Is It Too Late for PAKE?

The most common web authentication technique in use today is password authentication via an HTML form, where a user types her password directly into a web page from the site to which she wishes to authenticate herself. The problem with this approach is that it relies on the user to determine when it is safe to enter her password. To resist phishing and other social engineering attacks, a user must rely on the browser's security indicators and warning messages, e.g., the URL bar and the site's SSL certificate, to authenticate the website and determine when it is safe to enter her password. Unfortunately, studies suggest that many users habitually click through SSL certificate warnings and misunderstand or ignore browser security indicators.