> Client certs appears to be a good solution. > > What's the process for managing them with more than a hundred client accounts?
If you've got the budget ... MDM. If you don't, you can probably hack together some sort of self-service system. > > I believe the problem they are trying to solve is hacked accounts from > > compromised passwords. Does client certs solve that problem? > Well yes. If you make client certs mandatory, unless the client can present a valid cert, the server will kill the connection before the client has a chance to try out a compromised password.