Actually, the answer is probably a combination of 1 and 3.
You can take advantage of a lot of the tools and features that the framework provides for you by writing a membership, role or profile provider if the default options don’t quite go as far as you’d like.
We’ve done just that on a number of client sites – for example one of our clients has most of their users stored as Commerce Server users, and use the Commerce Server profile system, so we wrote a membership and profile provider to talk to those datastores – a fairly simple excercise.
Most people are probably going for 3 because of the need to authenticate over raw TCP – this introduces a layer beyond that of the standard ASP.NET membership providers.
Most of what MS produce is “ok” or “good enough”, but there will always be edge cases where you want to do something “not quite standard” that mean you end up rolling your own. I guess to have something beyond “Basic Auth” or “Windows Auth” that was simple for your average developer to understand, they took the sensible option of “lets just build this for the web”.
If you take a look at the numerous ways you can authenticate against a WCF service, you’ll see what I mean – these are designed to handle different transport mechanisms, and are therefore much more complex.
That said, the default roles and profile providers are fairly limited (roles: no hierarchy, so you need to check for each possible role, or explicitly assign each role to the user; profiles: all stored in one field as comma seperated values – not easy to find all users who’ve got a value set).