
doc: narrow TEA authentication guidance#236

Open
MChorfa wants to merge 4 commits intoCycloneDX:mainfrom
MChorfa:spec-auth-guidance

Conversation

@MChorfa

@MChorfa MChorfa commented Mar 30, 2026

Summary

This PR is a focused split from #235 and contains only doc/authentication.md.

What changed

  • removes hard-coded universal claims such as a mandatory TLS 1.3 minimum and specific client certificate algorithms
  • describes bearer tokens and mTLS as common deployment patterns
  • states that stricter TLS baselines belong in a TEA profile or deployment baseline
  • references OWASP TLS guidance and NIST SP 800-52 Rev. 2

Intent

Address review feedback that the prior TLS language was too broad and not grounded enough for the base TEA specification.
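
One way a deployment could act on the split the PR describes (base expectation: TLS on protected endpoints; profile or baseline: the TLS floor and the auth pattern) is to derive both the server TLS context and the request-authentication check from a profile object. The following is an added example, not code from this PR or from the TEA project; `TransportProfile`, the `base`/`strict-mtls` profiles, `KNOWN_TOKENS` and the token values are hypothetical, and certificate file loading is left out so it runs without key material.

```python
import hmac
import ssl
from dataclasses import dataclass
from typing import Mapping, Optional


# Hypothetical profile shape (an assumption, not a TEA spec structure): the base
# expectation is only "protected endpoints use TLS"; a profile or deployment
# baseline may pin a TLS floor and choose the authentication pattern.
@dataclass(frozen=True)
class TransportProfile:
    name: str
    min_tls: Optional[ssl.TLSVersion] = None   # None: keep the library default, no spec-level pin
    require_client_cert: bool = False          # mTLS deployment pattern
    accept_bearer: bool = True                 # bearer-token deployment pattern


BASE = TransportProfile(name="base")
STRICT = TransportProfile(
    name="strict-mtls",
    min_tls=ssl.TLSVersion.TLSv1_3,
    require_client_cert=True,
    accept_bearer=False,
)

# Constructed sample token store; a real deployment would consult its token service.
KNOWN_TOKENS = {"tok-constructed-1": "ci-runner"}


def server_context(profile: TransportProfile) -> ssl.SSLContext:
    """Build a server-side TLS context from a profile.

    load_cert_chain / load_verify_locations are omitted so this runs without
    files; in a deployment those calls follow the settings below.
    """
    ctx = ssl.create_default_context(ssl.Purpose.CLIENT_AUTH)
    if profile.min_tls is not None:
        ctx.minimum_version = profile.min_tls
    if profile.require_client_cert:
        ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def context_summary(profile: TransportProfile) -> dict:
    """Report the effective transport settings a profile produced."""
    ctx = server_context(profile)
    return {
        "min_tls": ctx.minimum_version.name,
        "client_cert_required": ctx.verify_mode == ssl.CERT_REQUIRED,
    }


def authenticate(profile: TransportProfile,
                 headers: Mapping[str, str],
                 peer_cert: Optional[dict]) -> Optional[str]:
    """Return a principal identifier, or None when the request must be rejected.

    peer_cert has the shape returned by ssl.SSLSocket.getpeercert():
    {"subject": ((("commonName", "..."),), ...), ...}.
    """
    if profile.require_client_cert:
        if not peer_cert:
            return None
        for rdn in peer_cert.get("subject", ()):
            for attr, value in rdn:
                if attr == "commonName":
                    return f"cert:{value}"
        return None
    if profile.accept_bearer:
        scheme, _, token = headers.get("authorization", "").partition(" ")
        if scheme.lower() != "bearer" or not token:
            return None
        for known, principal in KNOWN_TOKENS.items():
            # constant-time comparison so token guessing gains nothing from timing
            if hmac.compare_digest(token, known):
                return f"token:{principal}"
        return None
    return None


if __name__ == "__main__":
    print(context_summary(BASE))
    print(context_summary(STRICT))
    print(authenticate(BASE, {"authorization": "Bearer tok-constructed-1"}, None))
    print(authenticate(STRICT, {}, {"subject": ((("commonName", "tea-client"),),)}))
```

The base profile changes nothing about the TLS version floor, which matches the PR's position that the base spec only expects TLS; the strict profile is where a TLS 1.3 minimum and client certificates are pinned.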

Mohamed Chorfa added 4 commits March 29, 2026 19:08
Signed-off-by: Mohamed Chorfa <mohamed.chorfa@thalesgroup.com>
Signed-off-by: Mohamed Chorfa <mohamed.chorfa@thalesgroup.com>
Signed-off-by: Mohamed Chorfa <mohamed.chorfa@thalesgroup.com>
Signed-off-by: Mohamed Chorfa <mohamed.chorfa@thalesgroup.com>
@MChorfa
Author

MChorfa commented Mar 30, 2026

Following the feedback on #235: the earlier TLS wording was carried forward from the broader draft rather than intended as a final universal base-spec requirement, and the concern about it being too prescriptive was fair.

This follow-up narrows the document to deployment patterns, keeps only the base expectation that protected TEA endpoints use TLS, and leaves stricter transport baselines to TEA profiles or deployment policy.

@oej
Collaborator

oej commented Mar 30, 2026

Is a new document needed? What is missing in the current documentation?

2 participants