For your use case, you mentioned a 'client' auth.. do you mean auth per person or auth for an entire client application somehow?  Just was wondering.  I agree that keeping it very simple would be best.  Even the stuff that 'makes DMs more private', I don't think is necessary.