pith. machine review for the scientific record.

arxiv: 2604.14330 · v2 · submitted 2026-04-15 · 💻 cs.CR


Understanding Student Experiences with TLS Client Authentication


Pith reviewed 2026-05-10 12:42 UTC · model grok-4.3

classification 💻 cs.CR
keywords: mTLS usability · client certificates · TLS authentication · PKI user experience · mutual TLS · certificate management · security comprehension · OpenSSL deployment

The pith

Even highly technical computer science students struggled to set up and understand mutual TLS client authentication in a realistic deployment.

A machine-rendered reading of the paper's core claim, the machinery that carries it, and where it could break.

This paper reports on a longitudinal study where 46 senior and graduate CS students configured client certificates from scratch using OpenSSL, used them for authentication throughout a semester, and managed them across devices. The key finding is that initial setup posed a major hurdle, daily use felt manageable but did not enhance long-term views of usability, and only nine percent of participants grasped the security implications. A sympathetic reader would care because this suggests mutual TLS is fundamentally mismatched with users who are not PKI experts, making widespread adoption unlikely without significant changes to platforms and tools.

Core claim

In a deployment using OpenSSL with a custom certificate authority and a 3072-bit minimum key size, students encountered significant difficulties with client certificate setup and demonstrated limited understanding of the security model, with most failing to fully comprehend the implications of certificate-based authentication despite hands-on experience over an entire semester.

What carries the argument

A semester-long tracking of student experiences with configuring, using, and managing mTLS client certificates in an academic course environment.

If this is right

  • Initial certificate setup acts as the primary barrier to mTLS use.
  • Routine authentication works smoothly but fails to build better usability perceptions over time.
  • Low comprehension of security benefits limits effective use by non-specialists.
  • Substantial platform-level improvements are necessary for broader adoption.

Where Pith is reading between the lines

These are editorial extensions of the paper, not claims the authors make directly.

  • Similar usability barriers likely affect other certificate-based authentication systems beyond this specific setup.
  • Providing automated or simplified tools for certificate generation and installation could address the setup bottleneck observed.
  • Extending the study to users without computer science backgrounds might reveal even greater challenges in understanding and adoption.

Load-bearing premise

The experiences of these computer science students in a structured course accurately represent the difficulties faced by typical non-PKI specialists or everyday users in real-world conditions.

What would settle it

A follow-up experiment where non-technical users successfully configure and comprehend mTLS client certificates using standard tools without course support would challenge the claim of fundamental misalignment.

Figures

Figures reproduced from arXiv: 2604.14330 by Abubakar Sadiq Shittu, Clay Shubert, John Sadik, Scott Ruoti.

Figure 1: Study Phase. Before the project, the course dedicated three class periods to authentication fundamentals, covering passwords, password-authenticated key exchange (PAKE), and multi-factor authentication, emphasizing common threat models and tradeoffs between passwords and possession-based authenticators [68]. Students received roughly half a class period of lecture on certificate loss and revocation, coverin…
Figure 2: CSR rejection reasons (≥5 occurrences). Of 416 incoming CSRs, 131 (32%) were rejected for not meeting the server's 3072-bit key requirement (…
Figure 3: Distribution of end-of-semester SUS scores.
Figure 4: Shift in key lengths after error feedback.
Figure 5: Initial key lengths. Keys under 3072 bits were …
Original abstract

Mutual TLS (mTLS) provides strong, certificate-based authentication for both clients and servers, yet its adoption for user-facing websites remains rare. This paper presents a longitudinal study of mTLS usability, tracking 46 senior and graduate computer science students who configured client certificates from scratch, used them for routine authentication over a semester-long course, and managed credentials across multiple devices. The results reveal that initial setup is a major bottleneck; while daily use was considered smooth, it did not improve long-term usability perceptions. Most concerningly, only 9% of participants fully understood the security implications of certificate-based authentication. We conclude that in a realistic, tooling-heavy deployment utilizing OpenSSL, a custom CA, and a 3072-bit minimum key requirement, even highly technical students struggled significantly. We argue this provides empirical evidence that today mTLS user experience is fundamentally misaligned with non-PKI specialists, and it is difficult to see a path toward mainstream adoption without substantial platform-level changes.
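The enrolment flow the abstract describes (OpenSSL CLI, a custom CA, a 3072-bit minimum key), as an added shell walk-through. This is editor-supplied example code, not the course's tooling or the authors' scripts: the CA name, subject names, validity periods, file names and the PKCS#12 password are assumptions; the 3072-bit floor is the paper's. The check_csr function plays the server's role from Figure 2, rejecting a CSR whose RSA modulus is below the minimum and stating why, which is the kind of error feedback after which Figure 4 shows students' key lengths shifting. It needs the openssl binary (1.1.1 or 3.x) and nothing else.

```shell
#!/bin/sh
# Added example (not from the paper): the client-certificate enrolment flow
# the study's students went through, scripted with the OpenSSL CLI. Names,
# subjects, validity periods and the bundle password are assumptions; the
# 3072-bit floor is the one the paper's server enforced.
set -eu

MIN_RSA_BITS=3072
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Print the RSA modulus size of a CSR in bits (e.g. "2048"). The text dump
# reads "RSA Public-Key: (2048 bit)" on 1.1.1 and "Public-Key: (2048 bit)"
# on 3.x; the pattern matches both. Prints nothing if the file is not a CSR.
csr_key_bits() {
    openssl req -in "$1" -noout -text 2>/dev/null \
        | sed -n 's/.*Public-Key: (\([0-9][0-9]*\) bit).*/\1/p' | head -n 1
}

# Server-side admission check: the feedback the CA gives on an undersized key.
# Returns 0 to accept, 1 to reject; the reason goes to stdout either way.
check_csr() {
    bits=$(csr_key_bits "$1")
    if [ -z "$bits" ]; then
        echo "rejected: not a parseable CSR with an RSA key"
        return 1
    fi
    if [ "$bits" -lt "$MIN_RSA_BITS" ]; then
        echo "rejected: RSA key is $bits bits, minimum is $MIN_RSA_BITS"
        return 1
    fi
    echo "accepted: RSA key is $bits bits"
}

# 1. The course's private CA (self-signed). In a real deployment ca.key stays
#    on a machine that never sees student traffic.
openssl genrsa -out ca.key 3072 2>/dev/null
openssl req -x509 -new -key ca.key -days 365 -subj "/CN=Course mTLS CA" -out ca.crt 2>/dev/null

# 2. A student's first attempt at the size genrsa uses when none is given.
openssl genrsa -out client-2048.key 2048 2>/dev/null
openssl req -new -key client-2048.key -subj "/CN=student01" -out client-2048.csr 2>/dev/null
FIRST=$(check_csr client-2048.csr || true)   # expected: rejected

# 3. After the error feedback: regenerate at the enforced size and resubmit.
openssl genrsa -out client.key 3072 2>/dev/null
openssl req -new -key client.key -subj "/CN=student01" -out client.csr 2>/dev/null
SECOND=$(check_csr client.csr)               # expected: accepted

# 4. The CA signs the accepted CSR; verify the chain before handing it out.
openssl x509 -req -in client.csr -CA ca.crt -CAkey ca.key -CAcreateserial \
    -days 90 -out client.crt 2>/dev/null
openssl verify -CAfile ca.crt client.crt >/dev/null

# 5. Cross-device move: key + cert + CA in a password-protected PKCS#12, the
#    form browsers and OS keychains import. The password is the only thing
#    protecting the private key while the file travels between devices.
openssl pkcs12 -export -inkey client.key -in client.crt -certfile ca.crt \
    -passout pass:example-only -out client.p12
openssl pkcs12 -in client.p12 -passin pass:example-only -nokeys -noout

echo "$FIRST"
echo "$SECOND"
```

Run it as a script; it works in a temporary directory that is removed on exit. The 2048-bit CSR is rejected with the reason string, the 3072-bit resubmission is accepted, signed and verified against the CA, then bundled into client.p12 for import on a second device. Two things the flow makes visible that a first-time user has to discover: genrsa takes the key size as a trailing positional argument and defaults to 2048 bits when it is omitted, which is below the course's floor; and moving the credential to another device means moving the private key itself, so the bundle password, not the CA, is what guards it in transit.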

Editorial analysis

A structured set of objections, weighed in public.

Desk editor's note, referee report, simulated authors' rebuttal, and a circularity audit. Tearing a paper down is the easy half of reading it; the pith above is the substance, this is the friction.

Referee Report

2 major / 1 minor

Summary. The manuscript presents a longitudinal empirical study tracking 46 senior and graduate computer science students who configured mTLS client certificates from scratch using OpenSSL and a custom CA, used them for routine authentication over a semester-long course, and managed credentials across devices. It reports that initial setup constitutes a major bottleneck, daily use is perceived as smooth yet does not improve long-term usability perceptions, and only 9% of participants fully understood the security implications of certificate-based authentication. The authors conclude that mTLS user experience is fundamentally misaligned with non-PKI specialists and that mainstream adoption requires substantial platform-level changes.

Significance. If the findings hold after addressing methodological details, the work supplies longitudinal, real-deployment evidence of setup and comprehension difficulties even among technically proficient users in a tooling-heavy environment (OpenSSL, custom CA, 3072-bit keys). This strengthens the empirical basis for discussions of mTLS usability barriers and could inform platform and tooling improvements, while the semester-long design with cross-device management is a notable strength compared to one-shot studies.

major comments (2)
  1. [§3 (Methods)] §3 (Methods) and associated results: the paper reports concrete outcomes such as the 9% understanding rate and distinctions between setup and daily-use friction but provides no information on the survey instruments, exact questions or rubrics used to measure understanding, statistical methods, participant recruitment process, response rates, or controls for prior PKI knowledge. These omissions are load-bearing for assessing the validity of the reported percentages and perceptions.
  2. [Conclusion] Conclusion: the claim that the results provide evidence that mTLS UX is 'fundamentally misaligned with non-PKI specialists' and that platform-level changes are required rests on extrapolation from CS students in a structured academic course to broader non-specialist populations, without direct data from less technical cohorts or voluntary real-world settings. This generalization is central to the paper's strongest claim.
minor comments (1)
  1. [Abstract] Abstract: the 9% understanding figure is stated without reference to how 'fully understood' was operationalized or any accompanying statistical detail such as confidence intervals or sample breakdown.

Simulated Author's Rebuttal

2 responses · 0 unresolved

We thank the referee for their constructive and detailed feedback. We address each major comment below, indicating revisions where appropriate.

Point-by-point responses
  1. Referee: [§3 (Methods)] §3 (Methods) and associated results: the paper reports concrete outcomes such as the 9% understanding rate and distinctions between setup and daily-use friction but provides no information on the survey instruments, exact questions or rubrics used to measure understanding, statistical methods, participant recruitment process, response rates, or controls for prior PKI knowledge. These omissions are load-bearing for assessing the validity of the reported percentages and perceptions.

    Authors: We agree that the methods section requires substantially more detail to support evaluation of the reported findings. In the revised manuscript we will expand §3 to include the complete survey instruments and exact questions used to measure understanding of security implications, the coding rubric applied to classify the 9% full-understanding rate, the participant recruitment process and course context, response rates, the statistical methods employed (primarily descriptive statistics with no inferential tests), and any pre-study measures or controls for prior PKI knowledge. These additions will directly address the validity concerns raised. revision: yes

  2. Referee: [Conclusion] Conclusion: the claim that the results provide evidence that mTLS UX is 'fundamentally misaligned with non-PKI specialists' and that platform-level changes are required rests on extrapolation from CS students in a structured academic course to broader non-specialist populations, without direct data from less technical cohorts or voluntary real-world settings. This generalization is central to the paper's strongest claim.

    Authors: We acknowledge that our participant pool is limited to senior and graduate CS students in a required course setting and that we lack direct data from less technical or voluntary real-world users. The study was intentionally scoped to a technically proficient cohort to establish a best-case baseline for usability barriers under realistic tooling constraints. We will revise the conclusion to qualify the generalization, stating that the observed difficulties even among motivated technical users provide evidence of misalignment that would likely be more severe for non-specialists, while explicitly noting the absence of data from broader populations. The call for platform-level changes will be framed as supported by these findings rather than as a direct extrapolation. revision: partial

Circularity Check

0 steps flagged

No circularity: empirical user study with direct observational basis

Full rationale

The paper reports a longitudinal usability study of mTLS client certificate configuration and use by 46 CS students. All claims rest on direct measurements (setup times, error rates, survey responses, and assessed understanding of the security model) collected during the course. No equations, models, fitted parameters, or derivations appear in the provided text or abstract. No self-citations are invoked to justify uniqueness theorems or ansatzes; the central conclusion is an extrapolation from the observed cohort rather than a reduction to prior self-referential results. Generalization concerns (CS students vs. typical end users) affect external validity but do not constitute circularity in the derivation chain, which is absent.

Axiom & Free-Parameter Ledger

0 free parameters · 2 axioms · 0 invented entities

The central claim depends on the assumption that the chosen student cohort and tooling represent the target population and realistic conditions; no free parameters or new entities are introduced.

axioms (2)
  • domain assumption Senior and graduate computer science students are a suitable proxy for technically inclined non-PKI specialists.
    The paper draws broad conclusions about misalignment with non-PKI specialists from this group.
  • domain assumption The specific OpenSSL, custom CA, and 3072-bit key deployment mirrors typical real-world mTLS configurations.
    Conclusions about fundamental misalignment rest on results obtained under these constraints.



Reference graph

Works this paper leans on

81 extracted references · 24 canonical work pages

  [1] Amazon Web Services. [n. d.]. X.509 client certificates. https://docs.aws.amazon.com/iot/latest/developerguide/x509-client-certs.html

  [2] Dirk Balfanz, Glenn Durfee, Rebecca E. Grinter, and D. K. Smetters. 2004. In Search of Usable Security: Five Lessons from the Field. IEEE Security and Privacy 2, 5 (Sept. 2004), 19–24. doi:10.1109/MSP.2004.71

  [3] Aaron Bangor, Philip Kortum, and James Miller. 2008. An empirical evaluation of the System Usability Scale. International Journal of Human–Computer Interaction 24, 6 (2008), 574–594.

  [4] Elaine Barker. 2020. NIST SP 800-57 Part 1 Rev. 5: Recommendation for Key Management: Part 1 – General. NIST Standard (2020). https://csrc.nist.gov/publications/detail/sp/800-57-part-1/rev-5/final

  [5] Elaine Barker and William Barker. 2018. Recommendation for key management, part 2: best practices for key management organization. Technical Report. National Institute of Standards and Technology.

  [6] Elaine Barker and Allen Roginsky. 2018. Transitioning the use of cryptographic algorithms and key lengths. Technical Report. National Institute of Standards and Technology.

  [7–8] Anat Bremler Barr, Ofek Lavi, Yaniv Naor, Sanjeev Rampal, and Jhonatan Tavori. 2025. Performance Comparison of Service Mesh Frameworks: the mTLS Test Case. In NOMS 2025 – 2025 IEEE Network Operations and Management Symposium. IEEE, 1–6.

  [9] Matthew Bernhard, Jonathan Sharman, Claudia Ziegler Acemyan, Philip Kortum, Dan S. Wallach, and J. Alex Halderman. 2019. On the Usability of HTTPS Deployment. In Proceedings of the 2019 CHI Conference on Human Factors in Computing Systems (Glasgow, Scotland, UK) (CHI '19). Association for Computing Machinery, New York, NY, USA, 1–10. doi:10.1145/3290605.3300540

  [10] Joseph Bonneau, Cormac Herley, Paul C. Van Oorschot, and Frank Stajano. 2012. The quest to replace passwords: A framework for comparative evaluation of web authentication schemes. In 2012 IEEE Symposium on Security and Privacy. IEEE, 553–567.

  [11–12] Holly J. Bowen and Elizabeth A. Kensinger. 2017. Cash or Credit? Compensation in Psychology Studies: Motivation Matters. Collabra: Psychology 3, 1 (May 2017). doi:10.1525/collabra.77 https://online.ucpress.edu/collabra/article-pdf/3/1/12/467166/77-944-2-pb.pdf

  [13] Norman M. Bradburn, Lance J. Rips, and Steven K. Shevell. 1987. Answering autobiographical questions: The impact of memory and inference on surveys. Science 236, 4798 (1987), 157–161.

  [14] Virginia Braun and Victoria Clarke. 2006. Using thematic analysis in qualitative research. Qualitative Research in Psychology 3, 2 (2006), 77–101.

  [15] John Brooke. 1996. SUS: A "quick and dirty" usability scale. In Usability Evaluation in Industry, Patrick W. Jordan, Bruce Thomas, Bernard McClelland, and Ian Weerdmeester (Eds.). Taylor & Francis, 189–194. https://digital.ahrq.gov/sites/default/files/docs/survey/systemusabilityscale%2528sus%2529_comp%255B1%255D.pdf

  [16] John Brooke. 2013. SUS: a retrospective. Journal of Usability Studies 8, 2 (Feb. 2013), 29–40.

  [17] Chad Brubaker, Suman Jana, Baishakhi Ray, Sarfraz Khurshid, and Vitaly Shmatikov. 2014. Using Frankencerts for Automated Adversarial Testing of Certificate Validation in SSL/TLS Implementations. In 2014 IEEE Symposium on Security and Privacy.

  [18] John W. Creswell and Vicki L. Plano Clark. 2017. Designing and Conducting Mixed Methods Research (3rd ed.). SAGE Publications, Thousand Oaks, CA.

  [19] Sanchari Das, Andrew Dingman, and L. Jean Camp. 2018. Why Johnny Doesn't Use Two Factor: A Two-Phase Usability Study of the FIDO U2F Security Key. In Financial Cryptography and Data Security (Lecture Notes in Computer Science, Vol. 10957). Springer, 160–179. doi:10.1007/978-3-662-58387-6_9

  [20] DataSunrise, Inc. 2024. PEM Files: Importance of Cryptographic Data. https://www.datasunrise.com/knowledge-center/pem-files/

  [21] The cryptography developers. 2025. cryptography. https://cryptography.io/

  [22] Hongying Dong, Yizhe Zhang, Hyeonmin Lee, Kevin Du, Guancheng Tu, and Yixin Sun. 2024. Mutual TLS in Practice: A Deep Dive into Certificate Configurations and Privacy Issues. In Proceedings of the 2024 ACM on Internet Measurement Conference (Madrid, Spain) (IMC '24). Association for Computing Machinery, New York, NY, USA, 214–229. doi:10.1145/3646547.3688415

  [23] Carl Ellison and Bruce Schneier. 2000. Ten risks of PKI: What you're not being told about public key infrastructure. Computer Security Journal 16, 1 (2000), 1–7.

  [24] Let's Encrypt. 2023. Let's Encrypt Stats. Technical Report. Internet Security Research Group. https://letsencrypt.org/stats/ Accessed: Jul. 7, 2025.

  [25] Adrienne Porter Felt, Alex Ainslie, Robert W. Reeder, Sunny Consolvo, Somas Thyagaraja, Alan Bettes, Helen Harris, and Jeff Grimes. 2015. Improving SSL Warnings: Comprehension and Adherence. In Proceedings of the 33rd Annual ACM Conference on Human Factors in Computing Systems (Seoul, Republic of Korea) (CHI '15). Association for Computing Machinery, New York, NY, USA.

  [26] Andy Field. 2024. Discovering Statistics Using IBM SPSS Statistics. Sage Publications Limited.

  [27] Konstantin Fischer, Ivana Trummová, Phillip Gajland, Yasemin Acar, Sascha Fahl, and Angela Sasse. 2024. The Challenges of Bringing Cryptography from Research Papers to Products: Results from an Interview Study with Experts. In 33rd USENIX Security Symposium (USENIX Security '24). USENIX Association, Philadelphia, PA, 7213–7230. https://www.usenix.org/syste...

  [28–29] Lucas Foppe, Jeremy Martin, Travis Mayberry, Erik C. Rye, and Lamont Brown. 2018. Exploiting TLS Client Authentication for Widespread User Tracking. Proceedings on Privacy Enhancing Technologies 2018, 4 (2018), 190–206.

  [30] Pouyan Fotouhi Tehrani, Eric Osterweil, Thomas C. Schmidt, and Matthias Wählisch. 2024. How to Measure TLS, X.509 Certificates, and Web PKI: A Tutorial and Brief Survey. arXiv preprint arXiv:2401.18053 [cs.CR] (2024). https://arxiv.org/pdf/2401.18053

  [31] GitGuardian. 2025. GitGuardian: Secrets Security Platform. https://www.gitguardian.com Accessed: 2025-10-30.

  [32] Google. 2025. HTTPS Transparency Report Overview. Technical Report. Google. https://transparencyreport.google.com/https/overview Accessed: Jul. 7, 2025.

  [33] Hilda Hadan, Nicolas Serrano, and L. Jean Camp. 2021. A holistic analysis of web-based public key infrastructure failures: comparing experts' perceptions and real-world incidents. Journal of Cybersecurity 7, 1 (Dec. 2021), tyab025. doi:10.1093/cybsec/tyab025

  [34–35] Julie M. Haney, Mary Theofanos, Yasemin Acar, and Sandra Spickard Prettyman. 2018. "We make it a big deal in the company": Security Mindsets in Organizations that Develop Cryptographic Products. In Fourteenth Symposium on Usable Privacy and Security (SOUPS 2018). 357–373.

  [36] Eman Hassan. 2006. Recall Bias can be a Threat to Retrospective and Prospective Research Designs. Internet Journal of Epidemiology 3 (Sept. 2006), 4. doi:10.5580/2732

  [37] Hassan Khan, Urs Hengartner, and Daniel Vogel. 2015. Usability and security perceptions of implicit authentication: convenient, secure, sometimes annoying. In Proceedings of the Eleventh USENIX Conference on Usable Privacy and Security (Ottawa, Canada) (SOUPS '15). USENIX Association, USA, 225–239.

  [38] Lydia Kraus, Matěj Grabovský, Martin Ukrop, Katarína Galanská, and Vashek Matyáš. 2022. Usability Insights from Establishing TLS Connections. In ICT Systems Security and Privacy Protection (IFIP SEC 2022) (IFIP Advances in Information and Communication Technology, Vol. 648). Springer, 289–305. doi:10.1007/978-3-031-06975-8_17

  [39] Katharina Krombholz, Karoline Busse, Katharina Pfeffer, Matthew Smith, and Emanuel von Zezschwitz. 2019. "If HTTPS Were Secure, I Wouldn't Need 2FA": End User and Administrator Mental Models of HTTPS. In 2019 IEEE Symposium on Security and Privacy (SP). IEEE, 246–263.

  [40–41] Katharina Krombholz, Wilfried Mayer, Martin Schmiedecker, and Edgar Weippl. 2017. "I have no idea what I'm doing": on the usability of deploying HTTPS. In Proceedings of the 26th USENIX Conference on Security Symposium (Vancouver, BC, Canada) (SEC '17). USENIX Association, USA, 1339–1356.

  [42] Leona Lassak, Elleen Pan, Blase Ur, and Maximilian Golla. 2024. Why Aren't We Using Passkeys? Obstacles Companies Face Deploying FIDO2 Passwordless Authentication. In 33rd USENIX Security Symposium (USENIX Security 24). USENIX Association, 7231–7248. https://www.usenix.org/system/files/usenixsecurity24-lassak.pdf

  [43] James R. Lewis. 1991. Psychometric evaluation of an after-scenario questionnaire for computer usability studies. ACM SIGCHI Bulletin 23, 1 (1991), 78–81.

  [44] Sanam Ghorbani Lyastani, Michael Schilling, Michaela Neumayr, Michael Backes, and Sven Bugiel. 2020. Is FIDO2 the Kingslayer of User Authentication? A Comparative Usability Study of FIDO2 Passwordless Authentication. In Proceedings of the 41st IEEE Symposium on Security and Privacy (SP '20). IEEE, 268–285. doi:10.1109/SP40000.2020.00047

  [45] John Marchesini, Sean W. Smith, and Meiyuan Zhao. 2005. Keyjacking: the surprising insecurity of client-side SSL. Computers & Security 24, 2 (2005), 109–123.

  [46] Nora McDonald, Sarita Schoenebeck, and Andrea Forte. 2019. Reliability and Inter-Rater Reliability in Qualitative Research: Norms and Guidelines for CSCW and HCI Practice. Proceedings of the ACM on Human-Computer Interaction 3, CSCW, Article 72 (November 2019), 23 pages. doi:10.1145/3359174

  [47] Microsoft Corporation. 2024. Client Certificate Mapping in IIS. https://learn.microsoft.com/en-us/iis/configuration/system.webserver/security/authentication/iisclientcertificatemappingauthentication/

  [48] NGINX, Inc. 2024. NGINX HTTP Server — SSL Module. https://nginx.org/en/docs/http/ngx_http_ssl_module.html

  [49] OpenSSL Software Foundation. 2024. OpenSSL genrsa Manual Page, Version 1.1.1. https://www.openssl.org/docs/man1.1.1/man1/genrsa.html

  [50] Kentrell Owens, Olabode Anise, Amanda Krauss, and Blase Ur. 2021. User Perceptions of the Usability and Security of Smartphones as FIDO2 Roaming Authenticators. In Seventeenth Symposium on Usable Privacy and Security (SOUPS 2021). USENIX Association, 57–76. https://www.usenix.org/conference/soups2021/presentation/owens

  [51] Arnis Parsovs. 2013. Practical Issues with TLS Client Certificate Authentication. Cryptology ePrint Archive 2013 (2013), 538. https://eprint.iacr.org/2013/538

  [52] Robert W. Reeder, Adrienne Porter Felt, Sunny Consolvo, Nathan Malkin, Christopher Thompson, and Serge Egelman. 2018. An Experience Sampling Study of User Reactions to Browser Warnings in the Field. In Proceedings of the 2018 CHI Conference on Human Factors in Computing Systems (Montreal, QC, Canada) (CHI '18). Association for Computing Machinery, New York, NY, USA.

  [53] Ken Reese, Trevor Smith, Jonathan Dutson, Jonathan Armknecht, Jacob Cameron, and Kent Seamons. 2019. A Usability Study of Five Two-Factor Authentication Methods. In Fifteenth Symposium on Usable Privacy and Security (SOUPS 2019). USENIX Association, 357–370. https://www.usenix.org/conference/soups2019/presentation/reese

  [54] Felix Reichmann, Annalina Buckmann, Konstantin Fischer, M. Angela Sasse, and Alena Naiakshina. 2025. Bridging the Gap Between Usable Security Research and Open-Source Practice – Lessons From a Long-Term Engagement With VeraCrypt. In Proceedings of the 2025 CHI Conference on Human Factors in Computing Systems (CHI '25). ACM, 911:1–911:21. doi:10.1145/370659...

  [55] Joshua Reynolds, Nikita Samarin, Joseph Barnes, Taylor Judd, Joshua Mason, Michael Bailey, and Serge Egelman. 2020. Empirical Measurement of Systemic 2FA Usability. In 29th USENIX Security Symposium (USENIX Security 20). USENIX Association, 127–143. doi:10.5555/3489212.3489220

  [56] Joshua Reynolds, Trevor Smith, Ken Reese, Luke Dickinson, Scott Ruoti, and Kent Seamons. 2018. A Tale of Two Studies: The Best and Worst of YubiKey Usability. In 2018 IEEE Symposium on Security and Privacy (SP). IEEE, 872–888. doi:10.1109/SP.2018.00067

  [57–58] Scott Ruoti, Jeff Andersen, Tyler Monson, Daniel Zappala, and Kent Seamons. 2018. A comparative usability study of key management in secure email. In Fourteenth Symposium on Usable Privacy and Security (SOUPS 2018). USENIX Association, 375–394.

  [59] Scott Ruoti and Kenton Seamons. 2019. Johnny's Journey Toward Usable Secure Email. IEEE Security & Privacy 17, 6 (2019), 72–76.

  [60] John Sadik and Scott Ruoti. 2025. A large-scale survey of password entry practices on non-desktop devices. Proceedings of the ACM on Interactive, Mobile, Wearable and Ubiquitous Technologies 9, 3 (2025), 1–30.

  [61] Jeff Sauro and James R. Lewis. 2016. Quantifying the User Experience: Practical Statistics for User Research (2nd ed.). Morgan Kaufmann, Boston, MA.

  [62] Stuart E. Schechter, Rachna Dhamija, Andy Ozment, and Ian Fischer. 2007. The Emperor's New Security Indicators. In Proceedings of the 2007 IEEE Symposium on Security and Privacy (SP '07). IEEE Computer Society, USA, 51–65. doi:10.1109/SP.2007.35

  [63] Tanusree Sharma, Vivek C. Nair, Henry Wang, Yang Wang, and Dawn Song. 2024. I Can't Believe It's Not Custodial!: Usable Trustless Decentralized Key Management. In Proceedings of the 2024 CHI Conference on Human Factors in Computing Systems (CHI '24). ACM, 581:1–581:16. doi:10.1145/3613904.3642464

  [64] Weisz, Jessica He, Michael Muller, Gabriela Hoefer, Rachel Miles, and Werner Geyer. (Only the author list of this entry survived extraction.)

  [65] Christian Stransky, Oliver Wiese, Volker Roth, Yasemin Acar, and Sascha Fahl. 2022. 27 Years and 81 Million Opportunities Later: Investigating the Use of Email Encryption for an Entire University. In 2022 IEEE Symposium on Security and Privacy (SP). IEEE, 860–875. doi:10.1109/SP46214.2022.9833755

  [66] Mazurek, Manya Sleeper, and Kurt Thomas. (Only the author list of this entry survived extraction.)

  [67] Joshua Sunshine, Serge Egelman, Hazim Almuhimedi, Neha Atri, and Lorrie Faith Cranor. 2009. Crying wolf: an empirical study of SSL warning effectiveness. In Proceedings of the 18th Conference on USENIX Security Symposium (Montreal, Canada) (SSYM '09). USENIX Association, USA, 399–416.

  [68] David Temoshok, Christine Abruzzi, Yee-Yin Choong, James Fenton, Ryan Galluzzo, Connie LaSalle, Naomi Lefkovitz, and Andrew Regenscheid. 2024. Digital Identity Guidelines: Identity Proofing and Enrollment. Technical Report. National Institute of Standards and Technology.

  [69] David Temoshok, James Fenton, Yee-Yin Choong, Naomi Lefkovitz, Andrew Regenscheid, and Justin Richer. 2024. Digital Identity Guidelines: Authentication and Authenticator Management. Technical Report. National Institute of Standards and Technology.

  [70] Gareth Terry, Nikki Hayfield, Victoria Clarke, Virginia Braun, et al. 2017. Thematic analysis. The SAGE Handbook of Qualitative Research in Psychology 2, 17–37 (2017), 25.

  [71] The Apache Software Foundation. 2024. mod_ssl — SSL/TLS support for Apache HTTP Server, Version 2.4. https://httpd.apache.org/docs/2.4/mod/mod_ssl.html

  [72] Satoshi Uda and Mikifumi Shikida. 2016. Challenges of Deploying PKI based Client Digital Certification. In Proceedings of the 2016 ACM SIGUCCS Annual Conference (Denver, Colorado, USA) (SIGUCCS '16). Association for Computing Machinery, New York, NY, USA, 55–60. doi:10.1145/2974927.2974938

  [73] Martin Ukrop, Lydia Kraus, and Vashek Matyas. 2020. Will You Trust This TLS Certificate? Perceptions of People Working in IT (Extended Version). Digital Threats 1, 4, Article 25 (Dec. 2020), 29 pages. doi:10.1145/3419472

  [74] Martin Ukrop and Vashek Matyas. 2018. Why Johnny the developer can't work with public key certificates: An experimental study of OpenSSL usability. In Cryptographers' Track at the RSA Conference. Springer, 45–64.

  [75] Roberto Verdecchia, Emelie Engström, Patricia Lago, Per Runeson, and Qunying Song. 2023. Threats to validity in software engineering research: A critical reflection. Information and Software Technology 164 (2023), 107329. doi:10.1016/j.infsof.2023.107329

  [76] Peter Voege and Abdelkader Ouda. 2022. An Innovative Multi-Factor Authentication Approach. In 2022 International Symposium on Networks, Computers and Communications (ISNCC). 1–6. doi:10.1109/ISNCC55209.2022.9851710

  [77] Matthias Wachs, Quirin Scheitle, and Georg Carle. 2017. Push Away Your Privacy: Precise User Tracking Based on TLS Client Certificate Authentication. In 2017 Network Traffic Measurement and Analysis Conference (TMA). IEEE, 1–9. doi:10.23919/TMA.2017.8002897

  [78] Alma Whitten and J. Doug Tygar. 1999. Why Johnny Can't Encrypt: A Usability Evaluation of PGP 5.0. In USENIX Security Symposium, Vol. 348. 169–184.

  [79] Claes Wohlin, Per Runeson, Martin Höst, Magnus C. Ohlsson, Björn Regnell, and Anders Wesslén. 2012. Experimentation in Software Engineering. Springer.

  [80] Justin Wu and Daniel Zappala. 2018. When is a tree really a truck? Exploring mental models of encryption. In Proceedings of the Fourteenth USENIX Conference on Usable Privacy and Security (Baltimore, MD, USA) (SOUPS '18). USENIX Association, USA, 395–409.

Showing the first 80 of 81 extracted references; bracketed numbers are the extraction's, so the inline [68] in the Figure 1 caption resolves against this list. Entries split across two extracted numbers are merged under a combined label.