Understanding Student Experiences with TLS Client Authentication
Abstract
Mutual TLS (mTLS) provides strong, certificate-based authentication for both clients and servers, yet its adoption for user-facing websites remains rare. This paper presents a longitudinal study of mTLS usability, tracking 46 senior and graduate computer science students who configured client certificates from scratch, used them for routine authentication over a semester-long course, and managed credentials across multiple devices. The results reveal that initial setup is a major bottleneck; while daily use was considered smooth, it did not improve long-term usability perceptions. Most concerningly, only 9% of participants fully understood the security implications of certificate-based authentication. We conclude that in a realistic, tooling-heavy deployment utilizing OpenSSL, a custom CA, and a 3072-bit minimum key requirement, even highly technical students struggled significantly. We argue this provides empirical evidence that today mTLS user experience is fundamentally misaligned with non-PKI specialists, and it is difficult to see a path toward mainstream adoption without substantial platform-level changes.
Cite
@article{arxiv.2604.14330,
title = {Understanding Student Experiences with TLS Client Authentication},
author = {Abubakar Sadiq Shittu and Clay Shubert and John Sadik and Scott Ruoti},
journal= {arXiv preprint arXiv:2604.14330},
year = {2026}
}
Comments
17 pages, 5 figures, 2 tables. Longitudinal usability study with 46 participants over one semester. Preprint