What your child will learn
Understand why a strong password alone cannot stop a credential stuffing attack
Compare SMS vs TOTP authenticator vs passkey and explain why TOTP/passkeys resist SIM-swap attacks
Walk through the full setup flow of enabling an authenticator app (QR scan → TOTP entry → confirmation)
Recognize an MFA fatigue (push-bombing) attack and respond correctly by denying all requests and changing password
Identify the safest storage methods for 2FA recovery codes and explain why screenshots and email are insecure
How this mission works
A 5-scene deep dive into 2FA and account takeover defense. Scene 1: Watch a credential stuffing attack stopped cold by 2FA — the attacker has the correct password but cannot produce the TOTP code. Scene 2: Compare SMS vs authenticator app vs passkey during a live SIM-swap attack to understand which 2FA methods are SIM-swap-proof. Scene 3: Walk through the complete authenticator app setup flow — scan a QR code, enter a 6-digit TOTP, confirm the link. Scene 4: Survive a 3am MFA fatigue push-bombing attack — identify the pattern and respond correctly. Scene 5: Store recovery codes securely and prove you can recover your account when your phone is lost.
What students actually encounter
An attacker has your leaked password from a data breach. They enter it at your email login — and get blocked. Why?
A SIM-swap attack transfers your phone number to the attacker. Which 2FA method is still safe: SMS, TOTP app, or passkey?
It's 3:17 AM and you receive 5 consecutive push approval requests you didn't initiate. What kind of attack is this and what do you do?
Cipher is with them the whole way
When a student gets stuck on Two-Factor Titan, Cipher appears with a mission-specific nudge — no spoilers, just a hint toward the right thinking. Make a wrong choice, and Cipher explains the real-world consequence. Finish the mission, and Cipher generates a personalized performance debrief based on exactly how the student played it.
ISTE alignment
Students demonstrate tangible cybersecurity practices by configuring two-factor authentication and managing recovery codes (2a); safe behaviors against credential stuffing and MFA fatigue attacks (2b); and recognize cyber threats to individuals including SIM-swap attacks and push-bombing (2d).