Security · v2.0.1

Authentication Improvements

Authentication Improvements (2026-04-25): Auth hardening: OAuth provider refresh, session rotation, MFA enrollment option, and clearer error states on login.

3 min read · Honestify Engineering

Feature area: Authentication

This release covers Authentication Improvements, version 2.0.1, shipped 2026-04-25. No breaking changes.

Summary

Auth hardening release: OAuth provider refresh, session rotation, an MFA enrollment option, and clearer error states on login.

Session edge cases were causing unexpected logouts, and users had no MFA option for profiles containing sensitive career data. This release adds refresh token rotation with reuse detection, optional TOTP MFA, and improved OAuth error messaging.

What Changed

  • Session rotation (new): Refresh tokens rotate on use; presenting an already-used refresh token triggers reuse detection, which invalidates the whole token family.
  • TOTP MFA (new): Optional authenticator app enrollment.
  • OAuth UX (improved): Provider-specific error messages and retry flows.

Auth support tickets: ~34/week before, ~18/week after (4-week average post-release).

Why We Built It

Session edge cases caused unexpected logouts; users lacked MFA for profiles containing sensitive career data.

We prioritized this work because AI quality feedback correlated with missing context in this surface. The fix needed to be durable rather than a patch, so we addressed root causes in authentication rather than symptoms alone.

Engineers, recruiters, and hiring managers all benefit when Honestify behaves predictably in production. This release reflects that bar.

User Impact

Auth-related support tickets down 47%; MFA enrollment at 12% of active users in first month.

Audience: how you benefit

  • Engineers: faster profile setup, clearer AI answers, less manual rework
  • Recruiters: more complete profiles and reliable share links when candidates use Honestify
  • Founders / hiring managers: better signal on candidate preparation and skills alignment
  • Platform engineers: improved observability and clearer error surfaces

Relevant skills: devsecops, typescript, system design. Target roles: backend engineer, devops engineer, full stack engineer.

Technical Highlights

  • httpOnly secure cookies for session tokens
  • WebAuthn planned for Q3
  • Rate limit on login and MFA attempts
  • Audit events for session and MFA changes

Changes covered by integration tests and Playwright smoke paths on critical user journeys.
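A minimal server-side TOTP verifier with the two guards the highlights call for on MFA (an attempt limit, and a replay check so one intercepted code cannot be accepted twice), as an added example that is not Honestify's implementation: HOTP per RFC 4226 (HMAC-SHA1 over the step counter, dynamic truncation), TOTP per RFC 6238, a one-step drift window on either side, and a lockout after repeated failures. The function names, the 6-digit/30-second parameters, the one-step window, the 5-failure / 5-minute lockout and the in-memory state record are assumptions; the base32 display of the secret at enrollment is left out.

```typescript
// Added example for this page, not Honestify's code: server-side TOTP verification
// with a replay guard and a per-user attempt limit. Parameters are assumptions:
// 6 digits, 30-second steps, +/-1 step of clock drift, 5 failures -> 5-minute lockout.
import { createHmac, randomBytes, timingSafeEqual } from "node:crypto";

const STEP_SECONDS = 30;
const DIGITS = 6;
const DRIFT_STEPS = 1;
const MAX_FAILURES = 5;
const LOCKOUT_SECONDS = 300;

/** RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, dynamically truncated. */
export function hotp(secret: Buffer, counter: number): string {
  const msg = Buffer.alloc(8);
  msg.writeUInt32BE(Math.floor(counter / 2 ** 32), 0);
  msg.writeUInt32BE(counter >>> 0, 4);
  const mac = createHmac("sha1", secret).update(msg).digest();
  const offset = mac[mac.length - 1] & 0x0f;
  const bin =
    ((mac[offset] & 0x7f) << 24) | (mac[offset + 1] << 16) | (mac[offset + 2] << 8) | mac[offset + 3];
  return String(bin % 10 ** DIGITS).padStart(DIGITS, "0");
}

export function timeStep(unixSeconds: number): number {
  return Math.floor(unixSeconds / STEP_SECONDS);
}

/** RFC 6238 TOTP: HOTP with the counter derived from the clock. */
export function totp(secret: Buffer, unixSeconds: number): string {
  return hotp(secret, timeStep(unixSeconds));
}

export interface MfaState {
  secret: Buffer;           // shown to the user once at enrollment, then stored server-side
  lastAcceptedStep: number; // replay guard: a code for this step or earlier is never accepted again
  failures: number;         // consecutive wrong codes since the last success
  lockedUntil: number;      // unix seconds; verification refused before this time
}

/** Enrollment: a fresh 160-bit secret, no accepted code yet, no failures. */
export function enroll(): MfaState {
  return { secret: randomBytes(20), lastAcceptedStep: -1, failures: 0, lockedUntil: 0 };
}

export type VerifyResult = "ok" | "invalid" | "replayed" | "locked";

// Constant-time compare so response timing does not leak how many digits matched.
function codesEqual(a: string, b: string): boolean {
  const ab = Buffer.from(a, "utf8");
  const bb = Buffer.from(b, "utf8");
  return ab.length === bb.length && timingSafeEqual(ab, bb);
}

/** Verify one submitted code, updating the state (replay marker, failure counter, lockout). */
export function verifyTotp(state: MfaState, code: string, unixSeconds: number): VerifyResult {
  if (unixSeconds < state.lockedUntil) return "locked";
  const wellFormed = code.length === DIGITS && /^\d+$/.test(code);
  if (wellFormed) {
    const current = timeStep(unixSeconds);
    for (let delta = -DRIFT_STEPS; delta <= DRIFT_STEPS; delta++) {
      const step = current + delta;
      if (step < 0 || !codesEqual(hotp(state.secret, step), code)) continue;
      // Valid code, but for a step already spent: refuse without counting it as a failure,
      // since the only way to have it is to have seen the user's earlier submission.
      if (step <= state.lastAcceptedStep) return "replayed";
      state.lastAcceptedStep = step;
      state.failures = 0;
      return "ok";
    }
  }
  state.failures += 1;
  if (state.failures >= MAX_FAILURES) {
    state.lockedUntil = unixSeconds + LOCKOUT_SECONDS;
    state.failures = 0;
  }
  return "invalid";
}
```

Two caveats the code makes explicit: the replay marker means a code remains unusable for its whole step even if it would otherwise still fall inside the drift window, and the lockout counter lives with the MFA state rather than with the HTTP request, so it survives a change of IP address.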

Before vs after

Before: long-lived sessions without rotation; opaque OAuth failure redirects.

After: rotating refresh tokens, MFA setup in security settings, actionable login error copy.

Users moving from the previous experience should notice that refresh tokens now rotate, that MFA can be set up under security settings, and that login errors say what went wrong and how to retry.


Future Improvements

What we are building next

  • Passkeys (WebAuthn)
  • SSO for team plans
  • Suspicious login email alerts

Known limitations

  • SMS MFA is not offered; the only options are TOTP (authenticator app) MFA and OAuth sign-in.

Feedback welcome: Reply via in-app feedback or support—especially if you hit edge cases we did not cover in this release.

This update connects to other Honestify work:

Create your own AI profile

Upload your resume, add expertise, and share a profile link beside LinkedIn so recruiters can ask follow-up questions before the interview.