I have noticed that using TOTP applications such as Google Authenticator or Authy for 2FA is supported for enhanced security, but how about the use of SSL client certificates one can get through places like CAcert.org? With the use of 2048-bit keys to verify the user's email address and grant access, it seems to me that unless you had a passphrase of 256+ characters, it would be superior to using a passphrase, and actually would also be of at least comparable, if not superior, security to TOTP, even if the latter is using HMAC-SHA-512 and the typical 160-bit secret. And at the same time, it would make it a far more convenient option for logging in for normal use, saving the other as a backup means. Thoughts?