by prepend 1567 days ago
I’ve used client certs for maybe 25 years. They are hard to configure. Most devs can’t get them working.

They also used to be expensive but I expect that’s dropped.

I’ve seen many “client certificate” solutions over the years that end up trying to do client management and crap out in many situations that are hard to fix (e.g., user changes their environment and the cert is gone, now they can’t log in).

To make it easy enough to use, it ends up having all the flaws of our current SSO environment. My friend had a company he was trying to start where he would automatically create and revoke client certificates for every device and session. But they were so ephemeral, they may as well have been cookies, and it ended up being really cumbersome to try to keep track of certs on client devices.