Welcome! I am a software engineer and researcher based in Germany.
I'm interested in secure authentication systems and improve them with a focus on usability. I'm also experienced working on software and IoT projects.
I currently work at the Technical University of Darmstadt, where I conduct research at the Secure Mobile Networking Lab and teach students.
Authentication is the foundation for trustworthy communication over the Internet. I have worked on several projects evaluating and improving the deployability and usability of device pairing protocols as well as web authentication systems.
Usability is an often overlooked aspect of user-facing technology, especially in the security domain. But what good is such technology if users cannot successfully interact with it? Practical problems aren't just technological; they also demand solutions that are user-friendly and genuinely beneficial.
Teaching students was one of my tasks while working at TU Darmstadt. Besides the projects listed below, this website also contains an overview of my teaching activities.
I have been developing software for more than 15 years. This includes programming small tools, contributing to open-source software projects, but also building larger new software projects.
Major Projects
Setting up secure chats in messenger apps such as Signal is often a pain, as users have to manually verify the public keys of their contacts to ensure end-to-end encryption. Especially in larger groups, this process is cumbersome and can take a lot of time.
We have developed PairSonic, which is an open-source smartphone app that enables two or more users meeting in person to spontaneously exchange or verify their contact information. PairSonic simplifies the pairing process by automating the tedious verification tasks of previous methods through an acoustic out-of-band channel using smartphones’ built-in hardware. It does not rely on external key management infrastructure, prior associations, or shared secrets.
But is PairSonic really more user-friendly than current approaches? To answer this question, we conducted a user study where 45 participants compared PairSonic to the current state of the art. The questionnaires and subsequent interviews showed that participants significantly preferred our system PairSonic.
🏆 This study won a best paper award at CSCW’24 (top 1% of papers).
Passwords are the de-facto standard for user authentication, but they are hard to memorize and vulnerable to phishing/reuse attacks. Wouldn’t it be great if there was a standard way to use phishing-resistant public-key crypto for user authentication? Previous attempts suffered from poor usability, but FIDO2 and WebAuthn are promising.
We analyzed the usability of FIDO2 passwordless authentication by conducting a lab study with 87 participants. We compared platform authentication (biometric) with roaming authentication (security key) to determine the practical tradeoffs as perceived by users in a mobile scenario.
🏆 This study won a best paper award at CHI’23, the top international conference for human-computer interaction.
The FIDO2 standards for strong authentication on the Internet are now well-established in all major web browsers, allowing users to securely log in to websites without memorizing a password. But how can developers customize FIDO2 for their own use cases? Currently, there exists almost no information on custom FIDO2 deployments.
We documented the process of designing and implementing custom extensions for the FIDO2 web authentication protocol. Our open-source implementation targets the full FIDO2 stack, such as the Chromium web browser and hardware tokens. To give an overview of existing extensions, we survey all published FIDO2 extensions by manually inspecting the source code of major web browsers and authenticators. We propose methods to make it easier for developers to deploy custom FIDO2 extensions.
How can ordinary smartphones be used to securely exchange data with nearby devices? I designed a wireless physical layer that achieves message authentication using the acoustic interface, which is commonly available on smartphones and IoT devices. My open-source prototype implementation demonstrates device pairing with off-the-shelf smartphones and runs from user space without requiring firmware or hardware modifications.
🏆 This project started with my Master’s thesis, which has received two awards: The KuVS award 2020 (nationwide award for the best Master’s thesis on communication systems in Germany) and the Datenlotsen award 2020 (one of the best three STEM Master’s theses at TU Darmstadt).
For my Bachelor’s thesis, I demonstrated a severe privacy vulnerability that affected most modern smartphones at the time, allowing for tracking and inferring location history of a user. I developed an Android app that can passively track wireless devices based on the WiFi probe requests they broadcast, showing tracking results in real-time.
The tracking data comes directly from the Broadcom WiFi chip, because I modified its firmware using the Nexmon reverse engineering framework (created by my thesis supervisor). Probe requests are special WiFi frames that are usually not accessible from user space. The tracking code therefore runs on a separate ARM chip instead of the host CPU, allowing continous tracking in the background without affecting normal smartphone usage and with minimal impact on battery usage.
Using this tracking system, I ran a measurement campaign to study the impact of this vulnerability by analyzing the probing behaviour of different smartphone models. Most devices were vulnerable and regularly sent probe requests, some even containing SSIDs of recently connected networks. As a response to such tracking approaches, Android and iOS nowadays randomize the MAC address to protect user privacy, but this was uncommon back when I evaluated this.
Minor Projects
The Advent of Code is an annual programming competition with fun problems for each day in December leading up to Christmas. Usually, I team up with some colleagues from work to participate, seeing each day who has the fastest or most creative solutions. I like to use this event as an opportunity to try out new programming languages.
My colleagues and I at SEEMOO designed a modular smart speaker that can be 3D printed (open-source electronic + mechanical components). We demonstrate practical device bootstrapping using an authentication protocol combining radio and acoustic signals.
The website you are visiting right now. I’m particularly proud of the responsive layout and responsive images. I did the web design from scratch, using the static site generator Jekyll with some custom plugins that I wrote in Ruby.
TU Darmstadt’s course on physical layer security includes many practical exercises where students come to our lab and experiment with radio signals using SDRs. During the COVID19 pandemic, this was no longer possible and we suddenly had to shift our course to an online offering.
It was still important for us to find a way to let students get hands-on experience (this is one of the main reasons students like the course), so I created a lab exercise which allowed students to experiment with the physical layer from home, entireley with their own hardware. Instead of radio signals, they generated acoustic signals which can be used to transmit and receive data using just their smartphones or laptops.
I created teaching material and a video tutorial to explain the Hilbert transform and how it relates to single-sideband modulation. In the past, our PhySec students particularly struggled with this topic. I’ve received great feedback: students claim that this tutorial helped them actually understand how it works and why it is useful in a visual way.
I have developed a bot that queries new mails from an IMAP server and mirrors them to a Zulip server. We used it back in the days at TU Darmstadt’s Computer Engineering student council to discuss incoming mails and coordinate actions/responses.