Security Indicators Are Largely Ignored


A paper to be presented at the IEEE Symposium on Security and Privacy in May called "The Emperor's New Security Indicators: An evaluation of website authentication and the effect of role playing on usability studies" (PDF) shows that users largely ignore security indicators like whether a site is using HTTPS, customer-selected images, and even warning pages.

I believe a large part of the problem is inconsistent user experiences. For example, if you go to a Web site and the picture you selected to indicate that this site is real isn't there for some reason, most people would just assume that this is a different login page and that feature isn't part of that page. PayPal has multiple login pages, for example--all different.

CardSpace, Microsoft's identity system, has a consistent user interface for selecting cards, and that's a real bonus.