When I was with the gummint, I used a smart card with an embedded certificate. However, at home I use a long password that would pass older standards regarding use of upper and lower case, digits, and special characters.
Note that for web implied sessions based on HTTP and HTTPS, you often don't have a choice.