Mutual TLS (mTLS) provides strong, certificate-based authentication for both clients and servers, yet its adoption for user-facing websites remains rare. This paper presents a longitudinal study of mTLS usability, tracking 46 senior and graduate computer science students who configured client certificates from scratch, used them for routine authentication over a semester-long course, and managed credentials across multiple devices. The results reveal that initial setup is a major bottleneck; while daily use was considered smooth, it did not improve long-term usability perceptions. Most concerningly, only 9% of participants fully understood the security implications of certificate-based authentication. We conclude that in a realistic, tooling-heavy deployment using OpenSSL, a custom CA, and a 3072-bit minimum key requirement, even highly technical students struggled significantly. We argue this provides empirical evidence that today's mTLS user experience is fundamentally misaligned with non-PKI specialists, and it is difficult to see a path toward mainstream adoption without substantial platform-level changes.
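The deployment the abstract describes (OpenSSL, a custom CA, a 3072-bit minimum key size), condensed into an added bash example that is not the paper's or the course's own tooling: it mints a throwaway CA, issues client certificates, and shows the verifier-side check that enforces both the chain and the key-size floor. The CA name, file layout and the `check_client_cert` function are assumptions made for this example.

```bash
#!/usr/bin/env bash
# Added example, not from the paper: a minimal stand-in for the course's custom CA.
# It issues RSA client certificates and enforces the study's 3072-bit minimum.
set -eu
WORK="$(mktemp -d)"   # constructed scratch directory; nothing is installed
MIN_BITS=3072         # the study's minimum RSA key length
# One config serves both the CA (x509_extensions) and client CSRs (-subj).
cat > "$WORK/req.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = Course Demo CA
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
EOF
printf 'extendedKeyUsage=clientAuth\n' > "$WORK/client.ext"

make_ca() {   # self-signed CA with a 3072-bit key
  openssl req -x509 -config "$WORK/req.cnf" -newkey rsa:3072 -nodes -days 30 \
    -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
}
issue_client() {   # issue_client <name> <bits>: key + CSR on the user side, then CA-signed cert
  openssl req -new -config "$WORK/req.cnf" -newkey "rsa:$2" -nodes -subj "/CN=$1" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days 30 -extfile "$WORK/client.ext" -out "$WORK/$1.crt" 2>/dev/null
}
key_bits() {   # key_bits <cert>: print the RSA modulus size in bits
  openssl x509 -in "$1" -noout -text | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p'
}
check_client_cert() {   # check_client_cert <cert>: 0 if acceptable, 1 if not
  # Two independent gates: a valid chain to our CA, and the key-size floor.
  openssl verify -CAfile "$WORK/ca.crt" -purpose sslclient "$1" >/dev/null 2>&1 \
    || { echo "REJECT $1: does not chain to the course CA"; return 1; }
  bits="$(key_bits "$1")"
  [ "$bits" -ge "$MIN_BITS" ] \
    || { echo "REJECT $1: $bits-bit key is below the $MIN_BITS-bit minimum"; return 1; }
  echo "ACCEPT $1: $bits-bit key, chain OK"
}

make_ca
issue_client alice 3072
issue_client bob 2048
check_client_cert "$WORK/alice.crt"          # accepted
check_client_cert "$WORK/bob.crt" || true    # rejected: 2048 < 3072
```

The second gate matters because a CA that signs whatever CSR it receives will happily certify an undersized key; the relying party must check the key itself, not just the signature chain.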