Cloning security of private repos

I set up a private repo recently and when I went to clone it to a new machine using the HTTPS option I noticed that I wasn’t prompted for a username or password like I am when I push or pull to my other repos. Then I realized that I can’t recall supplying a username or password to clone either of my active projects since I started using Gitlab a couple of months ago.

I do have to supply credentials to push and pull from the repo.

Is this normal behavior and am I missing a security option? I assume that if I don’t have to supply account credentials that anyone that came across my repo’s URL could clone the repo without issue even though it’s private.