diff --git a/server/login.go b/server/login.go
index e2145aaf4edc28d8e673c05963e356ee4f9e78e9..82b86fc3655c504eb1152d0e4d1e341c112837a9 100644
--- a/server/login.go
+++ b/server/login.go
@@ -16,6 +16,7 @@ import (
 "github.com/gorilla/csrf"
 "github.com/gorilla/sessions"
 "github.com/tstranex/u2f"
+ "go.opencensus.io/trace"

 "git.autistici.org/id/auth"
 authclient "git.autistici.org/id/auth/client"
@@ -293,7 +294,31 @@ func (l *loginHandler) makeAuthRequest(w http.ResponseWriter, req *http.Request,
 U2FResponse: u2fResponse,
 U2FAppID: appID,
 }
- return l.authClient.Authenticate(req.Context(), &ar)
+
+ // Trace the authentication request.
+ ctx, span := trace.StartSpan(req.Context(), "auth",
+ trace.WithSpanKind(trace.SpanKindClient))
+ span.AddAttributes(
+ trace.StringAttribute("auth.user", username),
+ trace.StringAttribute("auth.service", l.authService),
+ trace.BoolAttribute("auth.with_password", len(password) > 0),
+ trace.BoolAttribute("auth.with_otp", otp != ""),
+ trace.BoolAttribute("auth.with_u2f", u2fResponse != nil),
+ )
+ defer span.End()
+
+ resp, err := l.authClient.Authenticate(ctx, &ar)
+
+ // Record the authentication response status in the trace.
+ if err != nil {
+ span.SetStatus(trace.Status{Code: trace.StatusCodeUnknown, Message: err.Error()})
+ } else if resp.Status == auth.StatusOK {
+ span.SetStatus(trace.Status{Code: trace.StatusCodeOK, Message: "OK"})
+ } else {
+ span.SetStatus(trace.Status{Code: trace.StatusCodePermissionDenied, Message: resp.Status.String()})
+ }
+
+ return resp, err
 }

 // Return a (relative) URL that will redirect the user to the login
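Review bot: The `auth.user` attribute puts `username` on the span before the authentication result is known, so every login attempt, failed ones included, exports what appears to be the client-submitted login name to the tracing backend. That includes mistyped values such as a password entered in the username field, and it makes trace storage a second place where account identifiers need access control and retention limits. I would drop `trace.StringAttribute("auth.user", username),` from the initial `span.AddAttributes` call and, if the identity is needed for debugging, record it only in the `resp.Status == auth.StatusOK` branch with `span.AddAttributes(trace.StringAttribute("auth.user", username))`. The same consideration applies to `Message: err.Error()`, which copies the auth client's error text into the span verbatim; a fixed message may be enough if that text can carry request details. makeAuthRequest begins above this hunk, so whether `username` is validated or length-limited before this point is not visible here.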