There is a key article which points out what is supported for authenticating with EWS. I have put in a request to have some things addressed in this article.
Authentication and EWS in Exchange
This article does not point out that Kerberos is supported with Exchange on-premise servers. Kerberos is supported for all on-premise servers for EWS access and developer support involving it will be provided – this includes all supported on-premise servers up to what the latest version of Exchange is as of this article (Exchange 2016). Kerberos will not work with Exchange Online because its servers are cloud based (out of network). This is something I don't see as being changed in the future, however the call on what is supported in the future is up to the Exchange product developers. My role at Microsoft is providing developer support for Exchange and Outlook APIs and I'm not an Exchange product developer, so I cannot say what will and will not be in the future.
In the past we have not been providing developer support for CBA, however due to recent discussions with our Exchange product team we will now be providing developer support. CBA is supported for on-premise servers but not Exchange Online servers. For CBA, certificates need to be installed on all the Exchange servers involved - so, it's not a viable option for Exchange Online which is composed of many, many tens of thousands of servers (I found an article saying there were over 67,000 servers even back in 2014).
Side note: Please note that ADFS is not supported with EWS. Look to oAuth (Exchange Online) or CBA (Exchange on premise) for enhanced auth. ADFS does work with OWA, however OWA is pre-configure server product and EWS is an API. So, don't have expectations on things being supported with any API (EWS as an example) just because it works with a Microsoft product (OWA as an example).