Posts

Conference Talk at IT Summit by Heise 2025, togther with Alexander Schwarz Regaining digital sovereignty using the example of digital identities Digital identities are the key to digital sovereignty. Those who manage identities control access, data flows, and ultimately the rules of the game in the digital space. Using cloud services based in the USA, such as Entra ID or Okta, creates dependencies and risks for users and providers. Digital identities consolidate a variety of information about a person....

TL;DR; This post explains a phishing technique for FIDO cross‑device (hybrid) authentication. An attacker can run an AitM proxy that shows a fake, OS‑like QR code prompt in the browser. The attack requires placing one or more Bluetooth beacons within the victim’s Bluetooth range. See Proof of Concept and Demo Video Housekeeping First of all, I want to make clear that I am 100% convinced of FIDO. That’s a game-changer when it comes to security!...

TL;DR; I found a bypass for the recently fixed vulnerability, CVE-2024-9956, in Mobile Safari. The original fix blocks FIDO:/ URIs from being navigable. I was able to bypass it with a specifically crafted deep link to the Shortcuts app that leverages the x-cancel and x-error query parameters to open arbitrary URLs when the shortcut isn’t successful. Apple fixed it due to my report on 29 July 2025. CVE-2024-9956 (February 2025) All major mobile browsers were found to be vulnerable, allowing FIDO:/ intents to be triggered by a page....

Conference Talk at MCTTP 2025 Topic: Secure your Identity In today’s digital landscape, robust identity management is crucial for ensuring security and efficiency for companies. In this session the journey of a DAX30 company will be shared how the identity space was changed to address modern threats and risks. For large multinationals with a legacy history this becomes a real challenge. We will share some insights of a comprehensive architecture and technology stack that is detached from common SaaS IDPs and vendor agnostic....

TL;DR; EDIT 19.09.2025: Microsoft fixed it for normal Entra tenants, but still possible for federated Entra tenants. This is a novel technique that leverages the well-known Device Code phishing approach. It dynamically initiates the flow as soon as the victim opens the phishing link and instantly redirects them to the authentication page. A headless browser automates this by directly entering the generated Device Code into the webpage behind the scenes. This defeats the 10-minute token validity limitation and eliminates the need for the victim to manually perform these steps, elevating the efficiency of the attack to a new level....

Imagine if one could simply use FIDO Security Keys or Security Cards on any device through a unified interface that works seamlessly. When examining pluggable interfaces, we find various types such as USB-A, USB-C, and Thunderbolt, which often limit cross-device usability or require adapters. Maybe devices don’t have a pluggable interface at all due to design decisions, security restrictions or something similar. In theory there is one interface that appears to be a promising solution: NFC....

Conference Talk at Rethink!IAM 2025 IAM as First Line of Defense All-in on Passkeys - Allow Passkeys exclusively for all users – with no fallback to Password, SMS, Call or App Passkey Challenges – Recovery, Multi-IdPs, Apps on iOS/Android, NFC, etc. Control over Trust – Identities, Credentials & Authentications Identity Data Lake – All Data for automation

Summary I discovered a vulnerability in Envoy Gateway, which allowed attackers to manipulate access logs via malicious User-Agent string. By injecting payloads into the User-Agent Header, attackers could overwrite log fields (e.g., spoof IP addresses) or crash observability tools by corrupting log formats. After discovering this CVE-2025-25294, I responsibly disclosed it to the maintainers and also fixed the code via that Commit. Impact In all Envoy Gateway versions prior to 1....

Conference Talk at Inside IAM 2025 How to go all-in on Passkeys How do you allow Passkeys exclusively for all users – with no fallback to Password, SMS, Call or App? How do you ensure a secure registration and recovery? How do you enable legacy applications which are only capable of basic authentication? In short: How do you go passwordless everywhere without fallback? We will share insights of the next steps towards an identity-centric zero-trust environment....

TL;DR Companies rely solely on Passkeys for authentication. Issues and breaking changes within the Passkey ecosystem can prevent users from signing in. We kindly request all contributors of the Passkey ecosystem to be mindful of your responsibilities and act carefully. More details Companies rely solely on Passkeys for authentication Some global companies have progressed beyond the adoption phase and now rely solely on Passkeys. In fact, they have chosen to discard other conventional authentication methods (i....