Writing a provider that supports updating of set elements

I am currently writing a provider that tracks the state of all users on a device as a set like this:

Schema:
	map[string]*schema.Schema{
		"user": {
			Type: schema.TypeList,
			Elem: &schema.Resource{

				Schema: map[string]*schema.Schema{
					"token": {
						Type:     schema.TypeString,
						Computed: true,
					},
					"first_name": {
						Type:     schema.TypeString,
						Required: true,
					},
					"last_name": {
						Type:     schema.TypeString,
						Required: true,
					},
					"credential": {
						Type: schema.TypeList,
						Elem: &schema.Resource{
							Schema: map[string]*schema.Schema{
								"token": {
									Type:     schema.TypeString,
									Computed: true,
								},
								"profile_token": { // TODO this should support a set of profiles, not just a single one
									Type:     schema.TypeString,
									Required: true,
								},
								"pin": {
									Type:     schema.TypeString,
									Required: true,
								},
							},
						},
						Optional: true,
					},
				},
			},
			Set: func(i interface{}) int {
				m := i.(map[string]interface{})
				token := m["token"].(string)
				return schema.HashString(token)
			},
			Required: true,
		},
	}

The structure of this is a user list that contains a set of users and each user has a set of credentials. I want to support updating of credentials and fields of the user so I thought by setting the SetFunc to a hash of the token (globally unique ID on the device that doesn’t change), I could make changes to a users first/last name or pin and have it detect that there is a difference but still see they are the same user and/or credential and update accordingly. However, updating any field forces the entire user to be removed from the set and recreated. If I just change the type of user and credential to schema.TypeList, it immediately merges existing users properly and shows the correct output in plan. However, now it is an ordered list, not a set that is unique on token so modifications to the plan such as re-ordering users, adding a user before another user cause crazy output because the order now matters. How do I prevent this with a set?