
Is any B2C mainstream bank using client certificates? I've not seen it in the wild. I think the easier solution is just BYOD to work with a 3G/4G SIM; you can pick up a reasonable 8" tablet for $100 that supplements your phone for when you need a bigger screen size.


“Is any B2C mainstream bank using client certificates?”

I doubt it. AFAIK the web browsers’ UI for handling client certificates is way too cumbersome for mainstream usage.


One of the nice things in TLS 1.3, which we might never end up using in anger but is there if we want it, is that the server's request for a client certificate now gets to express arbitrary constraints.

In TLS 1.2 you could only express a list of CAs whose signatures you trust (this is one of the most widely misconfigured settings in OpenSSL-based software: telling OpenSSL you _trust_ some CA to identify clients when actually you meant to say your server certificate is _signed_ by that CA).

In TLS 1.3 you can write out arbitrary constraints, although somebody will need to define any new ones in a separate ID or RFC. So this might simplify the end user experience down the road because the browser can do enough matching to just hand over the correct certificate automatically.

Or it might never get used on the public Internet, oh well.
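As an added illustration, not part of the thread, here are the two CertificateRequest layouts the comment contrasts, built from constructed bytes and parsed back: the TLS 1.2 body (RFC 5246 §7.4.4) has a fixed slot for CA names and nothing else, while the TLS 1.3 body (RFC 8446 §4.3.2) is a list of extensions, so certificate_authorities sits beside whatever other constraints get defined (oid_filters here). The CA names, signature algorithms and the extKeyUsage filter are constructed sample data.

```python
EXT_SIGNATURE_ALGORITHMS, EXT_CERTIFICATE_AUTHORITIES, EXT_OID_FILTERS = 13, 47, 48  # RFC 8446 s4.2
SIG_ALGS = [b"\x04\x03", b"\x08\x04"]  # ecdsa_secp256r1_sha256, rsa_pss_rsae_sha256

def vec(items, width):  # TLS vector: width-byte big-endian length prefix, then the concatenated items
    body = b"".join(items)
    return len(body).to_bytes(width, "big") + body
def take(buf, width):  # inverse of vec: pop one vector off buf, returning (contents, rest)
    n = int.from_bytes(buf[:width], "big")
    return buf[width:width + n], buf[width + n:]
def der_cn(name):  # X.501 Name with one CN attribute: SEQ{ SET{ SEQ{ OID 2.5.4.3, UTF8String }}}
    tlv = lambda tag, body: bytes([tag, len(body)]) + body  # short-form DER; bodies stay under 128 bytes
    return tlv(0x30, tlv(0x31, tlv(0x30, b"\x06\x03\x55\x04\x03" + tlv(0x0C, name.encode()))))
def names(auth):  # decode a DistinguishedName list back into the CN strings der_cn produced
    out = []
    while auth:
        dn, auth = take(auth, 2)
        out.append(dn[13:13 + dn[12]].decode())  # the UTF8String value sits at offset 13 of der_cn output
    return out

def build_tls12(ca_names):
    """RFC 5246 s7.4.4: certificate_types, supported_signature_algorithms, certificate_authorities."""
    return (vec([b"\x01", b"\x40"], 1) + vec(SIG_ALGS, 2)  # rsa_sign, ecdsa_sign
            + vec([vec([der_cn(n)], 2) for n in ca_names], 2))  # the only constraint the format offers

def build_tls13(ca_names, extra=()):
    """RFC 8446 s4.3.2: certificate_request_context, then extensions; extra = [(type, data), ...]."""
    ext = lambda etype, data: etype.to_bytes(2, "big") + vec([data], 2)
    exts = [ext(EXT_SIGNATURE_ALGORITHMS, vec(SIG_ALGS, 2)),
            ext(EXT_CERTIFICATE_AUTHORITIES, vec([vec([der_cn(n)], 2) for n in ca_names], 2))]
    return vec([], 1) + vec(exts + [ext(t, d) for t, d in extra], 2)

def parse_certificate_request(body, version):
    """Return the CA names the server accepts and, for TLS 1.3, any other constraint extensions."""
    if version == 0x0303:  # TLS 1.2: certificate_types, supported_signature_algorithms, then the CA list
        rest = take(take(body, 1)[1], 2)[1]
        return {"certificate_authorities": names(take(rest, 2)[0]), "other_constraints": []}
    result = {"certificate_authorities": [], "other_constraints": []}
    exts, _ = take(take(body, 1)[1], 2)          # TLS 1.3: skip certificate_request_context
    while exts:
        etype, (data, exts) = int.from_bytes(exts[:2], "big"), take(exts[2:], 2)
        if etype == EXT_CERTIFICATE_AUTHORITIES:
            result["certificate_authorities"] = names(take(data, 2)[0])
        elif etype != EXT_SIGNATURE_ALGORITHMS:  # unrecognised types are recorded and skipped
            result["other_constraints"].append(etype)
    return result

def demo(cas=("Example Client CA", "Partner Client CA")):  # same CA list both ways; only 1.3 adds a filter
    flt = [(EXT_OID_FILTERS, vec([vec([b"\x55\x1d\x25"], 1) + vec([], 2)], 2))]  # constructed extKeyUsage filter
    return (parse_certificate_request(build_tls12(cas), 0x0303),
            parse_certificate_request(build_tls13(cas, flt), 0x0304))
```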


The point I was really making was one about transparency. Many people don't know their connection is insecure. They see the green link status in Chrome and everything is good.

If the server detects an insecure connection, then at least the minimum is that the user is informed.

