Authentication Improvements
Authentication Improvements (2026-04-25): Auth hardening: OAuth provider refresh, session rotation, MFA enrollment option, and clearer error states on login.
Feature area: Authentication
This release covers Authentication Improvements Version 2.0.1, shipped 2026-04-25. Status: shipped. No breaking changes.
Summary
Auth hardening: OAuth provider refresh, session rotation, MFA enrollment option, and clearer error states on login.
Session edge cases caused unexpected logouts, and users had no MFA for profiles containing sensitive career data. This release adds refresh token rotation, optional TOTP MFA, and improved OAuth error messaging.
What Changed
- Session rotation (new): Refresh tokens rotate on every use; presenting an already-consumed token is treated as reuse and invalidates the whole token family.
- TOTP MFA (new): Optional authenticator app enrollment.
- OAuth UX (improved): Provider-specific error messages and retry flows.
Auth support tickets: ~34/week before, ~18/week after (4-week average post-release).
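The rotation mechanism described above, as an added example of how a server can implement it. This is illustrative code written for this page, not Honestify's implementation: the in-memory store, the audit event names and the field names are assumptions. Each login starts a token family; every refresh consumes the presented token and mints a successor in the same family; a second presentation of a consumed token cannot be distinguished from theft, so the whole family is revoked and the user has to log in again. Only SHA-256 digests of tokens are stored, and the store records the kind of session audit events listed under Technical Highlights.

```typescript
import { createHash, randomBytes } from "node:crypto";

// Hypothetical in-memory model for refresh-token families (example only,
// not Honestify's schema).
interface TokenRecord {
  familyId: string;
  userId: string;
  expiresAt: number;      // epoch milliseconds
  usedAt: number | null;  // set once the token has been exchanged
}

interface FamilyRecord {
  userId: string;
  revokedAt: number | null;
  reason: string | null;
}

export interface AuditEvent {
  type: string;
  userId: string;
  familyId: string;
  at: number;
}

export type RotateResult =
  | { status: "ok"; refreshToken: string }
  | { status: "invalid" | "expired" | "family_revoked" | "reuse_detected" };

export class RefreshTokenStore {
  // Only SHA-256 digests of tokens are kept, so a leaked table cannot be replayed.
  private readonly tokens = new Map<string, TokenRecord>();
  private readonly families = new Map<string, FamilyRecord>();
  private readonly ttlMs: number;
  readonly audit: AuditEvent[] = [];

  constructor(ttlMs: number = 30 * 24 * 3600 * 1000) {
    this.ttlMs = ttlMs;
  }

  private static digest(token: string): string {
    return createHash("sha256").update(token).digest("hex");
  }

  private mint(userId: string, familyId: string, now: number): string {
    const token = randomBytes(32).toString("base64url");
    this.tokens.set(RefreshTokenStore.digest(token), {
      familyId, userId, expiresAt: now + this.ttlMs, usedAt: null,
    });
    return token;
  }

  // Login: start a new family and hand out its first refresh token.
  issue(userId: string, now: number = Date.now()): string {
    const familyId = randomBytes(16).toString("hex");
    this.families.set(familyId, { userId, revokedAt: null, reason: null });
    this.audit.push({ type: "session.created", userId, familyId, at: now });
    return this.mint(userId, familyId, now);
  }

  // Refresh: consume the presented token and mint its successor in the same family.
  rotate(presented: string, now: number = Date.now()): RotateResult {
    const rec = this.tokens.get(RefreshTokenStore.digest(presented));
    if (!rec) return { status: "invalid" };
    const family = this.families.get(rec.familyId);
    if (!family) return { status: "invalid" };
    if (family.revokedAt !== null) return { status: "family_revoked" };
    if (rec.usedAt !== null) {
      // A token that was already exchanged is being presented again. Either the
      // legitimate client lost the rotation response or someone stole the old
      // token; the two cannot be told apart here, so the whole family is revoked.
      family.revokedAt = now;
      family.reason = "refresh_token_reuse";
      this.audit.push({ type: "session.revoked_reuse", userId: rec.userId, familyId: rec.familyId, at: now });
      return { status: "reuse_detected" };
    }
    if (now >= rec.expiresAt) return { status: "expired" };
    rec.usedAt = now;
    this.audit.push({ type: "session.rotated", userId: rec.userId, familyId: rec.familyId, at: now });
    return { status: "ok", refreshToken: this.mint(rec.userId, rec.familyId, now) };
  }

  // Explicit logout: revoke the family so every outstanding token in it dies.
  revokeFamilyOf(presented: string, now: number = Date.now()): boolean {
    const rec = this.tokens.get(RefreshTokenStore.digest(presented));
    const family = rec && this.families.get(rec.familyId);
    if (!rec || !family) return false;
    family.revokedAt = now;
    family.reason = "logout";
    this.audit.push({ type: "session.revoked_logout", userId: rec.userId, familyId: rec.familyId, at: now });
    return true;
  }
}
```

The reuse check deliberately runs before the expiry check: a replayed token is a signal worth acting on even when the token itself has already expired. Note that a client that legitimately loses the rotation response will also trip the family revocation; that is the intended trade-off, since the cost is one extra login.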
Why We Built It
Session edge cases caused unexpected logouts; users lacked MFA for profiles containing sensitive career data.
We prioritized this work because AI quality feedback correlated with missing context in this surface. The fix needed to be durable rather than a patch, so we addressed root causes in Authentication instead of treating symptoms alone.
Engineers, recruiters, and hiring managers all benefit when Honestify behaves predictably in production. This release reflects that bar.
User Impact
Auth-related support tickets down 47%; MFA enrollment at 12% of active users in first month.
| Audience | How you benefit |
|---|---|
| Engineers | Faster profile setup, clearer AI answers, less manual rework |
| Recruiters | More complete profiles and reliable share links when candidates use Honestify |
| Founders / hiring managers | Better signal on candidate preparation and skills alignment |
| Platform engineers | Improved observability and clearer error surfaces |
Relevant skills: devsecops, typescript, system design. Target roles: backend engineer, devops engineer, full stack engineer.
Technical Highlights
- httpOnly secure cookies for session tokens
- WebAuthn planned for Q3
- Rate limit on login and MFA attempts
- Audit events for session and MFA changes
Changes are covered by integration tests and Playwright smoke paths on critical user journeys.
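The TOTP MFA, rate-limit and one-time-use points above, as an added example of what server-side verification of an authenticator app code has to get right. This is illustrative code written for this page, not Honestify's implementation; the policy values (6 digits, 30-second step, one step of clock skew, 5 attempts per 5 minutes) and the class and field names are assumptions. It carries RFC 4226 HOTP and RFC 6238 TOTP, a base32 decoder for the secret that enrollment shows the user, constant-time comparison of the submitted code, rejection of a code from a time step already accepted for that user (a TOTP code is one-time), and a sliding-window attempt limit per user.

```typescript
import { createHmac, timingSafeEqual } from "node:crypto";

const BASE32_ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZ234567";

// Decode the base32 secret that authenticator apps import from the QR code or manual key.
export function base32Decode(encoded: string): Buffer {
  const clean = encoded.toUpperCase().replace(/\s+/g, "").replace(/=+$/, "");
  const out: number[] = [];
  let bits = 0;
  let value = 0;
  for (const ch of clean) {
    const idx = BASE32_ALPHABET.indexOf(ch);
    if (idx < 0) throw new Error(`invalid base32 character: ${ch}`);
    value = (value << 5) | idx;
    bits += 5;
    if (bits >= 8) {
      out.push((value >>> (bits - 8)) & 0xff);
      bits -= 8;
      value &= (1 << bits) - 1; // keep only the unconsumed low bits
    }
  }
  return Buffer.from(out);
}

// RFC 4226 HOTP: dynamic truncation of HMAC-SHA1(secret, 8-byte big-endian counter).
export function hotp(secret: Buffer, counter: number, digits: number = 6): string {
  const msg = Buffer.alloc(8);
  msg.writeUInt32BE(Math.floor(counter / 0x100000000), 0);
  msg.writeUInt32BE(counter % 0x100000000, 4);
  const mac = createHmac("sha1", secret).update(msg).digest();
  const offset = mac.readUInt8(mac.length - 1) & 0x0f;
  const binary = mac.readUInt32BE(offset) & 0x7fffffff;
  return (binary % 10 ** digits).toString().padStart(digits, "0");
}

// RFC 6238 TOTP: HOTP over the current time step (30 s by default).
export function totp(secret: Buffer, unixSeconds: number, digits: number = 6, step: number = 30): string {
  return hotp(secret, Math.floor(unixSeconds / step), digits);
}

export type MfaOutcome = "ok" | "bad_code" | "replayed" | "locked";

export interface TotpPolicy {
  digits?: number;
  step?: number;
  skew?: number;        // accepted time steps either side of "now"
  maxAttempts?: number; // failures allowed per user inside lockSeconds
  lockSeconds?: number;
}

export class TotpVerifier {
  private readonly digits: number;
  private readonly step: number;
  private readonly skew: number;
  private readonly maxAttempts: number;
  private readonly lockSeconds: number;
  private readonly lastAcceptedStep = new Map<string, number>(); // userId -> time step
  private readonly failures = new Map<string, number[]>();       // userId -> failure times

  constructor(policy: TotpPolicy = {}) {
    this.digits = policy.digits ?? 6;
    this.step = policy.step ?? 30;
    this.skew = policy.skew ?? 1;
    this.maxAttempts = policy.maxAttempts ?? 5;
    this.lockSeconds = policy.lockSeconds ?? 300;
  }

  // Sliding window: drop failures older than lockSeconds, return the live list.
  private recentFailures(userId: string, now: number): number[] {
    const kept = (this.failures.get(userId) ?? []).filter((t) => now - t < this.lockSeconds);
    this.failures.set(userId, kept);
    return kept;
  }

  verify(userId: string, secret: Buffer, code: string, nowSeconds: number): MfaOutcome {
    const failures = this.recentFailures(userId, nowSeconds);
    if (failures.length >= this.maxAttempts) return "locked";

    const submitted = code.replace(/\s+/g, "");
    const current = Math.floor(nowSeconds / this.step);
    if (submitted.length === this.digits && /^\d+$/.test(submitted)) {
      for (let delta = -this.skew; delta <= this.skew; delta++) {
        const candidate = current + delta;
        if (candidate < 0) continue;
        const expected = hotp(secret, candidate, this.digits);
        // Constant-time compare; both strings are exactly `digits` ASCII bytes long.
        if (timingSafeEqual(Buffer.from(expected), Buffer.from(submitted))) {
          const last = this.lastAcceptedStep.get(userId) ?? -1;
          if (candidate <= last) {
            failures.push(nowSeconds); // a code from a consumed step is not valid twice
            return "replayed";
          }
          this.lastAcceptedStep.set(userId, candidate);
          this.failures.delete(userId);
          return "ok";
        }
      }
    }
    failures.push(nowSeconds);
    return "bad_code";
  }
}
```

The attempt limit is keyed on the user rather than the client IP because the code space is only a million values and the attacker, not the victim, chooses where requests come from; the lockout also counts a replayed code as a failure so a captured code cannot be retried for free.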
Authentication Improvements: before vs after
Before: Long-lived sessions without rotation; opaque OAuth failure redirects.
After: Rotating refresh tokens, MFA setup in security settings, actionable login error copy.
Users moving from the previous experience should notice rotating refresh tokens, MFA setup in security settings, and actionable login error copy.
Future Improvements
What we are building next
- Passkeys (WebAuthn)
- SSO for team plans
- Suspicious login email alerts
Known limitations
- SMS MFA is not offered; TOTP and OAuth only.
Feedback welcome: Reply via in-app feedback or support—especially if you hit edge cases we did not cover in this release.
Related Features
This update connects to other Honestify work:
- Related updates: profile sharing, invitation system, public ai profiles
- Guides: production readiness checklist, incident response playbook, devsecops
- Research: startup vs enterprise hiring trends, platform engineering trends, most asked questions on honestify
- Practice questions: explain authentication, production incident, explain security