Hi Dimitirs,
when the certificate is the second factor, then please what is the first one? If you are using software certificates or kerberos tokens on a windows front-end, they are protected by the user password. If you are now using a user password as first secret, you have two passwords, which even may be the same. Usually for two factor you will hav to have something in Hardware or at least some smartphone with an authenticator app. You can also just use Kerberos or X.509 based auth (user logs in and then can access the SAP system using the X.509 or Kerberos tokens), but this then is only SSO.
Sorry, I still do not get it.
Regards,
Patrick