First, if the application is for devs and I need something very quick, I would just use GitHub OAuth. Done in 10 minutes.

Now to the main part - how would I implement password-based auth? The minimum for me would be password with 2FA using authenticator apps. Passkeys aren’t widespread enough and I just find magic-links annoying.

Always implement rate-limiting, even if it’s something very basic!

Session management

Database sessions 100%. I really, really don’t like JWTs and they shouldn’t be used as sessions majority of times.

Assuming I only have to deal with authenticated sessions, my preferred approach is 30 days expiration but the expiration gets extended every time the session is used. This ensures active users stay authenticated while inactive users are signed out.

Registration

Hot take - I think it’s fine for apps to share whether an email exists in their system or not. If the email is already taken, just tell the user that they already have an account. Significantly better UX for minimal security loss. Don’t use emails for auth if you don’t like that.

Anyway, something more important than preventing user enumeration is checking passwords against previous leaks. The haveibeenpwned.com API is probably the best option for this. This will reduce the effectiveness of credential stuffing attacks, where an attacker targets accounts using leaked passwords from other websites.

Passwords are hashed with either Argon2id or Scrypt - they’re both good enough. Bcrypt is ok but it unfortunately has a 50-70 character limit.

Rate limiting will be set to around 1 attempt per second per IP address. Captchas if I start to get spams.

Email verification

I would also check if the email starts or ends with a space just to make sure the user didn’t mistype it.

I personally prefer OTPs for email verification over links, but both work fine. For OTPs, a basic throttling like 5-10 attempts per hour per account should be good enough. The code will be valid for 10, maybe 15 minutes. For verification links, I’d set the expiration to 2 hours.

Here’s some ways I would generate those OTPs: bytes := make([]byte, 5) rand.Read(bytes) // 8 characters, 40 bits of entropy // I might use a custom character set to remove 1, I, 0, and O. otp := base32.StdEncoding.EncodeToString(bytes) // 8 characters, entropy equivalent to ~26 bits // This introduces a tiny bias. // See RFC 4226 for why this is fine. bytes := make([]byte, 4) rand.Read(bytes) num := int(binary.BigEndian.Uint32(bytes) % 100000000) otp := fmt.Sprintf("%08d", num)

First of all, I wouldn’t bother with those 100 character long regex. Here’s the only email regex you’ll ever need: ^.+@.+\..+$