There should be an auth backend that enforces an initial 401 reply. This would be useful to off-load generation of those initial replies from other backends such as the URL auth backend.

This works by:

If (!user || !password) {
    return failed;
} else {
    return no match;
}