Authentication Ceremonies in Instant Messengers
Hosted by Sebastian Klöckner, CISPA communications. With Matthias Fassl, Usable Security Research Group.
English translation of the pilot episode of the CISPA TL;DR podcast. TL;DR stands for "Too Long; Didn't Read" — the show distills CISPA research papers for a general audience. Translation lightly edited for readability.
Sebastian Klöckner opens by introducing the show's concept: academic papers are long and often hard to read, but the research inside them is frequently fascinating. The pilot episode focuses on end-to-end encryption in messaging apps like WhatsApp, and why communication over these apps isn't necessarily as secure as we all hope.
The guest is Matthias Fassl, then 31 years old and originally from Vienna, working in the Usable Security Research Group of Katharina Krombholz at CISPA. Klöckner asks how Fassl ended up in Saarbrücken.
"The short version is: I wrote my master's thesis with Katharina. She was happy with the work and offered me the chance to come here to Saarbrücken. I already knew the name, but I still needed a little time to think it over — I don't regret it." — Matthias Fassl
Klöckner asks Fassl to explain what usable security research actually is.
"Usable security is largely about how people interact with security mechanisms — where they fail in everyday situations, where errors happen, what can be improved, and how to make the tools people use daily actually better. In my specific work, I focus a lot on instant messengers — WhatsApp, Signal, Telegram. Other big research topics in the field are browser security warnings (those alerts you get when a certificate doesn't match) and passwords, which I think everyone uses every day." — Matthias Fassl
How did Fassl find his way into this research area?
"It's actually kind of funny — I originally wanted to go into computer architecture. But when I started reading papers for my master's thesis, I realized it just didn't spark anything for me. So I asked myself what had been following me around for years, and the answer was security and privacy — and specifically the idea of reducing the barriers that prevent people from exercising their data protection rights. That leads you pretty quickly into usable privacy and security. I looked around at TU Wien for who was working on that, and I ended up with Katharina fairly quickly." — Matthias Fassl
Klöckner mentions that Fassl's first paper at a top-tier venue has just been accepted at CHI — and asks him to walk through what that process looks like.
"It's usually quite a process. Papers are very rarely accepted on the first try — typically they get rejected two or three times before being accepted. In this case it was a tricky topic and I also had to learn how to write papers, so this one was rejected four or five times in total. I collected rejects." — Matthias Fassl
Klöckner asks how demotivating those rejections are.
"It depends on the content of the review. Sometimes a rejection can actually work really well — if it's well-reasoned and also motivating because it gives you a clear direction. And some rejections are just very demotivating, when you can't understand why it was rejected and you feel poorly treated by the reviewers. At some point we weren't sure what was still holding it back — by then it was fairly complete and the arguments in the reviews were harder to parse. So we asked people in the community who work on similar topics to give us feedback, and their tips made the difference." — Matthias Fassl
Klöckner then reads out the paper title: "Exploring User-Centered Security Design for Usable Authentication Ceremonies." He asks Fassl to explain what it's about.
"It's about authentication ceremonies in instant messengers. Most of us use messengers like WhatsApp, Telegram, and Signal, which use end-to-end encryption — meaning only the sender and the actual recipient can read the message. The message is encrypted on the sender's phone, transmitted through various servers, and only decrypted at the recipient's device. Everyone in between can't read it. That's a great idea, but it has one important prerequisite: you have to use the right key. Otherwise you don't know who's receiving it. This is where the man-in-the-middle attack comes in — an attacker in the middle pretends to be the recipient, gets you to encrypt to them, and then forwards it on. To prevent this, there are authentication ceremonies: the real sender and recipient meet and compare their key material to make sure it matches." — Matthias Fassl
Klöckner walks through the WhatsApp example: you go to a contact's profile, scroll down to "Encryption," a QR code appears, your partner scans it, and only then is the end-to-end encryption actually verified. Fassl confirms and explains where the paper intervenes.
"The problem we've been observing for several years is that these authentication ceremonies — in Telegram, WhatsApp, and Signal — work very poorly. 'Poorly' means: people don't know they exist, they don't know what they're for, and when they do know, they make mistakes using them. Our approach was to redesign these ceremonies from the ground up — rather than fixing existing ceremonies, we asked: how can we build ceremonies that better match what users actually expect?" — Matthias Fassl
One of the concepts that emerged from user research was visual verification: encoding key information through gestures in photos. Fassl explains the idea.
"One category of ceremonies that users could actually get behind was visual verification — checking whether you're talking to the right person. We thought we could use this to verify the key information through a visual exchange. The idea: the keys in use are encoded through different gestures. The app might say: 'Hold your palm to your forehead' — you take a photo of yourself doing that, and send it. The other person then checks whether the photo matches what they'd expect, given their key. If it matches, the key is probably the right one." — Matthias Fassl
Klöckner asks whether this draws on the CAPTCHA idea — "click all images with a zebra crossing." Fassl says it's loosely comparable, but the real inspiration is a TV trope.
"The thought comes more from a classic TV trope — proof-of-life photos. In hostage situations, the person holds up a newspaper to prove the photo is recent and that it's really them. The idea here is similar: you make images, but to prove they haven't been faked, you always have to show something different. It's not the most secure approach — it could potentially be attacked using deepfakes — but it offers at least a basic level of protection. Better than nothing." — Matthias Fassl
Klöckner notes that for all its novelty, the paper doesn't offer a final solution. Fassl agrees.
"I think what's interesting about our paper is the new design approach — showing that security mechanisms can be designed from scratch to better match users' mental models. That doesn't mean those mental models are automatically good. We found that all three variants we developed still need more work and have various limitations. They're probably not perfect solutions. But I think the paper offers strong directions. The next step is collaborating with other groups working on similar topics — our approach contributes most at the early design stage, while others are better at refining and finding alternatives." — Matthias Fassl
Klöckner asks who E2E encryption is really for — is it just helping criminals avoid surveillance, or does it serve legitimate needs?
"Interestingly, it matters for quite a range of people. At the EU policy level, one important point is that commercial internet use is deeply built on these encryption paradigms — if messages can no longer be end-to-end encrypted, it becomes hard to build trust in payment processes and similar things. But there are also groups for whom it's much more urgent. Political activists, for example — for them it's extremely important that they can't be monitored by state institutions or opposing groups, and that they can protect themselves in a verifiable way." — Matthias Fassl
Beyond the authentication ceremonies paper, Fassl mentions two other directions he's interested in pursuing: the social negotiation of security (getting others to participate in security practices with you) and the problem of security theater — people using security tools without really knowing how much protection they actually provide.
"Sometimes it happens that people use security mechanisms believing they help a lot, when in reality they don't help much — or in the worst case, not at all. That can be dangerous. One concrete example I'm working on in parallel: why do people who use Tor — the Tor Browser — also add a VPN on top? That can make sense in some limited cases, but for the vast majority of people doing it, it probably provides no benefit." — Matthias Fassl
The episode was recorded during the COVID pandemic. CHI 2021 was held virtually, with the in-person conference in Yokohama cancelled. Klöckner asks whether Fassl minds.
"Of course I would have liked to go to Yokohama. But what hits harder is that the conference isn't happening in person at all. One of the most important parts of conferences is networking — meeting researchers you can talk to informally, exchange ideas with, maybe hatch new project ideas. That doesn't really work online. You can give talks fine online, but the informal side is difficult. And it's less about Japan specifically, even though Japan is great — it's just about that meeting." — Matthias Fassl
Klöckner closes with a few personal questions. What does Fassl miss most about Vienna?
"It took me a long time to figure it out — but it's really crispy Viennese Kaiser rolls. Resch — that's roughly 'crusty.' You can get rolls here too, they're just not the same. A Wurstsemmel with gherkin for lunch is very much an everyday Vienna thing, and it just doesn't exist here." — Matthias Fassl
As for Saarbrücken itself, Fassl says there's something uniquely freeing about working at a research center where everyone is focused on security — you can walk up to any random person, describe your research, and they'll at least have a frame of reference for the topic. For visitors, he recommends the Völklinger Hütte, the German-French garden, the Saarbrücken city forest, and the St. Johannermarkt on a summer evening — which, he says, you simply can't find in Vienna.