My thinking was that the server would simply support both -- Digest Auth for WF2 UAs and standard insecure POST/cookie auth for old UAs. This would take a little extra coding but hardly seems insurmountable.