MaxLab

Research Areas

Most of our work focuses on the intersection between human behavior and technical security.
Last update: January 2026

Our research, implemented by Google and deployed on billions of Android devices, has received significant international media attention, including coverage by Ars Technica, Electronic Frontier Foundation, Forbes, The Verge, WIRED, and ZDNet, and appeared in German-speaking news like Der Spiegel, Der Standard, Süddeutsche Zeitung, and Tagesschau, and was shown in documentaries by STRG_F and NZZ, and even appeared in a TV game show.

User Authentication
Recent research projects in the user authentication domain are outlined below, with representative papers included for illustration.

Passwordless Authentication

Passwordless Authentication: FIDO2 & Passkeys

Obstacles Companies Face Deploying FIDO2 Passwordless Authentication — USENIX Security '24
Mitigating Users' Misconceptions About FIDO2 Biometric WebAuthn — USENIX Security '21

Password Security

Password Security: Reused & Weak Passwords

Measuring the Risk Password Reuse Poses for a University — USENIX Security '23
Reasoning Analytically About Password-Cracking Software — IEEE SP '19
On the Accuracy of Password Strength Meters — ACM CCS '18

Security Warnings & Notifications

Security Warnings & Notifications: Nuding & Misconceptions

Optimizing Two-Factor Authentication Notification Design Patterns — USENIX Security '21
Designing Password-Reuse Notifications — ACM CCS '18

Mobile Authentication

Mobile Authentication: Recovery & PINs

Understanding How Users Prepare for and React to Smartphone Theft — USENIX Security '25
On the Security of Smartphone Unlock PINs — ACM TOPS '21
Analyzing the Security of Smartphone Unlock PINs — IEEE SP '20

Fallback Authentication

Fallback Authentication: Comparison & Security Analysis

A Comparative Long-Term Study of Fallback Authentication Schemes — ACM CHI '24
Analyzing 4 Million Real-World Personal Knowledge Questions — PASSWORDS '15

Risk-Based Authentication

Risk-Based Authentication: Configuration & Warning

Understanding Users' Interaction with Login Notifications — ACM CHI '24
How Administrators Configure Risk-based Authentication — USENIX SOUPS '22

Alternative Schemes

Alternative Schemes: Implicit Memory & Emoji

Towards Implicit Visual Memory-Based Authentication — ISOC NDSS '17
Quantifying the Security of Emoji-based Authentication — ISOC USEC '17

Crypto & Authentication

Crypto & Authentication: Post-Quantum Crypto & Honey Encryption

Towards Quantum Large-Scale Password Guessing on Real-World Distributions — Springer CANS '21
On the Security of Cracking-Resistant Password Vaults — ACM CCS '16

Enterprise & Access Control

Enterprise & Access Control: Awareness Training & IoT

Quantifying Cybersecurity Training in Organizations Through SEC 10-K Filings — ACM CCS '25
Rethinking Access Control and Authentication for the Home IoT — USENIX Security '18

Usable Privacy
Recent research projects in the usable privacy domain are outlined below, with representative papers included for illustration.

Online Behavioral Advertising

Online Behavioral Advertising: Dashboards & Transparency

How Does Connecting Online Activities to Advertising Inferences Impact Privacy Perceptions? — PETS '24
Evaluating User Perceptions and Reactions to Google's My Activity — USENIX Security '21

Disruptive Technologies

Disruptive Technologies: Mobile Apps & Smart Speakers

A Privacy and Security Analysis of Mobile Child Care Applications — PETS '22
Exploring Accidental Triggers of Smart Speakers — Computer Speech & Language '22