Last updated

This module opens with an introduction to common attacks on online accounts, and the need for two-factor authentication. It then moves on to a few activities having students investigate the security of their own passwords, and where they might set up two-factor authentication for their primary email provider. It closes with a discussion about risk mitigation.

This module intends to tee up a second conversation about password management, and slides about phishing and password stuffing can be reused for the password management discussion.


Threat modeling

Estimated time

35-45 minutes


  • Upon successful completion of this lesson, students will be able to identify a phishing email.
  • Students will have a basic understanding of automated, dictionary-based attacks on online accounts.
  • Students will be able to identify common types of two-factor authentication tools.
  • Students will be able to identify step-by-step resources for setting up these defenses.

Why this matters

Understanding in concrete terms how likely attacks are executed in practice will help students focus their attention on the most common threats, and realistic ways to defend. Two-factor authentication is one of the most effective defenses against account break-ins. Chances are, your students are already familiar with it in some way — whether through their bank, hospital, or even your university's security requirements, so reiterating why this tactic is effective is key.


(Before class)

(After class)

Sample slides

Authentication, Part 1 (Google Slides)


Questions for discussion

  • Have you or someone you know ever experienced a security breach? (A stolen credit card, hacked account, and so on?) What happened?
  • How might this have been prevented?
  • How much risk is tied to your personal behaviors, versus the behaviors of the service provider?
  • What do you think service providers could do to better protect your data?

Donate to support press freedom

Your support is more important than ever.