Phishing despite FIDO, leveraging a novel technique based on the Device Code Flow
TL;DR: This is a novel technique that leverages the well-known Device Code phishing approach. It dynamically initiates the flow as soon as the victim opens the phishing link and instantly redirects them to the authentication page. A headless browser automates this by directly entering the generated Device Code into the webpage behind the scenes. This defeats the 10-minute token validity limitation and eliminates the need for the victim to manually perform these steps, elevating the efficiency of the attack to a new level....
Challenges with FIDO via NFC
Imagine if one could simply use FIDO Security Keys or Security Cards on any device through a unified interface that works seamlessly. When examining pluggable interfaces, we find various types such as USB-A, USB-C, and Thunderbolt, which often limit cross-device usability or require adapters. Some devices may not have a pluggable interface at all, due to design decisions, security restrictions or similar constraints. In theory, there is one interface that appears to be a promising solution: NFC....
Talk at Rethink!IAM 2025: IAM as First Line of Defense
Conference Talk at Rethink!IAM 2025: IAM as First Line of Defense. All-in on Passkeys – Allow Passkeys exclusively for all users, with no fallback to Password, SMS, Call or App. Passkey Challenges – Recovery, Multi-IdPs, Apps on iOS/Android, NFC, etc. Control over Trust – Identities, Credentials & Authentications. Identity Data Lake – All Data for automation.
CVE-2025-25294: Log Injection Vulnerability in Envoy Gateway
Summary: I discovered a vulnerability in Envoy Gateway, which allowed attackers to manipulate access logs via a malicious User-Agent string. By injecting payloads into the User-Agent header, attackers could overwrite log fields (e.g., spoof IP addresses) or crash observability tools by corrupting log formats. After discovering this CVE-2025-25294, I responsibly disclosed it to the maintainers and also fixed the code via that commit. Impact: In all Envoy Gateway versions prior to 1....
Talk at Inside IAM 2025: How to go all-in on Passkeys
Conference Talk at Inside IAM 2025: How to go all-in on Passkeys. How do you allow Passkeys exclusively for all users – with no fallback to Password, SMS, Call or App? How do you ensure a secure registration and recovery? How do you enable legacy applications which are only capable of basic authentication? In short: How do you go passwordless everywhere without fallback? We will share insights into the next steps towards an identity-centric zero-trust environment....
Fragile Passkey Ecosystem for Enterprises
TL;DR: Companies rely solely on Passkeys for authentication. Issues and breaking changes within the Passkey ecosystem can prevent users from signing in. We kindly request all contributors of the Passkey ecosystem to be mindful of their responsibilities and act carefully. More details: Companies rely solely on Passkeys for authentication. Some global companies have progressed beyond the adoption phase and now rely solely on Passkeys. In fact, they have chosen to discard other conventional authentication methods (i....
Talk at Authenticate 2023: How to Go Passwordless Without Fallback
Conference Talk at Authenticate Conference 2023: How to Go Passwordless Without Fallback. You can see the recording here
Talk at EIC 2023: Enforce a faster sign-in
Conference Talk at European Identity and Cloud Conference 2023: Enforce a faster sign-in with Biometrics and Pin – even for legacy apps of a DAX company. You can see the recording here
Detached FIDO Authentication
TL;DR: We want to enforce FIDO-only to achieve phishing-resistant authentication without the possibility of downgrade attacks. But many WebViews in legacy applications do not support WebAuthn. Use case: How to enforce FIDO-only even if your users use mobile apps or desktop applications that contain legacy WebViews to render the authentication flow? We call it “Detached FIDO Authentication”: Provide the option to jump out of applications that use legacy WebViews (which do not support WebAuthn) into the Operating System Standard Browser....
Talk at Authenticate 2022: Journey to Implement FIDO
Conference Talk at Authenticate Conference 2022: Our journey to implement FIDO in a global science & technology company. You can see the recording here