Well, best practice on configuring web-auth is to use a secondary IP address for the web-auth address. Place a second address on the specific IF with "web-authentication http" appended to it, and append the "preferred" option to the primary address.
As for the issue of HTTP versus HTTPS for authentication - I am guessing your concern is about transmitting your traffic in cleartext. That is a valid concern, of course, and I don't have an answer for you.