"Sounds well dodgy to me if authentication isn't done at the server end."

Authentication is certainly done at the server end, just with per-agent cryptographic keys rather than a shared password. It's then up to the agent (i.e. your device) to ensure those keys are securely stored. Most phones and enterprise devices already do some form of this; this is a generalisation for the general web.
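
The server-side check described in the reply above, as an added example that is not part of the original comment: a challenge-response exchange in which the server stores only each device's public key and verifies a signature over a fresh challenge. It uses Node's built-in `crypto` module with Ed25519; the function names, the in-memory maps and the device id `phone-1` are assumptions made for illustration.

```javascript
const crypto = require('node:crypto');

// Server state (hypothetical in-memory stores): no shared secret is kept.
const registeredKeys = new Map();    // deviceId -> public key (PEM)
const pendingChallenges = new Map(); // deviceId -> outstanding challenge

function registerDevice(deviceId, publicKeyPem) {
  registeredKeys.set(deviceId, publicKeyPem);
}

// Server: hand out a fresh random challenge for this login attempt.
function issueChallenge(deviceId) {
  const challenge = crypto.randomBytes(32);
  pendingChallenges.set(deviceId, challenge);
  return challenge;
}

// Server: the authentication decision is made here, against the stored public key.
function verifyResponse(deviceId, signature) {
  const challenge = pendingChallenges.get(deviceId);
  const publicKeyPem = registeredKeys.get(deviceId);
  pendingChallenges.delete(deviceId); // single use, so a replayed response fails
  if (!challenge || !publicKeyPem) return false;
  return crypto.verify(null, challenge, publicKeyPem, signature);
}

// Device (the "agent"): the private key stays inside this closure.
function createDevice() {
  const { publicKey, privateKey } = crypto.generateKeyPairSync('ed25519');
  return {
    publicKeyPem: publicKey.export({ type: 'spki', format: 'pem' }),
    sign: (challenge) => crypto.sign(null, challenge, privateKey),
  };
}

function demo() {
  const phone = createDevice();
  registerDevice('phone-1', phone.publicKeyPem);

  const sig = phone.sign(issueChallenge('phone-1'));
  const ok = verifyResponse('phone-1', sig);      // valid login
  const replay = verifyResponse('phone-1', sig);  // challenge already consumed

  issueChallenge('phone-1');
  const stale = verifyResponse('phone-1', sig);   // old signature, new challenge

  const other = createDevice();                   // a device that was never registered
  const wrongKey = verifyResponse('phone-1', other.sign(issueChallenge('phone-1')));
  return { ok, replay, stale, wrongKey };
}
```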

