I've used client certs several times, but not necessarily to authenticate a user. We have a few mobile apps with a public facing HTTPS API endpoint. Currently, we have it set up to use a client cert that we ship with the app itself to 'secure' the connection between the app and the server. In reality, it's no more secure than embedding a username/password in the app itself and using basic auth.
It was slightly tricky to get the iOS/Android programmatic HTTP layers to properly format and present the cert to an auth challenge, but since we figured that out, it's been seamless.
It was slightly tricky to get the iOS/Android programmatic HTTP layers to properly format and present the cert to an auth challenge, but since we figured that out, it's been seamless.