more than one way to skin the cat, and the answer depends on what the goal is.
If you’re using a CMS (WordPress, concrete5, etc.) the best way is likely to use your CMS’s authentication functions. For example, you might have a WordPress page that shows content A to users not logged in, a member logs in, and suddenly they get content B. You can’t do that kind of thing real well with .htaccess.
Personally I only use .htaccess access control for test sites, dev sites, etc. It’s effective: it keeps the search bots and curious people away until you’re ready to go public.