Client certs are great, but the UI for them is bad and browser vendors are making it worse, for example they killed <keygen> so you have to tell people to run OpenSSL commands in a terminal during signup.