The rest of the connected world has determined that username and password, supplemented by OTP methods or some other multifactor authentication, is enough.

Having a login cert is fine if the "user" is an organisation. It is a broken model for individuals or small businesses.