• ---

• 1 October 16, 2025: Kickoff

• ---

References

• Golla et al. EmojiAuth: Quantifying the Security of Emoji-based Authentication. ISOC USEC. 2017.
• Markert et al. This PIN Can Be Easily Guessed: Analyzing the Security of Smartphone Unlock PINs. IEEE S&P. 2020.
• Maximilian Golla. On the Usability and Security of Password-Based User Authentication. Ruhr University Bochum, May 2019.
• Bonneau et al. The Quest to Replace Passwords: A Framework for Comparative Evaluation of Web Authentication Schemes. IEEE S&P. 2012.

• ---

• 2 October 23, 2025: Passwords 101

• ---

References

• Boyd et al. Protocols for Authentication and Key Establishment. Springer. 2020.
• Golla et al. "Will Any Password Do?" Exploring Rate-Limiting on the Web. USENIX WAY. 2018.
• Bonneau et al. What's in a Name? Evaluating Statistical Attacks on Personal Knowledge Questions. Springer FC. 2010.
• Stevens et al. The First Collision for Full SHA-1. IACR CRYPTO. 2017.
• Liu et al. Reasoning Analytically About Password-Cracking Software. IEEE S&P. 2019.
• Ur et al. "I Added '!' at the End to Make It Secure": Observing Password Creation in the Lab. USENIX SOUPS. 2015.
• Ur et al. Do Users' Perceptions of Password Security Match Reality?. ACM CHI. 2016.
• Dürmuth et al. OMEN: Faster Password Guessing Using an Ordered Markov Enumerator. Springer ESSoS. 2015.
• Golla and Dürmuth. On the Accuracy of Password Strength Meters. ACM CCS. 2018.
• Malone et al. Investigating the Distribution of Password Choices. ACM WWW. 2012.
• Florêncio et al. Pushing on String: The 'Don't Care' Region of Password Strength. Communications of the ACM. 2016.

• ---

• 3 October 30, 2025: Passwords Attacks

• ---

References

• Golla and Dürmuth. On the Accuracy of Password Strength Meters. ACM CCS. 2018.
• Claude Shannon. A Mathematical Theory of Communication. Bell System Technical Journal. 1948.
• Joseph Bonneau. The Science of Guessing: Analyzing an Anonymized Corpus of 70 Million Passwords. IEEE S&P. 2012.
• Liu et al. Reasoning Analytically About Password-Cracking Software. IEEE S&P. 2019.
• Ur et al. How Does Your Password Measure Up? The Effect of Strength Meters on Password Creation. USENIX Security. 2012.
• Golla et al. Bars, Badges, and High Scores: On the Impact of Password Strength Visualizations. USENIX WAY. 2018.
• Ur et al. Design and Evaluation of a Data-Driven Password Meter. ACM CHI. 2017.
• Daniel Lowe Wheeler. zxcvbn: Low-Budget Password Strength Estimation. USENIX Security. 2016.
• Lee et al. Password Policies of Most Top Websites Fail to Follow Best Practices. USENIX SOUPS. 2022.
• Zhang et al. The Security of Modern Password Expiration: An Algorithmic Framework and Empirical Analysis. ACM CCS. 2010.
• Tan et al. Practical Recommendations for Stronger, More Usable Passwords. ACM CCS. 2020.
• Stobert and Biddle. The Password Life Cycle: User Behaviour in Managing Passwords. USENIX SOUPS. 2014.
• Dhamija et al. Why Phishing Works. ACM CHI. 2006.
• Lain et al. Phishing in Organizations: Findings from a Large-Scale and Long-Term Study. IEEE S&P. 2022.
• Ho et al. Understanding the Efficacy of Phishing Training in Practice. IEEE S&P. 2025.
• Reinheimer et al. An Investigation of Phishing Awareness and Education over Time: When and How to Best Remind Users. USENIX SOUPS. 2020.
• Volkamer et al. Analysing Simulated Phishing Campaigns for Staff. Springer SPOSE. 2020.
• Golla et al. "What was that site doing with my Facebook password?" Designing Password-Reuse Notifications. ACM CCS. 2018.

• ---

• 4 November 6, 2025: Password Defenses - Part 1

• ---

References

• Nisenoff et al. A Two-Decade Retrospective Analysis of a University's Vulnerability to Attacks Exploiting Reused Passwords. USENIX Security. 2023.
• Markert et al. View The Email to Get Hacked: Attacking SMS-Based Two-Factor Authentication. WAY. 2019.
• Golla et al. Driving 2FA Adoption at Scale: Optimizing Two-Factor Authentication Notification Design Patterns. USENIX Security. 2021.
• Mirian et al. Hack for Hire: Exploring the Emerging Market for Account Hijacking. ACM WWW. 2019.
• Reynolds et al. Empirical Measurement of Systemic 2FA Usability. USENIX Security. 2020.
• Das et al. Why Johnny Doesn't Use Two Factor: A Two-Phase Usability Study of the FIDO U2F Security Key. Springer FC. 2018.
• Reese et al. A Usability Study of Five Two-Factor Authentication Methods. USENIX SOUPS. 2019.
• Amft et al. An Evaluation of the Security and Usability of Multi-Factor Authentication Recovery Deployments. ACM CCS. 2023.
• Golla et al. On the Security of Cracking-Resistant Password Vaults. ACM CCS. 2016.

• ---

• 5 November 13, 2025: Password Defenses - Part 2

• ---

References

• Cherapau et al. On the Impact of Touch ID on iPhone Passcodes. USENIX SOUPS. 2015.
• Pearman et al. Why People (Don't) Use Password Managers Effectively. USENIX SOUPS. 2019.
• Huaman et al. They Would Do Better If They Worked Together: Interaction Problems Between Password Managers and the Web. IEEE S&P. 2021.
• Wiefling et al. Is This Really You? An Empirical Study on Risk-Based Authentication Applied in the Wild. IFIP SEC. 2019.
• Markert et al. "As soon as it's a risk, I want to require MFA": How Administrators Configure Risk-based Authentication. USENIX SOUPS. 2022.
• Markert et al. Understanding Users' Interaction with Login Notifications. ACM CHI. 2024.
• Thomas et al. Protecting Accounts from Credential Stuffing with Password Breach Alerting. USENIX Security. 2019.
• Oh et al. Understanding and Improving User Adoption and Security Awareness in Password Checkup Services. ACM CHI. 2025.
• Krause et al. An In-Depth Analysis of Automation Capabilities of Password Update Processes on Top-Ranked Websites. arXiv preprint. 2025.

• ---

• 6 November 20, 2025: Password Protocols

• ---

References

• Bauer et al. A Comparison of Users' Perceptions of and Willingness to use Google, Facebook, and Google+ Single-Sign-On Functionality. ACM DIM. 2013.
• Balash et al. Security and Privacy Perceptions of Third-Party Application Access for Google Accounts. USENIX Security. 2022.
• Bellovin and Merritt. Encrypted Key Exchange: Password-Based Protocols Secure Against Dictionary Attacks. IEEE S&P. 1992.
• Wang et al. Password-Authenticated Key Exchange Protocols: A Survey. ACM Computing Surveys. 2025.
• Wu. The Secure Remote Password Protocol. ISOC NDSS. 1998.
• Jarecki et al. OPAQUE: An Asymmetric PAKE Protocol Secure Against Pre-Computation Attacks. Springer Eurocrypt. 2018.

• ---

• 7 November 27, 2025: Hardware Tokens and Biometrics - Part 1

• ---

References

• Theofanos et al. Secure and Usable Enterprise Authentication: Lessons from the Field. IEEE Security & Privacy. 2016.
• Farke et al. "You still use the password after all" – Exploring FIDO2 Security Keys in a Small Company. USENIX SOUPS. 2020.
• Reynolds et al. A Tale of Two Studies: The Best and Worst of YubiKey Usability. IEEE S&P. 2018.
• Lyastani et al. Is FIDO2 the Kingslayer of User Authentication? A Comparative Usability Study of FIDO2 Passwordless Authentication. IEEE S&P. 2020.
• Würsching et al. FIDO2 the Rescue? Platform vs. Roaming Authentication on Smartphones. ACM CHI. 2023.
• Oswald et al. Side-Channel Attacks on the Yubikey 2 One-Time Password Generator. Springer RAID. 2013.
• Cherapau et al. On the Impact of Touch ID on iPhone Passcodes. USENIX SOUPS. 2015.
• Mecke et al. Do They Understand What They Are Using? – Assessing Perception and Usage of Biometrics. arXiv preprint. 2024.
• Wolf et al. "Pretty Close to a Must-Have": Balancing Usability Desire and Security Concern in Biometric Adoption. ACM CHI. 2019.

• ---

• 8 December 4, 2025: Biometrics - Part 2 and Passwordless Authentication - Part 1

• ---

References

• Mare et al. ZEBRA: Zero-Effort Bilateral Recurring Authentication. IEEE S&P. 2014.
• Boyd et al. Understanding the Security and Privacy Advice Given to Black Lives Matter Protesters. ACM CHI. 2021.
• Grosse and Upadhyay. Authentication at Scale. IEEE Security & Privacy. 2012.
• Lassak et al. Why Aren't We Using Passkeys? Obstacles Companies Face Deploying FIDO2 Passwordless Authentication. USENIX Security. 2024.
• Farke et al. Exploring FIDO2 Security Keys in a Small Company. USENIX SOUPS. 2021.
• Lassak et al. "It's Stored, Hopefully, on an Encrypted Server": Mitigating Users' Misconceptions About FIDO2 Biometric WebAuthn. USENIX Security. 2021.

• ---

• 9 December 11, 2025: Passwordless Authentication - Part 2 and Graphical Passwords - Part 1

• ---

References

• Yadav and Seamons. A Security and Usability Analysis of Local Attacks Against FIDO2. ISOC NDSS. 2024.
• Mahdad et al. Breaching Security Keys without Root: FIDO2 Deception Attacks via Overlays exploiting Limited Display Authenticators. ACM CCS. 2024.
• Ulqinaku et al. Is Real-time Phishing Eliminated with FIDO? Social Engineering Downgrade Attacks against FIDO Protocols. USENIX Security. 2021.
• Lassak et al. Why Aren't We Using Passkeys? Obstacles Companies Face Deploying FIDO2 Passwordless Authentication. USENIX Security. 2024.
• Lassak et al. "It's Stored, Hopefully, on an Encrypted Server": Mitigating Users' Misconceptions About FIDO2 Biometric WebAuthn. USENIX Security. 2021.
• Jermyn et al. The Design and Analysis of Graphical Passwords. USENIX Security. 1999.
• Hai Tao. Pass-Go, a New Graphical Password Scheme. PhD Thesis. University of Ottawa. 2006.
• Golla et al. EmojiAuth: Quantifying the Security of Emoji-based Authentication. ISOC USEC. 2017.

• ---

• 10 December 18, 2025: Graphical Passwords - Part 2 and Mobile Authentication

• ---

References

• Wiedenbeck et al. PassPoints: Design and Longitudinal Evaluation of a Graphical Password System. Elsevier IJHCS. 2005.
• Dirik et al. Modeling User Choice in the Passpoints Graphical Password Scheme. USENIX SOUPS. 2007.
• Chiasson et al. Persuasive Cued Click-Points: Design, Implementation, and Evaluation of a Knowledge-Based Authentication Mechanism. IEEE TDSC. 2012.
• Thorpe et al. Usability and Security Evaluation of GeoPass: A Geographic Location-Password Scheme. USENIX SOUPS. 2013.
• Golla and Bailey. GeoFallbackAuth: Towards Graphical Fallback Authentication via Street-Level Imagery and Personal Memories. Unpublished. 2014.
• Davis et al. On User Choice in Graphical Password Schemes. USENIX Security. 2004.
• Dhamija and Perrig. Déjà Vu: A User Study Using Images for Authentication. USENIX Security. 2000.
• Melicher et al. Usability and Security of Text Passwords on Mobile Devices. ACM CHI. 2016.
• Golla et al. On the In-Accuracy and Influence of Android Pattern Strength Meters. ISOC USEC. 2019.
• Markert et al. This PIN Can Be Easily Guessed: Analyzing the Security of Smartphone Unlock PINs. IEEE S&P. 2020.
• Markert et al. On the Security of Smartphone Unlock PINs. ACM TOPS. 2021.
• Sergei Skorobogatov. The Bumpy Road Towards iPhone 5C NAND Mirroring. arXiv preprint. 2016.
• Stefan Savage. Lawful Device Access without Mass Surveillance Risk: A Technical Design Discussion. ACM CCS. 2018.
• Lisovets et al. Let's Take it Offline: Boosting Brute-Force Attacks on iPhone's User Authentication through SCA. IACR CHES. 2021.
• Aviv et al. Towards Baselines for Shoulder Surfing on Mobile Authentication. ACM ACSAC. 2017.
• Krombholz et al. Use the Force: Evaluating Force-Sensitive Authentication for Mobile Devices. USENIX SOUPS. 2016.
• Khan et al. Evaluating Attack and Defense Strategies for Smartphone PIN Shoulder Surfing. ACM CHI. 2018.
• Draschbacher et al. ChoiceJacking: Compromising Mobile Devices Through Malicious Chargers like a Decade Ago. USENIX Security. 2025.
• Aviv et al. Smudge Attacks on Smartphone Touch Screens. USENIX WOOT. 2010.
• Abdelrahman et al. Stay Cool! Understanding Thermal Attacks on Mobile-based User Authentication. ACM CHI. 2017.
• Krombholz et al. The Petri Dish Attack: Guessing Secrets Based on Bacterial Growth. ISOC NDSS. 2018.
• Uellenbeck et al. Quantifying the Security of Graphical Passwords: The Case of Android Unlock Patterns. ACM CCS. 2013.
• Loge et al. On User Choice for Android Unlock Patterns. ISOC EuroUSEC. 2016.
• Aviv et al. Is Bigger Better? Comparing User-Generated Passwords on 3x3 vs. 4x4 Grid Sizes for Android's Pattern Unlock. ACM ACSAC. 2015.

• ---

• 11 January 8, 2026: Evaluating and Comparing Schemes

• ---

References

• Markert et al. Understanding Users' Interaction with Login Notifications. ACM CHI. 2024.
• Joseph Bonneau. The Science of Guessing: Analyzing an Anonymized Corpus of 70 Million Passwords. IEEE S&P. 2012.
• Chatterjee et al. pASSWORD tYPOS and How to Correct Them Securely. IEEE S&P. 2016.
• Golla et al. Driving 2FA Adoption at Scale: Optimizing Two-Factor Authentication Notification Design Patterns. USENIX Security. 2021.
• Bhardwaj et al. Understanding How Users Prepare for and React to Smartphone Theft. USENIX Security. 2025.
• Matejka et al. Generating Datasets with Varied Appearance and Identical Statistics through Simulated Annealing. ACM CHI. 2017.
• John Brooke. SUS: A "Quick and Dirty" Usability Scale. In Usability Evaluation in Industry (Taylor & Francis). 1996.
• Bangor et al. Determining What Individual SUS Scores Mean: Adding an Adjective Rating Scale. UXPA JUX. 2009.
• Laugwitz et al. Construction and Evaluation of a User Experience Questionnaire. Springer USAB. 2008.
• Schrepp et al. Design and Evaluation of a Short Version of the User Experience Questionnaire (UEQ-S). UNIR IJIMAI. 2017.
• Hart and Staveland. Development of NASA-TLX (Task Load Index): Results of Empirical and Theoretical Research. Elsevier Advances in Psychology. 1988.
• Bonneau et al. The Quest to Replace Passwords: A Framework for Comparative Evaluation of Web Authentication Schemes. IEEE S&P. 2012.
• Mayer et al. Supporting Decision Makers in Choosing Suitable Authentication Schemes. University of Plymouth HAISA. 2016.
• Mayer et al. ACCESSv2: A Collaborative Authentication Research and Decision Support Platform. USENIX WAY. 2018.

• ---

• 12 January 15, 2026: Fallback Authentication

• ---

References

• Reeder et al. 152 Simple Steps to Stay Safe Online: Security Advice for Non-Tech-Savvy Users. IEEE S&P. 2017.
• Inglesant and Sasse. The True Cost of Unusable Password Policies: Password Use in the Wild. ACM CHI. 2010.
• Florêncio et al. An Administrator’s Guide to Internet Password Research. USENIX LISA. 2014.
• Jakobsson et al. Love and Authentication. ACM CHI. 2008.
• Hang et al. Where Have You Been? Using Location-Based Security Questions for Fallback Authentication. USENIX SOUPS. 2015.
• Castelluccia et al. Towards Implicit Visual Memory-Based Authentication. ISOC NDSS. 2017.
• Schechter et al. It's No Secret. Measuring the Security and Reliability of Authentication via "Secret" Questions. IEEE S&P. 2009.
• Zviran and Haga. User Authentication by Cognitive Passwords: An Empirical Assessment. IEEE JCIT. 1990.
• Bonneau et al. Secrets, Lies, and Account Recovery: Lessons from the Use of Personal Knowledge Questions at Google. ACM WWW. 2015.
• Golla and Dürmuth. Analyzing 4 Million Real-World Personal Knowledge Questions. Springer PASSWORDS. 2015.
• Li et al. Email as a Master Key: Analyzing Account Recovery in the Wild. IEEE INFOCOM. 2018.
• Kraus et al. How Do Users Chain Email Accounts Together?. IFIP SEC. 2021.
• Brainard et al. Fourth-Factor Authentication: Somebody You Know. ACM CCS. 2006.
• Schechter et al. It's Not What You Know, but Who You Know: A Social Approach to Last-Resort Authentication. ACM CHI. 2009.
• Javed et al. Secure Fallback Authentication and the Trusted Friend Attack. IEEE ICDCSW. 2014.
• Kunke et al. Evaluation of Account Recovery Strategies with FIDO2-based Passwordless Authentication. GI ODI. 2021.
• Lassak et al. Why Aren't We Using Passkeys? Obstacles Companies Face Deploying FIDO2 Passwordless Authentication. USENIX Security. 2024.
• Lassak et al. A Comparative Long-Term Study of Fallback Authentication Schemes. ACM CHI. 2024.
• Brad Hill. Moving Account Recovery beyond Email and the 'Secret' Question. USENIX Enigma. 2017.
• Blessing et al. SoK: Web Authentication and Recovery in the Age of End-to-End Encryption. PETS. 2025.
• Pilar Garcia. Who Are You Again? Verifying User Access Rights in an Encryption Based System. PASSWORDS. 2019.
• Büttner et al. Is it Really You Who Forgot the Password? When Account Recovery Meets Risk-Based Authentication. Springer UbiSec. 2023.
• Griffith and Jakobsson. Messin' with Texas Deriving Mother's Maiden Names Using Public Records. Springer ACNS. 2005.
• Ariel Rabkin. Personal Knowledge Questions for Fallback Authentication: Security Questions in the Era of Facebook. ACM SOUPS. 2008.
• Bonneau et al. What's in a Name? Evaluating Statistical Attacks on Personal Knowledge Questions. Springer FC. 2010.
• Gelernter et al. The Password Reset MitM Attack. IEEE S&P. 2017.
• Lee et al. An Empirical Study of Wireless Carrier Authentication for SIM Swaps. USENIX SOUPS. 2020.
• Ulqinaku et al. Is Real-time Phishing Eliminated with FIDO? Social Engineering Downgrade Attacks against FIDO Protocols. USENIX Security. 2021.
• Klivan et al. "We've Disabled MFA for You": An Evaluation of the Security and Usability of Multi-Factor Authentication Recovery Deployments. ACM CCS. 2023.

• ---

• 13 January 22, 2026: Exam Preparation

• ---

References

• Sanchez et al. Implicit Task Performance Reveals Individually Reliable Sequence Learning Without Explicit Knowledge. Springer Psychonomic Bulletin. 2010.
• Denning et al. Exploring Implicit Memory for Painless Password Recovery. ACM CHI. 2011.
• Bojinov et al. Neuroscience Meets Cryptography: Designing Crypto Primitives Secure Against Rubber Hose Attacks. USENIX Security. 2012.
• Castelluccia et al. Towards Implicit Visual Memory-Based Authentication. ISOC NDSS. 2017.
• Joudaki et al. Reinforcing System-Assigned Passphrases Through Implicit Learning. ACM CCS. 2018.
• Thorpe et al. Pass-Thoughts: Authenticating with our Minds. ACM NSPW. 2005.
• Marcel and del R. Millán. Person Authentication Using Brainwaves (EEG) and Maximum A Posteriori Model Adaptation. IEEE TPAMI. 2007.
• Monrose and Rubin. Authentication via Keystroke Dynamics. ACM CCS. 1997.
• Zhang and Wang. Peeping Tom in the Neighborhood: Keystroke Eavesdropping on Multi-User Systems. USENIX Security. 2009.

• ---

• 14 January 29, 2026: Cybersecurity in Organizational Practice (Guest Lecture by Dr. Jonas Hielscher - CHESS Lab)

• ---

References

• Gutfleisch et al. Microsoft Office Macro Warnings: A Design Comedy of Errors with Tragic Security Consequences. ACM EuroUSEC. 2021.
• Akhawe and Felt. Alice in Warningland: A Large-Scale Field Study of Browser Security Warning Effectiveness. USENIX Security. 2013.
• Menges et al. Why IT Security Needs Therapy. Springer ESORICS. 2021.
• Adams and Sasse. Users Are Not the Enemy. ACM Communications of the ACM. 1999.
• Gabriel and Furnell. Selecting Security Champions. Elsevier Computer Fraud & Security. 2011.
• Menges et al. Caring Not Scaring - An Evaluation of a Workshop to Train Apprentices as Security Champions. ACM EuroUSEC. 2023.
• Becker et al. Finding Security Champions in Blends of Organisational Culture. ISOC EuroUSEC. 2017.
• Ashenden and Lawrence. Security Dialogues: Building Better Relationships between Security and Business. IEEE Security & Privacy. 2016.
• Renaud and Coles-Kemp. Accessible and Inclusive Cyber Security: A Nuanced and Complex Challenge. Springer SN Computer Science. 2022.
• Hielscher et al. "Taking out the Trash": Why Security Behavior Change requires Intentional Forgetting. ACM NSPW. 2021.
• Reeder et al. 152 Simple Steps to Stay Safe Online: Security Advice for Non-Tech-Savvy Users. IEEE S&P. 2017.
• Florêncio et al. FUD: A Plea for Intolerance. ACM Communications of the ACM. 2014.
• Reichmann et al. Security Knight in Shining Armor: What and Who VPN Providers Claim to Shield Consumers Against. ACM CHI. 2025.
• Tyler Moore. How Shifting Liability Explains Rising Cybercrime Costs. Rossfest Festschrift. 2025.
• Ross Anderson. Why Cryptosystems Fail. ACM CCS. 1993.
• Hielscher et al. The CISO View of Human-Centred Security. USENIX Security. 2023.
• Hielscher and Parkin. Deconstructing Drivers and Goals of Organizational Security Awareness. USENIX Security. 2024.
• Hielscher et al. Selling Satisfaction: A Qualitative Analysis of Cybersecurity Awareness Vendors' Promises. ACM CCS. 2024.
• Constantinides et al. Security and Usability of a Personalized User Authentication Paradigm. ACM TOC Health. 2023.
• Haber and Rolls. Identity Attack Vectors: Strategically Designing and Implementing Identity Security. Apress. 2024.
• Lassak et al. Why Aren't We Using Passkeys? Obstacles Companies Face Deploying FIDO2 Passwordless Authentication. USENIX Security. 2024.

• ---

• Not Covered (Future Work)

• ---

References

• Dürmuth et al. Towards Quantum Large-Scale Password Guessing on Real-World Distributions. Springer CANS. 2021.
• Juels and Ristenpart. Honey Encryption: Beyond the Brute-Force Barrier. Springer EUROCRYPT. 2014.
• Monsen et al. Device Bound Session Credentials. W3C First Public Working Draft. 2025.
• Golla et al. "I want my money back!" Limiting Online Password-Guessing Financially. USENIX WAY. 2017.