Guides·Security

Auth patterns we actually recommend

Email, magic links, OAuth — and the boring parts that decide whether your product feels safe.

AO
Ada Okonkwo
Design engineer · Apr 20, 2026 · 11 min read

Authentication is one of those problems that looks solved from a distance and turns out, on inspection, to be a forest. This guide is the path through the forest we'd take ourselves.

Default: email + magic link

For most consumer products, the right default is email plus magic link. No passwords to forget, no password manager friction, no breach surface for credentials you didn't need to store. The cost is one round trip through email — usually under ten seconds.

Add OAuth where the audience already lives

If your audience lives on GitHub, add GitHub. If they live on Google Workspace, add Google. Don't add five providers because the dialog has space for them. Each one is a support burden and a small piece of trust spent.

Sessions: short, refreshable, httpOnly

Issue an access token with a short lifetime — fifteen minutes is plenty — and a refresh token in an httpOnly, SameSite=Lax cookie. Rotate the refresh token on every use. Revoke on logout. This is the unsexy infrastructure that decides whether a stolen laptop becomes a five-minute incident or a five-week one.

Two-factor when it matters

TOTP is fine. WebAuthn is better. SMS is, in 2026, no longer acceptable as a second factor for anything that matters. If your users are technical, default to passkeys; the experience is better than passwords ever were and the security is genuinely better than TOTP.

None of this is novel. All of it is what separates products that feel safe from products that feel safe enough until they don't.

fin.
AO
Written by

Ada Okonkwo

Design engineer

Designs interfaces that move the way real things move. Previously at Linear and Framer. Believes most apps would be better with one fewer animation and one more well-set heading.

Lagos · Lisbon