Step one: Research the options
- Pocket-ID (in UNRAID app store. Limited, passkey only)
- Authelia (in UNRAID app store [installed]. Supports passkeys only as 2nd factor)
- authentik (in UNRAID app store [installed]. Requires 2 containers)
- Keycloak (in UNRAID app store. Some say it’s complicated)
- Hanko (not in UNRAID app store. Reportedly good, but not widely used, very much DIY)
After some ‘DeepSeek’ research, it seems that authentik is best for my use case.
Full Disclosure
I’ve already implemented authentik, but it was problematic, so… Now I guess I’ll have to revisit authentik and see what’s improved over the last 6 months or so. 😉
Considerations – what to protect
Because I am using Tailscale widely, I have been able to put most of my services ‘on the LAN’, which in theory should alleviate the need for the biggest part of this integration. However, there are several ‘public’ services that may benefit from the use of passkeys. WordPress admin comes to mind here, but ‘there’s a plugin for that’ and I am using it on my WP sites.
TODO
I need to research where this needs to be applied and roll it out.

