What have you tried so far? I use backbone myself and I find that user authentication has no established best practice. I myself deviate from true REST and use session cookies to track authentication. I then set a 401 Unauthorized header and return a JSON string that tells my backbone client that it needs to route to the login page.
The login page asks for a username and password that is then transmitted as an update "put" and my rest controller for account tells the application if it was successful or not with a 200 or 406 header, then I route back to where the user first needed authentication to proceed.
There’s always a better way, I’m a bit of a backbone novice so I’m always looking for better ways.