313fd4ce8c5ee5b8272a17cd8cdc1ce63578494eaba739c6f7abba7890506ef6bf8d607538778f2a849'
+        ), $this->model->getAllHashedTokensForLogins(array('foo', $this->login, 'bar')));
+    }
+
+    public function test_deleteToken()
+    {
+        $id1 = $this->model->addTokenAuth($this->login, 'token', 'MyDescription1', '2020-01-02 03:04:05');
+        $id2 = $this->model->addTokenAuth($this->login, 'token2', 'MyDescription2', '2020-01-03 03:04:05');
+
+        // should not have deleted anything as it doesn't match
+        $this->model->deleteToken(999, $this->login);
+        $this->model->deleteToken($id1, 'foobar');
+
+        $tokens = $this->model->getAllNonSystemTokensForLogin($this->login);
+        $this->assertCount(2, $tokens);
+        $this->assertEquals($id1, $tokens[0]['idusertokenauth']);
+        $this->assertEquals($id2, $tokens[1]['idusertokenauth']);
+
+        // should only delete that id
+        $this->model->deleteToken($id1, $this->login);
+
+        $tokens = $this->model->getAllNonSystemTokensForLogin($this->login);
+        $this->assertCount(1, $tokens);
+        $this->assertEquals($id2, $tokens[0]['idusertokenauth']);
+    }
+
+    public function test_deleteAllTokensForUser()
+    {
+        $this->model->addTokenAuth($this->login, 'token', 'MyDescription1', '2020-01-02 03:04:05');
+        $this->model->addTokenAuth($this->login, 'token2', 'MyDescription2', '2020-01-03 03:04:05');
+        $this->model->addTokenAuth($this->login2, 'token3', 'MyDescription2', '2020-01-03 03:04:05');
+
+        // should not have deleted anything as it doesn't match
+        $this->model->deleteAllTokensForUser('foobar');
+
+        $this->assertCount(2, $this->model->getAllNonSystemTokensForLogin($this->login));
+        $this->assertCount(1, $this->model->getAllNonSystemTokensForLogin($this->login2));
+
+        // should only delete tokens for that login
+        $this->model->deleteAllTokensForUser($this->login);
+
+        $tokens = $this->model->getAllNonSystemTokensForLogin($this->login);
+        $this->assertCount(0, $this->model->getAllNonSystemTokensForLogin($this->login));
+        $this->assertCount(1, $this->model->getAllNonSystemTokensForLogin($this->login2));
+    }
+
+    public function test_setTokenAuthWasUsed()
+    {
+        $this->model->addTokenAuth($this->login, 'token2', 'MyDescription', '2020-01-02 03:04:05');
+        $this->model->setTokenAuthWasUsed('token2',  '2025-01-02 03:04:05');
+
+        $tokens = $this->model->getAllNonSystemTokensForLogin($this->login);
+        $this->assertSame('2025-01-02 03:04:05', $tokens[0]['last_used']);
+    }
+
+    public function test_setTokenAuthWasUsed_doesNotFailWhenTokenNotExists()
+    {
+        $this->model->setTokenAuthWasUsed('tokenFooBar',  '2025-01-02 03:04:05');
+    }
+
+    public function test_deleteExpiredTokens()
+    {
+        $id1 = $this->model->addTokenAuth($this->login, 'token', 'MyDescription1', '2020-01-01 03:04:05', '2020-01-02 03:04:05');
+        $id2 = $this->model->addTokenAuth($this->login, 'token2', 'MyDescription2', '2020-01-02 03:04:05');
+        $id3 = $this->model->addTokenAuth($this->login, 'token3', 'MyDescription3', '2020-01-03 03:04:05', '2022-01-02 03:04:05');
+        $id4 = $this->model->addTokenAuth($this->login2, 'token4', 'MyDescription4', '2020-01-04 03:04:05', '2024-01-02 03:04:05');
+        $id5 = $this->model->addTokenAuth($this->login2, 'token5', 'MyDescription5', '2020-01-05 03:04:05');
+        $id6 = $this->model->addTokenAuth($this->login2, 'token6', 'MyDescription6', '2020-01-06 03:04:05', '2018-01-02 03:04:05');
+
+        // id1 and id6 are expired and should have been deleted
+        $this->model->deleteExpiredTokens('2021-01-02 03:04:05');
+
+        $tokens = $this->model->getAllNonSystemTokensForLogin($this->login);
+        $this->assertSame($id2, $tokens[0]['idusertokenauth']);
+        $this->assertSame($id3, $tokens[1]['idusertokenauth']);
+        $this->assertCount(2, $tokens);
+
+        $tokens = $this->model->getAllNonSystemTokensForLogin($this->login2);
+        $this->assertSame($id4, $tokens[0]['idusertokenauth']);
+        $this->assertSame($id5, $tokens[1]['idusertokenauth']);
+        $this->assertCount(2, $tokens);
+    }
+
 }
diff --git a/plugins/UsersManager/tests/Integration/UserAccessFilterTest.php b/plugins/UsersManager/tests/Integration/UserAccessFilterTest.php
index 86c150e2eda..5dacff9e16a 100644
--- a/plugins/UsersManager/tests/Integration/UserAccessFilterTest.php
+++ b/plugins/UsersManager/tests/Integration/UserAccessFilterTest.php
@@ -283,16 +283,16 @@ private function getAllLogins()
 
     private function createManyUsers()
     {
-        $this->model->addUser('login1', md5('pass'), 'email1@example.com', 'alias1', md5('token1'), '2008-01-01 00:00:00');
-        $this->model->addUser('login2', md5('pass'), 'email2@example.com', 'alias2', md5('token2'), '2008-01-01 00:00:00');
+        $this->model->addUser('login1', md5('pass'), 'email1@example.com', 'alias1', '2008-01-01 00:00:00');
+        $this->model->addUser('login2', md5('pass'), 'email2@example.com', 'alias2', '2008-01-01 00:00:00');
         // login3 won't have access to any site
-        $this->model->addUser('login3', md5('pass'), 'email3@example.com', 'alias3', md5('token3'), '2008-01-01 00:00:00');
-        $this->model->addUser('login4', md5('pass'), 'email4@example.com', 'alias4', md5('token4'), '2008-01-01 00:00:00');
-        $this->model->addUser('login5', md5('pass'), 'email5@example.com', 'alias5', md5('token5'), '2008-01-01 00:00:00');
-        $this->model->addUser('login6', md5('pass'), 'email6@example.com', 'alias6', md5('token6'), '2008-01-01 00:00:00');
-        $this->model->addUser('login7', md5('pass'), 'email7@example.com', 'alias7', md5('token7'), '2008-01-01 00:00:00');
-        $this->model->addUser('login8', md5('pass'), 'email8@example.com', 'alias8', md5('token8'), '2008-01-01 00:00:00');
-        $this->model->addUser('anonymous', '',       'ano@example.com',   'anonymous', 'anonymous', '2008-01-01 00:00:00');
+        $this->model->addUser('login3', md5('pass'), 'email3@example.com', 'alias3', '2008-01-01 00:00:00');
+        $this->model->addUser('login4', md5('pass'), 'email4@example.com', 'alias4', '2008-01-01 00:00:00');
+        $this->model->addUser('login5', md5('pass'), 'email5@example.com', 'alias5', '2008-01-01 00:00:00');
+        $this->model->addUser('login6', md5('pass'), 'email6@example.com', 'alias6', '2008-01-01 00:00:00');
+        $this->model->addUser('login7', md5('pass'), 'email7@example.com', 'alias7', '2008-01-01 00:00:00');
+        $this->model->addUser('login8', md5('pass'), 'email8@example.com', 'alias8', '2008-01-01 00:00:00');
+        $this->model->addUser('anonymous', '',       'ano@example.com',   'anonymous', '2008-01-01 00:00:00');
 
         $this->model->setSuperUserAccess('login1', true); // we treat this one as our superuser
 
diff --git a/plugins/UsersManager/tests/Integration/UsersManagerTest.php b/plugins/UsersManager/tests/Integration/UsersManagerTest.php
index d7ae784bf17..2a66f9dad29 100644
--- a/plugins/UsersManager/tests/Integration/UsersManagerTest.php
+++ b/plugins/UsersManager/tests/Integration/UsersManagerTest.php
@@ -109,11 +109,6 @@ private function _checkUserHasNotChanged($user, $newPassword, $newEmail = null,
         unset($userAfter['password']);
 
         // implicitly checks password!
-        $userModel = $this->model->getUser($user['login']);
-        $userAfter['token_auth'] = $userModel['token_auth'];
-
-        $user['token_auth'] = $this->api->getTokenAuth($user["login"], md5($newPassword));
-
         $user['email']            = $newEmail;
         $user['alias']            = $newAlias;
         $user['superuser_access'] = 0;
@@ -282,12 +277,6 @@ public function testAddUser()
         // check that password and token are properly set
         $this->assertEquals(60, strlen($user['password']));
 
-        $userModel = $this->model->getUser($login);
-        $this->assertEquals(32, strlen($userModel['token_auth']));
-
-        $userModel = $this->model->getUser($login);
-        $this->assertEquals($userModel['token_auth'], $this->api->getTokenAuth($login, UsersManager::getPasswordHash($password)));
-
         // check that all fields are the same
         $this->assertEquals($login, $user['login']);
         $this->assertEquals($email, $user['email']);
diff --git a/plugins/UsersManager/tests/System/ApiTest.php b/plugins/UsersManager/tests/System/ApiTest.php
index 0a7d808ffbb..5908f9245c5 100644
--- a/plugins/UsersManager/tests/System/ApiTest.php
+++ b/plugins/UsersManager/tests/System/ApiTest.php
@@ -8,6 +8,9 @@
 
 namespace Piwik\Plugins\UsersManager\tests\System;
 
+use Piwik\Date;
+use Piwik\Plugins\UsersManager\API;
+use Piwik\Plugins\UsersManager\Model;
 use Piwik\Plugins\UsersManager\tests\Fixtures\ManyUsers;
 use Piwik\Tests\Framework\TestCase\SystemTestCase;
 
@@ -23,6 +26,24 @@ class ApiTest extends SystemTestCase
      */
     public static $fixture = null; // initialized below class definition
 
+    /**
+     * @var API
+     */
+    private $api;
+
+    /**
+     * @var Model
+     */
+    private $model;
+
+    public function setUp() : void
+    {
+        parent::setUp(); // TODO: Change the autogenerated stub
+
+        $this->api = API::getInstance();
+        $this->model = new Model();
+    }
+
     /**
      * @dataProvider getApiForTesting
      */
@@ -62,6 +83,81 @@ public function getApiForTesting()
         return $apiToTest;
     }
 
+    public function test_createAppSpecificTokenAuth()
+    {
+        $this->model->deleteAllTokensForUser('login1');
+        $token = $this->api->createAppSpecificTokenAuth('login1', md5('password'), 'test');
+        $this->assertMd5($token);
+
+        $user = $this->model->getUserByTokenAuth($token);
+        $this->assertSame('login1', $user['login']);
+    }
+
+    public function test_createAppSpecificTokenAuth_canLoginByEmail()
+    {
+        $this->model->deleteAllTokensForUser('login1');
+        $token = $this->api->createAppSpecificTokenAuth('login1@example.com', md5('password'), 'test');
+        $this->assertMd5($token);
+
+        $user = $this->model->getUserByTokenAuth($token);
+        $this->assertSame('login1', $user['login']);
+    }
+
+    /**
+     * @expectedException \Exception
+     * @expectedExceptionMessage  is expecting a MD5-hashed password
+     */
+    public function test_createAppSpecificTokenAuth_notValidPasswordFormat()
+    {
+        $this->api->createAppSpecificTokenAuth('login1', 'foobar', 'test');
+    }
+
+    public function test_createAppSpecificTokenAuth_generatesRandomTokenWhenPasswordNotValid()
+    {
+        $this->model->deleteAllTokensForUser('login1');
+        $token = $this->api->createAppSpecificTokenAuth('login1', md5('foooooo'), 'test');
+        $this->assertMd5($token);
+
+        $user = $this->model->getUserByTokenAuth($token);
+        $this->assertEmpty($user);
+    }
+
+    public function test_createAppSpecificTokenAuth_withExpireDate()
+    {
+        $this->model->deleteAllTokensForUser('login1');
+        $token = $this->api->createAppSpecificTokenAuth('login1', md5('password'), 'test', '2026-01-02 03:04:05');
+        $this->assertMd5($token);
+
+        $tokens = $this->model->getAllNonSystemTokensForLogin('login1');
+        $this->assertEquals($this->model->hashTokenAuth($token), $tokens[0]['password']);
+        $this->assertEquals('login1', $tokens[0]['login']);
+        $this->assertEquals('test', $tokens[0]['description']);
+        $this->assertEquals('2026-01-02 03:04:05', $tokens[0]['date_expired']);
+    }
+
+    public function test_createAppSpecificTokenAuth_withExpireHours()
+    {
+        $expireInHours = 48;
+        $this->model->deleteAllTokensForUser('login1');
+        $token = $this->api->createAppSpecificTokenAuth('login1', md5('password'), 'test', null, $expireInHours);
+        $this->assertMd5($token);
+
+        $tokens = $this->model->getAllNonSystemTokensForLogin('login1');
+        $this->assertEquals($this->model->hashTokenAuth($token), $tokens[0]['password']);
+        $this->assertEquals('login1', $tokens[0]['login']);
+        $this->assertNotEmpty($tokens[0]['date_expired']);
+
+        $dateExpired = Date::factory($tokens[0]['date_expired']);
+        $dateExpired->isLater(Date::now()->addHour($expireInHours - 1 ));
+        $dateExpired->isEarlier(Date::now()->addHour($expireInHours + 1));
+    }
+
+    private function assertMd5($string)
+    {
+        $this->assertSame(32, strlen($string));
+        $this->assertTrue(ctype_xdigit($string));
+    }
+
     public static function getOutputPrefix()
     {
         return '';
diff --git a/plugins/UsersManager/tests/UI/UserSettings_spec.js b/plugins/UsersManager/tests/UI/UserSettings_spec.js
index 190673c6ca4..1f4dc719b0f 100644
--- a/plugins/UsersManager/tests/UI/UserSettings_spec.js
+++ b/plugins/UsersManager/tests/UI/UserSettings_spec.js
@@ -11,7 +11,8 @@ describe("UserSettings", function () {
     this.timeout(0);
     this.fixture = "Piwik\\Plugins\\UsersManager\\tests\\Fixtures\\ManyUsers";
 
-    var url = "?module=UsersManager&action=userSettings";
+    var userSettingsUrl = "?module=UsersManager&action=userSettings";
+    var userSecurityUrl = "?module=UsersManager&action=userSecurity";
 
     before(async function() {
         await page.webpage.setViewport({
@@ -20,8 +21,35 @@ describe("UserSettings", function () {
         });
     });
 
+    it('should show user security page', async function () {
+        await page.goto(userSecurityUrl);
+        expect(await page.screenshotSelector('.admin')).to.matchImage('load_security');
+    });
+
+    it('should ask for password when trying to add token', async function () {
+        await page.click('.addNewToken');
+        await page.waitForNetworkIdle();
+        await page.waitForSelector('.loginSection');
+        expect(await page.screenshotSelector('.loginSection')).to.matchImage('add_token_check_password');
+    });
+
+    it('should accept correct password', async function () {
+        await page.type('#login_form_password', 'superUserPass');
+        await page.click('#login_form_submit');
+        await page.waitForNetworkIdle();
+        await page.waitForSelector('.addTokenForm');
+        expect(await page.screenshotSelector('.admin')).to.matchImage('add_token');
+    });
+
+    it('should create new token', async function () {
+        await page.type('.addTokenForm input[id=description]', 'test description');
+        await page.click('.addTokenForm .btn');
+        await page.waitForNetworkIdle();
+        expect(await page.screenshotSelector('.admin')).to.matchImage('add_token_success');
+    });
+
     it('should show user settings page', async function () {
-        await page.goto(url);
+        await page.goto(userSettingsUrl);
         expect(await page.screenshotSelector('.admin')).to.matchImage('load');
     });
 
@@ -34,7 +62,7 @@ describe("UserSettings", function () {
 
     it('should not prompt user to subscribe to newsletter again', async function () {
         // Assumes previous test has clicked on the signup button - so we shouldn't see it this time
-        await page.goto(url);
+        await page.goto(userSettingsUrl);
         expect(await page.screenshotSelector('.admin')).to.matchImage('already_signed_up');
     });
 
diff --git a/plugins/UsersManager/tests/UI/expected-screenshots/UserSettings_add_token.png b/plugins/UsersManager/tests/UI/expected-screenshots/UserSettings_add_token.png
new file mode 100644
index 00000000000..8f8b683dac1
--- /dev/null
+++ b/plugins/UsersManager/tests/UI/expected-screenshots/UserSettings_add_token.png
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:e0a217eaf00dd0e60598067698cdcff92c794433438122b07284c89093d84ae2
+size 30211
diff --git a/plugins/UsersManager/tests/UI/expected-screenshots/UserSettings_add_token_check_password.png b/plugins/UsersManager/tests/UI/expected-screenshots/UserSettings_add_token_check_password.png
new file mode 100644
index 00000000000..d511b3665a0
--- /dev/null
+++ b/plugins/UsersManager/tests/UI/expected-screenshots/UserSettings_add_token_check_password.png
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:bf4e7b2dd1d68df9db0826eb9051f796bf3c25426659a9e84792ae4879835f17
+size 13422
diff --git a/plugins/UsersManager/tests/UI/expected-screenshots/UserSettings_add_token_success.png b/plugins/UsersManager/tests/UI/expected-screenshots/UserSettings_add_token_success.png
new file mode 100644
index 00000000000..45a8da92a33
--- /dev/null
+++ b/plugins/UsersManager/tests/UI/expected-screenshots/UserSettings_add_token_success.png
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:c2117369cad613d3fccc5848a29ec09212a49a355266db0f57058cd7af639544
+size 19921
diff --git a/plugins/UsersManager/tests/UI/expected-screenshots/UserSettings_load_security.png b/plugins/UsersManager/tests/UI/expected-screenshots/UserSettings_load_security.png
new file mode 100644
index 00000000000..f0312d59588
--- /dev/null
+++ b/plugins/UsersManager/tests/UI/expected-screenshots/UserSettings_load_security.png
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:13053d0f3133b73a4f4c9cff719d1c6cd735dfffda162e7e775acb1db6b81162
+size 115909
diff --git a/plugins/Widgetize/templates/index.twig b/plugins/Widgetize/templates/index.twig
index 3c4d1529e07..2ab204877c8 100644
--- a/plugins/Widgetize/templates/index.twig
+++ b/plugins/Widgetize/templates/index.twig
@@ -21,8 +21,8 @@
         If you want your widgets to be viewable by everybody, you first have to set the 'view' permissions
         to the anonymous user in the <a href='index.php?module=UsersManager' rel='noreferrer noopener' target='_blank'>Users Management section</a>.
         <br/>Alternatively, if you are publishing widgets on a password protected or private page,
-        you don't necessarily have to allow 'anonymous' to view your reports. In this case, you can add the secret token_auth parameter (found in the
-        <a href='{{ linkTo({'module':'API','action':'listAllAPI'}) }}' rel='noreferrer noopener' target='_blank'>API page</a>) in the widget URL.
+        you don't necessarily have to allow 'anonymous' to view your reports. In this case, you can add the secret <code>token_auth</code> parameter in the widget URL.
+        You can manage your auth tokens on your <a href='{{ linkTo({'module':'UsersManager','action':'userSecurity'}) }}' rel='noreferrer noopener' target='_blank'>Security page</a>.
     </p>
 </div>
 <div piwik-content-block content-title="Widgetize dashboards">
diff --git a/tests/PHPUnit/Fixtures/OmniFixture.php b/tests/PHPUnit/Fixtures/OmniFixture.php
index 626580574cf..10730fc6743 100644
--- a/tests/PHPUnit/Fixtures/OmniFixture.php
+++ b/tests/PHPUnit/Fixtures/OmniFixture.php
@@ -12,6 +12,7 @@
 use Piwik\Date;
 use Piwik\Db;
 use Piwik\Option;
+use Piwik\Plugins\UsersManager\Model;
 use ReflectionClass;
 use Piwik\Plugins\SitesManager\API as SitesManagerAPI;
 use Piwik\Tests\Framework\Fixture;
@@ -23,9 +24,11 @@
 class OmniFixture extends Fixture
 {
     const DEFAULT_SEGMENT = "browserCode==FF";
+    const OMNIFIXTURE_SUPERUSER_TOKEN = '9ad1de7f8b329ab919d854c556f860c1';
 
     public $month = '2012-01';
     public $idSite = 'all';
+
     public $dateTime = '2012-02-01';
 
     /**
@@ -122,6 +125,19 @@ private function adjustDateTime($dateTime, $adjustToDate)
         return $result;
     }
 
+    public static function getTokenAuth()
+    {
+        $model = new \Piwik\Plugins\UsersManager\Model();
+        $user  = $model->getUser(self::ADMIN_USER_LOGIN);
+
+        if (!empty($user)) {
+            if ($model->getUserByTokenAuth(self::OMNIFIXTURE_SUPERUSER_TOKEN)) {
+                return self::OMNIFIXTURE_SUPERUSER_TOKEN;
+            }
+        }
+        return parent::getTokenAuth();
+    }
+
     public function setUp(): void
     {
         $firstFixture = array_shift($this->fixtures);
@@ -135,7 +151,14 @@ public function setUp(): void
             $this->setUpFixture($fixture);
         }
 
-        Db::query(sprintf('UPDATE %s SET token_auth = "9ad1de7f8b329ab919d854c556f860c1" WHERE login = "superUserLogin"', Common::prefixTable('user')));
+        $model = new Model();
+
+        if (!$model->getUserByTokenAuth(self::OMNIFIXTURE_SUPERUSER_TOKEN)) {
+            $model->addTokenAuth(self::ADMIN_USER_LOGIN, self::OMNIFIXTURE_SUPERUSER_TOKEN, 'omnifixture token', Date::now()->getDatetime());
+        }
+        if (!$model->getUserByTokenAuth(self::ADMIN_USER_TOKEN)) {
+            $model->addTokenAuth(self::ADMIN_USER_LOGIN, self::ADMIN_USER_TOKEN, 'omnifixture token default', Date::now()->getDatetime());
+        }
 
         Option::set("Tests.forcedNowTimestamp", $this->now->getTimestamp());
     }
diff --git a/tests/PHPUnit/Fixtures/SqlDump.php b/tests/PHPUnit/Fixtures/SqlDump.php
index 94cddf0bc59..abfcb313380 100644
--- a/tests/PHPUnit/Fixtures/SqlDump.php
+++ b/tests/PHPUnit/Fixtures/SqlDump.php
@@ -63,7 +63,9 @@ public function setUp(): void
         $host = Config::getInstance()->database['host'];
         Config::getInstance()->database['tables_prefix'] = $this->tablesPrefix;
 
-        $cmd = "mysql -h \"$host\" -u \"$user\" \"--password=$password\" {$this->dbName} < \"" . $deflatedDumpPath . "\" 2>&1";
+        $defaultsFile = $this->makeMysqlDefaultsFile($user, $password);
+
+        $cmd = "mysql --defaults-extra-file=\"$defaultsFile\" -h \"$host\" {$this->dbName} < \"" . $deflatedDumpPath . "\" 2>&1";
         exec($cmd, $output, $return);
         if ($return !== 0) {
             throw new Exception("Failed to load sql dump: " . implode("\n", $output));
@@ -105,4 +107,16 @@ protected function downloadDumpInPath($dumpPath)
         fclose($outfile);
         return $bytesRead;
     }
+
+    private function makeMysqlDefaultsFile($user, $password)
+    {
+        $contents = "[client]
+user=$user
+password=$password\n";
+
+        $path = PIWIK_INCLUDE_PATH . '/mysqldefaults.conf';
+        file_put_contents($path, $contents);
+
+        return $path;
+    }
 }
\ No newline at end of file
diff --git a/tests/PHPUnit/Fixtures/UITestFixture.php b/tests/PHPUnit/Fixtures/UITestFixture.php
index dd4dadea0a2..1d0cc5ff5c5 100644
--- a/tests/PHPUnit/Fixtures/UITestFixture.php
+++ b/tests/PHPUnit/Fixtures/UITestFixture.php
@@ -35,6 +35,7 @@
 use Piwik\Plugins\UserCountry\LocationProvider;
 use Piwik\Plugins\UsersManager\API as UsersManagerAPI;
 use Piwik\Plugins\SitesManager\API as SitesManagerAPI;
+use Piwik\Plugins\UsersManager\Model;
 use Piwik\Plugins\UsersManager\UserUpdater;
 use Piwik\Plugins\VisitsSummary\API as VisitsSummaryAPI;
 use Piwik\ReportRenderer;
@@ -85,6 +86,8 @@ public function setUp(): void
         LocationProvider::setCurrentProvider(GeoIp2\Php::ID);
         IPAnonymizer::deactivate();
 
+        self::createSuperUser(false);
+
         $this->addOverlayVisits();
         $this->addNewSitesForSiteSelector();
 
@@ -137,6 +140,8 @@ public function performSetUp($setupEnvironmentOnly = false)
 
         parent::performSetUp($setupEnvironmentOnly);
 
+        self::createSuperUser(false);
+
         $this->createSegments();
         $this->setupDashboards();
 
@@ -299,7 +304,7 @@ public function setupDashboards()
 
         $oldGet = $_GET;
         $_GET['idSite'] = 1;
-        $_GET['token_auth'] = Piwik::getCurrentUserTokenAuth();
+        $_GET['token_auth'] = \Piwik\Piwik::getCurrentUserTokenAuth();
 
         // collect widgets & sort them so widget order is not important
         $allWidgets = Request::processRequest('API.getWidgetMetadata', array(
diff --git a/tests/PHPUnit/Framework/Fixture.php b/tests/PHPUnit/Framework/Fixture.php
index 307daa838ce..5fb6dae988c 100644
--- a/tests/PHPUnit/Framework/Fixture.php
+++ b/tests/PHPUnit/Framework/Fixture.php
@@ -81,6 +81,7 @@ class Fixture extends \PHPUnit\Framework\Assert
 
     const ADMIN_USER_LOGIN = 'superUserLogin';
     const ADMIN_USER_PASSWORD = 'superUserPass';
+    const ADMIN_USER_TOKEN = 'c4ca4238a0b923820dcc509a6f75849b';
 
     const PERSIST_FIXTURE_DATA_ENV = 'PERSIST_FIXTURE_DATA';
 
@@ -716,7 +717,9 @@ public static function getTokenAuth()
         $model = new \Piwik\Plugins\UsersManager\Model();
         $user  = $model->getUser(self::ADMIN_USER_LOGIN);
 
-        return $user['token_auth'];
+        if (!empty($user)) {
+            return self::ADMIN_USER_TOKEN;
+        }
     }
 
     public static function createSuperUser($removeExisting = true)
@@ -725,7 +728,6 @@ public static function createSuperUser($removeExisting = true)
 
         $login    = self::ADMIN_USER_LOGIN;
         $password = $passwordHelper->hash(UsersManager::getPasswordHash(self::ADMIN_USER_PASSWORD));
-        $token    = APIUsersManager::getInstance()->createTokenAuth($login);
 
         $model = new \Piwik\Plugins\UsersManager\Model();
         $user  = $model->getUser($login);
@@ -734,19 +736,26 @@ public static function createSuperUser($removeExisting = true)
             $model->deleteUserOnly($login);
         }
 
-        if (!empty($user) && !$removeExisting) {
-            $token = $user['token_auth'];
-        }
         if (empty($user) || $removeExisting) {
-            $model->addUser($login, $password, 'hello@example.org', $login, $token, Date::now()->getDatetime());
+            $model->addUser($login, $password, 'hello@example.org', $login, Date::now()->getDatetime());
         } else {
-            $model->updateUser($login, $password, 'hello@example.org', $login, $token);
+            $model->updateUser($login, $password, 'hello@example.org', $login);
+        }
+        try {
+            if (!$model->getUserByTokenAuth(self::ADMIN_USER_TOKEN)) {
+                $model->addTokenAuth($login,self::ADMIN_USER_TOKEN, 'Admin user token', Date::now()->getDatetime());
+            }
+        } catch (Exception $e) {
+            // duplicate entry errors are expected
+            if (strpos($e->getMessage(), 'Duplicate entry') === false) {
+                throw $e;
+            }
         }
 
         $setSuperUser = empty($user) || !empty($user['superuser_access']);
         $model->setSuperUserAccess($login, $setSuperUser);
 
-        return $model->getUserByTokenAuth($token);
+        return $model->getUser($login);
     }
 
     /**
diff --git a/tests/PHPUnit/Integration/FrontControllerTest.php b/tests/PHPUnit/Integration/FrontControllerTest.php
index ca666618d21..dd9afe0e797 100644
--- a/tests/PHPUnit/Integration/FrontControllerTest.php
+++ b/tests/PHPUnit/Integration/FrontControllerTest.php
@@ -48,9 +48,8 @@ public function test_thrownExceptionInFrontControllerPrintsBacktrace()
         $this->assertEquals('error', $response['result']);
 
         $expectedFormat = <<<FORMAT
-test message on {includePath}/tests/resources/trigger-fatal-exception.php(23) #0 [internal function]: {closure}('CoreHome', 'index', Array) #1 {includePath}/core/EventDispatcher.php(141): call_user_func_array(Object(Closure), Array) #2 {includePath}/core/Piwik.php(756): Piwik\EventDispatcher-&gt;postEvent('Request.dispatc...', Array, false, Array) #3 {includePath}/core/FrontController.php(570): Piwik\Piwik::postEvent('Request.dispatc...', Array) #4 {includePath}/core/FrontController.php(165): Piwik\FrontController-&gt;doDispatch('CoreHome', 'index', Array) #5 {includePath}/tests/resources/trigger-fatal-exception.php(31): Piwik\FrontController-&gt;dispatch('CoreHome', 'index') #6 {main}
+test message on {includePath}/tests/resources/trigger-fatal-exception.php(23) #0 [internal function]: {closure}('CoreHome', 'index', Array) #1 {includePath}/core/EventDispatcher.php(141): call_user_func_array(Object(Closure), Array) #2 {includePath}/core/Piwik.php(802): Piwik\EventDispatcher-&gt;postEvent('Request.dispatc...', Array, false, Array) #3 {includePath}/core/FrontController.php(570): Piwik\Piwik::postEvent('Request.dispatc...', Array) #4 {includePath}/core/FrontController.php(165): Piwik\FrontController-&gt;doDispatch('CoreHome', 'index', Array) #5 {includePath}/tests/resources/trigger-fatal-exception.php(31): Piwik\FrontController-&gt;dispatch('CoreHome', 'index') #6 {main}
 FORMAT;
-
         $this->assertStringMatchesFormat($expectedFormat, $response['message']);
     }
 
@@ -64,7 +63,7 @@ public function test_authImplementationConfigured_EvenIfSessionAuthSucceeds()
         Access::getInstance()->setSuperUserAccess(false);
 
         $sessionFingerprint = new SessionFingerprint();
-        $sessionFingerprint->initialize('superUserLogin');
+        $sessionFingerprint->initialize('superUserLogin', Fixture::getTokenAuth());
 
         FrontController::getInstance()->init();
 
diff --git a/tests/PHPUnit/Integration/Session/SessionAuthTest.php b/tests/PHPUnit/Integration/Session/SessionAuthTest.php
index 4f4c7eccb33..9225f6d425f 100644
--- a/tests/PHPUnit/Integration/Session/SessionAuthTest.php
+++ b/tests/PHPUnit/Integration/Session/SessionAuthTest.php
@@ -135,7 +135,7 @@ public function test_authenticate_ReturnsFailure_IfSessionIsExpiredWhenRememberM
     private function initializeSession($userLogin, $isRemembered = false)
     {
         $sessionFingerprint = new SessionFingerprint();
-        $sessionFingerprint->initialize($userLogin, $isRemembered);
+        $sessionFingerprint->initialize($userLogin, Fixture::getTokenAuth(), $isRemembered);
     }
 
     protected static function configureFixture($fixture)
diff --git a/tests/PHPUnit/Integration/Tracker/RequestTest.php b/tests/PHPUnit/Integration/Tracker/RequestTest.php
index 2de6b0e92f2..2323420e3da 100644
--- a/tests/PHPUnit/Integration/Tracker/RequestTest.php
+++ b/tests/PHPUnit/Integration/Tracker/RequestTest.php
@@ -395,11 +395,12 @@ private function createAdminUserForSite($idSite)
         $login = 'myadmin';
         $passwordHash = UsersManager::getPasswordHash('password');
 
-        $token = API::getInstance()->createTokenAuth($login);
-
         $user = new Model();
-        $user->addUser($login, $passwordHash, 'admin@piwik', 'alias', $token, '2014-01-01 00:00:00');
+        $token = $user->generateRandomTokenAuth();
+
+        $user->addUser($login, $passwordHash, 'admin@piwik', 'alias', '2014-01-01 00:00:00');
         $user->addUserAccess($login, 'admin', array($idSite));
+        $user->addTokenAuth($login, $token, 'createAdminUserForSite', '2014-01-01 00:00:00');
 
         return $token;
     }
diff --git a/tests/PHPUnit/System/AllWebsitesTest.php b/tests/PHPUnit/System/AllWebsitesTest.php
index eaa6f08e16b..4c936c01d8c 100644
--- a/tests/PHPUnit/System/AllWebsitesTest.php
+++ b/tests/PHPUnit/System/AllWebsitesTest.php
@@ -35,7 +35,7 @@ private static function createUser()
             UsersManagerAPI::getInstance()->addUser('limitedUser', 'smartypants', 'user@limited.com');
             UsersManagerAPI::getInstance()->setUserAccess('limitedUser', 'view', array(2, 3));
             $userModel = new UsersManagerModel();
-            $userModel->updateUserTokenAuth('limitedUser', self::$userTokenAuth);
+            $userModel->addTokenAuth('limitedUser', self::$userTokenAuth, 'desc', '2020-01-02 03:04:05');
         }
     }
 
diff --git a/tests/PHPUnit/Unit/CommonTest.php b/tests/PHPUnit/Unit/CommonTest.php
index a09c68aa73c..7a3975420d2 100644
--- a/tests/PHPUnit/Unit/CommonTest.php
+++ b/tests/PHPUnit/Unit/CommonTest.php
@@ -24,6 +24,7 @@
  */
 class CommonTest extends TestCase
 {
+
     public function test_getProcessId()
     {
         $this->assertEquals(getmypid(), Common::getProcessId());
diff --git a/tests/PHPUnit/Unit/Session/SessionFingerprintTest.php b/tests/PHPUnit/Unit/Session/SessionFingerprintTest.php
index 62c50bd062b..3bc43a0a70d 100644
--- a/tests/PHPUnit/Unit/Session/SessionFingerprintTest.php
+++ b/tests/PHPUnit/Unit/Session/SessionFingerprintTest.php
@@ -12,6 +12,7 @@
 
 use Piwik\Date;
 use Piwik\Session\SessionFingerprint;
+use Piwik\Tests\Framework\Fixture;
 
 class SessionFingerprintTest extends \PHPUnit\Framework\TestCase
 {
@@ -64,9 +65,10 @@ public function test_getUserInfo_ReturnsNull_WhenSessionVarIsNotSet()
 
     public function test_initialize_SetsSessionVarsToCurrentRequest()
     {
-        $this->testInstance->initialize('testuser', true, self::TEST_TIME_VALUE);
+        $this->testInstance->initialize('testuser', Fixture::ADMIN_USER_TOKEN, true, self::TEST_TIME_VALUE);
 
         $this->assertEquals('testuser', $_SESSION[SessionFingerprint::USER_NAME_SESSION_VAR_NAME]);
+        $this->assertEquals(Fixture::ADMIN_USER_TOKEN, $_SESSION[SessionFingerprint::SESSION_INFO_TEMP_TOKEN_AUTH]);
         $this->assertEquals(
             ['ts' => self::TEST_TIME_VALUE, 'remembered' => true, 'expiration' => self::TEST_TIME_VALUE + 3600],
             $_SESSION[SessionFingerprint::SESSION_INFO_SESSION_VAR_NAME]
@@ -75,7 +77,7 @@ public function test_initialize_SetsSessionVarsToCurrentRequest()
 
     public function test_initialize_hasVerifiedTwoFactor()
     {
-        $this->testInstance->initialize('testuser', self::TEST_TIME_VALUE);
+        $this->testInstance->initialize('testuser', Fixture::ADMIN_USER_TOKEN, self::TEST_TIME_VALUE);
 
         // after logging in, the user has by default not verified two factor, important
         $this->assertFalse($this->testInstance->hasVerifiedTwoFactor());
@@ -87,7 +89,7 @@ public function test_initialize_hasVerifiedTwoFactor()
 
     public function test_updateSessionExpireTime_SetsANewExpirationTime()
     {
-        $this->testInstance->initialize('testuser', false, self::TEST_TIME_VALUE);
+        $this->testInstance->initialize('testuser', Fixture::ADMIN_USER_TOKEN, false, self::TEST_TIME_VALUE);
 
         Date::$now = self::TEST_TIME_VALUE + 100;
 
diff --git a/tests/UI/expected-screenshots/Menus_admin_changed.png b/tests/UI/expected-screenshots/Menus_admin_changed.png
index 5878a7921f7..3c5fed55d7e 100644
--- a/tests/UI/expected-screenshots/Menus_admin_changed.png
+++ b/tests/UI/expected-screenshots/Menus_admin_changed.png
@@ -1,3 +1,3 @@
 version https://git-lfs.github.com/spec/v1
-oid sha256:b7d4b7614c4f3a40b39951751a816bed9dcb047ab9ac54116a5c22ae6f0394bf
-size 58130
+oid sha256:59b7f618ddfa675ac6f7015e3a9e80126e174d0761ad874dc89725f36c943a22
+size 59289
diff --git a/tests/UI/expected-screenshots/Menus_admin_loaded.png b/tests/UI/expected-screenshots/Menus_admin_loaded.png
index ffe64f47081..6ef69198b9f 100644
--- a/tests/UI/expected-screenshots/Menus_admin_loaded.png
+++ b/tests/UI/expected-screenshots/Menus_admin_loaded.png
@@ -1,3 +1,3 @@
 version https://git-lfs.github.com/spec/v1
-oid sha256:7bc3958996fdec4854c6d6f744fdbcd68ec03be45463c12a949591632173048f
-size 58154
+oid sha256:d7c9df46e7a2ac1a4792ab4f12ba06ec42dc8e1d67f97beeee7f63f38ca506f7
+size 59317
diff --git a/tests/UI/expected-screenshots/OptOutForm_opted-out2.png b/tests/UI/expected-screenshots/OptOutForm_opted-out2.png
new file mode 100644
index 00000000000..152f97f608a
--- /dev/null
+++ b/tests/UI/expected-screenshots/OptOutForm_opted-out2.png
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:375f8b477c06ee4477d7976f347dae645ea04a97c0acd21b9f154bd61edfc71b
+size 23291
diff --git a/tests/UI/expected-screenshots/UIIntegrationTest_api_listing.png b/tests/UI/expected-screenshots/UIIntegrationTest_api_listing.png
index 95c558ba9c6..6bc95d9e0bb 100644
--- a/tests/UI/expected-screenshots/UIIntegrationTest_api_listing.png
+++ b/tests/UI/expected-screenshots/UIIntegrationTest_api_listing.png
@@ -1,3 +1,3 @@
 version https://git-lfs.github.com/spec/v1
-oid sha256:7260e83828e9510616e2786fad99724630a22013444115be8f8fa28c392d362c
-size 4944235
+oid sha256:6d9c9e496c7bc56ab968df2942dc566ffcb7c2b93dd2ef6b89acb81c0860c511
+size 4923271
diff --git a/tests/UI/expected-screenshots/UIIntegrationTest_widgets_listing.png b/tests/UI/expected-screenshots/UIIntegrationTest_widgets_listing.png
index 3da6cd00d53..21f91a9316b 100644
--- a/tests/UI/expected-screenshots/UIIntegrationTest_widgets_listing.png
+++ b/tests/UI/expected-screenshots/UIIntegrationTest_widgets_listing.png
@@ -1,3 +1,3 @@
 version https://git-lfs.github.com/spec/v1
-oid sha256:5fbd69449c1d5c892d380fc4dd7e1c4f72c5b32ab6a8f73dde863ae0fce0a2a6
-size 187953
+oid sha256:1e5aba4ff1b36aeff4bcfeb2fca49525a174812e9d58a9590024a7bb41462408
+size 190316
diff --git a/tests/UI/specs/BarGraph_spec.js b/tests/UI/specs/BarGraph_spec.js
index 7b1e8ff54cc..f9888a82256 100644
--- a/tests/UI/specs/BarGraph_spec.js
+++ b/tests/UI/specs/BarGraph_spec.js
@@ -8,7 +8,7 @@
  */
 
 describe("BarGraph", function () {
-    var tokenAuth = "9ad1de7f8b329ab919d854c556f860c1", // md5('superUserLogin' . md5('superUserPass'))
+    var tokenAuth = "c4ca4238a0b923820dcc509a6f75849b", // md5('superUserLogin' . md5('superUserPass'))
         url = "?module=Widgetize&action=iframe&moduleToWidgetize=Referrers&idSite=1&period=year&date=2012-08-09&"
             + "actionToWidgetize=getKeywords&viewDataTable=graphVerticalBar&isFooterExpandedInDashboard=1&"
             + "token_auth=" + tokenAuth;
diff --git a/tests/UI/specs/Comparison_spec.js b/tests/UI/specs/Comparison_spec.js
index 220ed48a7a8..6bb4d732ee7 100644
--- a/tests/UI/specs/Comparison_spec.js
+++ b/tests/UI/specs/Comparison_spec.js
@@ -11,7 +11,7 @@ describe("Comparison", function () {
     const generalParams = 'idSite=1&period=range&date=2012-01-12,2012-01-17',
         urlBase = 'module=CoreHome&action=index&' + generalParams,
         dashboardUrl = "?" + urlBase + "#?" + generalParams + "&category=Dashboard_Dashboard&subcategory=5",
-        tokenAuth = "9ad1de7f8b329ab919d854c556f860c1", // md5('superUserLogin' . md5('superUserPass'))
+        tokenAuth = "c4ca4238a0b923820dcc509a6f75849b", // md5('superUserLogin' . md5('superUserPass'))
         comparePeriod = "&compareDates[]=2012-01-01,2012-01-31&comparePeriods[]=range",
         compareSegment = "&compareSegments[]=continentCode%3D%3Deur",
         compareParams = comparePeriod + compareSegment,
diff --git a/tests/resources/install-matomo.php b/tests/resources/install-matomo.php
index d43cc699f60..741471c6bcb 100644
--- a/tests/resources/install-matomo.php
+++ b/tests/resources/install-matomo.php
@@ -86,24 +86,20 @@ function createSuperUser() {
 
     $login    = 'superUserLogin';
     $password = $passwordHelper->hash(UsersManager::getPasswordHash('superUserPass'));
-    $token    = UsersManagerAPI::getInstance()->createTokenAuth($login);
 
     $model = new \Piwik\Plugins\UsersManager\Model();
     $user  = $model->getUser($login);
 
-    if (!empty($user)) {
-        $token = $user['token_auth'];
-    }
     if (empty($user)) {
-        $model->addUser($login, $password, 'hello@example.org', $login, $token, Date::now()->getDatetime());
+        $model->addUser($login, $password, 'hello@example.org', $login, Date::now()->getDatetime());
     } else {
-        $model->updateUser($login, $password, 'hello@example.org', $login, $token);
+        $model->updateUser($login, $password, 'hello@example.org', $login);
     }
 
     $setSuperUser = empty($user) || !empty($user['superuser_access']);
     $model->setSuperUserAccess($login, $setSuperUser);
 
-    return $model->getUserByTokenAuth($token);
+    return $model->getUser($login);
 }
 
 function createWebsite($dateTime)