How Should BrowsersDo Authentication?
Users logs in once to authentication server; server sends out “cookie”.
Or user has “client-side certificate”.
Both mechanisms can be compatible with tokens.
But both can be implemented with passwords, with most of their problems.