I would want X.509 client authentication. You can use a passworded private key if wanted (and the server will not need to know your password), and there are other benefits with security and other stuff, compared with the more common 2FA and cookies and that stuff. It also ensures better that the client and server are communicating with each other that they want to rather than someone else that they don't want, then merely using X.509 server authentication only.