Having authentication mechanism away from user details is the best way. Reason is, we don't carry unwanted data when user just requested to view his profile.
But based on your question, if the authentication model is going to have only email & username, then I suggest to have it in User model itself. But if it contains authentication data like token, login_status etc, it will be clean and better to have Auth & User model separately.