I am a software engineer and researcher from the Frankfurt Rhine-Main area in Germany, working at the Technical University of Darmstadt. Iâm interested in all sorts of technology; my current focus is on building authentication systems that are not only user-friendly but also seamlessly fit into existing hardware and software requirements.
Education
Awards
Early Life
My fascination with technology began during primary school when I started programming with Pascal and Delphi, as an autodidact using books from the local library.
In high school, I co-founded a computer science club with friends and a supportive teacher, where we worked on fun projects and shared our knowledge. A standout project was building a Lego Mindstorms robot for the 2008 First Lego League, for which we even got some training from researchers at the local university. Although we didnât get far in the competition, it was a fun experience.
As I explored web development (HTML, CSS, JS, SQL, PHP), I began creating websites for friends, which later turned into a part-time job. I also expanded my programming skills to include Java and C#, which were great for developing Windows GUIs, reminding me of my earlier experiences with Delphi. My preference shifted to Linux over time, and Python quickly became my favorite programming language.
Computer Engineering
After high school, I chose to study Computer Engineering (âInformationssystemtechnikâ) at TU Darmstadt, driven by my curiosity about the hardware side of technology â understanding the inner workings of a computer. While I was already comfortable with software development, diving into the electrical engineering components was a challenging yet rewarding leap.
I studied a wide range of topics: from functional programming in Racket and Lisp, building computer architectures out of NAND gates, diving deep into mathematics (particularly statistics was important later on), signals & systems, communication technology, electronics & embedded systems, software engineering & design patterns, statistical machine learning, some robotics, IT security, and more.
I was actively involved in the Computer Engineering student council, organizing events like the orientation week for freshmen and our annual summer barbecue. Additionally, I contributed to our student magazine and managed our IT infrastructure.
IT Security & HCI
During my university years, particularly when I specialized in IT security, I recognized that practical problems arenât just technological; they also demand solutions that are user-friendly and genuinely beneficial. It became clear to me that even software with impressive features could suffer from poor usability â GPG being a notorious example. This made me interested in human-computer interaction, motivating me to study and improve how people interact with technology.
During my PhD at SEEMOO, my research has focused on bridging the gap between IT security and human-computer interaction. This collaborative effort culminated in a paper presented at CHI â23, the leading international conference on human-computer interaction. Our study on usable security was well-received, earning a Best Paper Award, which has been encouraging and motivates further research in this important area.
Authentication is the foundation for trustworthy communication over the Internet. I have worked on several projects evaluating and improving the deployability and usability of device pairing protocols as well as web authentication systems.
Usability is an often overlooked aspect of user-facing technology, especially in the security domain. But what good is such technology if users cannot successfully interact with it? Practical problems aren't just technological; they also demand solutions that are user-friendly and genuinely beneficial.
Teaching students was one of my tasks while working at TU Darmstadt. Besides the projects listed below, this website also contains an overview of my teaching activities.
I have been developing software for more than 15 years. This includes programming small tools, contributing to open-source software projects, but also building larger new software projects.
Major Projects
Setting up secure chats in messenger apps such as Signal is often a pain, as users have to manually verify the public keys of their contacts to ensure end-to-end encryption. Especially in larger groups, this process is cumbersome and can take a lot of time.
We have developed PairSonic, which is an open-source smartphone app that enables two or more users meeting in person to spontaneously exchange or verify their contact information. PairSonic simplifies the pairing process by automating the tedious verification tasks of previous methods through an acoustic out-of-band channel using smartphonesâ built-in hardware. It does not rely on external key management infrastructure, prior associations, or shared secrets.
But is PairSonic really more user-friendly than current approaches? To answer this question, we conducted a user study where 45 participants compared PairSonic to the current state of the art. The questionnaires and subsequent interviews showed that participants significantly preferred our system PairSonic.
đ This study won a best paper award at CSCWâ24 (top 1% of papers).
Passwords are the de-facto standard for user authentication, but they are hard to memorize and vulnerable to phishing/reuse attacks. Wouldnât it be great if there was a standard way to use phishing-resistant public-key crypto for user authentication? Previous attempts suffered from poor usability, but FIDO2 and WebAuthn are promising.
We analyzed the usability of FIDO2 passwordless authentication by conducting a lab study with 87 participants. We compared platform authentication (biometric) with roaming authentication (security key) to determine the practical tradeoffs as perceived by users in a mobile scenario.
đ This study won a best paper award at CHIâ23, the top international conference for human-computer interaction.
The FIDO2 standards for strong authentication on the Internet are now well-established in all major web browsers, allowing users to securely log in to websites without memorizing a password. But how can developers customize FIDO2 for their own use cases? Currently, there exists almost no information on custom FIDO2 deployments.
We documented the process of designing and implementing custom extensions for the FIDO2 web authentication protocol. Our open-source implementation targets the full FIDO2 stack, such as the Chromium web browser and hardware tokens. To give an overview of existing extensions, we survey all published FIDO2 extensions by manually inspecting the source code of major web browsers and authenticators. We propose methods to make it easier for developers to deploy custom FIDO2 extensions.
How can ordinary smartphones be used to securely exchange data with nearby devices? I designed a wireless physical layer that achieves message authentication using the acoustic interface, which is commonly available on smartphones and IoT devices. My open-source prototype implementation demonstrates device pairing with off-the-shelf smartphones and runs from user space without requiring firmware or hardware modifications.
đ This project started with my Masterâs thesis, which has received two awards: The KuVS award 2020 (nationwide award for the best Masterâs thesis on communication systems in Germany) and the Datenlotsen award 2020 (one of the best three STEM Masterâs theses at TU Darmstadt).
For my Bachelorâs thesis, I demonstrated a severe privacy vulnerability that affected most modern smartphones at the time, allowing for tracking and inferring location history of a user. I developed an Android app that can passively track wireless devices based on the WiFi probe requests they broadcast, showing tracking results in real-time.
The tracking data comes directly from the Broadcom WiFi chip, because I modified its firmware using the Nexmon reverse engineering framework (created by my thesis supervisor). Probe requests are special WiFi frames that are usually not accessible from user space. The tracking code therefore runs on a separate ARM chip instead of the host CPU, allowing continous tracking in the background without affecting normal smartphone usage and with minimal impact on battery usage.
Using this tracking system, I ran a measurement campaign to study the impact of this vulnerability by analyzing the probing behaviour of different smartphone models. Most devices were vulnerable and regularly sent probe requests, some even containing SSIDs of recently connected networks. As a response to such tracking approaches, Android and iOS nowadays randomize the MAC address to protect user privacy, but this was uncommon back when I evaluated this.
Minor Projects
My colleagues and I at SEEMOO designed a modular smart speaker that can be 3D printed (open-source electronic + mechanical components). We demonstrate practical device bootstrapping using an authentication protocol combining radio and acoustic signals.
The Advent of Code is an annual programming competition with fun problems for each day in December leading up to Christmas. Usually, I team up with some colleagues from work to participate, seeing each day who has the fastest or most creative solutions. I like to use this event as an opportunity to try out new programming languages.
The website you are visiting right now. Iâm particularly proud of the responsive layout and responsive images. I did the web design from scratch, using the static site generator Jekyll with some custom plugins that I wrote in Ruby.
TU Darmstadtâs course on physical layer security includes many practical exercises where students come to our lab and experiment with radio signals using SDRs. During the COVID19 pandemic, this was no longer possible and we suddenly had to shift our course to an online offering.
It was still important for us to find a way to let students get hands-on experience (this is one of the main reasons students like the course), so I created a lab exercise which allowed students to experiment with the physical layer from home, entireley with their own hardware. Instead of radio signals, they generated acoustic signals which can be used to transmit and receive data using just their smartphones or laptops.
I created teaching material and a video tutorial to explain the Hilbert transform and how it relates to single-sideband modulation. In the past, our PhySec students particularly struggled with this topic. Iâve received great feedback: students claim that this tutorial helped them actually understand how it works and why it is useful in a visual way.
I have developed a bot that queries new mails from an IMAP server and mirrors them to a Zulip server. We used it back in the days at TU Darmstadtâs Computer Engineering student council to discuss incoming mails and coordinate actions/responses.