Publications
Verify It's You: How Users Perceive Risk-based Authentication
2021 - Stephan Wiefling, Markus Dürmuth, Luigi Lo Iacono
IEEE Security & Privacy, Volume 19, Issue 6, November-December 2021 [DOI] [Paper]Privacy Considerations for Risk-Based Authentication Systems
2021 - Stephan Wiefling, Jan Tolsdorf, Luigi Lo Iacono
International Workshop on Privacy Engineering (IWPE '21). Vienna, Austria, September 7, 2021On the Security of Smartphone Unlock PINs
2021 - Philipp Markert, Daniel V. Bailey, Maximilian Golla, Markus Dürmuth, Adam J. Aviv
ACM Transactions on Privacy and Security (TOPS '21). [Website]"I have no idea what they’re trying to accomplish" Enthusiastic and Casual Signal Users’ Understanding of Signal PINs
2021 - Daniel V. Bailey, Philipp Markert, Adam J. Aviv
Symposium on Usable Privacy and Security (SOUPS '21). Virtual Conference, August 8-10, 2021 [Website] [Paper]Using a Blocklist to Improve the Security of User Selection of Android Patterns
2021 - Collins W. Munyendo, Miles Grant, Philipp Markert, Timothy J. Forman, Adam J. Aviv
Symposium on Usable Privacy and Security (SOUPS '21). Virtual Conference, August 8-10, 2021 [Website] [Paper]My Account Is Compromised - What Do I Do? Towards an Intercultural Analysis of Account Remediation for Websites
2021 - Kathryn Walsh, Faiza Tazi, Philipp Markert, Sanchari Das
Workshop on Inclusive Privacy and Security (WIPS '21). Virtual Conference, August 7-8, 2021 [Paper]Unifying Privacy Policy Detection
2021 - Henry Hosseini, Martin Degeling, Christine Utz, Thomas Hupperich
The 21st Privacy Enhancing Technologies Symposium (PETS 2021), July 12–16, 2021, Virtual Conference"I just looked for the solution!" On Integrating Security-Relevant Information in Non-Security API Documentation to Support Secure Coding Practices
2021 - Peter Leo Gorski, Sebastian Möller, Stephan Wiefling, Luigi Lo Iacono
IEEE Transactions on Software Engineering, Volume 47, Issue x, x 2021 [DOI] [Paper]Are Privacy Dashboards Good for End Users? Evaluating User Perceptions and Reactions to Google’s My Activity
2021 - Florian Farke, David Balash, Maximilian Golla, Markus Dürmuth, Adam Aviv
USENIX Security Symposium (SSYM '21). Virtual Conference, August 11-13, 2021 [Conference Page] [arXiv Preprint] [Paper]"It's Stored, Hopefully, on an Encrypted Server": Mitigating Users' Misconceptions About FIDO2 Biometric WebAuthn
2021 - Leona Lassak, Annika Hildebrandt, Maximilian Golla, Blase Ur
USENIX Security Symposium (SSYM '21). Virtual Conference, August 11-13, 2021 [Conference Page]Evaluation of Account Recovery Strategies with FIDO2-based Passwordless Authentication
2021 - Johannes Kunke, Stephan Wiefling, Markus Ullmann, Luigi Lo Iacono
Open Identity Summit 2021 (OID '21). Lyngby, Denmark, June 1-2, 2021 [Link] [Paper]Apps Against the Spread: Privacy Implications and User Acceptance of COVID-19-Related Smartphone Apps on Three Continents
2021 - Christine Utz, Steffen Becker, Theodor Schnitzler, Florian Farke, Franziska Herbert, Leonie Schaewitz, Martin Degeling, Markus Dürmuth
ACM CHI Conference on Human Factors in Computing Systems 2021 [arXiv Preprint] [ACM Digital Library] [HTML Version]We Built This Circuit: Exploring Threat Vectors in Circuit Establishment in Tor
2021 - Theodor Schnitzler, Christina Pöpper, Markus Dürmuth, Katharina Kohls
IEEE European Symposium on Security and Privacy (EuroS&P '21). Virtual Conference, September 6-10, 2021 [Paper]What's in Score for Website Users: A Data-driven Long-term Study on Risk-based Authentication Characteristics
2021 - Stephan Wiefling, Markus Dürmuth, Luigi Lo Iacono
Financial Cryptography and Data Security (FC '21). Grenada, March 1-5, 2021 [Website] [Paper]SoK: Managing Longitudinal Privacy of Publicly Shared Personal Online Data
2021 - Theodor Schnitzler, Shujaat Mirza, Markus Dürmuth, Christina Pöpper
Proceedings of Privacy Enhancing Technologies 2021, Volume 1, pp. 229-249, November 9, 2020 [Paper (DOI)] [Video] [Paper] [Slides]More Than Just Good Passwords? A Study on Usability and Security Perceptions of Risk-based Authentication
2020 - Stephan Wiefling, Markus Dürmuth, Luigi Lo Iacono
Annual Computer Security Applications Conference (ACSAC '20). Austin, USA, December 7-11, 2020 [Website] [Paper]Data Sharing in Mobile Apps — User Privacy Expectations in Europe
2020 - Nils Quermann, Martin Degeling
5th European Workshop on Usable Security (EuroUSEC 2020) [pdf]Knock, Knock. Who’s There? On the Security of LG’s Knock Codes
2020 - Raina Samuel, Philipp Markert, Adam J. Aviv, Iulian Neamtiu
Symposium on Usable Privacy and Security (SOUPS '20). Virtual Conference, August 7-11, 2020 [Video] [Paper] [Slides]Akzeptanz von Corona-Apps in Deutschland vor der Einführung der Corona-Warn-App
2020 - Steffen Becker, Martin Degeling, Markus Dürmuth, Florian Farke, Leonie Schaewitz, Theodor Schnitzler, Christine Utz
Vorabveröffentlichung (Preprint), Juni 2020 [PDF (Deutsch)]Evaluation of Risk-based Re-Authentication Methods
2020 - Stephan Wiefling, Tanvil Patil, Markus Dürmuth, Luigi Lo Iacono
IFIP International Conference on ICT Systems Security and Privacy Protection (IFIP SEC '20). Maribor, Slovenia, September 21-23, 2020 [Website] [Paper]Usability, Sicherheit und Privatsphäre von risikobasierter Authentifizierung
2020 - Stephan Wiefling
Sicherheit 2020. Göttingen, Germany, March 17-20, 2020 [PDF]“You still use the password after all” – Exploring FIDO2 Security Keys in a Small Company
2020 - Florian Farke, Lennart Lorenz, Theodor Schnitzler, Philipp Markert, Markus Dürmuth
Symposium on Usable Privacy and Security (SOUPS '20). Virtual Conference, August 7-11, 2020 [Video] [PDF] [Slides]This PIN Can Be Easily Guessed: Analyzing the Security of Smartphone Unlock PINs
2020 - Philipp Markert, Daniel V. Bailey, Maximilian Golla, Markus Dürmuth, Adam J. Aviv
IEEE Symposium on Security and Privacy (SP '20). San Francisco, California, USA, May 18-20, 2020 [Website] [Video] [PDF] [Slides]Exploring User Perceptions of Deletion in Mobile Instant Messaging Applications
2020 - Theodor Schnitzler, Christine Utz, Florian Farke, Christina Pöpper, Markus Dürmuth
Journal of Cybersecurity, Volume 6, Issue 1, January 30, 2020 [DOI]Work in Progress: The European “Right To be Forgotten” – Legal and Technical Challenges of Search Engines Complying With The Right to Erasure
2019 - Jan Rensinghoff, Florian Farke, Markus Dürmuth, Tobias Gostomzyk
AoIR 2019: Trust in the System (AoIR '19). Brisbane, Australia, October 2, 2019Recht auf Vergessen
2019 - Florian Farke, Jan Rensinghoff, Markus Dürmuth, Tobias Gostomzyk
Datenschutz und Datensicherheit (2019) 43: 681 [Springer]POSTER: "What was that site doing with my Facebook password?" Designing Password-Reuse Notifications
2019 - Miranda Wei, Maximilian Golla, Juliette Hainline, Lydia Filipe, Markus Dürmuth, Elissa Redmiles, Blase Ur
USENIX Symposium on Usable Privacy and Security 2019 (SOUPS '19). Santa Clara, CA, USA, August 11-13, 2019 [Full Version]View The Email to Get Hacked: Attacking SMS-Based Two-Factor Authentication
2019 - Philipp Markert, Florian Farke, Markus Dürmuth
Who Are You?! Adventures in Authentication (WAY '19). Santa Clara, California, USA, August 11, 2019 [PDF] [Slides]Towards Contractual Agreements for Revocation of Online Data
2019 - Theodor Schnitzler, Markus Dürmuth, Christina Pöpper
IFIP International Conference on ICT Systems Security and Privacy Protection (IFIP SEC '19), Lisbon, Portugal, June 25-27, 2019 [PDF]Is This Really You? An Empirical Study on Risk-Based Authentication Applied in the Wild
2019 - Stephan Wiefling, Luigi Lo Iacono , Markus Dürmuth
IFIP International Conference on ICT Systems Security and Privacy Protection (IFIP SEC '19), Lisbon, Portugal, June 25-27, 2019 [Website] [PDF]Reasoning Analytically About Password-Cracking Software
2019 - Enze Liu, Amanda Nakanishi, Maximilian Golla, David Cash, Blase Ur
IEEE Symposium on Security and Privacy (SP '19). San Francisco, California, May 20, 2019 [GitHub] [Video] [PDF] [Slides]We Value Your Privacy - Now Take Some Cookies: Measuring the GDPR's Impact on Web Privacy
2019 - Martin Degeling, Christine Utz, Christopher Lentzsch, Henry Hosseini, Florian Schaub, Thorsten Holz
Network and Distributed System Security Symposium (NDSS 2019), San Diego, California, USA, February 2019 [GitHub] [PDF]Work in Progress: A Comparative Long-Term Study of Fallback Authentication
2019 - Philipp Markert, Maximilian Golla, Elizabeth Stobert, Markus Dürmuth
Workshop on Usable Security and Privacy (USEC '19). San Diego, California, USA, February 24, 2019 [PDF] [Slides]Work in Progress: On the In-Accuracy and Influence of Android Pattern Strength Meters
2019 - Maximilian Golla, Jan Rimkus, Adam J. Aviv, Markus Dürmuth
Workshop on Usable Security and Privacy (USEC '19). San Diego, California, February 24, 2019 [News] [GitHub] [PDF] [Slides]"What was that site doing with my Facebook password?" Designing Password-Reuse Notifications
2018 - Maximilian Golla, Miranda Wei, Juliette Hainline, Lydia Filipe, Markus Dürmuth, Elissa Redmiles, Blase Ur
ACM Conference on Computer and Communications Security 2018 (CCS '18). Toronto, Canada, October 15-19, 2018 [Video] [News] [PDF] [Slides]On the Accuracy of Password Strength Meters
2018 - Maximilian Golla, Markus Dürmuth
ACM Conference on Computer and Communications Security 2018 (CCS '18). Toronto, Canada, October 15-19, 2018 [Website] [GitHub] [Video] [PDF] [Slides]Rethinking Access Control and Authentication for the Home Internet of Things (IoT)
2018 - Weijia He, Maximilian Golla, Roshni Padhi, Jordan Ofek, Markus Dürmuth, Earlence Fernandes, Blase Ur
USENIX Security Symposium 2018 (SSYM '18). Baltimore, MD, USA, August 15-17, 2018 [Video] [News] [PDF] [Slides]POSTER: User Perception and Expectations on Deleting Instant Messages -or- "What Happens If I Press This Button?"
2018 - Theodor Schnitzler, Christine Utz, Florian Farke, Christina Pöpper, Markus Dürmuth
USENIX Symposium on Usable Privacy and Security 2018 (SOUPS '18). Baltimore, MD, USA, August 12-14, 2018"Will Any Password Do?" Exploring Rate-Limiting on the Web
2018 - Maximilian Golla, Theodor Schnitzler, Markus Dürmuth
Who Are You?! Adventures in Authentication 2018 (WAY '18). Baltimore, MD, USA, August 12, 2018 [PDF] [Slides]Bars, Badges, and High Scores: On the Impact of Password Strength Visualizations
2018 - Maximilian Golla, Björn Hahn, Karsten Meyer zu Selhausen, Henry Hosseini, Markus Dürmuth
Who Are You?! Adventures in Authentication 2018 (WAY '18). Baltimore, MD, USA, August 12, 2018 [PDF] [Slides]The Password Doesn't Fall Far: How Service Influences Password Choice
2018 - Miranda Wei, Maximilian Golla, Blase Ur
Who Are You?! Adventures in Authentication 2018 (WAY '18). Baltimore, MD, USA, August 12, 2018 [PDF] [Slides]The State of User Authentication in the Wild
2018 - Nils Quermann, Marian Harbach, Markus Dürmuth
Who Are You?! Adventures in Authentication 2018 (WAY '18). Baltimore, MD, USA, August 12, 2018 [PDF]User Perception and Expectations on Deleting Instant Messages -or- "What Happens If I Press This Button?"
2018 - Theodor Schnitzler, Christine Utz, Florian Farke, Christina Pöpper, Markus Dürmuth
European Workshop on Usable Security (EuroUSEC) 2018, London, England, 23 April 2018 [PDF] [Slides]HAL—The Missing Piece of the Puzzle for Hardware Reverse Engineering, Trojan Detection and Insertion
2018 - Marc Fyrbiak, Sebastian Wallat, Pawel Swierczynski, Max Hoffmann, Sebastian Hoppach, Mathias Wilhelm, Tobias Weidlich, Russell Tessier, Christof Paar
IEEE Transactions on Dependable and Secure Computing (to appear)On The (In-)Security Of JavaScript Object Signing And Encryption
2017 - Dennis Detering, Juraj Somorovsky, Christian Mainka, Vladislav Mladenov, Jörg Schwenk
ROOTS, November 16–17, 2017, Vienna, Austria [PDF]"I want my money back!" Limiting Online Password-Guessing Financially
2017 - Maximilian Golla, Daniel V. Bailey, Markus Dürmuth
Who Are You?! Adventures in Authentication 2017 (WAY '17). Santa Clara, CA, USA, July 12, 2017 [PDF] [Slides]POSTER: Towards Implicit Visual Memory-Based Authentication
2017 - Claude Castelluccia, Markus Dürmuth, Maximilian Golla, Fatma Deniz
USENIX Symposium on Usable Privacy and Security 2017 (SOUPS '17). Santa Clara, CA, USA, July 12-14, 2017 [Full Version]Towards Implicit Visual Memory-Based Authentication
2017 - Claude Castelluccia, Markus Dürmuth, Maximilian Golla, Fatma Deniz
ISOC Network and Distributed System Security Symposium 2017 (NDSS '17). San Diego, CA, USA, February 26 - March 1, 2017 [Video] [PDF] [Slides]EmojiAuth: Quantifying the Security of Emoji-based Authentication
2017 - Maximilian Golla, Dennis Detering, Markus Dürmuth
Workshop on Usable Security 2017 (USEC '17). San Diego, CA, USA, February 25, 2017 [PDF] [Slides]On the Security of Cracking-Resistant Password Vaults
2016 - Maximilian Golla, Benedict Beuscher, Markus Dürmuth
ACM Conference on Computer and Communications Security 2016 (CCS '16). Vienna, Austria, October 24-28, 2016 [Video] [PDF] [Slides]Side-Channel Attacks on Fingerprint Matching Algorithms
2016 - Markus Dürmuth, David Oswald, Niklas Pastewka
To appear at the 6th International Workshop on Trustworthy Embedded Devices (TrustED 2016) [PDF]On User Choice for Android Unlock Patterns
2016 - Marte Loge, Markus Dürmuth, Lillian Rostad
Accepted at the 1st European Workshop on Usable Security, 2016. [PDF]Position Paper: Measuring the Impact of Alphabet and Culture on Graphical Passwords
2016 - Adam J. Aviv, Markus Dürmuth, Payas Gupta
Adventures in Authentication: WAY Workshop, 2016. [PDF]Neuralyzer: Flexible Expiration Times for the Revocation of Online Data
2016 - Apostolis Zarras, Katharina Kohls, Markus Dürmuth, Christina Pöpper
In Proceedings of the ACM Conference on Data and Application Security and Privacy (ACM CODASPY) 2016 *** OUTSTANDING PAPER AWARD *** [PDF]Who Are You? A Statistical Approach to Measuring User Authenticity
2016 - David Mandell Freeman, Sakshi Jain, Markus Dürmuth, Battista Biggio, Giorgio Giacinto
The Network and Distributed System Security Symposium 2016 (NDSS '16), San Diego, CA, USA, February 21-24, 2016 [PDF] [Slides]Analyzing 4 Million Real-World Personal Knowledge Questions (Short Paper)
2015 - Maximilian Golla, Markus Dürmuth
International Conference on Passwords 2015 (PASSWORDS '15). Cambridge, United Kingdom, December 7-9, 2015 [Video] [PDF] [Slides]OMEN: Faster Password Guessing Using an Ordered Markov Enumerator
2015 - Markus Dürmuth, Fabian Angelstorf, Claude Castelluccia, Daniele Perito, Abdelberi Chaabane
International Symposium on Engineering Secure Software and Systems (ESSoS), 2015. [GitHub] [PDF]Learning from Neuroscience to Improve Internet Security
2014 - Claude Castelluccia, Markus Dürmuth, Fatma Imamoglu
ERCIM News 2014(99), 2014.On Password Guessing with GPUs and FPGAs
2014 - Markus Dürmuth, Thorsten Kranz
PASSWORDS 2014 Conference, 2014. [pdf]Secure Fallback Authentication and the Trusted Friend Attack
2014 - Ashar Javed, David Bletgen, Florian Kohlar, Markus Dürmuth, Jörg Schwenk
Proceedings International Conference on Distributed Computing Systems Workshops (ICDCS Workshops), 2014.Statistics on Password Re-use and Adaptive Strength for Financial Accounts
2014 - Daniel V. Bailey, Markus Dürmuth, Christof Paar
Proceedings 9th International Conference on Security and Cryptography (SCN), 2014. [PDF]Typing passwords with voice recognition --or-- How to authenticate to Google Glass
2014 - Daniel Bailey, Markus Dürmuth, Christof Paar
Adventures in Authentication: WAY Workshop. 2014. [PDF]Quantifying the Security of Graphical Passwords: The Case of Android Unlock Patterns
2013 - Sebastian Uellenbeck, Markus Dürmuth, Christopher Wolf, Thorsten Holz
ACM Conference on Computer and Communications Security (CCS), Berlin, November 2013 [PDF]Useful Password Hashing: How to Waste Computing Cycles with Style
2013 - Markus Dürmuth
Proceedings of the 2013 New security paradigms workshop (NSPW) Pages 31-40 ACM, 2013 [PDF]Evaluation of Standardized Password-Based Key Derivation against Parallel Processing Platforms
2013 - Markus Dürmuth, Tim Güneysu, Markus Kasper, Christof Paar, Tolga Yalcin, Ralf Zimmermann
Computer Security - ESORICS 2012 - 17th European Symposium on Research in Computer Security, Pisa, Italy, September 10-12, 2012 [DOI] [BibTeX] [pdf] [bib]Achieving anonymity against major face recognition algorithms
2013 - Benedikt Driessen, Markus Dürmuth
Proceedings Communications and Multimedia Security (CMS 2013), LNCS 8099, Springer, 2013. [PDF]Anonymität und Gesichtserkennung
2013 - Benedikt Driessen, Markus Dürmuth
digma, Zeitschrift für Datenrecht und Informationssicherheit, 2013.Adaptive password-strength meters from Markov models
2012 - Claude Castelluccia, Markus Dürmuth, Daniele Perito
Proceedings 19th Network & Distributed System Security Symposium (NDSS 12). Internet Society, 2012. [PDF]Timed revocation of user data: Long expiration times from existing infrastructure
2012 - Sirke Reimann , Markus Dürmuth
Proceedings Workshop on Privacy in the Electronic Society (WPES), 2012.Deniable encryption with negligible detection probability: An interactive construction
2011 - Markus Dürmuth, David Mandell Freeman
Proceedings Advances in Cryptology (EUROCRYPT 11), Springer, 2011Acoustic Side-Channel Attacks on Printers
2010 - Michael Backes, Markus Dürmuth, Sebastian Gerling, Manfred Pinkal, Caroline Sporleder
Proceedings USENIX Security Symposium, 2010.Speaker Recognition in Encrypted Voice Streams
2010 - Michael Backes, Goran Doychev, Markus Dürmuth, Boris Köpf
Proceedings European Symposium on Research in Computer Security (ESORICS), 2010. (Preliminary version appeared in the Grande Region Security and Reliability Day, Saarbrücken, 2010.)A Provably Secure and Efficient Countermeasure against Timing Attacks
2009 - Boris Köpf, Markus Dürmuth
Proceedings of the 22nd IEEE Computer Security Foundations Symposium (CSF), 2009.Tempest in a Teapot: Compromising Reflections Revisited
2009 - Michael Backes, Tongbo Chen, Markus Dürmuth, Hendrik P. A. Lensch, Martin Welk
Proceedings of the IEEE Symposium on Security and Privacy (SSP '09), Mai 2009.Compromising Reflections - or - How to Read LCD Monitors Around the Corner
2008 - Michael Backes, Markus Dürmuth, Dominique Unruh
Proceedings of the IEEE Symposium on Security and Privacy (SSP '08), Mai 2008.Datenspionage / Wie Brillengläser Geheimnisse verraten
2008 - Michael Backes, Markus Dürmuth, Dominique Unruh
In iX Magazin für Professionelle Informationstechnik, Heise Verlag, Hannover, May 2008.OAEP is Secure Under Key-dependent Messages
2008 - Michael Backes, Markus Dürmuth, Dominique Unruh
Proceedings of ASIACRYPT, December 2008.Böse Textdokumente – Postscript gone wild
2007 - Michael Backes, Markus Dürmuth, Dominique Unruh
iX Magazin für Professionelle Informationstechnik, Heise Verlag, Hannover, August 2007.Conditional Reactive Simulatability
2007 - Michael Backes, Markus Dürmuth, Dennis Hofheinz, Ralf Küsters
International Journal of Information Security (IJIS), Springer, 2007.Enterprise Privacy Policies and Languages
2007 - Michael Backes, Markus Dürmuth
In Digital Privacy: Theory, Technologies and Practices, Elsevier, 2007.Information Flow in the Peer-Reviewing Process (Extended Abstract)
2007 - Michael Backes, Markus Dürmuth, Dominique Unruh
Proceedings of 28th IEEE Symposium on Security and Privacy (SSP '07), May 2007.On Simulatability Soundness and Mapping Soundness of Symbolic Cryptography
2007 - Michael Backes, Markus Dürmuth, Ralf Küsters
Proceedings of 27th International Conference on Foundations of Software Technology and Theoretical Computer Science (FSTTCS), December 2007.Conditional Reactive Simulatability
2006 - Michael Backes, Markus Dürmuth, Dennis Hofheinz, Ralf Küsters
Proceedings of 11th European Symposium on Research in Computer Security (ESORICS '06), September 2006.A Cryptographically Sound Dolev-Yao Style Security Proof of an Electronic Payment System
2005 - Michael Backes, Markus Dürmuth
In Proceedings of 18th IEEE Computer Security Foundations Workshop (CSFW '05), June 2005.An Algebra for Composing Enterprise Privacy Policies
2004 - Michael Backes, Markus Dürmuth, Rainer Steinwandt
Proceedings of 9th European Symposium on Research in Computer Security (ESORICS '04), September 2004.Unification in Privacy Policy Evaluation - Translating EPAL to Prolog
2004 - Michael Backes, Markus Dürmuth, Günter Karjoth
Proceedings of 5th IEEE International Workshop on Policies for Distributed Systems and Networks (POLICY), June 2004.