I've heard an important point made in correcting people when they identify certificate authentication as two-factor. It isn't out of band so a single machine compromise amounts to account compromise. I am concerned however, when people draw the analogy of certificate auth being a strong password and I'll explain why.
Certificate authentication differs substantially from strong passwords:
Number 1 is important because it removes the ability of a attacker with access to impersonate the server side from impersonating the user on other services where they use a common password. This is important in the event of TLS MitM (Superfish), DNS poisoning or the compromise of any unrelated system where users might use the same password.
Even with a fully decrypting TLS MitM the attacker cannot obtain the client's private key because the authentication is done with D-H (Diffie-Hellman Key Exchange), just as the original TLS auth is (thus the attacker can't directly impersonate the server, but must rely on client-compromise like the Superfish root cert).
Number 2 is important because the difficulty of cracking a certificate's private key is the same as cracking the private key of google.com given its certificate. In other words, it's impractical to the point of not even being considered. This removes a major concern in breaches leading to password hash dumps, because there are no password hash dumps to obtain, just certficates which are effectively public record.
Certificate auth is non-trivial both on the server and on the client and is not sufficient for two-factor even in combination with a password. It is, however, a worthwhile option in reducing risk for highly privileged accounts where desired.
Certificate auth combined with managed two-factor is an ideal combination, but why do that directly at all. SAML integration is the best long-term solution since it gives your customers control of how strong they want their authentication to be (including client certs). I would go so far as to say it makes the most sense to implement even the integrated login service of an application as a SAML IdP. Why reinvent the wheel and introduce two code paths to maintain?
Returning to my original point, certificate auth is way more than a strong password.