Kevin Fu, Emil Sit, Kendra Smith, Nick Feamster: Dos and Don'ts of Client Authentication on the Web
"Of the twenty-seven sites we investigated, we weakened the client authentication on two systems, gained unauthorized access on eight, and extracted the secret key used to mint authenticators from one."