Authentication Ceremony

Improving the usability of the authentication ceremony in secure messaging applications

Recent disclosures of government surveillance and fears over cybersecurity attacks have increased public interest in secure and private communication. As a result, numerous secure messaging applications have been developed, including Signal, WhatsApp, and Viber, which provide end-to-end encryption of personal messages.

Most popular secure messaging applications are usable because they hide many of the details of how encryption is provided. However, the strength of the security properties of these applications rests on the authentication ceremony, in which users validate the encryption keys being used. Unfortunately, recent studies show that most users do not know how to successfully complete this ceremony and are thus vulnerable to potential attacks. Any user who does not execute the authentication ceremony for a particular conversation is essentially trusting the application's servers to correctly distribute the encryption keys. This leaves users vulnerable to threats that can intercept communications.

We are studying methods to improve the usability of the authentication ceremony, so that it is easy for users to locate and complete the ceremony.

Authentication ceremony in WhatsApp


  • Elham Vaziripour, Reza Farahbakhsh, Mark O'Neill, Justin Wu, Kent Seamons, and Daniel Zappala, Private But Not Secure: A Survey Of the Privacy Preferences and Practices of Iranian Users of Telegram, Workshop on Usable Security (USEC), February 2018. Paper
  • Elham Vaziripour, Justin Wu, Mark O’Neill, Ray Clinton, Jordan Whitehead, Scott Heidbrink, Kent Seamons, Daniel Zappala, Is that you, Alice? A Usability Study of the Authentication Ceremony of Secure Messaging Applications, USENIX Symposium on Usable Privacy and Security (SOUPS), July 2017. Paper


This project is supported by the National Science Foundation under Grant No. 1528022

Any opinions, findings, and conclusions or recommendations expressed in this work are those of the author(s) and do not necessarily reflect the views of the sponsors.