Check out the new USENIX Web site.

RUST: A Retargetable Usability Testbed for
Website Authentication Technologies

Maritza L. Johnson
Columbia University
Chaitanya Atreya
Columbia University
Adam Aviv
Columbia University
Mariana Raykova
Columbia University
Steven M. Bellovin
Columbia University
Gail Kaiser
Columbia University

*C. Atreya graduated from Columbia University in Fall 2007
A. Aviv is currently a student at the University of Pennsylvania
1 Introduction
2 Background
 2.1 User Study Design
 2.2 Test Harness Implementation
3 Evaluating RUST
 3.1 Windows CardSpace
 3.2 Verisign Secure Letterhead
4 Conclusions
5 Acknowledgments
A Windows Cardspace
B Verisign Secure Letterhead
C Verisign Secure Letterhead Spoof
D User Study Material
 D.1 Post-task Questionnaire
 D.2 Post-study Questionnaire


Website authentication technologies attempt to make the identity of a website clear to the user, by supplying information about the identity of the website. In practice however, usability issues can prevent users from correctly identifying the websites they are interacting with. To help identify usability issues we present RUST, a Retargetable USability Testbed for website authentication technologies. RUST is a testbed that consists of a test harness, which provides the ability to easily configure the environment for running usability study sessions, and a usability study design that evaluates usability based on spoofability, learnability, and acceptability. We present data collected by RUST and discuss preliminary results for two authentication technologies, Microsoft CardSpace and Verisign Secure Letterhead. Based on the data collected, we conclude that the testbed is useful for gathering data on a variety of technologies.