Understanding Student Experiences with TLS Client Authentication
Abubakar Sadiq Shittu, Clay Shubert, John Sadik, Scott Ruoti

TL;DR
This study investigates the usability challenges of mutual TLS for user-facing websites, revealing significant difficulties even among technical students and highlighting the need for platform-level improvements.
Contribution
The paper provides empirical evidence on the usability barriers of mTLS for non-PKI experts, emphasizing the gap between technical feasibility and user experience.
Findings
Initial setup is a major usability bottleneck.
Daily use was smooth but did not improve perceptions.
Few participants understood security implications.
Abstract
Mutual TLS (mTLS) provides strong, certificate-based authentication for both clients and servers, yet its adoption for user-facing websites remains rare. This paper presents a longitudinal study of mTLS usability, tracking 46 senior and graduate computer science students who configured client certificates from scratch, used them for routine authentication over a semester-long course, and managed credentials across multiple devices. The results reveal that initial setup is a major bottleneck; while daily use was considered smooth, it did not improve long-term usability perceptions. Most concerningly, only 9% of participants fully understood the security implications of certificate-based authentication. We conclude that in a realistic, tooling-heavy deployment utilizing OpenSSL, a custom CA, and a 3072-bit minimum key requirement, even highly technical students struggled significantly. We…
