[jodoherty]

Also, the prompt is uniform and immediate anywhere you need authenticated. With a single client certificate that meets the server's criteria, most browsers can be configured to automatically apply your certificate so you never even see the prompt.

Furthermore, browsers support different kinds of storage for client certificates. You could, in theory, make a cloud hosted client certificate store that you unlock once per session to use with your browser.

Ultimately, it addresses the whole "finding the login button" concern by eliminating login flows from the application completely. If you have no certificate, then you can't access the service at a protocol level, period.