I've always thought password authentication is not the best way to be doing auth for websites. Certificates seem to be the right solution, but difficult for the user to manage. (I love certs for SSH.)
I guess I could expand upon that in the 2nd bonus point. Certificates would make an excellent extension to HTTP Auth, as long as end-users can self-sign, like SSH, and not have to pay a $100/yr extortion fee to a company like Verisign.
Commercial X.509 certificates are as cheap as $9.95, and there are several free services. But they are a pain to try to explain to a typical end user: how to configure and install them in their browser.