This isn't "better" than Single Sign On; if anything, I would call it a complementary, not competitive, technology.
A client certificate is a statement of trust for a particular machine, not a user. They can be very useful when you want to do the equivalent of IP-address restrictions for access to a service, but want to support mobile systems and/or need stronger guarantees than simple IP checking provides.
The biggest problem with client certs, in addition to the "multiple users sharing a machine account" gotcha mentioned in the article's comments, is that there is no "logout" mechanism. I can't let someone else use my machine without logging out of the local account and in to another guest account, because the cert is always going to be presented.
If someone would just do the signing-dongle thing in a user friendly way, maybe plugging/unplugging that is closer to authenticating the user ('something they have': the dongle, 'something they know': a passphrase to activate the dongle on plugin). Then the browser could use that as the signer/verifier.
I do something similar with a standard usb drive and pageant + portable putty/winscp.
A client certificate is a statement of trust for a particular machine, not a user. They can be very useful when you want to do the equivalent of IP-address restrictions for access to a service, but want to support mobile systems and/or need stronger guarantees than simple IP checking provides.
The biggest problem with client certs, in addition to the "multiple users sharing a machine account" gotcha mentioned in the article's comments, is that there is no "logout" mechanism. I can't let someone else use my machine without logging out of the local account and in to another guest account, because the cert is always going to be presented.