Re: unlimited login attempts/client certificates
Limiting login attempts on a cloud service becomes a denial-of-service path - don't like someone? Attempt to log onto to their cloud account with a guessed password. If it works, you get access, if not repeat X times and lock out the account.
On top of that, how do you unlock the account? You probably can't verify the account holder is who they say they are with any great certainty (i.e. e-mail may have been breached, phone may have been stolen, a lot of the default questions in password recovery Q+A's can be be answered from Internet searches if filled in literally (i.e. mothers maiden name, schools, addresses).
As for using client certificates, I would have thought that an app that ties in your cloud sign up (for mobile devices) or licensing for Windows would be fairly straight-forward and maybe this already happens. The problem that I see is that providing an easy way to add more devices to an account or swapping between an old and new device probably voids any benefit from this approach as it would allow either a way of moving certificates or adding new certificates with minimal fuss.