• The Basic Authentication using application password, which is provided by default in WP – is this Base64 encoded? How secure is it as compared to JWT and API Key authentication?

  • Moderator bcworkz (@bcworkz)

    Basic Auth and application passwords are actually two different methods, neither being the default. The default is cookie authentication. Application passwords can be passed using Basic Auth protocol, but the hashing algorithm is different. Basic Auth is not intended for production environments. My understanding is it’s not very secure. Application passwords use the same portable hasher that is used for WP logins. The algorithm is still MD5 at its root, but it’s additionally processed to make cracking more difficult. MD5 is used for broad compatibility reasons. You can get the hasher to use Blowfish instead by defining CRYPT_BLOWFISH as 1 or true in wp-config.php.

    JWT and OAuth are the other options. I’m not knowledgeable about how they actually manage security, but I’m confident they are adequately secure. I’m unfamiliar with “API Key authentication”, not sure what you mean by that. Basic Auth is the only one you’d want to avoid. Any of the others are fine, use whichever you’re most comfortable using. Personally, I like Application Passwords.
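To illustrate the two points made in the reply above (that Basic Auth merely Base64-encodes the credentials, and that the server stores only a salted, iterated MD5 hash of an application password), here is an added Python example; it is not WordPress code, and `portable_hash` is a simplified stand-in for the phpass portable hasher (it omits phpass's own output encoding and the Blowfish option).

```python
import base64
import hashlib
import hmac
import os

# Constructed sample header: Base64 of "alice:s3cret" (not a real credential).
SAMPLE_HEADER = "Basic YWxpY2U6czNjcmV0"


def parse_basic_auth(header_value):
    """Split an 'Authorization: Basic ...' value into (user, password).

    Basic Auth only Base64-encodes 'user:password'. That is an encoding,
    not encryption: anyone who can read the request (e.g. without TLS)
    recovers the plaintext, which is why it must only travel over HTTPS.
    """
    scheme, _, token = header_value.strip().partition(" ")
    if scheme.lower() != "basic":
        raise ValueError("not a Basic Auth header")
    user, _, password = base64.b64decode(token).decode("utf-8").partition(":")
    return user, password


def portable_hash(password, salt, count_log2=8):
    """Salted, iterated MD5 in the style of the phpass 'portable' hasher.

    MD5 is the root primitive, but the salt and 2**count_log2 rounds
    (8192 by default) make offline cracking slower than a single MD5.
    Returns the raw 16-byte digest (simplified; phpass encodes it further).
    """
    rounds = 1 << count_log2
    pw = password.encode("utf-8")
    digest = hashlib.md5(salt + pw).digest()
    for _ in range(rounds):
        digest = hashlib.md5(digest + pw).digest()
    return digest


def store_app_password(password):
    """What the server keeps: a random salt and the hash, never the password."""
    salt = os.urandom(8)
    return {"salt": salt, "hash": portable_hash(password, salt)}


def verify_app_password(record, presented):
    """Recompute with the stored salt and compare in constant time."""
    candidate = portable_hash(presented, record["salt"])
    return hmac.compare_digest(candidate, record["hash"])
```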


The topic ‘REST API Basic Authentication vs JWT vs API Key’ is closed to new replies.