Publications

Towards Quantum Large-Scale Password Guessing on Real-World Distributions

2021 - Markus Dürmuth, Maximilian Golla, Philipp Markert, Alexander May, Lars Schlieper

International Conference on Cryptology and Network Security (CANS '21). Vienna, Austria, December 13-15, 2021. [Paper]

Verify It's You: How Users Perceive Risk-based Authentication

2021 - Stephan Wiefling, Markus Dürmuth, Luigi Lo Iacono

IEEE Security & Privacy, Volume 19, Issue 6, November-December 2021 [DOI] [Paper]

Privacy Considerations for Risk-Based Authentication Systems

2021 - Stephan Wiefling, Jan Tolsdorf, Luigi Lo Iacono

International Workshop on Privacy Engineering (IWPE '21). Vienna, Austria, September 7, 2021 [Website] [Paper]

"I have no idea what they’re trying to accomplish" Enthusiastic and Casual Signal Users’ Understanding of Signal PINs

2021 - Daniel V. Bailey, Philipp Markert, Adam J. Aviv

Symposium on Usable Privacy and Security (SOUPS '21). Virtual Conference, August 8-10, 2021. [Website] [Paper]

Using a Blocklist to Improve the Security of User Selection of Android Patterns

2021 - Collins W. Munyendo, Miles Grant, Philipp Markert, Timothy J. Forman, Adam J. Aviv

Symposium on Usable Privacy and Security (SOUPS '21). Virtual Conference, August 8-10, 2021. [Website] [Paper]

My Account Is Compromised - What Do I Do? Towards an Intercultural Analysis of Account Remediation for Websites

2021 - Kathryn Walsh, Faiza Tazi, Philipp Markert, Sanchari Das

Workshop on Inclusive Privacy and Security (WIPS '21). Virtual Conference, August 7-8, 2021. [Video] [Paper] [Slides]

Unifying Privacy Policy Detection

2021 - Henry Hosseini, Martin Degeling, Christine Utz, Thomas Hupperich

The 21st Privacy Enhancing Technologies Symposium (PETS 2021), July 12–16, 2021, Virtual Conference

Are Privacy Dashboards Good for End Users? Evaluating User Perceptions and Reactions to Google’s My Activity

2021 - Florian Farke, David Balash, Maximilian Golla, Markus Dürmuth, Adam Aviv

USENIX Security Symposium (SSYM '21). Virtual Conference, August 11-13, 2021 [Conference Page] [arXiv Preprint] [Paper]

"It's Stored, Hopefully, on an Encrypted Server": Mitigating Users' Misconceptions About FIDO2 Biometric WebAuthn

2021 - Leona Lassak, Annika Hildebrandt, Maximilian Golla, Blase Ur

USENIX Security Symposium (SSYM '21). Virtual Conference, August 11-13, 2021 [Conference Page]

Evaluation of Account Recovery Strategies with FIDO2-based Passwordless Authentication

2021 - Johannes Kunke, Stephan Wiefling, Markus Ullmann, Luigi Lo Iacono

Open Identity Summit 2021 (OID '21). Lyngby, Denmark, June 1-2, 2021 [Link] [Paper]

We Built This Circuit: Exploring Threat Vectors in Circuit Establishment in Tor

2021 - Theodor Schnitzler, Christina Pöpper, Markus Dürmuth, Katharina Kohls

IEEE European Symposium on Security and Privacy (EuroS&P '21). Virtual Conference, September 6-10, 2021 [Paper]

What's in Score for Website Users: A Data-driven Long-term Study on Risk-based Authentication Characteristics

2021 - Stephan Wiefling, Markus Dürmuth, Luigi Lo Iacono

Financial Cryptography and Data Security (FC '21). Grenada, March 1-5, 2021 [Website] [Paper]

More Than Just Good Passwords? A Study on Usability and Security Perceptions of Risk-based Authentication

2020 - Stephan Wiefling, Markus Dürmuth, Luigi Lo Iacono

Annual Computer Security Applications Conference (ACSAC '20). Austin, USA, December 7-11, 2020 [Website] [Paper]

Data Sharing in Mobile Apps — User Privacy Expectations in Europe

2020 - Nils Quermann, Martin Degeling

5th European Workshop on Usable Security (EuroUSEC 2020) [pdf]

Knock, Knock. Who’s There? On the Security of LG’s Knock Codes

2020 - Raina Samuel, Philipp Markert, Adam J. Aviv, Iulian Neamtiu

Symposium on Usable Privacy and Security (SOUPS '20). Virtual Conference, August 7-11, 2020. [Video] [Paper] [Slides]

Evaluation of Risk-based Re-Authentication Methods

2020 - Stephan Wiefling, Tanvil Patil, Markus Dürmuth, Luigi Lo Iacono

IFIP In­ter­na­tio­nal Con­fe­rence on ICT Sys­tems Se­cu­ri­ty and Pri­va­cy Pro­tec­tion (IFIP SEC '20). Maribor, Slovenia, September 21-23, 2020 [Website] [Paper]

Usability, Sicherheit und Privatsphäre von risikobasierter Authentifizierung

2020 - Stephan Wiefling

Sicherheit 2020. Göttingen, Germany, March 17-20, 2020 [PDF]

“You still use the password after all” – Exploring FIDO2 Security Keys in a Small Company

2020 - Florian Farke, Lennart Lorenz, Theodor Schnitzler, Philipp Markert, Markus Dürmuth

Symposium on Usable Privacy and Security (SOUPS '20). Virtual Conference, August 7-11, 2020. [Video] [Paper] [Slides]

This PIN Can Be Easily Guessed: Analyzing the Security of Smartphone Unlock PINs

2020 - Philipp Markert, Daniel V. Bailey, Maximilian Golla, Markus Dürmuth, Adam J. Aviv

IEEE Sym­po­si­um on Se­cu­ri­ty and Pri­va­cy (SP '20). San Fran­cis­co, Ca­li­for­nia, USA, May 18-20, 2020. [Website] [Video] [Paper] [Slides]

Work in Progress: The European “Right To be Forgotten” – Legal and Technical Challenges of Search Engines Complying With The Right to Erasure

2019 - Jan Rensinghoff, Florian Farke, Markus Dürmuth, Tobias Gostomzyk

AoIR 2019: Trust in the System (AoIR '19). Brisbane, Australia, October 2, 2019

POSTER: "What was that site doing with my Facebook password?" Designing Password-Reuse Notifications

2019 - Miranda Wei, Maximilian Golla, Juliette Hainline, Lydia Filipe, Markus Dürmuth, Elissa Redmiles, Blase Ur

USENIX Symposium on Usable Privacy and Security 2019 (SOUPS '19). Santa Clara, CA, USA, August 11-13, 2019 [Full Version]

View The Email to Get Hacked: Attacking SMS-Based Two-Factor Authentication

2019 - Philipp Markert, Florian Farke, Markus Dürmuth

Who Are You?! Adventures in Authentication (WAY '19). Santa Clara, California, USA, August 11, 2019. [Paper] [Slides]

Towards Contractual Agreements for Revocation of Online Data

2019 - Theodor Schnitzler, Markus Dürmuth, Christina Pöpper

IFIP International Conference on ICT Systems Security and Privacy Protection (IFIP SEC '19), Lisbon, Portugal, June 25-27, 2019 [PDF]

Is This Really You? An Empirical Study on Risk-Based Authentication Applied in the Wild

2019 - Stephan Wiefling, Luigi Lo Iacono , Markus Dürmuth

IFIP In­ter­na­tio­nal Con­fe­rence on ICT Sys­tems Se­cu­ri­ty and Pri­va­cy Pro­tec­tion (IFIP SEC '19), Lis­bon, Por­tu­gal, June 25-27, 2019 [Website] [PDF]

Reasoning Analytically About Password-Cracking Software

2019 - Enze Liu, Amanda Nakanishi, Maximilian Golla, David Cash, Blase Ur

IEEE Symposium on Security and Privacy (SP '19). San Francisco, California, May 20, 2019 [GitHub] [Video] [PDF] [Slides]

We Value Your Privacy - Now Take Some Cookies: Measuring the GDPR's Impact on Web Privacy

2019 - Martin Degeling, Christine Utz, Christopher Lentzsch, Henry Hosseini, Florian Schaub, Thorsten Holz

Network and Distributed System Security Symposium (NDSS 2019), San Diego, California, USA, February 2019 [GitHub] [PDF]

Work in Progress: A Comparative Long-Term Study of Fallback Authentication

2019 - Philipp Markert, Maximilian Golla, Elizabeth Stobert, Markus Dürmuth

Workshop on Usable Security and Privacy (USEC '19). San Diego, California, USA, February 24, 2019. [Paper] [Slides]

Work in Progress: On the In-Accuracy and Influence of Android Pattern Strength Meters

2019 - Maximilian Golla, Jan Rimkus, Adam J. Aviv, Markus Dürmuth

Workshop on Usable Security and Privacy (USEC '19). San Diego, California, February 24, 2019 [News] [GitHub] [PDF] [Slides]

"What was that site doing with my Facebook password?" Designing Password-Reuse Notifications

2018 - Maximilian Golla, Miranda Wei, Juliette Hainline, Lydia Filipe, Markus Dürmuth, Elissa Redmiles, Blase Ur

ACM Conference on Computer and Communications Security 2018 (CCS '18). Toronto, Canada, October 15-19, 2018 [Video] [News] [PDF] [Slides]

On the Accuracy of Password Strength Meters

2018 - Maximilian Golla, Markus Dürmuth

ACM Conference on Computer and Communications Security 2018 (CCS '18). Toronto, Canada, October 15-19, 2018 [Website] [GitHub] [Video] [PDF] [Slides]

Rethinking Access Control and Authentication for the Home Internet of Things (IoT)

2018 - Weijia He, Maximilian Golla, Roshni Padhi, Jordan Ofek, Markus Dürmuth, Earlence Fernandes, Blase Ur

USENIX Security Symposium 2018 (SSYM '18). Baltimore, MD, USA, August 15-17, 2018 [Video] [News] [PDF] [Slides]

POSTER: User Perception and Expectations on Deleting Instant Messages -or- "What Happens If I Press This Button?"

2018 - Theodor Schnitzler, Christine Utz, Florian Farke, Christina Pöpper, Markus Dürmuth

USENIX Symposium on Usable Privacy and Security 2018 (SOUPS '18). Baltimore, MD, USA, August 12-14, 2018

"Will Any Password Do?" Exploring Rate-Limiting on the Web

2018 - Maximilian Golla, Theodor Schnitzler, Markus Dürmuth

Who Are You?! Adventures in Authentication 2018 (WAY '18). Baltimore, MD, USA, August 12, 2018 [PDF] [Slides]

Bars, Badges, and High Scores: On the Impact of Password Strength Visualizations

2018 - Maximilian Golla, Björn Hahn, Karsten Meyer zu Selhausen, Henry Hosseini, Markus Dürmuth

Who Are You?! Adventures in Authentication 2018 (WAY '18). Baltimore, MD, USA, August 12, 2018 [PDF] [Slides]

The Password Doesn't Fall Far: How Service Influences Password Choice

2018 - Miranda Wei, Maximilian Golla, Blase Ur

Who Are You?! Adventures in Authentication 2018 (WAY '18). Baltimore, MD, USA, August 12, 2018 [PDF] [Slides]

The State of User Authentication in the Wild

2018 - Nils Quermann, Marian Harbach, Markus Dürmuth

Who Are You?! Adventures in Authentication 2018 (WAY '18). Baltimore, MD, USA, August 12, 2018 [PDF]

User Perception and Expectations on Deleting Instant Messages -or- "What Happens If I Press This Button?"

2018 - Theodor Schnitzler, Christine Utz, Florian Farke, Christina Pöpper, Markus Dürmuth

European Workshop on Usable Security (EuroUSEC) 2018, London, England, 23 April 2018 [PDF] [Slides]

On The (In-)Security Of JavaScript Object Signing And Encryption

2017 - Dennis Detering, Juraj Somorovsky, Christian Mainka, Vladislav Mladenov, Jörg Schwenk

ROOTS, November 16–17, 2017, Vienna, Austria [PDF]

"I want my money back!" Limiting Online Password-Guessing Financially

2017 - Maximilian Golla, Daniel V. Bailey, Markus Dürmuth

Who Are You?! Adventures in Authentication 2017 (WAY '17). Santa Clara, CA, USA, July 12, 2017 [PDF] [Slides]

POSTER: Towards Implicit Visual Memory-Based Authentication

2017 - Claude Castelluccia, Markus Dürmuth, Maximilian Golla, Fatma Deniz

USENIX Symposium on Usable Privacy and Security 2017 (SOUPS '17). Santa Clara, CA, USA, July 12-14, 2017 [Full Version]

Towards Implicit Visual Memory-Based Authentication

2017 - Claude Castelluccia, Markus Dürmuth, Maximilian Golla, Fatma Deniz

ISOC Network and Distributed System Security Symposium 2017 (NDSS '17). San Diego, CA, USA, February 26 - March 1, 2017 [Video] [PDF] [Slides]

EmojiAuth: Quantifying the Security of Emoji-based Authentication

2017 - Maximilian Golla, Dennis Detering, Markus Dürmuth

Workshop on Usable Security 2017 (USEC '17). San Diego, CA, USA, February 25, 2017 [PDF] [Slides]

On the Security of Cracking-Resistant Password Vaults

2016 - Maximilian Golla, Benedict Beuscher, Markus Dürmuth

ACM Conference on Computer and Communications Security 2016 (CCS '16). Vienna, Austria, October 24-28, 2016 [Video] [PDF] [Slides]

Side-Channel Attacks on Fingerprint Matching Algorithms

2016 - Markus Dürmuth, David Oswald, Niklas Pastewka

To appear at the 6th International Workshop on Trustworthy Embedded Devices (TrustED 2016) [PDF]

On User Choice for Android Unlock Patterns

2016 - Marte Loge, Markus Dürmuth, Lillian Rostad

Accepted at the 1st European Workshop on Usable Security, 2016. [PDF]

Position Paper: Measuring the Impact of Alphabet and Culture on Graphical Passwords

2016 - Adam J. Aviv, Markus Dürmuth, Payas Gupta

Adventures in Authentication: WAY Workshop, 2016. [PDF]

Neuralyzer: Flexible Expiration Times for the Revocation of Online Data

2016 - Apostolis Zarras, Katharina Kohls, Markus Dürmuth, Christina Pöpper

In Proceedings of the ACM Conference on Data and Application Security and Privacy (ACM CODASPY) 2016 *** OUTSTANDING PAPER AWARD *** [PDF]

Who Are You? A Statistical Approach to Measuring User Authenticity

2016 - David Mandell Freeman, Sakshi Jain, Markus Dürmuth, Battista Biggio, Giorgio Giacinto

The Network and Distributed System Security Symposium 2016 (NDSS '16), San Diego, CA, USA, February 21-24, 2016 [PDF] [Slides]

Analyzing 4 Million Real-World Personal Knowledge Questions (Short Paper)

2015 - Maximilian Golla, Markus Dürmuth

International Conference on Passwords 2015 (PASSWORDS '15). Cambridge, United Kingdom, December 7-9, 2015 [Video] [PDF] [Slides]

OMEN: Faster Password Guessing Using an Ordered Markov Enumerator

2015 - Markus Dürmuth, Fabian Angelstorf, Claude Castelluccia, Daniele Perito, Abdelberi Chaabane

International Symposium on Engineering Secure Software and Systems (ESSoS), 2015. [GitHub] [PDF]
Page: