End-to-end encryption (E2EE) is one of the most significant improvements to end-user privacy in the last decade. The core principle of E2EE is that encrypted data can be decrypted only by the client devices at each end of the communication. In particular, data protected using E2EE cannot be decrypted by third-party service providers even under threat of legal mandate.
While instant messaging applications such as WhatsApp are the most widespread use of E2EE, deployment is gradually spreading to cloud storage, authentication credentials, email, and other services. Prior work has studied the underlying E2EE protocols in great depth, but building an E2EE system that is both secure and usable by the general public requires far more than a robust protocol and implementation.
As an in-depth case study of the challenges involved in building an E2EE system, we begin by considering the prospect of messaging interoperability between E2EE services. We present specific open questions and challenges around enabling interoperable E2EE messaging, discuss where current solutions fall short, and explore possible mitigations. E2EE messaging interoperability was recently mandated in the European Union and raises two fundamental questions: how to enable the actual message exchange, and how to handle the numerous residual challenges arising from encrypted messages passing from one service provider to another—including but certainly not limited to content moderation, user authentication, key management, and metadata sharing between providers. While championed not just as an antitrust measure but as a means of providing a better experience for the end user, interoperability runs the risk of making both the level of security and the overall user experience worse if poorly executed.
Even the most robust E2EE protocol is only as strong as the security of the keys used. Most contemporary mobile devices offer hardware-backed storage for cryptographic keys and other credentials, protecting keys from extraction by an adversary who has compromised the main operating system, such as a malicious third-party app. We survey trusted hardware usage in Android apps and find that despite industry-wide initiatives to encourage adoption, just 5% of apps collecting some form of sensitive data use the strongest form of trusted hardware, a secure element distinct from the main processor. To better understand the performance of key storage options, we run experiments on all widely used Android devices and find notably slower runtimes in more advanced hardware storage mechanisms, a reality that app developers must take into account when weighing security and usability.
Finally, E2EE has brought both benefits and challenges for usable authentication and recovery. We systematize cross-device credential syncing protocols made possible by E2EE, with a particular focus on “passwordless” authentication. At the same time, because E2EE by its nature means that the provider cannot recover data for users who have forgotten passwords or lost devices, inadvertent loss of data protected by E2EE is a major concern. We survey authentication and recovery schemes across all widely used E2EE web services and find that the risk of account loss has prompted providers to deploy authentication and recovery schemes that are both more diverse and more easily compromised than conventional password-based schemes.