Welcome! I am a software engineer and researcher based in Germany.
I'm interested in secure authentication systems and in improving them with a focus on usability. I'm also experienced working on software and IoT projects.
I currently work at the Technical University of Darmstadt, where I conduct research at the Secure Mobile Networking Lab and teach students.
Selected Projects
The following is a list of all major projects I have worked on, followed by smaller projects.
Authentication is the foundation for trustworthy communication over the Internet. I have worked on several projects evaluating and improving the deployability and usability of device pairing protocols as well as web authentication systems.
Usability is an often overlooked aspect of user-facing technology, especially in the security domain. But what good is such technology if users cannot successfully interact with it? Practical problems aren't just technological; they also demand solutions that are user-friendly and genuinely beneficial.
Teaching students was one of my tasks while working at TU Darmstadt. Besides the projects listed below, this website also contains an overview of my teaching activities.
I have been developing software for more than 15 years. This includes programming small tools, contributing to open-source software projects, but also building larger new software projects.
PairSonic is an open-source smartphone app that enables secure contact verification through an acoustic out-of-band channel. It simplifies end-to-end-encrypted communication setup, especially for larger groups of users. Our user study with 45 participants showed significant preference over current approaches.
We explored FIDO2/Passkeys as a passwordless alternative to traditional passwords (which are notoriously hard to remember and vulnerable to phishing/reuse attacks). Through a controlled lab study with 87 participants using smartphones, we evaluated the FIDO2 experience with external security keys as well as on-device biometrics, to identify remaining usability barriers.
Documentation and open-source implementation of custom FIDO2 extensions targeting the full authentication stack, from the Chromium browser to hardware tokens. We also give an overview of all currently existing extensions through manual source code analysis of browsers and authenticators.
How can ordinary smartphones be used to securely exchange data with nearby devices? I designed a wireless physical layer that achieves message authentication using the acoustic interface, which is commonly available on smartphones and IoT devices. My open-source prototype implementation demonstrates device pairing with off-the-shelf smartphones.
For my Bachelor’s thesis, I demonstrated a severe privacy vulnerability affecting most modern smartphones at the time, enabling passive tracking and location history inference via WiFi probe requests. I modified the firmware of the smartphone’s Broadcom WiFi chip using the Nexmon reverse engineering framework to capture the probe requests directly within my proof-of-concept Android app.
Minor Projects
When disasters like the 2021 Ahr Valley floods knock out Internet access for days, local “connectivity islands” become critical. We asked 857 residents in major German cities: What apps matter most in such disconnected scenarios? This future scenario, where apps work without outside Internet, could become reality with technologies like 6G, potentially transforming crisis communication.
The Advent of Code is an annual programming competition with fun problems for each day in December leading up to Christmas. Usually, I team up with some colleagues from work to participate, seeing each day who has the fastest or most creative solutions. I like to use this event as an opportunity to try out new programming languages.
My colleagues and I at SEEMOO designed a modular smart speaker that can be 3D printed (open-source electronic + mechanical components). We demonstrate practical device bootstrapping using an authentication protocol combining radio and acoustic signals.
The website you are visiting right now. I’m particularly proud of the responsive layout and responsive images. I did the web design from scratch, using the static site generator Jekyll with some custom plugins that I wrote in Ruby.
TU Darmstadt’s course on physical layer security traditionally involves hands-on lab exercises with SDRs for radio signal experimentation. During the COVID-19 pandemic, we had to shift the course online but wanted to still offer practical exercises. I created a lab exercise which allowed students to experiment with the physical layer using their personal hardware, transmitting acoustic signals instead of radio signals.
I created teaching material and a video tutorial to explain the Hilbert transform and how it relates to single-sideband modulation. In the past, our PhySec students particularly struggled with this topic. I’ve received great feedback: students claim that this tutorial helped them actually understand how it works and why it is useful in a visual way.
I have developed a bot that queries new mails from an IMAP server and mirrors them to a Zulip server. We used it back in the day at TU Darmstadt’s Computer Engineering student council to discuss incoming mails and coordinate actions/responses.