About

I’m a postdoctoral researcher in the field of Cyber Security. My current research spans the areas of Authentication and Usability, and Privacy. Among other things, I am researching how to improve the security of passwords without reducing usability. My work has been featured in Schneier on Security, The Daily Swig, t-online.de, GIGA.de, Heise, Golem.de, Kölner Stadtanzeiger, and other media outlets.

I have also contributed my expertise in Usable Security & Privacy to industry (e.g., Meta, Telenor). In addition, I work as a senior software engineer at Vodafone.

I also co-wrote the book Programmieren trainieren (Exercise programming), which was published by Hanser Verlag.

Research Interests

  • Risk-Based Authentication
  • Usable Security and Privacy
  • Mobile Authentication
  • Usable Passwords
  • Privacy Dashboards
  • Developer-Centered Security
  • Human-Computer-Interaction (HCI)

Awards

Open Data Impact Award 2022
Granted by: Stifterverband für die Deutsche Wissenschaft e.V.
Best ACSAC Video Production 2020
Granted by: Annual Computer Security Applications Conference (ACSAC)
RISE Germany Scholarship 2019, 2020
Granted by: German Academic Exchange Service (DAAD)
Best Graduate of the Year 2018/2019, Master Media Technology
Granted by: TH Köln - University of Applied Sciences

Education

Computer Science (Dr.-Ing.)
Ruhr University Bochum, Horst Görtz Institute for IT Security (2018 - 2023)
Reviewed by Markus Dürmuth, Martina Angela Sasse, and Luigi Lo Iacono
Thesis Defense Slides
Media Technology (M. Sc.)
TH Köln - University of Applied Sciences (2015 - 2018)
Media Technology (B. Eng.)
Cologne University of Applied Sciences (2011 - 2015)

Selected Publications


A Privacy Measure Turned Upside Down? Investigating the Use of HTTP Client Hints on the Web ()
and ARES ’24. ACM.
PDF
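@inproceedings{article_ares2024_wiefling,
  author    = {Wiefling, Stephan and Hönscheid, Marian and {Lo Iacono}, Luigi},
  title     = {A {Privacy} {Measure} {Turned} {Upside} {Down}? {Investigating} the {Use} of {HTTP} {Client} {Hints} on the {Web}},
  booktitle = {19th {International} {Conference} on {Availability}, {Reliability} and {Security}},
  series    = {{ARES} '24},
  publisher = {ACM},
  location  = {Vienna, Austria},
  month     = aug,
  year      = {2024},
  doi       = {10.1145/3664476.3664478},
}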

Is It Really You Who Forgot the Password? When Account Recovery Meets Risk-Based Authentication ()
and UbiSec ’23. Springer.
PDF Website
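@inproceedings{article_ubisec2023_buettner,
  author    = {Büttner, Andre and Pedersen, Andreas Thue and Wiefling, Stephan and Gruschka, Nils and {Lo Iacono}, Luigi},
  title     = {Is {It} {Really} {You} {Who} {Forgot} the {Password}? {When} {Account} {Recovery} {Meets} {Risk}-{Based} {Authentication}},
  booktitle = {{UbiSec} '23},
  publisher = {Springer},
  location  = {Exeter, United Kingdom},
  month     = mar,
  year      = {2024},
  doi       = {10.1007/978-981-97-1274-8_26},
}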

Risk-Based Authentication for OpenStack: A Fully Functional Implementation and Guiding Example ()
and CODASPY ’23. ACM.
PDF
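@inproceedings{article_codaspy2023_unsel,
  author    = {Unsel, Vincent and Wiefling, Stephan and Gruschka, Nils and {Lo Iacono}, Luigi},
  title     = {{Risk}-{Based} {Authentication} for {OpenStack}: {A} {Fully} {Functional} {Implementation} and {Guiding} {Example}},
  booktitle = {13th {ACM} {Conference} on {Data} and {Application} {Security} and {Privacy}},
  series    = {{CODASPY} '23},
  publisher = {ACM},
  location  = {Charlotte, NC, USA},
  month     = apr,
  year      = {2023},
  doi       = {10.1145/3577923.3583634},
}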

Data Protection Officers’ Perspectives on Privacy Challenges in Digital Ecosystems ()
and SPOSE ’22. Springer.
PDF PDF [Publisher]
@inproceedings{article_spose2022_wiefling,
  title     = {Data {Protection} {Officers}' {Perspectives} on {Privacy} {Challenges} in {Digital} {Ecosystems}},
  author    = {Wiefling, Stephan and Tolsdorf, Jan and Lo Iacono, Luigi},
  booktitle = {4th {Workshop} on {Security}, {Privacy}, {Organizations}, and {Systems} {Engineering}},
  series    = {SPOSE '22},
  publisher = {Springer},
  location  = {Copenhagen, Denmark},
  year      = {2023},
  doi       = {10.1007/978-3-031-25460-4_13},
}

Pump Up Password Security! Evaluating and Enhancing Risk-Based Authentication on a Real-World Large-Scale Online Service ()
and ACM TOPS. ACM.
PDF
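@article{article_tops2023_wiefling,
  author    = {Wiefling, Stephan and Jørgensen, Paul René and Thunem, Sigurd and {Lo Iacono}, Luigi},
  title     = {Pump {Up} {Password} {Security}! {Evaluating} and {Enhancing} {Risk}-{Based} {Authentication} on a {Real}-{World} {Large}-{Scale} {Online} {Service}},
  journal   = {{ACM} {Transactions} on {Privacy} and {Security}},
  publisher = {ACM},
  volume    = {26},
  number    = {1},
  articleno = {6},
  issn      = {2471-2566},
  month     = feb,
  year      = {2023},
  doi       = {10.1145/3546069},
}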

Privacy Considerations for Risk-Based Authentication Systems ()
and IWPE ’21. IEEE.
PDF
@inproceedings{article_iwpe2021_wiefling,
  title     = {Privacy {Considerations} for {Risk}-{Based} {Authentication} {Systems}},
  author    = {Wiefling, Stephan and Tolsdorf, Jan and Lo Iacono, Luigi},
  booktitle = {2021 {International} {Workshop} on {Privacy} {Engineering}},
  series    = {IWPE '21},
  publisher = {IEEE},
  location  = {Vienna, Austria},
  pages     = {320--327},
  month     = sep,
  year      = {2021},
  doi       = {10.1109/EuroSPW54576.2021.00040},
}

"I just looked for the solution!" - On Integrating Security-Relevant Information in Non-Security API Documentation to Support Secure Coding Practices ()
and IEEE TSE. IEEE.
PDF
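@article{journals_tse2021_gorski,
  author    = {Gorski, Peter Leo and Möller, Sebastian and Wiefling, Stephan and Lo Iacono, Luigi},
  title     = {{``I just looked for the solution!''} - {On} {Integrating} {Security}-{Relevant} {Information} in {Non}-{Security} {API} {Documentation} to {Support} {Secure} {Coding} {Practices}},
  journal   = {IEEE Transactions on Software Engineering},
  publisher = {IEEE},
  year      = {2021},
  doi       = {10.1109/TSE.2021.3094171},
}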

Verify It’s You: How Users Perceive Risk-based Authentication ()
and IEEE Security & Privacy. IEEE.
PDF
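@article{journals_spm2021_wiefling,
  author    = {Wiefling, Stephan and Dürmuth, Markus and Lo Iacono, Luigi},
  title     = {Verify {It}'s {You}: {How} {Users} {Perceive} {Risk}-based {Authentication}},
  journal   = {IEEE Security \& Privacy},
  publisher = {IEEE},
  volume    = {19},
  number    = {6},
  pages     = {47--57},
  month     = nov,
  year      = {2021},
  doi       = {10.1109/MSEC.2021.3077954},
}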

What’s in Score for Website Users: A Data-Driven Long-Term Study on Risk-Based Authentication Characteristics ()
and FC ’21. Springer.
PDF
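@inproceedings{article_fc2021_wiefling,
  author    = {Wiefling, Stephan and D{\"u}rmuth, Markus and Lo Iacono, Luigi},
  title     = {What's in {Score} for {Website} {Users}: {A} {Data}-{Driven} {Long}-{Term} {Study} on {Risk}-{Based} {Authentication} {Characteristics}},
  booktitle = {25th {International} {Conference} on {Financial} {Cryptography} and {Data} {Security} ({FC} '21)},
  publisher = {Springer},
  location  = {Grenada},
  pages     = {361--381},
  month     = mar,
  year      = {2021},
  doi       = {10.1007/978-3-662-64331-0_19},
}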

More Than Just Good Passwords? A Study on Usability and Security Perceptions of Risk-based Authentication ()
and ACSAC ’20. ACM.
PDF
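@inproceedings{article_acsac2020_wiefling,
  author    = {Wiefling, Stephan and D{\"u}rmuth, Markus and Lo Iacono, Luigi},
  title     = {More {Than} {Just} {Good} {Passwords}? {A} {Study} on {Usability} and {Security} {Perceptions} of {Risk-based} {Authentication}},
  booktitle = {36th {Annual} {Computer} {Security} {Applications} {Conference} ({ACSAC} '20)},
  publisher = {ACM},
  location  = {Austin, USA},
  pages     = {203--218},
  month     = dec,
  year      = {2020},
  isbn      = {978-1-4503-8858-0},
  doi       = {10.1145/3427228.3427243},
}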

Evaluation of Risk-based Re-Authentication Methods ()
and IFIP SEC ’20. Springer.
PDF
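@inproceedings{article_ifipsec2020_wiefling,
  author    = {Wiefling, Stephan and Patil, Tanvi and D{\"u}rmuth, Markus and Lo Iacono, Luigi},
  title     = {{Evaluation} of {Risk-based} {Re}-{Authentication} {Methods}},
  booktitle = {35th {IFIP} {TC}-11 {International} {Conference} on {Information} {Security} and {Privacy} {Protection} ({IFIP} {SEC} 2020)},
  series    = {{IFIP} {Advances} in {Information} and {Communication} {Technology}},
  publisher = {Springer International Publishing},
  location  = {Maribor, Slovenia},
  volume    = {580},
  pages     = {280--294},
  month     = sep,
  year      = {2020},
  isbn      = {978-3-030-58200-5},
  doi       = {10.1007/978-3-030-58201-2_19},
}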

Even Turing Should Sometimes Not Be Able To Tell: Mimicking Humanoid Usage Behavior for Exploratory Studies of Online Services ()
and NordSec ’19. Springer Nature.
PDF
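@inproceedings{article_nordsec2019_wiefling,
  author    = {Wiefling, Stephan and Gruschka, Nils and Lo Iacono, Luigi},
  title     = {Even {Turing} {Should} {Sometimes} {Not} {Be} {Able} {To} {Tell}: {Mimicking} {Humanoid} {Usage} {Behavior} for {Exploratory} {Studies} of {Online} {Services}},
  booktitle = {24th {Nordic} {Conference} on {Secure} {IT} {Systems} ({NordSec} 2019)},
  series    = {{Lecture} {Notes} in {Computer} {Science}},
  publisher = {Springer Nature},
  location  = {Aalborg, Denmark},
  volume    = {11875},
  pages     = {188--203},
  month     = nov,
  year      = {2019},
  isbn      = {978-3-030-35055-0},
  doi       = {10.1007/978-3-030-35055-0_12},
}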

Is This Really You? An Empirical Study on Risk-Based Authentication Applied in the Wild ()
and IFIP SEC ’19. Springer.
PDF
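@inproceedings{article_ifipsec2019_wiefling,
  author    = {Wiefling, Stephan and Lo Iacono, Luigi and D{\"u}rmuth, Markus},
  title     = {Is {This} {Really} {You}? {An} {Empirical} {Study} on {Risk}-{Based} {Authentication} {Applied} in the {Wild}},
  booktitle = {34th {IFIP} {TC}-11 {International} {Conference} on {Information} {Security} and {Privacy} {Protection} ({IFIP} {SEC} 2019)},
  series    = {{IFIP} {Advances} in {Information} and {Communication} {Technology}},
  publisher = {Springer International Publishing},
  location  = {Lisbon, Portugal},
  volume    = {562},
  pages     = {134--148},
  month     = jun,
  year      = {2019},
  isbn      = {978-3-030-22311-3},
  doi       = {10.1007/978-3-030-22312-0_10},
}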