Identity security is not just for security teams. Anyone who logs into a work account, uses a company laptop, or receives emails from colleagues is part of the attack surface. This is what everyone should know.
This is not the Fuscht curriculum. Basic identity security knowledge should not be behind a paywall. If you work anywhere near a computer, this is for you. Ready to go deeper? The Fuscht platform is where that happens.
Duration: ~20 min. Level: Absolute Beginner. Cost: Always free.
// 01 / Read
What is Identity
Before anything else, a system needs to answer one question: who is asking? Identity is how computers answer that question.
The Simple Version
Identity is how a system knows who you are
Every time you log into something, a computer checks whether it recognises you. Your username tells it who you claim to be. Your password is the proof. Together, they form your identity in that system. Without this check, anyone could access anything.
Type 01
You
Your work account. Your email. Your laptop login. Every system you log into has a record of you with a list of what you are allowed to do. That record is your digital identity in that system.
Type 02
Your Device
Your laptop or phone also has an identity. Organisations use this to check whether the device accessing company resources is one they trust. A personal phone and a managed work laptop are treated differently.
Type 03
Applications
Software has identities too. When an application needs to access company data, it authenticates just like a person does. These are called service accounts or application identities. More on this in section 05.
Why It Matters
Identity is the Front Door
In most modern organisations there is no physical boundary between inside and outside. Cloud tools, remote work, and third-party apps mean everything is internet-facing. Identity is the only thing standing between an attacker and your company's data.
The shift that changed everything: Ten years ago, attackers broke through firewalls and network defences. Today, 82% of breaches involve compromised credentials or identity abuse. Attackers do not break in. They log in.
// 02 / Read
How Credentials Work and Why They Fail
A credential is anything that proves you are who you say you are. Passwords are the most common. They are also the most commonly stolen, guessed, and reused.
What a Password Actually Is
A shared secret between you and the system
A password is something only you and the system you are logging into know. When you type it, the system checks it against what it has stored. If they match, you are in. The problem is that passwords can be guessed, stolen, or leaked. And once someone else has yours, they are you as far as the system is concerned.
Problem 01
Reusing Passwords
Using the same password on multiple sites is one of the most common and dangerous habits in security. When any one of those sites gets breached, attackers take the leaked credentials and try them on every other site. This is called credential stuffing and it works because most people reuse passwords.
Problem 02
Weak Passwords
Short or predictable passwords can be guessed automatically. Attackers run programs that try millions of combinations per second. A password like "Summer2024!" is not as secure as it feels. Length matters far more than complexity. A long, random passphrase is significantly harder to crack than a short password with symbols.
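To put numbers on the claim that "Summer2024!" is weaker than it feels and that length beats complexity, here is an added illustration that is not part of the course. The guessing rate, the size of the word list and the pattern the attacker enumerates (a capitalised word, a year, one symbol) are assumptions chosen for the example.

```python
# Constructed assumptions for this illustration (not figures from the course):
# attackers try common patterns before blind brute force, at ~1,000,000 guesses/sec.
GUESSES_PER_SECOND = 1_000_000
COMMON_WORDS = 10_000       # capitalised dictionary words an attacker tries first
YEAR_SUFFIXES = 100         # plausible year suffixes such as 2024
TRAILING_SYMBOLS = 32       # one printable symbol appended at the end
WORDLIST_SIZE = 7776        # words in a standard random-passphrase (diceware) list
SECONDS_PER_YEAR = 365.25 * 86_400


def pattern_guesses() -> int:
    """Guesses to exhaust the 'Word + Year + Symbol' pattern behind Summer2024!.
    Attackers enumerate the pattern's parts, not every 11-character string."""
    return COMMON_WORDS * YEAR_SUFFIXES * TRAILING_SYMBOLS


def brute_force_guesses(length: int, alphabet_size: int) -> int:
    """Guesses to exhaust every string of `length` over `alphabet_size` symbols."""
    return alphabet_size ** length


def passphrase_guesses(words: int) -> int:
    """Guesses to exhaust `words` random words drawn from the diceware list."""
    return WORDLIST_SIZE ** words


def years_to_crack(guesses: int) -> float:
    """Expected time in years; on average the attacker succeeds halfway through."""
    return guesses / 2 / GUESSES_PER_SECOND / SECONDS_PER_YEAR


def length_beats_complexity() -> bool:
    """20 lowercase letters (26 symbols) vs 11 characters from all 95 printables."""
    return brute_force_guesses(20, 26) > brute_force_guesses(11, 95)


def report() -> dict:
    """Collect the comparisons so they can be printed or checked."""
    return {
        "Summer2024! as a pattern (years)": years_to_crack(pattern_guesses()),
        "Summer2024! by blind brute force (years)": years_to_crack(brute_force_guesses(11, 95)),
        "4 random words (years)": years_to_crack(passphrase_guesses(4)),
        "20 lowercase beats 11 mixed": length_beats_complexity(),
    }


if __name__ == "__main__":
    for label, value in report().items():
        print(f"{label}: {value:.3g}" if isinstance(value, float) else f"{label}: {value}")
```

The pattern search for "Summer2024!" finishes in seconds under these assumptions, while four random words take decades, even though blind brute force of the 11-character string would look enormous on paper.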
Problem 03
Data Breaches
When a company you have an account with gets breached, your email and password may end up for sale online. Attackers buy these lists and try every credential on other services. You may have credentials in a breach right now without knowing. Sites like haveibeenpwned.com let you check.
The Fix
Password Managers
A password manager generates a unique, long, random password for every site and stores them securely. You only need to remember one master password. This means a breach of one site cannot be used against any other. Using a password manager is the single most impactful thing most people can do for their personal security.
Right now: Go to haveibeenpwned.com and enter your work email address. If your credentials appear in a known breach, change that password immediately. Then change it everywhere you used the same one.
// 03 / Read
What MFA Does
Multi-factor authentication adds a second check on top of your password. It makes things significantly harder for attackers. It is not perfect. Understanding both sides of that matters.
The Basic Idea
Something you know plus something you have
MFA requires two things to log in: your password (something you know) and a second factor (something you have, like your phone). Even if an attacker steals your password, they cannot get in without that second factor. This is why MFA is one of the most effective basic security controls available.
MFA Stops This
Credential Stuffing
An attacker has your username and password from a breach. Without MFA they can log straight in. With MFA they need your phone or authenticator app too. They probably do not have that. MFA blocks the vast majority of automated credential attacks entirely.
MFA Stops This
Password Guessing
Even if an attacker correctly guesses your password, MFA means they still cannot get in. The second factor is the barrier. For most automated attacks, this is enough to make your account not worth targeting.
MFA Does Not Stop This
Push Notification Abuse
If an attacker has your password, they can trigger an MFA push to your phone. If you approve it without checking, you have let them in. Never approve an MFA notification you did not initiate. If you get one out of nowhere, it means someone has your password and is trying to log in as you right now.
MFA Does Not Stop This
Advanced Phishing
Sophisticated phishing attacks can capture your session even after you complete MFA. This is less common and requires more skill to execute. For most people in non-technical roles, MFA remains a very strong protection. The lesson is that MFA is necessary but not the end of the conversation.
One rule: Never approve an MFA push notification you did not initiate. If you receive one while not actively logging in, deny it, then immediately change your password. Someone has your credentials.
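The push-abuse pattern above is also something an IT team can look for in sign-in logs. This added example (not part of the course, and not tied to any real identity provider) flags a user who denies one or more pushes in a short window and then approves one; the log format and the sample lines are constructed for the illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines in an invented key=value format (not from any real
# identity provider): alice denies two pushes and then approves a third.
SAMPLE_LOG = """\
2024-05-01T09:12:03Z user=alice event=mfa_push result=denied ip=203.0.113.7
2024-05-01T09:12:41Z user=alice event=mfa_push result=denied ip=203.0.113.7
2024-05-01T09:13:20Z user=alice event=mfa_push result=approved ip=203.0.113.7
2024-05-01T09:30:00Z user=bob event=mfa_push result=approved ip=198.51.100.4
2024-05-01T17:02:10Z user=bob event=mfa_push result=approved ip=198.51.100.4
"""

def parse_line(line: str) -> dict:
    """Turn one log line into a dict with a parsed timestamp."""
    timestamp, *fields = line.split()
    record = dict(field.split("=", 1) for field in fields)
    record["ts"] = datetime.strptime(timestamp, "%Y-%m-%dT%H:%M:%SZ")
    return record

def find_push_fatigue(log_text: str, window: timedelta = timedelta(minutes=10),
                      min_pushes: int = 3) -> dict:
    """Return {user: reason} for users with at least `min_pushes` MFA pushes inside
    `window` where a denial is later followed by an approval (the user gave in)."""
    pushes = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            record = parse_line(line)
            if record.get("event") == "mfa_push":
                pushes[record["user"]].append(record)
    alerts = {}
    for user, records in pushes.items():
        records.sort(key=lambda r: r["ts"])
        for start, first in enumerate(records):
            burst = [r for r in records[start:] if r["ts"] - first["ts"] <= window]
            if len(burst) < min_pushes:
                continue
            denied_seen = False
            for r in burst:
                if r["result"] == "denied":
                    denied_seen = True
                elif r["result"] == "approved" and denied_seen:
                    alerts[user] = (f"{len(burst)} pushes within {window}; "
                                    f"denial followed by approval from {r['ip']}")
                    break
            if user in alerts:
                break
    return alerts
```

A single unexpected push is not enough to alert on by itself; the denial-then-approval sequence is the signal, and an alert is the cue to reset that user's password as the rule above says.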
// 04 / Read
How Attackers Get In
Most attackers do not need technical skills to get into your organisation. They need you to make one mistake. These are the most common ways that happens.
Method 01
Phishing Emails
An email that looks legitimate but is designed to steal your credentials or trick you into clicking a malicious link. Modern phishing emails are often indistinguishable from real ones. They may impersonate your IT team, your manager, a vendor, or a service you use. The goal is to get you to enter your username and password on a fake login page.
Method 02
Social Engineering
An attacker calls your IT helpdesk pretending to be you and convinces them to reset your password or MFA. No technical skill required. The MGM Resorts breach in 2023 that cost over $100 million started with a single phone call to a helpdesk agent. The attacker looked up an employee on LinkedIn and impersonated them convincingly enough to get access.
Method 03
Fake CAPTCHAs
You land on a webpage that asks you to verify you are human by pressing a keyboard shortcut and pasting a command into your computer. This is called ClickFix. The command installs malware or steals your credentials. It looks like a legitimate verification step. No legitimate website will ever ask you to run a command in your terminal or Run box to prove you are human.
Method 04
Session Hijacking
When you log into a website, your browser gets a session token that keeps you logged in. If an attacker steals that token, they can use it to access your account without your password. This is why logging out of sensitive systems matters, especially on shared or public devices. Closing the browser tab is not the same as logging out.
The pattern across all of these: Attackers target people, not systems. No firewall stops a convincing phone call. No antivirus catches a password you typed into a fake login page. Understanding that you are part of the security posture is the first step to not being the weakest link.
// 05 / Read
Software That Logs In Too
It is not just people who have accounts. The software your organisation uses has identities too. And those identities are often the ones nobody is watching.
The Concept
Non-human identities
When one piece of software needs to talk to another, it needs to authenticate. Your payroll system needs to access your HR database. Your backup tool needs to access your file storage. Each of these connections uses an account with credentials and permissions. These are called non-human identities or service accounts. In the average organisation, there are 144 of these for every human employee. Most of them are not actively managed or monitored.
Why This Matters
Nobody Watches Them
When a person leaves your company, their account gets disabled. When a software project ends, its service account often keeps running. With active credentials. With permissions. With nobody assigned to monitor it. An attacker who finds one of these dormant accounts has access that may go unnoticed for months.
Why This Matters
They Cannot Use MFA
You can add MFA to a human account. Software cannot respond to a push notification. This means service accounts almost always authenticate with just a username and password or a secret key. If that key leaks, there is nothing stopping an attacker from using it. No second factor to block them.
Common Mistakes
Secrets in the Wrong Places
Developers sometimes store service account credentials directly in code, in chat messages, or in shared documents. When that code gets uploaded to a public location or that document gets shared to the wrong person, those credentials are exposed. This is one of the most common ways service account credentials get stolen.
What You Can Do
Ask the Question
You do not need to be a security expert to help here. If you see a password or secret key in a shared document, an email, or a chat message, flag it to your IT team. If you are leaving a project, ask whether any service accounts or API keys created for that project have been reviewed. Small questions lead to big risk reductions.
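The review that section 05 asks for (who owns the account, is the project still alive, is it still used, how old is its credential) can be written down as a checklist over an inventory. This is an added example, not code from the course; the account names, the inventory fields and the 90-day and 365-day thresholds are constructed for the illustration.

```python
from datetime import date, timedelta

# Constructed inventory with invented account names; a real review would pull
# these fields from the identity provider or cloud IAM instead.
INVENTORY = [
    {"name": "svc-payroll-sync", "owner": "finance-it", "project_active": True,
     "last_used": date(2024, 5, 30), "credential_created": date(2024, 1, 15)},
    {"name": "svc-backup-legacy", "owner": None, "project_active": False,
     "last_used": date(2024, 5, 29), "credential_created": date(2021, 3, 2)},
    {"name": "svc-migration-2022", "owner": "data-team", "project_active": False,
     "last_used": date(2023, 11, 2), "credential_created": date(2022, 6, 1)},
    {"name": "svc-ci-deploy", "owner": "platform", "project_active": True,
     "last_used": date(2024, 6, 1), "credential_created": date(2024, 4, 1)},
]

def review_service_accounts(inventory: list, today: date,
                            dormant_after: timedelta = timedelta(days=90),
                            rotate_after: timedelta = timedelta(days=365)) -> dict:
    """Return {account_name: [reasons]} for accounts that need a human decision.
    An account with no findings is left out of the result entirely."""
    findings = {}
    for acct in inventory:
        reasons = []
        if acct["owner"] is None:
            reasons.append("no owner assigned")
        if not acct["project_active"]:
            reasons.append("project ended but account is still enabled")
        idle = today - acct["last_used"]
        if idle > dormant_after:
            reasons.append(f"unused for {idle.days} days")
        age = today - acct["credential_created"]
        if age > rotate_after:
            reasons.append(f"credential is {age.days} days old")
        if reasons:
            findings[acct["name"]] = reasons
    return findings

if __name__ == "__main__":
    for name, reasons in review_service_accounts(INVENTORY, date(2024, 6, 3)).items():
        print(name)
        for reason in reasons:
            print("  -", reason)
```

Note that svc-backup-legacy is flagged even though it was used five days ago: an account that is still running with no owner and no live project is exactly the case the section describes.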
// 06 / Reinforce
Match the Attack
Drag each attack type to what it primarily targets or steals.
// Attack Types
Phishing Email
Credential Stuffing
Social Engineering
ClickFix
Session Hijacking
// What It Targets or Steals
Steals credentials via fake login page
Uses your password from another breach
Tricks a person into giving access verbally
Tricks you into running a malicious command
Steals your logged-in browser session token
// 07 / Reinforce
Match the Control
Drag each security control to what it primarily protects against.
// Security Controls
MFA
Password Manager
Logging Out
HaveIBeenPwned
Healthy Skepticism
// What It Protects Against
Blocks attackers who have your password
Prevents credential stuffing across sites
Stops session hijacking on shared devices
Tells you if your credentials were leaked
Your best defence against social engineering
// 08 / Test
Quiz
10 questions covering everything in this course. Pass at 7 out of 10.
// Ready for More
This was the foundation. The Fuscht platform is where it gets deep.
The Fuscht platform covers IAM from a security perspective. The attack mechanics, the tooling, the kill chains. Are you ready?