We’ve done this. We use native functionality to verify username/password combos, then everything else is homebrew. We have a client dataset tag with all the logged in users. Custom login page, custom login script, custom permission check script, custom logout menu. It’s not trivial, but it’s not especially difficult.
One drawback to this is that it breaks all the native security features. Because of the way we verify users, the system officially thinks the last user who logged in is the only user logged in, even if they have logged out of our homebrew system. So things like getRole() have unexpected behavior, as does any security set from the security panel in the designer.