Numerous Times

Inside Stories · Outside Proof

Field Notes

Field Notes

The Security Obsession is Killing the User Experience

Developers are sacrificing product intuition at the altar of perfect token storage, creating friction that drives customers away from the apps they build.

Numerous Times Field Notes

Dispatches from inside the room

July 11, 2026 · 3 min read
The Security Obsession is Killing the User Experience
Photo: Unsplash

I have spent the last decade sitting in architectural review meetings where the air is sucked out of the room by a single question: where do we put the token? We treat authentication storage like a theological debate rather than a functional requirement. On one side, the local storage purists prioritize simplicity and speed; on the other, the cookie-only hardliners treat every browser-side variable like a ticking bomb. While we bicker over the merits of HttpOnly flags and the theoretical risks of cross-site scripting, we are losing sight of the actual human being trying to log into the dashboard.

From the floor of these product builds, I see the same pattern. We build fortresses that no one can live in. By chasing a zero-risk environment that doesn't exist, we introduce layers of complexity that break session persistence, confuse the mobile handoff, and lead to the kind of frequent, jarring re-authentications that send users straight to a competitor’s simpler interface. Security is not a binary state; it is a spectrum of trade-offs. The current industry obsession with 'perfect' token security has shifted from being a defensive measure to a form of technical gatekeeping that actively degrades the product.

Let’s be honest about the threat model. Most applications are not storing state secrets. If a malicious actor has the level of access required to scrape a well-managed local storage instance, the user has already lost their entire browser profile and likely their operating system integrity. We are building massive moats to prevent a specific type of theft while the front door is wide open because the lock is too complicated for the owner to use. The 'best' way to handle authentication is the one that actually gets out of the way. If your security architecture requires three different middleware checks and a refresh logic that fails every time a user switches from Wi-Fi to cellular data, you haven't built a secure app; you've built a fragile one.

We need to stop treating every developer blog post about the dangers of XSS as a mandate to rewrite our entire session strategy. The industry needs to move back toward a pragmatic middle ground where we prioritize the session’s durability as much as its defense. A token remains a tool for access, not a trophy to be hidden in an inaccessible vault. It is time to stop engineering for the one-percent edge case and start building for the ninety-nine percent of users who just want their tools to remember who they are without a fight.

The Friday Brief

One essay. Every Friday. From operators who actually run things.

Join thousands of founders, partners, and operating leaders. No filler. Unsubscribe anytime.

Reader notes

0 Notes

Sign in to comment. Comments are signed and public.

Sign in →