diff --git a/src/cli.rs b/src/cli.rs
index 1584be6..bcffa7f 100644
--- a/src/cli.rs
+++ b/src/cli.rs
@@ -33,6 +33,9 @@ fn derive_secret(
     timeout: u64,
     pin: Option<&str>,
 ) -> Fido2LuksResult<([u8; 32], FidoCredential)> {
+    if credentials.len() == 0 {
+        return Err(Fido2LuksError::InsufficientCredentials);
+    }
     let timeout = Duration::from_secs(timeout);
     let start = SystemTime::now();
 
diff --git a/src/error.rs b/src/error.rs
index f0f1f76..dc29d3d 100644
--- a/src/error.rs
+++ b/src/error.rs
@@ -31,6 +31,8 @@ pub enum Fido2LuksError {
     StringEncodingError { cause: FromUtf8Error },
     #[fail(display = "not an hex string: {}", string)]
     HexEncodingError { string: String },
+    #[fail(display = "couldn't obtain at least one credential")]
+    InsufficientCredentials,
 }
 
 impl Fido2LuksError {
diff --git a/src/luks.rs b/src/luks.rs
index 4a91e73..7b024ca 100644
--- a/src/luks.rs
+++ b/src/luks.rs
@@ -103,10 +103,6 @@ impl LuksDevice {
         Ok(())
     }
 
-    pub fn add_credential(&mut self, slot: u32, credential: Vec<u8>) -> Fido2LuksResult<()> {
-        self.add_token(&Fido2LuksToken::with_credentials(&[credential], slot))
-    }
-
     pub fn remove_token(&mut self, token: u32) -> Fido2LuksResult<()> {
         self.require_luks2()?;
         self.device