CR · Apr 15

Understanding Student Experiences with TLS Client Authentication

arXiv:2604.14330 · 43.2 · h-index: 17
Predicted impact: top 46% in CR · last 90 days
Originality: Incremental advance
AI Analysis

For security researchers and UX designers, this provides empirical evidence that mTLS usability is a critical barrier to adoption, even among technical users.

A longitudinal study of 46 CS students using mTLS found that initial setup is a major bottleneck, daily use is smooth but does not improve perceptions, and only 9% understood security implications, indicating mTLS UX is fundamentally misaligned with non-PKI specialists.

Mutual TLS (mTLS) provides strong, certificate-based authentication for both clients and servers, yet its adoption for user-facing websites remains rare. This paper presents a longitudinal study of mTLS usability, tracking 46 senior and graduate computer science students who configured client certificates from scratch, used them for routine authentication over a semester-long course, and managed credentials across multiple devices. The results reveal that initial setup is a major bottleneck; while daily use was considered smooth, it did not improve long-term usability perceptions. Most concerningly, only 9% of participants fully understood the security implications of certificate-based authentication. We conclude that in a realistic, tooling-heavy deployment utilizing OpenSSL, a custom CA, and a 3072-bit minimum key requirement, even highly technical students struggled significantly. We argue this provides empirical evidence that today's mTLS user experience is fundamentally misaligned with non-PKI specialists, and it is difficult to see a path toward mainstream adoption without substantial platform-level changes.
