Given that it's possible to memorize a certificate, it definitively cannot be a 'something you have' factor. Something you have is more than just data. A client cert is nothing more than a fancy long password.
The base64-encoded SSL certificate for *.ycombinator.com is 1,755 characters. Maybe there are a few savants in the world who are capable of memorizing that, but for the overwhelming majority of human beings, it's never going to happen.