I think there is no such thing as the most secure authentication method. Each method has pros and cons. To have a secure app not only good authentication is needed but also other best practices for security.
There is a myth on the internet that an httpOnly cookie will save you in the case of XSS, which is untrue. In the case of XSS, values stored in localStorage can be directly read. Values in cookies (httpOnly or not) can be used for malicious requests in case of XSS (they won't be accessed directly as in localStorage, but can be used for "bad" requests, for example, to change the password). To be safe against XSS just do not store any auth data in cookies or localStorage. Force users to log in each time the website is refreshed - that's the most secure.
In my opinion, there is no silver bullet in auth. If you are planning to add a mobile app, a good solution might be to go with token authentication (can be JWT or DRF token or django-rest-knox).
What I'm using is DRF token + Djoser; it has all the needed URLs for managing auth (and is simple). The nice feature of Djoser is that it deletes the token on logout and creates a new token on login. If someone steals your token, just log out and it will be invalid. I store the token in localStorage. I'm using React, which has some XSS defense mechanisms. Additionally, I'm using Content Security Policy and HTTPS (with Let's Encrypt). I only use trusted packages. I hope this gives security for the app. Is it 100% secure? Probably not ... Is there anything 100% secure which is connected to the internet? Probably not. My advice is to do your best to be secure.
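Added example, not part of the original answer and not Djoser's or DRF's own code: a small in-memory model of the token lifecycle described above (new token on login, token deleted on logout), showing what a copied token can do before and after the owner logs out. The `TokenStore` class, the `stolen_token_scenario` function, the user name and the digest-only storage are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets


class TokenStore:
    """In-memory model: one token per user, deleted on logout."""

    def __init__(self):
        # Assumption: store only SHA-256 digests, not raw tokens.
        self._digests = {}

    @staticmethod
    def _digest(token):
        return hashlib.sha256(token.encode()).hexdigest()

    def login(self, user):
        """Issue a fresh random token, replacing any previous one."""
        token = secrets.token_hex(20)  # 160 random bits as 40 hex chars
        self._digests[user] = self._digest(token)
        return token

    def logout(self, user):
        return self._digests.pop(user, None) is not None

    def authenticate(self, token):
        """Return the token's owner, or None if unknown or revoked."""
        candidate = self._digest(token)
        for user, stored in self._digests.items():
            if hmac.compare_digest(stored, candidate):
                return user
        return None


def stolen_token_scenario():
    """Constructed scenario: a token is copied, then its owner logs out."""
    store = TokenStore()
    original = store.login("alice")
    stolen_copy = original  # a third party holds the same string
    before = store.authenticate(stolen_copy)
    store.logout("alice")
    after = store.authenticate(stolen_copy)
    fresh = store.login("alice")
    return {
        "valid_before_logout": before == "alice",
        "valid_after_logout": after is not None,
        "fresh_differs": fresh != original,
        "fresh_valid": store.authenticate(fresh) == "alice",
    }
```

The copied token authenticates right up to the logout, so revocation only limits how long a stolen token is useful; it does not prevent the theft.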