Building a Central SSO System with Authentik

Today I want to share how I use Authentik as the central identity provider in my homelab.
I originally set up Authentik very early in my homelab journey (it was probably my second or third service), mainly for two reasons: improved security and comfort.

The Problem

Without a centralized identity system, every service has its own authentication. This often leads to weak or reused passwords, no consistent MFA enforcement, and no clear overview of who has access to what.
Even in a small setup, this quickly becomes messy and hard to manage.

The Goal

My goal was simple: one identity to access everything while keeping it secure.
At the same time, I wanted to enforce strong authentication (MFA) and reduce the risk of compromised credentials.

Setup Overview

I deployed Authentik early on and started with basic hardening, such as restricting access with a firewall.

For external access, I currently expose Authentik via a Cloudflare Tunnel. This allows me to securely access it from anywhere and also enables OIDC integrations that require a publicly reachable endpoint (for example, Tailscale SSO).

In the future, I may switch to a split DNS setup with something like Traefik for my internal stack and keep Cloudflare Tunnel for external services. This would make my homelab less dependent on Cloudflare.

User Model

I separated my accounts into two roles:

  • Admin user: password + TOTP
  • Regular user: password + WebAuthn (primary) with TOTP as fallback

The regular user is what I use 99% of the time. It only has the permissions needed for normal access.
The admin account is only used when necessary, typically in a separate browser session. After making changes, I log out again.
This reduces the risk that a compromised session can affect critical configuration.

How I Use Authentik

Almost all of my services are integrated with Authentik using OIDC, since most services support OIDC nowadays.
If a service does not, you can place it behind a reverse proxy that handles authentication in a homelab scenario (depending on the service).

This gives me:

  • centralized authentication
  • consistent MFA enforcement
  • better visibility into login activity

It also allows me to easily disable access if needed, which would be much harder with individually managed accounts.
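Before wiring a new service to an OIDC provider, it is worth checking what the provider's discovery document actually advertises. The following is an added example, not code from the original post or from Authentik: it validates a discovery document against the issuer the client will pin, with sample documents constructed to resemble the shape Authentik publishes per application slug (the host and slug are assumptions).

```python
from urllib.parse import urlsplit

# Added example (not from the original post): pre-flight check of an OIDC
# discovery document before a new service is wired to Authentik.
REQUIRED = ("authorization_endpoint", "token_endpoint", "jwks_uri", "userinfo_endpoint")


def check_oidc_discovery(doc: dict, expected_issuer: str) -> list[str]:
    """Return the problems found; an empty list means the document looks sane."""
    problems = []
    issuer = doc.get("issuer", "")
    if issuer != expected_issuer:
        # the client pins iss; tokens from any other issuer must be rejected
        problems.append(f"issuer mismatch: {issuer!r} != {expected_issuer!r}")
    origin = urlsplit(expected_issuer).netloc
    for key in REQUIRED:
        url = doc.get(key, "")
        parts = urlsplit(url)
        if parts.scheme != "https":
            problems.append(f"{key} missing or not HTTPS: {url!r}")
        elif parts.netloc != origin:
            # an endpoint on another host would send logins or tokens elsewhere
            problems.append(f"{key} on unexpected host: {parts.netloc!r}")
    if "S256" not in doc.get("code_challenge_methods_supported", []):
        problems.append("PKCE S256 not advertised")
    algs = doc.get("id_token_signing_alg_values_supported", [])
    if not algs or "none" in algs:
        problems.append(f"unsafe id_token signing algs: {algs!r}")
    return problems


# constructed sample in the shape Authentik publishes per application slug
GOOD_DOC = {
    "issuer": "https://auth.example.com/application/o/grafana/",
    "authorization_endpoint": "https://auth.example.com/application/o/authorize/",
    "token_endpoint": "https://auth.example.com/application/o/token/",
    "userinfo_endpoint": "https://auth.example.com/application/o/userinfo/",
    "jwks_uri": "https://auth.example.com/application/o/grafana/jwks/",
    "code_challenge_methods_supported": ["plain", "S256"],
    "id_token_signing_alg_values_supported": ["RS256"],
}
# constructed misconfiguration: HTTP issuer, token endpoint on another host, no S256
BAD_DOC = {**GOOD_DOC,
           "issuer": "http://auth.example.com/application/o/grafana/",
           "token_endpoint": "https://auth.internal.lan/application/o/token/",
           "code_challenge_methods_supported": ["plain"]}

if __name__ == "__main__":
    for name, doc in (("good", GOOD_DOC), ("bad", BAD_DOC)):
        print(name, check_oidc_discovery(doc, GOOD_DOC["issuer"]) or "ok")
```

Against a live instance, fetch `<issuer>/.well-known/openid-configuration` and pass the parsed JSON in place of the constructed dictionaries.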

For SSH access, I use Vault with Authentik as the identity provider, which allows me to issue short-lived SSH certificates instead of relying on static keys. You can read my blog post about that here.

Security Benefits

For my personal setup, the biggest benefit is convenience.

However, from a security perspective, the advantages are clear:

  • centralized MFA enforcement
  • phishing-resistant authentication with WebAuthn
  • ability to disable users instantly
  • reduced reliance on static credentials

Authentik also provides built-in protections, such as temporarily blocking accounts after too many failed login attempts.

In addition, I use Cloudflare to filter or challenge suspicious traffic, which helps mitigate basic brute-force and bot attacks.
If you plan to use Authentik only internally, those concerns do not apply.

Access Strategy

While most services are accessible through Authentik, I still maintain fallback access methods:

  • Proxmox UI (a separate local user with 2FA, while Authentik is used for daily access)
  • iDRAC (out-of-band management with no Authentik integration)

This ensures I am not completely locked out if something breaks.

Trade-offs and Challenges

Single Point of Failure:
Since Authentik acts as the central identity provider, multiple services depend on it. If it becomes unavailable, access to those services may be disrupted.
Mitigation strategies for this risk include implementing high availability for Authentik and maintaining fallback access mechanisms that are independent of the identity provider.

Increased Complexity:
Setting up and maintaining a centralized identity system is more complex than managing individual logins, but it provides many benefits.

Exposure:
Running Authentik behind a public endpoint (e.g., Cloudflare Tunnel) introduces additional considerations around security and availability.

Conclusion

Using Authentik as a central identity provider has significantly improved both the security and usability of my homelab.
Even as a single user, having centralized authentication, enforced MFA, and a clear access model makes a big difference.
More importantly, it scales well. The same setup could easily be used in a small team or company, where centralized identity management becomes even more critical.

I hope this gives you some ideas on how to improve authentication in your own setup.