by evgeny0 5640 days ago
But the random username / random password / client-side SSL certificate is excellent security.

The SSL certificate is, but not the random username. That's just a maintenance hassle. A username is not a secret - that's what the password is for. The random password isn't so great, either, because it pretty much forces you to write it down and then it just becomes a (poor) version of the SSL certificate. It should instead be a strong password that you can actually remember.


It should instead be a strong password that you can actually remember.

I agree that in theory a strong password one can remember is more secure than a randomly generated password that you have to write down.

However in practice, people just choose easy to guess passwords, or reuse the same password everywhere. That's a larger security problem, so the random passwords are more secure in practice.

Most really secure VPNs I've used use a SecurID[1] token and PIN, instead of a static password.

[1] http://www.rsa.com/node.aspx?id=1156

I've been using an extranet site recently that calls you, using Twilio or something I guess. They have my mobile phone number.

You enter your username and password on the web form and your phone rings a couple of seconds later. You are asked by a recording to type in your PIN. When you do, the HTTP request is completed and you are logged in.

It's very easy as a user, and seems quite secure. The username/password/PIN are all quite weak and easy to remember, but in conjunction with the phone call, it's fairly strong.
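The flow described in that last comment (password on the web form, then a PIN entered over a separate phone channel before the request completes) is easy to get wrong on the server side. The sketch below is an added example, not code from the site being described or from anyone in this thread; it models the two stages with a simulated dialer callback and shows the checks a defender wants: the challenge is tied to the password-verified user, expires quickly, is single use, and caps PIN attempts. User data, phone number and PIN are constructed placeholders.

```python
import hashlib
import hmac
import secrets
import time

# Constructed demo parameters (assumed, not from the thread).
PBKDF2_ROUNDS = 100_000


def _hash_secret(secret: str, salt: bytes) -> bytes:
    """Slow hash for both the password and the PIN, so neither is stored in clear."""
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, PBKDF2_ROUNDS)


def make_user(password: str, pin: str, phone: str) -> dict:
    salt = secrets.token_bytes(16)
    return {
        "salt": salt,
        "pw": _hash_secret(password, salt),
        "pin": _hash_secret(pin, salt),
        "phone": phone,
    }


# Constructed user database: one account with a memorable password and a short PIN.
USERS = {"alice": make_user("correct horse", "4821", "+15550100")}


class OutOfBandLogin:
    """First factor on the web form; second factor (PIN) over a separate phone channel."""

    CHALLENGE_TTL = 60        # seconds the pending login stays valid
    MAX_PIN_ATTEMPTS = 3      # wrong PINs allowed before the challenge is discarded

    def __init__(self, users, dial):
        self.users = users
        self.dial = dial          # callback that places the call; simulated in tests
        self.pending = {}         # challenge_id -> {"user", "expires", "attempts"}
        self.sessions = set()     # issued session tokens

    def begin(self, username, password, now=None):
        """Stage 1: verify the password, then create a challenge and dial the user."""
        now = time.time() if now is None else now
        user = self.users.get(username)
        # Hash even for unknown users so response time does not reveal which names exist.
        salt = user["salt"] if user else b"\x00" * 16
        candidate = _hash_secret(password, salt)
        if user is None or not hmac.compare_digest(candidate, user["pw"]):
            return None
        cid = secrets.token_urlsafe(24)
        self.pending[cid] = {"user": username, "expires": now + self.CHALLENGE_TTL, "attempts": 0}
        self.dial(user["phone"], cid)   # the server, not the client, initiates the call
        return cid

    def complete(self, cid, pin, now=None):
        """Stage 2: the PIN arrives over the phone channel; finish only on a live, matching challenge."""
        now = time.time() if now is None else now
        rec = self.pending.get(cid)
        if rec is None:
            return None
        if now > rec["expires"]:
            del self.pending[cid]
            return None
        rec["attempts"] += 1
        user = self.users[rec["user"]]
        if not hmac.compare_digest(_hash_secret(pin, user["salt"]), user["pin"]):
            if rec["attempts"] >= self.MAX_PIN_ATTEMPTS:
                del self.pending[cid]
            return None
        del self.pending[cid]     # single use: a replayed challenge id does nothing
        token = secrets.token_urlsafe(32)
        self.sessions.add(token)
        return token


if __name__ == "__main__":
    calls = []
    svc = OutOfBandLogin(USERS, lambda phone, cid: calls.append((phone, cid)))
    cid = svc.begin("alice", "correct horse")
    print("dialled:", calls)
    print("session:", svc.complete(cid, "4821"))
```

The point of the design is that the weak, memorable PIN only matters to someone who already has the password and can answer the registered phone, and a guessed challenge id buys nothing because the challenge is bound to a user who has already passed stage one and disappears after one use, three bad PINs, or sixty seconds.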