Password authentication to something running on local network (and therefore can't get a useful TLS cert) is about it, in my experience. Use the PAKE in place of TOFU to trust a self-signed TLS cert in the browser and get rid of cert warnings, since in my understanding PAKE also helps authenticate the server, not just the user.
