I have some staging and development web servers on cloud hosting. I do not want them to be accessible to the general public. It's easy enough to restrict access by network or authentication.
The problem is that there are many times where I want third parties to have access, so they can preview changes before they go into production. It would be too much to ask these third parties to configure VPN clients or to create user accounts for all of them. It's ok if it's a little bit less convenient than just sending them a link in an e-mail, but too much would be a problem.
Is there a best practice for this scenario? If so, what is it? I feel like I'm asking how I can have my cake and eat it to, so I completely understand if you tell me it's not possible.
In these situations, I've usually gone with a HTTP Basic auth over the site with a shared username/password (one set of credentials per site, if you're doing lots at once). Since you're not really worried about who exactly is logging in, you don't need a login per user, and instead just need something to "keep the riffraff out", which, if you can trust whoever's coming to the site not to tweet the credentials you give them, should be satisfied by a simple shared username/password.