There’s supposed to be authentication in there; section 5 (I think–don’t have it in front of me now) of the index.php settings file has a bunch of related settings.
You can let people edit anything, logged in or not, or you can make them log in with any username (other than admin, of course), but with no password necessary, to edit non-locked pages. That much works.
In theory, you can also use external authentication; it has sections for LDAP, and external database access, as well as table definitions to add users to its own database. So far I haven’t gotten any of those to work, though.