Why aren't vendors going to client certs?
I don't understand why folks like Google just don't start requiring the client side to have a cert, and forcing the link to be authenticated on both sides - similar to the way SSH works.
Yes, you have to provide a drool-resistant mechanism to set everything up - but you could pretty easily have the app set up the client-side cert at account creation time, and instruct the user to save their private key to a flash drive (or SD card for a phone).
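For anyone wanting to see what "authenticated on both sides" looks like in practice, here is a small mutual-TLS demo in Go. It is an added example, not code from the poster or from any vendor: an in-memory CA stands in for the vendor issuing a client cert at account creation, "alice" is the assumed account name, and the server listens on localhost. The server is configured with RequireAndVerifyClientCert, so a client that does not present a cert chaining to that CA is rejected during the handshake, and the server takes the user's identity from the verified certificate rather than from anything the client sends.

```go
package main

import (
	"bufio"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// PKI holds constructed, in-memory credentials. The CA plays the vendor that
// issues a client certificate when the account is created (assumption for the demo).
type PKI struct {
	Pool       *x509.CertPool // trust anchor shared by both sides
	ServerCert tls.Certificate
	ClientCert tls.Certificate
}

// mkCert generates a fresh P-256 key and signs tmpl with parentKey (self-signed if parent is nil).
func mkCert(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	if parent == nil { // self-signed root
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// BuildPKI creates the CA, a server cert for localhost and a client cert for account "alice".
func BuildPKI() (*PKI, error) {
	now := time.Now()
	tmpl := func(serial int64, cn string, eku x509.ExtKeyUsage) *x509.Certificate {
		return &x509.Certificate{
			SerialNumber: big.NewInt(serial),
			Subject:      pkix.Name{CommonName: cn},
			NotBefore:    now.Add(-time.Hour),
			NotAfter:     now.Add(24 * time.Hour),
			KeyUsage:     x509.KeyUsageDigitalSignature,
			ExtKeyUsage:  []x509.ExtKeyUsage{eku},
		}
	}
	caT := tmpl(1, "Example Account CA", x509.ExtKeyUsageAny)
	caT.IsCA, caT.BasicConstraintsValid = true, true
	caT.KeyUsage |= x509.KeyUsageCertSign
	ca, caKey, err := mkCert(caT, nil, nil)
	if err != nil {
		return nil, err
	}
	srvT := tmpl(2, "localhost", x509.ExtKeyUsageServerAuth)
	srvT.DNSNames = []string{"localhost"} // Go verifies SANs, not the CN
	srv, srvKey, err := mkCert(srvT, ca, caKey)
	if err != nil {
		return nil, err
	}
	// The "account creation" step: the vendor CA signs a cert naming the account.
	cli, cliKey, err := mkCert(tmpl(3, "alice", x509.ExtKeyUsageClientAuth), ca, caKey)
	if err != nil {
		return nil, err
	}
	pool := x509.NewCertPool()
	pool.AddCert(ca)
	return &PKI{
		Pool:       pool,
		ServerCert: tls.Certificate{Certificate: [][]byte{srv.Raw}, PrivateKey: srvKey},
		ClientCert: tls.Certificate{Certificate: [][]byte{cli.Raw}, PrivateKey: cliKey},
	}, nil
}

// StartServer listens on an ephemeral localhost port and demands a client cert from the CA.
func StartServer(p *PKI) (addr string, stop func(), err error) {
	cfg := &tls.Config{
		Certificates: []tls.Certificate{p.ServerCert},
		ClientAuth:   tls.RequireAndVerifyClientCert, // the mutual-authentication switch
		ClientCAs:    p.Pool,
		MinVersion:   tls.VersionTLS12,
	}
	ln, err := tls.Listen("tcp", "127.0.0.1:0", cfg)
	if err != nil {
		return "", nil, err
	}
	go func() {
		for {
			c, err := ln.Accept()
			if err != nil {
				return
			}
			go serve(c.(*tls.Conn))
		}
	}()
	return ln.Addr().String(), func() { ln.Close() }, nil
}

func serve(c *tls.Conn) {
	defer c.Close()
	c.SetDeadline(time.Now().Add(5 * time.Second))
	if err := c.Handshake(); err != nil { // peer without a valid client cert is dropped here
		return
	}
	if _, err := bufio.NewReader(c).ReadString('\n'); err != nil {
		return
	}
	// Identity comes from the verified certificate, never from the request body.
	cn := c.ConnectionState().PeerCertificates[0].Subject.CommonName
	fmt.Fprintf(c, "hello %s\n", cn)
}

// Request connects with or without the client cert and returns the server's greeting.
func Request(addr string, p *PKI, presentCert bool) (string, error) {
	cfg := &tls.Config{RootCAs: p.Pool, ServerName: "localhost", MinVersion: tls.VersionTLS12}
	if presentCert {
		cfg.Certificates = []tls.Certificate{p.ClientCert}
	}
	c, err := tls.Dial("tcp", addr, cfg)
	if err != nil {
		return "", err
	}
	defer c.Close()
	c.SetDeadline(time.Now().Add(5 * time.Second))
	// Under TLS 1.3 the server's "certificate required" alert can arrive after the
	// client's handshake returns, so the rejection may surface on the write or the read.
	if _, err := fmt.Fprint(c, "ping\n"); err != nil {
		return "", err
	}
	line, err := bufio.NewReader(c).ReadString('\n')
	if err != nil {
		return "", err
	}
	return strings.TrimSpace(line), nil
}

func main() {
	p, err := BuildPKI()
	if err != nil {
		panic(err)
	}
	addr, stop, err := StartServer(p)
	if err != nil {
		panic(err)
	}
	defer stop()
	fmt.Println(Request(addr, p, true))  // hello alice <nil>
	fmt.Println(Request(addr, p, false)) // "" plus a TLS error: no cert, no session
}
```

The same CA pool is used for both ClientCAs on the server and RootCAs on the client, which is the "both sides authenticated" property the post asks about; in a real deployment the client private key would live wherever the user stored it (the poster's flash drive or SD card) rather than being generated in the same process.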