What other fucking form of authentication is there? Certs? Those are just strings - like a password. Encrypted certs? What are you encrypting them with?
It all comes down to a secret someone has too know. Call it a key, a cert, a token, whatever, it's a fucking password at the end of the day.
If your auth'ing with a username / password on an infected server you're actually *sending* your credentials to the server. This is not he case wih a cert auth, especially when you use ssh-agent to hop to other servers.
C'est magnifique, mais ce n'est pas l'Informatique. -- Bosquet [on seeing the IBM 4341]