MFA Monitoring and Detection
RCCE students will learn multi-factor authentication technologies, deployment strategies, and attack resistance including TOTP, FIDO2/WebAuthn, push notifications, hardware tokens, and biometric authentication. RCCE students will learn to evaluate MFA methods by security strength and usability, deploy MFA across enterprise applications and remote access systems, configure MFA policies in identity providers, detect and respond to MFA bypass techniques including SIM swapping, MFA fatigue attacks, adversary-in-the-middle phishing, and real-time phishing proxies. The course covers MFA enrollment management, recovery procedures, and migration strategies from weaker to stronger authentication factors. This monitoring course teaches comprehensive detection and observability strategies for proactive security operations. At an expert level, RCCE students will learn to instrument systems for security telemetry, build detection pipelines, configure alerting, and maintain monitoring coverage as environments evolve. Students gain the visibility and detection capabilities needed to catch threats early.
- Security Engineers building defensive controls
- Security Analysts and Blue Team members
- Systems Administrators with security responsibilities
- GRC and Risk Professionals supporting controls
- Professionals implementing MFA Monitoring and Detection
- Monitor and audit privilege usage; detect escalation attempts
- Explain Course Overview fundamentals
- Execute hands-on tasks for deployment & policy
- Build detections and response workflows for privilege escalation, including TOTP, FIDO2/WebAuthn, and Enterprise MFA rollouts.
- Execute hands-on tasks for authentication factor categories
- Execute hands-on tasks for knowledge factor
- Execute hands-on tasks for possession factor
- Execute hands-on tasks for inherence factor — covering Something you know, Something you have.
- Explain MFA Architecture Overview fundamentals
- Execute hands-on tasks for how totp works — covering Shared secret generated at enrollment.
- Execute hands-on tasks for ctap2 transport — covering Browser-native API for credential mgmt.
- Execute hands-on tasks for why fido2 is phishing-resistant — covering Origin bound: credentials only valid for registered domain.
| Module 01 | MFA Monitoring |
| Module 02 | Course Overview |
| Module 03 | Deployment & Policy |
| Module 04 | Detection & Response |
| Module 05 | Authentication Factor Categories |
| Module 06 | Knowledge Factor |
| Module 07 | Possession Factor |
| Module 08 | Inherence Factor |
| Module 09 | MFA Architecture Overview |
| Module 10 | How TOTP Works |
| Module 11 | CTAP2 Transport |
| Module 12 | Why FIDO2 is Phishing-Resistant |
| Module 13 | Push Notification Authentication |
| Module 14 | Login Initiated |
All hands-on labs run on Rocheston Rose X OS. Students practice mfa monitoring and detection by implementing the controls discussed in class, with a focus on real-world deployment, monitoring, and validation.
- Lab 1: Monitor and audit privilege usage; detect escalation attempts
- Lab 2: Explain Course Overview fundamentals
- Lab 3: Execute hands-on tasks for deployment & policy
- Lab 4: Build detections and response workflows for privilege escalation
- Lab 5: Execute hands-on tasks for authentication factor categories
Upon successful completion of this course, students will receive an official RCCE Course Completion Certificate for MFA Monitoring and Detection, verifiable through the Rocheston certification portal.
- Full access to all course materials and slide decks
- Hands-on lab access on Rocheston Rose X OS environment
- Access to Rocheston CyberNotes
- Access to Rocheston Zelfire — EDR/XDR SIEM platform
- Access to Rocheston Raven — online cyber range exercise platform
- Access to Rocheston Vulnerability Vines AI