MyLastNight FR
03 · case study

In-house identity — moving to Authentik (WebAuthn / YubiKey / TOTP)

Year: 2026 Domains: identity · security · ux Target: Raspberry Pi 5
3strong factors
0plain-text passwords
SSOmulti-user

Context

Cluster authentication used to run on Authelia. Fine for solo use, but a second user landing on some apps (close circle, limited access) called for a real identity plan: groups, per-application rights, factor policy, polished sign-in screen.

Constraint

Three non-negotiables:

  1. WebAuthn / YubiKey as the primary factor for my own account; TOTP as fallback for the rest.
  2. A sign-in screen that doesn't look like Authentik's generic page. The login is the first impression of the domain — it deserves the same care as the rest of the site.
  3. The right WebAuthn relying party: mylastnight.eu (eTLD+1) rather than a subdomain, so passkeys cover every app.

Decision

Migration to Authentik. Four containers: authentik-server, authentik-worker, authentik-db (Postgres), authentik-redis. NPM delegates auth via the forward-auth pattern for apps that don't speak OIDC natively.

For the custom login: CSS override injected through the tenant's branding_custom_css field. A few gotchas along the way — Patternfly's shadow DOM, the min-height on .pf-c-login.stacked, the max-width: 592px imposed by PF. Once those were unblocked, the login page picks up the ochre palette, MapleMono typography, and the site's visual tone.

Factor policy: "WebAuthn required if enrolled, otherwise TOTP, otherwise password". A user cannot downgrade their own security level once a strong factor is enrolled.

Measurement

Authelia stopped cleanly, redirects verified across 14 apps proxied by NPM. First passkey YubiKey login: 1.4 s from click to landing on the target app. Cross-app sessions working: one login covers every app on the cluster.

There's an image cost: Authentik takes more RAM than Authelia. That's the price of flexibility.

What remains

On the learning side: an end-to-end WebAuthn flow (registration, fallback, recovery), a fine grasp of the OIDC session cycle, the ability to extend Authentik via custom flows (enrollment screen, per-tenant branding).

On the ops side: a single stack to patch for the whole cluster's auth. On the UX side: the sign-in is now a signal of care, not a technical formality.

← All case studies