Yes, the double login is a bit of a pain.
The http/https authentication prompt is displayed when the cloud service is setup from model authentication or global authentication. (Or when the IIS proxy is setup with authentication) The information entered into the dialog here is never accessible to EA, so it can't be re-used for a later model security prompt. The only way to suppress this error is to not require http authentication. Fine for internal connections, but not for anything exposed to the net.
If the target model doesn't need security, but you want to authenticate the http connection, use the global authentication option and reference a dedicated model for the log-in details.
When connecting to a model with security enabled, EA then needs to determine the user to log-in as. As you know, this can be suppressed by allowing Windows authentication, but with the restriction that the full username of the user needs to match their computer login name.
I can't eliminate the double log-in in all circumstances, but I can limit it.
First, there's no issue with mixing usernames in the model including the domain and not. I recommend setting the username for each user to their primary/most used computer username. This way they will only get the security prompt when away from their normal environment.
Second, consider providing different methods for internal vs external access. It could be a separate cloud server, but more practical is providing an internal access port that is blocked by your firewall that doesn't require http authentication and an external access port that isn't blocked by your firewall that does.
Third, if users who are normally internal/domain users are complaining about the double prompt when accessing the model externally, you could provide a VPN so that they can access the internal port. They will still need to log-in twice, but one will be the VPN access.