Website Identity Notification: Testing the Simplest Thing That Could Possibly Work

Users are used to authenticating themselves to websites, but not for websites to authenticate to them. One readily available mechanism that may help users make safer online decisions lies in website certificates that contain website identity information. Fraudulent websites are now short-lived and present valid certificates without any identity information. Our goal was to create and test the effectiveness of simpler certificate interfaces, made to help users differentiate between identity-verified websites and those without such verification, and thus, potentially fraudulent. We conducted a study with a certificate interface prototype with simple identity notification types. Our findings suggest that presenting identity information to users can help them differentiate between real and potentially fraudulent websites. Some users were suspicious of the notifications and incorrectly felt that they could make decisions based on website appearance, so building user background knowledge is essential.