
Cookies are actually incredibly valuable as a place to store web auth tokens where JavaScript cannot get access to your valuable user information.

No matter what happens, if I store my JWT in a no-JavaScript cookie, it's safe. Nowhere else on the web is safe in that way.

I also feel like it's a mistake to tell people to use fingerprinting instead of cookies. When users actually have control of cookies, it's almost always better for them if we use those instead of fingerprinting.



Not just HTTP-only cookies (no JS), but also the control for 'Secure' (HTTPS only) and 'SameSite' for CSRF blocking. Not using cookies and storing your auth tokens in other places is a rookie mistake.

That said, 3rd-party cookies should be blocked by default. IDPs and other exceptional cases can request permission or use one-time query param hashes to exist without them.
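The three attributes this comment names (HttpOnly, Secure, SameSite), as an added example that is not from any commenter: a Python helper that emits a Set-Cookie header for an auth token with all three set, and an audit function that reports which of those protections a given header lacks. Cookie names and token values are constructed for the example.

```python
from http.cookies import SimpleCookie


def auth_cookie_header(name, token, max_age=3600):
    """Build a Set-Cookie header value for an auth token.

    HttpOnly keeps the token away from JavaScript, Secure restricts it
    to HTTPS, and SameSite=Strict stops browsers attaching it to
    cross-site requests (CSRF).
    """
    jar = SimpleCookie()
    jar[name] = token
    jar[name]["httponly"] = True
    jar[name]["secure"] = True
    jar[name]["samesite"] = "Strict"
    jar[name]["path"] = "/"
    jar[name]["max-age"] = max_age
    return jar[name].OutputString()


def audit_set_cookie(header):
    """Parse one Set-Cookie header value and list missing protections.

    Returns an empty list when HttpOnly, Secure and a Lax/Strict
    SameSite are all present; attribute names are case-insensitive.
    """
    parts = [p.strip() for p in header.split(";")]
    attrs = {}
    for part in parts[1:]:  # parts[0] is name=value
        key, _, value = part.partition("=")
        attrs[key.strip().lower()] = value.strip()

    findings = []
    if "httponly" not in attrs:
        findings.append("missing HttpOnly: token readable by JavaScript")
    if "secure" not in attrs:
        findings.append("missing Secure: token may be sent over plain HTTP")
    if attrs.get("samesite", "").lower() not in ("lax", "strict"):
        findings.append("SameSite not Lax/Strict: cookie rides on cross-site requests")
    return findings


if __name__ == "__main__":
    # Constructed token value; a real JWT would go here.
    good = auth_cookie_header("session", "eyJhbGciOi.example.token")
    print(good)
    print(audit_set_cookie(good))                       # []
    print(audit_set_cookie("session=abc; Path=/"))      # three findings
```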


Outside of fraud and security mitigation, I have yet to see a legitimate use case for fingerprinting.

I very much do want the bank to fingerprint the hell out of my devices, front page of my local newspaper? Nope.


How about using browser-supported auth mechanisms instead of manually reimplementing auth using cookies? There is HTTP basic auth, or TLS client certs and probably more.


Basic Auth with digests has some issues, but both that and client certs mostly fail because of poor browser implementation.

Client certs would really be ideal if browsers handled them better and synced the certs between devices (like bookmarks), but I guess that still wouldn't solve signing in from a new/different (non-synced) device.


You could offer one-time rescue codes (like the ones used when people have TOTP auth) to let people add new certs on new devices.


Because both of them work terribly.

I've used basic auth in production. It has terrible user experience, and unfixable issues and limitations.

I wish browser-integrated logins had taken off, with Persona, but that was unfortunately abandoned.


Why are browser vendors so terrible at auth stuff :(



