I use a reverse proxy and client certificate authentication for anything I expose. That requires me to pre install the client certificate on all of my devices first, but afterwards they can connect freely via a web browser with no further prompting to authenticate. Anybody without the client certificate gets a 403 before they even get past the proxy.
There are limitations to this and overhead of managing a CA and the client certificates for your devices.
Correct. Get a 4th drive. You will be thankful one day down the road when you are rebuilding the array and you lose a drive during the rebuild.