diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index 80073a7..c13c6ff 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -237,10 +237,7 @@ jobs:
         with:
           image-name: betterframe-client-${{ inputs.version }}
           stage-list: stage0 stage1 stage2 ./deploy/pi-gen/stage-betterframe-client
-          # pi-gen default release is trixie (Debian 13).
           enable-ssh: 0
-          username: bfadmin
-          password: betterframe
           locale: en_US.UTF-8
           timezone: Etc/UTC
           hostname: betterframe-kiosk
diff --git a/deploy/pi-gen/stage-betterframe-client/01-install-kiosk/01-run-chroot.sh b/deploy/pi-gen/stage-betterframe-client/01-install-kiosk/01-run-chroot.sh
index a07e4cb..baef042 100755
--- a/deploy/pi-gen/stage-betterframe-client/01-install-kiosk/01-run-chroot.sh
+++ b/deploy/pi-gen/stage-betterframe-client/01-install-kiosk/01-run-chroot.sh
@@ -3,6 +3,15 @@
 # systemd unit + cage PAM + plymouth theme. Mirrors setup-pi-kiosk.sh but
 # baked into the image so first boot is fully provisioned.
 
+# --- bfadmin user (replaces pi-gen's username/password config) ---
+# Pi-gen's built-in user setup reinstalls the firstboot wizard AFTER
+# custom stages run. We create the admin user ourselves to avoid that.
+if ! id -u bfadmin >/dev/null 2>&1; then
+  useradd -m -s /bin/bash -G sudo bfadmin
+fi
+echo "bfadmin:betterframe" | chpasswd
+passwd -e bfadmin
+
 # --- bfkiosk user ---
 if ! id -u bfkiosk >/dev/null 2>&1; then
   useradd -m -s /usr/sbin/nologin bfkiosk