Yes, I think your conclusions are pretty much correct..

Some comments: firstly, (and lots of ppl might not agree), I'm not so sure that the username/password combination is the only one available for most authentication jobs.
To cite an example, assume that you and the authenticator decide on a mathematical formula (ie: take number x, subtract 10, multiply by 3 etc etc). When you attempt to login, you are prompted with a number, and it is upto you (as the person attempting to login) to remember the formula, apply it to the number and return to the server. The server authentication 'remembers' the number it sent you, and it knows the formula that you agreed upon...so, its another means of authentication (but not even close to foolproof, of course)..but the point is that part of the authentication is dynamic, so chances of a replay attack are reduced...
To take this one step further, this is an interesting link I found that does something similar..

One of the references mentioned in this node is probably the most widely used means of authentication so far.. session based authentication.. Essentially, the webserver needs to cooperate and send a session key for use by the client side encryption. In this way, anybody seeing the client side encryption code still won't know the session key used in the encryption, and thus, this provides better security..
HTH