
Banks in the U.S. have been largely content with username and password security, perhaps because their sites don't let you do all that much -- at least so far. Now, with more p2p functionality coming (esp. cross-bank; see clearXchange), that might need to change in a hurry. Some banks (like Wells Fargo) do phone number authentication before executing some actions (like p2p payments). https://www.wellsfargo.com/privacy_security/online/advanceda...

At Clover (www.clover.com) we've built a payment app for iOS and Android which uses client certs to great effect. Once your iOS/Android device is bound to your Clover account using the client cert, you just need a short PIN to protect against unauthorized physical access to the device.

Because we're a native app, we're able to hide all the nastiness of installing the client cert. When the app is freshly installed, we first verify control over a phone number (by sending a text or calling it with a verification code). If that checks out, we issue a new client cert to that device and associate the device with the account bound to the phone number. An account is locked to a (small) set of devices (e.g. iPad + iPhone).
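The enrollment flow described in the comment above, sketched as an added example (assumed design, not Clover's code): a single-use phone verification code with an expiry, a device credential issued only after that check and bound to the account, a cap on the number of bound devices, and a PIN for later use from the bound device. The credential is represented by random bytes standing in for the issued client certificate, and the OTP is returned to the caller only so the flow can be exercised offline.

```python
import hashlib
import hmac
import secrets
import time

OTP_TTL_S = 300       # constructed: a phone verification code is valid for 5 minutes
MAX_DEVICES = 2       # constructed: account locked to a small set (e.g. iPad + iPhone)
PIN_ITERS = 200_000   # PBKDF2 rounds for the local-access PIN


class EnrollmentService:
    """Server-side model of the flow: prove control of a phone number, then
    issue a device credential bound to that account, then require only a PIN
    for later use from that device. Assumed design, not Clover's code."""

    def __init__(self):
        self.pending = {}    # phone -> (code, expires_at); one outstanding code per number
        self.accounts = {}   # phone -> {credential_fingerprint: (salt, pin_hash)}

    def start_verification(self, phone, now=None):
        code = f"{secrets.randbelow(10**6):06d}"
        now = time.time() if now is None else now
        self.pending[phone] = (code, now + OTP_TTL_S)
        return code   # delivered by SMS/voice in practice; returned here only for testing

    def enroll_device(self, phone, code, pin, now=None):
        """Returns the issued device credential, or None if verification fails."""
        now = time.time() if now is None else now
        entry = self.pending.pop(phone, None)   # a code is single-use, right or wrong
        if entry is None or now > entry[1] or not hmac.compare_digest(entry[0], code):
            return None
        devices = self.accounts.setdefault(phone, {})
        if len(devices) >= MAX_DEVICES:        # enforce the small bound-device set
            return None
        cert = secrets.token_bytes(32)         # stand-in for the issued client cert (DER bytes)
        salt = secrets.token_bytes(16)
        pin_hash = hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, PIN_ITERS)
        devices[hashlib.sha256(cert).hexdigest()] = (salt, pin_hash)
        return cert

    def authenticate(self, phone, cert, pin):
        """The device presents its bound credential (the TLS client cert in reality) plus the PIN."""
        rec = self.accounts.get(phone, {}).get(hashlib.sha256(cert).hexdigest())
        if rec is None:
            return False
        salt, pin_hash = rec
        candidate = hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, PIN_ITERS)
        return hmac.compare_digest(pin_hash, candidate)
```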


