Can a client with an x509 certificate and server-side validation of IP address and deviceId be considered a trusted system for a less secure login method?

We are working on a web application in which users need to be able to switch easily between user accounts while working on the same computer. The idea is to have:

* a strong login (email, password) with two-factor authentication
  * for administrative work and changing settings
  * in case the system is untrusted (no client x509 certificate and unknown deviceId and IP address)
  * a strongly authenticated session can mark a device as trusted if it uses a valid client certificate (issued by us)
* a simple login for users with only a short username and PIN code
  * for trusted devices
* All users are logged out automatically after some time of inactivity.
* Every group of users (max. 20) is bound to a specific subdomain.
* A hardware token would be possible, but only per group of users. (Login can then be username, PIN + token.)
* Changes in factors like IP address or device ID cause trust degradation.

In my opinion the second option is secure as long as the computer or the second factor (client certificate and trust relationship) is not compromised in any way. Therefore the system needs to be protected and any suspicious activity should lead to degradation of trust. Opinions and alternatives are very welcome :-)
http://dlvr.it/RzPNbt
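The trust model sketched above, as an added example (not code from the original post): a device may only be marked trusted from a strongly authenticated session presenting a certificate we issued, PIN login is offered only while the device is trusted, and any change of certificate or IP address degrades the device back to the strong-login-only state until it is re-registered. Certificate validation is simplified to a fingerprint lookup (an assumption; a real deployment checks the chain against its own CA at the TLS layer), and the device store, names and sample values are constructed for illustration.

```python
from dataclasses import dataclass

@dataclass
class TrustedDevice:
    device_id: str
    cert_fingerprint: str  # fingerprint of the client x509 certificate we issued
    ip: str
    degraded: bool = False

class DeviceTrustStore:
    """Decides which login methods a device may use (constructed example)."""

    def __init__(self, issued_fingerprints):
        self.issued = set(issued_fingerprints)  # certs issued by our CA (assumption)
        self.devices = {}

    def mark_trusted(self, session_strength, device_id, cert_fingerprint, ip):
        """Only a password+2FA session with a cert we issued may create trust."""
        if session_strength != "strong":
            return False
        if cert_fingerprint not in self.issued:
            return False
        self.devices[device_id] = TrustedDevice(device_id, cert_fingerprint, ip)
        return True

    def evaluate(self, device_id, cert_fingerprint, ip):
        """Return 'trusted' (PIN login allowed) or 'untrusted' (strong login only)."""
        dev = self.devices.get(device_id)
        if dev is None or dev.degraded:
            return "untrusted"
        if cert_fingerprint != dev.cert_fingerprint or cert_fingerprint not in self.issued:
            dev.degraded = True  # unknown or swapped certificate: degrade trust
            return "untrusted"
        if ip != dev.ip:
            dev.degraded = True  # IP change degrades trust until re-registered
            return "untrusted"
        return "trusted"

    def allowed_login_methods(self, device_id, cert_fingerprint, ip):
        """Strong login is always available; PIN login only on a trusted device."""
        if self.evaluate(device_id, cert_fingerprint, ip) == "trusted":
            return {"strong", "pin"}
        return {"strong"}

def session_active(idle_seconds, idle_limit_seconds):
    """Inactivity timeout: the session ends once the idle limit is reached."""
    return idle_seconds < idle_limit_seconds
```

Administrative work still requires the strong login regardless of the device state; the trusted state only unlocks the short username+PIN method.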
