Logo
Florentin Putz
Research Associate
TU Darmstadt, Germany

Welcome! I am a software engineer and researcher based in Germany.

I'm interested in secure authentication systems and improve them with a focus on usability. I'm also experienced working on software and IoT projects.

I currently work at the Technical University of Darmstadt, where I conduct research at the Secure Mobile Networking Lab and teach students.

Selected Projects
AllAuthUsabilitySW Teaching

Authentication is the foundation for trustworthy communication over the Internet. I have worked on several projects evaluating and improving the deployability and usability of device pairing protocols as well as web authentication systems.

Usability is an often overlooked aspect of user-facing technology, especially in the security domain. But what good is such technology if users cannot successfully interact with it? Practical problems aren't just technological; they also demand solutions that are user-friendly and genuinely beneficial.

Teaching students was one of my tasks while working at TU Darmstadt. Besides the projects listed below, this website also contains an overview of my teaching activities.

I have been developing software for more than 15 years. This includes programming small tools, contributing to open-source software projects, but also building larger new software projects.

Major Projects

2023
Auth
Usability
Mobile
iOS
Web
FIDO2
R
HTML
CSS
JS
Auth
Usability

Passwords are the de-facto standard for user authentication, but they are hard to memorize and vulnerable to phishing/reuse attacks. Wouldn鈥檛 it be great if there was a standard way to use phishing-resistant public-key crypto for user authentication? Previous attempts suffered from poor usability, but FIDO2 and WebAuthn are promising.

We analyzed the usability of FIDO2 passwordless authentication by conducting a lab study with 87 participants. We compared platform authentication (biometric) with roaming authentication (security key) to determine the practical tradeoffs as perceived by users in a mobile scenario.

馃弳 This study won a best paper award at CHI鈥23, the top international conference for human-computer interaction.

2021
Auth
SW
Web
FIDO2
HTML
Python
C
WebAuthn
CTAP
Auth
SW

The FIDO2 standards for strong authentication on the Internet are now well-established in all major web browsers, allowing users to securely log in to websites without memorizing a password. But how can developers customize FIDO2 for their own use cases? Currently, there exists almost no information on custom FIDO2 deployments.

We documented the process of designing and implementing custom extensions for the FIDO2 web authentication protocol. Our open-source implementation targets the full FIDO2 stack, such as the Chromium web browser and hardware tokens. To give an overview of existing extensions, we survey all published FIDO2 extensions by manually inspecting the source code of major web browsers and authenticators. We propose methods to make it easier for developers to deploy custom FIDO2 extensions.

Short-Range Acoustic Communication #
2020
2020
Auth
IoT
Mobile
Android
Java
Kotlin
DSP
MATLAB
Auth
IoT

How can ordinary smartphones be used to securely exchange data with nearby devices? I designed a wireless physical layer that achieves message authentication using the acoustic interface, which is commonly available on smartphones and IoT devices. My open-source prototype implementation demonstrates device pairing with off-the-shelf smartphones and runs from user space without requiring firmware or hardware modifications.

馃弳 This project started with my Master鈥檚 thesis, which has received two awards: The KuVS award 2020 (nationwide award for the best Master鈥檚 thesis on communication systems in Germany) and the Datenlotsen award 2020 (one of the best three STEM Master鈥檚 theses at TU Darmstadt).

Modifying WiFi Firmware to Track Wireless Devices #
2016
2016
IoT
SW
Kotlin
C
ARM
Assembler
Java
Android
Mobile
MATLAB
IoT
SW

For my Bachelor鈥檚 thesis, I demonstrated a severe privacy vulnerability that affected most modern smartphones at the time, allowing for tracking and inferring location history of a user. I developed an Android app that can passively track wireless devices based on the WiFi probe requests they broadcast, showing tracking results in real-time.

The tracking data comes directly from the Broadcom WiFi chip, because I modified its firmware using the Nexmon reverse engineering framework (created by my thesis supervisor). Probe requests are special WiFi frames that are usually not accessible from user space. The tracking code therefore runs on a separate ARM chip instead of the host CPU, allowing continous tracking in the background without affecting normal smartphone usage and with minimal impact on battery usage.

Using this tracking system, I ran a measurement campaign to study the impact of this vulnerability by analyzing the probing behaviour of different smartphone models. Most devices were vulnerable and regularly sent probe requests, some even containing SSIDs of recently connected networks. As a response to such tracking approaches, Android and iOS nowadays randomize the MAC address to protect user privacy, but this was uncommon back when I evaluated this.

Minor Projects

FreeSpeaker: Open Smart Speaker Platform #
2023
2023
IoT
Auth
Python
Kotlin
Java
Android
Mobile
DSP
IoT
Auth

My colleagues and I at SEEMOO designed a modular smart speaker that can be 3D printed (open-source electronic + mechanical components). We demonstrate practical device bootstrapping using an authentication protocol combining radio and acoustic signals.

2021 鈥 2022
2021 鈥 2022
SW
Clojure
GraalVM
JVM
J (jlang)
SW

The Advent of Code is an annual programming competition with fun problems for each day in December leading up to Christmas. Usually, I team up with some colleagues from work to participate, seeing each day who has the fastest or most creative solutions. I like to use this event as an opportunity to try out new programming languages.

2022
SW
Jekyll
Ruby
HTML
Sass
CSS
JS
SW

The website you are visiting right now. I鈥檓 particularly proud of the responsive layout and responsive images. I did the web design from scratch, using the static site generator Jekyll with some custom plugins that I wrote in Ruby.

Teaching Signal Processing Using Audio #
2022
2022
Teaching
DSP
MATLAB
Teaching

TU Darmstadt鈥檚 course on physical layer security includes many practical exercises where students come to our lab and experiment with radio signals using SDRs. During the COVID19 pandemic, this was no longer possible and we suddenly had to shift our course to an online offering.

It was still important for us to find a way to let students get hands-on experience (this is one of the main reasons students like the course), so I created a lab exercise which allowed students to experiment with the physical layer from home, entireley with their own hardware. Instead of radio signals, they generated acoustic signals which can be used to transmit and receive data using just their smartphones or laptops.

2021
Teaching
DSP
Teaching

I created teaching material and a video tutorial to explain the Hilbert transform and how it relates to single-sideband modulation. In the past, our PhySec students particularly struggled with this topic.聽 I鈥檝e received great feedback: students claim that this tutorial helped them actually understand how it works and why it is useful in a visual way.

2018
SW
Python
Docker
SW

I have developed a bot that queries new mails from an IMAP server and mirrors them to a Zulip server. We used it back in the days at TU Darmstadt鈥檚 Computer Engineering student council to discuss incoming mails and coordinate actions/responses.