Lab Notes
Musings on Wi-Fi security issues, our product plans, and the general state of the world. Follow up with your comments and complaints to Lab Notes's .
PARC: Wi-Fi PKI Usability Stinks
The title actually paraphrases Drs. Balfanz, Durfee, Smetters, and Grinter, but the gist is correct: managing your Wi-Fi PKI is nigh impossible. We've been seeing this here at the Labs from the beginning — from day one, the vast majority of our technical support questions have been certificate-related.
PARC conducted the study on Wi-Fi PKI usability, "In Search of Usable Security: Five Lessons from the Field" [PDF], two years ago. They asked expert computer users to try to configure their Windows XP machines to connect to the PARC Wi-Fi network:
Once the wireless network and the PKI were in place, our HCI researcher studied eight subjects’ enrollment experiences. All the subjects had advanced degrees, typically PhDs in computer science and related disciplines, but the average time it took for them to request and retrieve their certificates and then configure their systems was 140 minutes. More significantly, despite using a fairly automated Web-based enrollment system (similar to those used by commercial certificate vendors such as Verisign) and the GUI-based 802.1x wireless configuration software provided by Microsoft Windows XP, the process involved a total of 38 steps to complete enrollment.
Executive summary: "We took a bunch of computer science PhDs, gave them explicit step-by-step instructions, and it still took them over two hours to complete the configuration task, and in the end they didn't know what they had just done to their computers."
Microsoft is clearly aware of the problem, as they modified the Wi-Fi network enrollment process in Vista to suck slightly less. They've still got a long way to go, though. Personally, I'm a fan of the Mac OS X process: just connect to the network, the Mac asks "hey, I've never seen this certificate before, should I trust it?" and you're off. Clearly, Apple is on to something. Of those technical support questions I mentioned above, a lot of them start with "Help: my Macs connect to my Elektron-secured network just fine, but my Windows XP machines refuse to connect!" We've never once received the opposite.
Elektron® is a registered trademark of Periodik Labs LLC