Most systems still only offer username/password authentication, and most people are still happy to use it, even though everyone knows (for example, through daily media headlines) that there are pervasive user access security problems with it.
Why don't people use certificate-based access authentication?
This question is important for email security and also in other areas, such as web site and blog access.
We suggest that a proper answer requires thinking that has to be much more nuanced and sophisticated than just a discussion of usability versus security.
Such thinking should come also from analyzing online and offline feedback, as we need to approach the question as it is seen -- from many sides.
We have taken this approach in our paper, now updated, at http://email-security.net/papers/takefive.htm
Please provide your comment. You can also Read the Compact Version
Thank you!
Ed Gerck