I don't know why we don't have paired key support built into browsers, and extensions built for major web languages.

For users, it may seem similar to OpenID (sign in with Google/Facebook/Twitter, etc.) but the public key could be provided automatically by the browser.

Of course, there may be portability issues, but with the availability and prevalence of smartphones, tablets, etc. and with the increasingly common "browser sync", I'm sure that could be easily dealt with.

So if anyone is working on this, where are they, and if not, why not?

You can. You install a client certificate and configure your web application to demand that certificate during the TLS handshake. It works fine.

The reason it doesn't get used in practice is similar to the reason why HTTP Authentication doesn't get used in practice: login is something many apps want to keep control over, and delegating that feature to browser chrome (either in the form of the HTTP Authentication popup, or the [even worse] certificate selection UI) makes it difficult to control login, provide password reset, display user help, &c.

Over the medium term, expect to see 2FA products filling this gap. The phone-based 2FA products all allow web app developers to control their own login UX while mitigating the password vulnerability.

The incipient success of 2FA solutions is also a reason I wouldn't bet on browser-based public key authentication or federation happening; the latter solutions are competing with a more pragmatic, simpler alternative.