diff --git a/README.md b/README.md
index 47d98bb..a8571ae 100644
--- a/README.md
+++ b/README.md
@@ -190,12 +190,17 @@ Don’t forget to point AUTH_USER_MODEL to it. Do this before creating any migra
 - password is used for admin login (?)
 - seed
 - custom auth method
-- [ ] try to fake username for django based on name+realm (?)
-- [ ] maybe overwrite get_username() (?)
-- [ ] Use Custom authentication (?) - needs to have a user
-- [ ] Implement creating new "User"
+- [n] try to fake username for django based on name+realm (?)
+- [n] maybe overwrite get_username() (?)
+- [x] Use Custom authentication - needs to have a user!
+- [x] Implement creating new "User" - by POST / Model based
+- [ ] Add tests for verify
+- [ ] Add tests for authentication
+- [ ] Add proper documentation
 - [ ] move totp constants into settings
 - [ ] move field lengths into settings
 - [ ] make settings adjustable by environment (?)
 - [ ] Remove hard coded JSON (?)
+
+## Changelog
diff --git a/ungleichotp/ungleichotp/settings.py b/ungleichotp/ungleichotp/settings.py
index 21646ab..491d324 100644
--- a/ungleichotp/ungleichotp/settings.py
+++ b/ungleichotp/ungleichotp/settings.py
@@ -102,14 +102,23 @@ AUTH_PASSWORD_VALIDATORS = [
 ]
+# Customer user model so that we can use our tokens for authentication!
+AUTH_USER_MODEL = 'otpauth.OTPSeed'
+
+# Custom authentication so we can use tokens ourselves
 REST_FRAMEWORK = {
 'DEFAULT_AUTHENTICATION_CLASSES': (
 'rest_framework.authentication.SessionAuthentication',
 'otpauth.models.OTPAuthentication'
+ ),
+ 'DEFAULT_PERMISSION_CLASSES': (
+ 'rest_framework.permissions.IsAuthenticated',
 )
 }
+
+
 # Internationalization
 # https://docs.djangoproject.com/en/2.1/topics/i18n/
@@ -128,5 +137,3 @@ USE_TZ = True
 # https://docs.djangoproject.com/en/2.1/howto/static-files/
 STATIC_URL = '/static/'
-
-AUTH_USER_MODEL = 'otpauth.OTPSeed'
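Review bot: The new `DEFAULT_PERMISSION_CLASSES` entry in the first settings.py hunk makes `otpauth.models.OTPAuthentication` the gate for every API view a token client reaches, yet the README hunk in this same commit still lists "Add tests for verify" and "Add tests for authentication" as open, so the default-deny setting rests on an untested custom class. Because `SessionAuthentication` is listed first, DRF derives the unauthenticated response from it, and token clients will most likely receive 403 rather than a 401 with a `WWW-Authenticate` header; if 401 is wanted, `OTPAuthentication` would need to come first and define `authenticate_header`, which cannot be confirmed from this diff. A comment above `REST_FRAMEWORK` such as `# Default-deny: views that must be reachable without credentials have to set permission_classes explicitly` would record the contract for later view authors. The first added comment should read `# Custom user model` rather than `# Customer user model`.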