Live Lab Environment
Identity & Access Management (IAM)
A hands-on simulation of real-world authentication flows, multi-factor authentication, account lockout policies, and role-based access control. All activity is simulated — no real credentials are used.
Estimated: 45–60 min
🧩 5 Interactive Modules
📋 Knowledge Check Included
Learning Objectives
What you will accomplish
By the end of this lab, you will be able to explain and demonstrate each of the following security concepts in practice.
🔐 Authentication Factors: Identify and apply all three authentication factor types (something you know, have, are).
📱 TOTP / Authenticator Apps: Use a simulated authenticator app to generate and enter time-based one-time passwords.
🚫 Account Lockout Policy: Trigger and observe an account lockout to understand brute-force protection.
🎭 Role-Based Access Control: Assign permissions to roles and observe least-privilege access in action.
🛡️ MFA Importance: Explain why MFA significantly reduces credential compromise risk.
📊 IAM Concepts: Define IAM, the Principle of Least Privilege, and separation of duties.
Scenario
NexaCorp Security Portal
You are a newly hired IT Security Analyst at NexaCorp. Your manager has asked you to onboard to the company's internal security portal and complete your identity verification setup.
🔒 Safe Environment: This lab uses a fully simulated corporate portal. No real credentials are created, stored, or transmitted. All data exists only in your browser session.
🔑 Module 1 of 5

Username & Password Authentication

Background

Password-based authentication is a Knowledge Factor — something you know. It is the most common but weakest form of authentication when used alone. In this module, you will log into the NexaCorp portal using your assigned credentials.

⚠ Security Note: Passwords alone are not sufficient for sensitive systems. Attackers can steal passwords through phishing, brute force, or credential stuffing. MFA is required after this step.
Task: Log into the Portal
Use the credentials below to log into the NexaCorp security portal simulator.
Your Credentials
Username: jsmith@nexacorp.com
Password: NexaCorp@2025!
💡 Tip: In a real environment, you would never see credentials written down. This is only for lab purposes.
📱 Module 2 of 5

Authenticator App & TOTP

What is TOTP?

Time-based One-Time Passwords (TOTP, RFC 6238) are a Possession Factor (something you have). At enrolment the server generates a random secret and hands it to the authenticator app, usually as a QR code. From then on the app (Google Authenticator, Microsoft Authenticator and similar) derives a 6-digit code from that secret and the current 30-second time step, so the app and the server compute the same code independently without any further communication.

How it works: both sides compute the time step T = floor((current_time - T0) / 30), where T0 is normally the Unix epoch, then take HMAC-SHA1(shared_secret, T) over the 8-byte big-endian counter, dynamically truncate the 20-byte MAC to 31 bits, and reduce it modulo 10^6 to get the 6-digit code. TOTP is HOTP (RFC 4226) with the time step standing in for the counter. Presenting a matching code proves you possess the enrolled secret without the secret itself ever crossing the wire. A server normally also accepts the codes for the adjacent time steps to tolerate small clock skew, and must refuse to accept the same code twice.
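The computation above, written out as an added example (this is not the portal's code): HOTP with dynamic truncation, the 30-second time step, base32 decoding of the enrolment secret, and a server-side verifier that tolerates one step of clock skew but rejects replayed codes. The base32 demo secret `JBSWY3DPEHPK3PXP` and the timestamps are constructed; the RFC 6238 reference secret is included so the output can be checked against the published test vectors.

```python
"""TOTP as the lab describes it: HOTP (RFC 4226) driven by a 30-second time step
(RFC 6238), with server-side skew tolerance and replay rejection.

Added example for this lab; it is not the portal's own code. The base32
enrolment secret "JBSWY3DPEHPK3PXP" and the timestamps are constructed for the demo.
"""
import base64
import hashlib
import hmac
import struct
import time
from typing import Optional

STEP = 30    # seconds per time step
DIGITS = 6   # code length shown in the app
T0 = 0       # Unix epoch, the RFC 6238 default


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """HOTP(K, C): HMAC-SHA1 over the 8-byte big-endian counter, dynamic
    truncation (RFC 4226 section 5.3), then reduction modulo 10^digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                                   # low nibble of the last byte
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"                # keep leading zeros: "005924"


def time_step(at: float, step: int = STEP, t0: int = T0) -> int:
    """T = floor((current_time - T0) / step); both sides derive it from their clocks."""
    return int((at - t0) // step)


def totp(secret: bytes, at: Optional[float] = None) -> str:
    """The code the authenticator app displays now (or at the given Unix time)."""
    return hotp(secret, time_step(time.time() if at is None else at))


def decode_enrolment_secret(b32: str) -> bytes:
    """Secrets are shared at enrolment as base32 inside the otpauth:// QR code."""
    cleaned = b32.replace(" ", "").upper()
    return base64.b32decode(cleaned + "=" * (-len(cleaned) % 8))


class TotpVerifier:
    """Server side: accept the codes for steps T-window..T+window to absorb clock
    skew, and never accept a step at or below the last one already consumed."""

    def __init__(self, secret: bytes, window: int = 1):
        self.secret = secret
        self.window = window
        self.last_accepted_step = -1

    def verify(self, submitted: str, at: float) -> bool:
        now_step = time_step(at)
        for candidate in range(now_step - self.window, now_step + self.window + 1):
            if candidate <= self.last_accepted_step:
                continue                                      # replay of a consumed step
            if hmac.compare_digest(hotp(self.secret, candidate), submitted):
                self.last_accepted_step = candidate
                return True
        return False                                          # wrong, expired or replayed


# RFC 6238 Appendix B reference secret (ASCII "12345678901234567890"), for self-checks.
RFC6238_SECRET = b"12345678901234567890"

if __name__ == "__main__":
    app_secret = decode_enrolment_secret("JBSWY3DPEHPK3PXP")          # constructed demo key
    print("RFC 6238 vector, t=59 ->", totp(RFC6238_SECRET, at=59))   # 287082
    print("code for the demo key right now:", totp(app_secret))
```

The verifier compares with `hmac.compare_digest` so timing does not leak how many digits matched, and it remembers the last accepted step: a code captured by a phishing page is useless once the legitimate user has already submitted it, and cannot be reused within the skew window either.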
Task: Complete MFA Verification
Your password was accepted. NexaCorp now requires a second factor. Open your authenticator app (simulated on the right) and enter the current 6-digit code.
📝 Lab Note: The code in the authenticator app is your current valid TOTP. It regenerates every 30 seconds. Watch the timer ring — when it expires, a new code is generated. You must enter the code shown before it expires.
NexaCorp Authenticator App
🚫 Module 3 of 5

Account Lockout Policy

Why Lockout Policies Exist

Account lockout policies are a defense against online brute-force attacks, in which an attacker (usually a script) submits thousands of password guesses against the login form. Locking the account after a set number of consecutive failures caps how many guesses the attacker gets per lockout period, which makes guessing even a moderately strong password impractical. Lockout does nothing against offline attacks on a stolen password hash, and an attacker can stay under the threshold by spreading one or two guesses across many accounts (password spraying), which is why failed-login telemetry matters as much as the lock itself.

NexaCorp Policy: Accounts are locked after 3 consecutive failed login attempts. The lockout lasts 15 minutes. This event is logged to the SIEM.
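NexaCorp's rule as a small policy engine, written as an added example (not the portal's code): three consecutive failures lock the account for 15 minutes, every decision is emitted as a SIEM-style event, and a detector over those events catches a password spray that never trips the lock. The password store, user names and source addresses (203.0.113.0/24 and 198.51.100.0/24 documentation ranges) are constructed for the demo.

```python
"""NexaCorp's lockout rule (3 consecutive failures, 15-minute lock) as a small
policy engine that emits SIEM-style events, plus a detector for password spraying
that stays under the per-account threshold.

Added example for this lab, not the portal's code. The password store, user
names and source addresses (203.0.113.0/24 and 198.51.100.0/24 documentation
ranges) are constructed for the demo.
"""
import hmac
from collections import defaultdict
from dataclasses import dataclass

MAX_FAILURES = 3
LOCKOUT_SECONDS = 15 * 60


@dataclass
class AccountState:
    failures: int = 0          # consecutive failures since the last success or lock
    locked_until: float = 0.0  # Unix time the lock expires; 0 means not locked


class LockoutPolicy:
    def __init__(self, passwords: dict):
        self._passwords = passwords    # demo only: a real store holds salted hashes
        self._state = defaultdict(AccountState)
        self.siem_events = []          # what would be forwarded to the SIEM

    def _emit(self, now, event, user, src, **fields):
        self.siem_events.append({"ts": now, "event": event, "user": user, "src": src, **fields})

    def login(self, user: str, password: str, src: str, now: float) -> str:
        """Returns 'ok', 'invalid' or 'locked'. The lock is checked before the
        password, so a locked account rejects even the correct password."""
        st = self._state[user]
        if now < st.locked_until:
            self._emit(now, "LOGIN_REJECTED_LOCKED", user, src, unlock_at=st.locked_until)
            return "locked"
        expected = self._passwords.get(user, "")
        if expected and hmac.compare_digest(expected.encode(), password.encode()):
            st.failures = 0
            self._emit(now, "LOGIN_SUCCESS", user, src)
            return "ok"
        st.failures += 1           # unknown users fail the same way: no enumeration hint
        self._emit(now, "LOGIN_FAILED", user, src, attempt=st.failures, threshold=MAX_FAILURES)
        if st.failures >= MAX_FAILURES:
            st.locked_until = now + LOCKOUT_SECONDS
            st.failures = 0
            self._emit(now, "ACCOUNT_LOCKED", user, src, unlock_at=st.locked_until)
            return "locked"
        return "invalid"


def detect_password_spray(events, window_s: int = 600, min_accounts: int = 5) -> dict:
    """Source addresses whose LOGIN_FAILED events touch at least min_accounts distinct
    users within window_s seconds. One or two guesses per account never trips the
    lockout, so this is what the SIEM has to catch."""
    by_src = defaultdict(list)
    for e in events:
        if e["event"] == "LOGIN_FAILED":
            by_src[e["src"]].append((e["ts"], e["user"]))
    flagged = {}
    for src, fails in by_src.items():
        fails.sort()
        for i, (t_start, _) in enumerate(fails):
            users = {u for t, u in fails[i:] if t - t_start <= window_s}
            if len(users) >= min_accounts:
                flagged[src] = max(flagged.get(src, 0), len(users))
    return flagged


def demo_lockout() -> list:
    """Three wrong passwords lock the account; the right one is refused until the
    15 minutes elapse. Expected: ['invalid', 'invalid', 'locked', 'locked', 'ok']."""
    p = LockoutPolicy({"testuser@nexacorp.com": "correct horse battery staple"})
    user, attacker, owner = "testuser@nexacorp.com", "203.0.113.7", "198.51.100.2"
    results = [p.login(user, "wrong", attacker, now=1000 + i) for i in range(3)]
    results.append(p.login(user, "correct horse battery staple", owner, now=1060))
    results.append(p.login(user, "correct horse battery staple", owner, now=1002 + LOCKOUT_SECONDS + 1))
    return results


def demo_spray() -> tuple:
    """One guess against each of eight accounts: zero lockouts, but the detector
    flags the source. Expected: ({'203.0.113.7': 8}, 0)."""
    p = LockoutPolicy({f"user{i}@nexacorp.com": "s3cret" for i in range(8)})
    for i in range(8):
        p.login(f"user{i}@nexacorp.com", "Winter2025!", "203.0.113.7", now=2000 + 10 * i)
    lockouts = sum(e["event"] == "ACCOUNT_LOCKED" for e in p.siem_events)
    return detect_password_spray(p.siem_events), lockouts


if __name__ == "__main__":
    print(demo_lockout())
    print(demo_spray())
```

The two demos answer the reflection questions in code: the lock stops a single-account brute force after three guesses, but also locks out the legitimate owner for the full 15 minutes (an attacker who knows the username can do that on purpose), and the spray against eight accounts produces no lockout at all and is only visible by correlating the LOGIN_FAILED events by source in the SIEM.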
Task: Trigger Account Lockout
A test account has been created for this exercise. Deliberately enter wrong passwords to observe the lockout policy in action.
Test Account
Username: testuser@nexacorp.com
Try any wrong password to trigger lockout.
Failed Attempts (max: 3)
[00:00:00] SYSTEM: Account lockout test initialized
[00:00:00] TARGET: testuser@nexacorp.com
Reflection Questions — Answer in your mind:
  • What attack does account lockout primarily defend against?
  • What is a potential downside of very aggressive lockout policies?
  • How does SIEM logging of failed logins help detect attacks even before lockout?
🎭 Module 4 of 5

Role-Based Access Control (RBAC)

RBAC Concept

Role-Based Access Control (RBAC) assigns permissions to roles, not directly to users; users are then assigned roles, and a request is allowed only if one of the user's roles carries the required permission. Because each role is defined once around a job function, RBAC makes the Principle of Least Privilege practical to apply: users get only the access their job needs, and nothing more.

NexaCorp has three roles: Security Admin, Security Analyst, and Read-Only Viewer. Each has a different set of permissions to the Security Portal.
Task 1: Review Permission Matrix
Study the permission matrix below for NexaCorp's three security roles.
Roles compared: Admin, Analyst, Viewer. Permissions in the matrix:
  • View dashboards & reports
  • Run vulnerability scans
  • Create/modify alert rules
  • Export sensitive incident data
  • Manage user accounts
  • Modify IAM policies
  • Access audit logs
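The matrix as a deny-by-default authorization check, written as an added example (not the portal's code). The grants are an assumed reading of the matrix and the job descriptions in Task 2 (Admin: everything; Analyst: scans, alert rules, audit logs, no export; Viewer: dashboards only), so treat the portal's own matrix as authoritative; the user names are constructed.

```python
"""Role-based access control the way the lab describes it: permissions attach to
roles, users get roles, and every check denies by default.

Added example for this lab, not the portal's code. The grants below are an
assumed reading of the lab's matrix and job descriptions (Admin: everything;
Analyst: scans, alert rules, audit logs, no export; Viewer: dashboards only);
the portal's own matrix is authoritative.
"""
from collections import defaultdict

# Permission names follow the rows of the lab's permission matrix.
VIEW_DASHBOARDS = "view_dashboards_and_reports"
RUN_SCANS = "run_vulnerability_scans"
MANAGE_ALERT_RULES = "create_modify_alert_rules"
EXPORT_INCIDENT_DATA = "export_sensitive_incident_data"
MANAGE_USERS = "manage_user_accounts"
MODIFY_IAM_POLICIES = "modify_iam_policies"
ACCESS_AUDIT_LOGS = "access_audit_logs"
ALL_PERMISSIONS = frozenset({VIEW_DASHBOARDS, RUN_SCANS, MANAGE_ALERT_RULES, EXPORT_INCIDENT_DATA,
                             MANAGE_USERS, MODIFY_IAM_POLICIES, ACCESS_AUDIT_LOGS})

ROLE_PERMISSIONS = {                    # assumed grants, see module docstring
    "Security Admin": ALL_PERMISSIONS,
    "Security Analyst": frozenset({VIEW_DASHBOARDS, RUN_SCANS, MANAGE_ALERT_RULES, ACCESS_AUDIT_LOGS}),
    "Read-Only Viewer": frozenset({VIEW_DASHBOARDS}),
}


class RBAC:
    def __init__(self, role_permissions: dict):
        self.role_permissions = {r: frozenset(p) for r, p in role_permissions.items()}
        self.user_roles = defaultdict(set)

    def assign(self, user: str, role: str) -> None:
        if role not in self.role_permissions:
            raise KeyError(f"unknown role {role!r}")   # no ad-hoc roles or per-user grants
        self.user_roles[user].add(role)

    def revoke(self, user: str, role: str) -> None:
        self.user_roles[user].discard(role)

    def grant_to_role(self, role: str, permission: str) -> None:
        """Changing a role changes every user who holds it; nobody edits users one by one."""
        self.role_permissions[role] = self.role_permissions[role] | {permission}

    def permissions_of(self, user: str) -> frozenset:
        roles = self.user_roles.get(user, set())          # .get() does not create an entry
        return frozenset().union(*(self.role_permissions[r] for r in roles))

    def is_allowed(self, user: str, permission: str) -> bool:
        """Deny by default: an unknown user, role or permission has no grant."""
        return permission in self.permissions_of(user)

    def require(self, user: str, permission: str) -> None:
        if not self.is_allowed(user, permission):
            raise PermissionError(f"{user} lacks {permission}")

    def excess_permissions(self, user: str, needed) -> frozenset:
        """Least-privilege audit: what the user's roles grant beyond what the job needs."""
        return self.permissions_of(user) - frozenset(needed)


def demo() -> dict:
    rbac = RBAC(ROLE_PERMISSIONS)
    rbac.assign("mchen", "Security Admin")        # Head of IT Security
    rbac.assign("dpark", "Security Analyst")      # SOC Analyst L2
    rbac.assign("ltorres", "Read-Only Viewer")    # HR Manager, compliance dashboards only
    dpark_needs = {VIEW_DASHBOARDS, RUN_SCANS, MANAGE_ALERT_RULES, ACCESS_AUDIT_LOGS}
    return {
        "dpark_can_scan": rbac.is_allowed("dpark", RUN_SCANS),
        "dpark_can_export": rbac.is_allowed("dpark", EXPORT_INCIDENT_DATA),
        "ltorres_can_scan": rbac.is_allowed("ltorres", RUN_SCANS),
        "mchen_can_modify_iam": rbac.is_allowed("mchen", MODIFY_IAM_POLICIES),
        "unknown_user": rbac.is_allowed("ghost", VIEW_DASHBOARDS),
        "dpark_excess": sorted(rbac.excess_permissions("dpark", dpark_needs)),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

`excess_permissions` is the least-privilege check in code: run it against a user's actual duties and anything it returns is access that role grants but the job does not need. Giving David Park the Admin role instead of Analyst would make it return export, user management and IAM policy rights at once.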
Task 2: Assign Roles — Drag & Drop
Assign the correct role to each NexaCorp employee based on their job description. Drag the role badge to the correct zone.
Available Roles
Admin Security Admin — Full control over all systems and users
Analyst Security Analyst — Investigate and respond to threats
Viewer Read-Only Viewer — View dashboards and reports only
Employees to Assign
Maria Chen — Head of IT Security. Manages all user accounts, IAM policies, and incident response teams.
David Park — SOC Analyst L2. Investigates alerts, runs scans, accesses audit logs. Cannot export data.
Lisa Torres — HR Manager. Needs to view security dashboards for compliance reporting. No technical access needed.
📋 Module 5 of 5

Knowledge Check

Answer all 5 questions to complete the lab. Select the best answer for each question.
🏆 Lab Complete

IAM Lab Report

COMPLETION CERTIFICATE
Identity & Access Management Lab  |  NexaCorp Security Portal Simulation
Modules Completed: 5/5
Quiz Score: —/5
MFA Configured
Summary of Concepts Demonstrated
Username & password authentication (Knowledge Factor)
TOTP multi-factor authentication via Authenticator App (Possession Factor)
Account lockout policy and brute-force protection
Role-Based Access Control (RBAC) and Principle of Least Privilege
IAM fundamentals knowledge check
📚 Next Steps: Review the NIST SP 800-63 Digital Identity Guidelines and CompTIA Security+ Domain 2 (Threats, Vulnerabilities, and Mitigations), and explore AWS IAM or Azure Active Directory (now Microsoft Entra ID) for real-world implementations of roles, policies and MFA enforcement.