Home

Posts

CVE-2025-25294: Log Injection Vulnerability in Envoy Gateway

Summary I discovered a vulnerability in Envoy Gateway, which allowed attackers to manipulate access logs via malicious User-Agent string. By injecting payloads into the User-Agent Header, attackers could overwrite log fields (e.g., spoof IP addresses) or crash observability tools by corrupting log formats. After discovering this CVE-2025-25294, I responsibly disclosed it to the maintainers and also fixed the code via that Commit. Impact In all Envoy Gateway versions prior to 1....

March 20, 2025 · 2 min · Dennis Kniep

Fragile Passkey Ecosystem for Enterprises

TL;DR Companies rely solely on Passkeys for authentication. Issues and breaking changes within the Passkey ecosystem can prevent users from signing in. We kindly request all contributors of the Passkey ecosystem to be mindful of your responsibilities and act carefully. More details Companies rely solely on Passkeys for authentication Some global companies have progressed beyond the adoption phase and now rely solely on Passkeys. In fact, they have chosen to discard other conventional authentication methods (i....

March 11, 2024 · 6 min · Dennis Kniep, Andreas Pellengahr

Talk at Authenticate 2023: How to Go Passwordless Without Fallback

Conference Talk at Authenticate Conference 2023: How to Go Passwordless Without Fallback. You can see the recording here

October 18, 2023 · 1 min · Dennis Kniep, Andreas Pellengahr

Talk at EIC 2023: Enforce a faster sign-in

Conference Talk at European Identity and Cloud Conference 2023: Enforce a faster sign-in with Biometrics and Pin – even for legacy apps of a DAX company. You can see the recording here

May 11, 2023 · 1 min · Dennis Kniep, Andreas Pellengahr

Detached FIDO Authentication

TL;DR We want to enforce FIDO-only to achieve phishing resistant authentication without the possibility of downgrade attacks. But many web-views in legacy applications do not support WebAuthn. Use case: How to enforce FIDO-only even if your users use mobile apps or desktop applications that contain legacy WebViews to render the authentication flow? We call it “Detached FIDO Authentication”: Provide the option to jump out of applications that use legacy WebViews (do not support WebAuthn) into the Operating System Standard Browser....

November 29, 2022 · 9 min · Dennis Kniep, Andreas Pellengahr

Talk at Authenticate 2022: Journey to Implement FIDO

Conference Talk at Authenticate Conference 2022: Our journey to implement FIDO in a global science & technology company. You can see the recording here

October 19, 2022 · 1 min · Dennis Kniep, Andreas Pellengahr

Keynote at Authenticate Virtual Summit: Modernizing Healthcare with Strong Authentication

Keynote at Authenticate Virtual Summit: Modernizing Healthcare with Strong Authentication: Moving Beyond Passwords. You can see the recording here

June 16, 2022 · 1 min · Dennis Kniep, Andreas Pellengahr