Security & TrustSubscribers only Jul 11, 2026 at 17:195Add to bookmarks

A popular HN thread reignites the question: how should we authenticate an app in 2026? The answer is no longer "JWT + refresh token". A clear overview.
In 2026, the "right" way to authenticate a web application depends on two questions: (1) are you a B2C consumer app, or a B2B SaaS? (2) are you ready to operate your own IdP, or do you rely on a provider? The patterns of the mid-2020s (JWT stateless + refresh in localStorage) are outdated - for good reasons.
The HN thread picks up the classic discussion and arrives at an interesting convergence: for most apps, the pragmatic 2026 stack is:
What has changed, structurally, is three things. One: the end of localStorage for sensitive tokens (XSS = total compromise, there's no more debate). Two: the maturity of passkeys - public adoption now exceeds the critical threshold in major ecosystems (Google, Apple, Microsoft have all deployed), even if none has published a recent detailed figure. Three: hosted IdPs (Clerk, WorkOS, Auth0) now offer turnkey SSO/SCIM/passkeys coverage that no team of fewer than 5 people has any interest in reimplementing.
Secure; HttpOnly; SameSite=Lax; __Host- prefix. Rotation on each privilege escalation.Three takeaways. One: if you're starting in 2026, take a provider (Clerk, WorkOS, Stack Auth) unless you have a specific regulatory reason. The engineering time saved goes to the product. Two: if you have a legacy JWT-in-localStorage stack, plan the migration to session cookie - it's a priority security task, not cosmetic. Three: passkeys are ready; to be activated as an option now, and to be enforced by 2027 in enterprise. To watch: the standardization of cross-platform passkeys (the real B2B hurdle).
Create a free account to access all our content and the weekly review.
Article produced by artificial intelligence, reviewed under human editorial control.
Sign in to join the discussion.
Les passkeys ont l'air bien, mais comment ils se défendent contre le phishing ? Un pirate pourrait-il intercepter la connexion ?
Les passkeys, c'est bien, mais comment ça gère plusieurs appareils ? Faut-il toujours avoir son téléphone sur soi ?
Est-ce que les passkeys fonctionneront hors ligne ? Une solution de secours sera-t-elle nécessaire ?
Les passkeys ont l'air bien, mais je me demande comment ils vont s'intégrer avec les anciens systèmes d'authentification ?
Est-ce que les passkeys peuvent vraiment tenir la route pour les très grosses applications ?
Les passkeys sont-ils vraiment fiables pour les très grosses applications ?