Authentication is one of those problems that looks solved from a distance and turns out, on inspection, to be a forest. This guide is the path through the forest we'd take ourselves.
Default: email + magic link
For most consumer products, the right default is email plus magic link. No passwords to forget, no password manager friction, no breach surface for credentials you didn't need to store. The cost is one round trip through email — usually under ten seconds.
Add OAuth where the audience already lives
If your audience lives on GitHub, add GitHub. If they live on Google Workspace, add Google. Don't add five providers because the dialog has space for them. Each one is a support burden and a small piece of trust spent.
Sessions: short, refreshable, httpOnly
Issue an access token with a short lifetime — fifteen minutes is plenty — and a refresh token in an httpOnly, SameSite=Lax cookie. Rotate the refresh token on every use. Revoke on logout. This is the unsexy infrastructure that decides whether a stolen laptop becomes a five-minute incident or a five-week one.
Two-factor when it matters
TOTP is fine. WebAuthn is better. SMS is, in 2026, no longer acceptable as a second factor for anything that matters. If your users are technical, default to passkeys; the experience is better than passwords ever were and the security is genuinely better than TOTP.
None of this is novel. All of it is what separates products that feel safe from products that feel safe enough until they don't.
Ada Okonkwo
Design engineerDesigns interfaces that move the way real things move. Previously at Linear and Framer. Believes most apps would be better with one fewer animation and one more well-set heading.