SSL Client Auth is great and all but what happens when the client loses the private key? Or just wants to sign in from a different device?