📝 Problem Description
Design a secure user authentication system supporting multiple auth methods (password, OAuth, MFA). Handle session management, token refresh, and account security features like rate limiting and anomaly detection.
👤 Use Cases
1.
User wants to signs up so that account created, verification email sent
2.
User wants to logs in so that receives access and refresh tokens
3.
User wants to enables MFA so that TOTP configured for account
4.
User wants to logs in from new device so that verification required
✅ Functional Requirements
- •User registration with email verification
- •Password-based authentication
- •OAuth (Google, GitHub, etc.)
- •Multi-factor authentication (TOTP, SMS)
- •Session management
- •Password reset flow
- •Account lockout after failures
⚡ Non-Functional Requirements
- •Login latency < 200ms
- •Token validation < 10ms
- •99.99% availability
- •Secure against common attacks
⚠️ Constraints & Assumptions
- •Never store plaintext passwords
- •Tokens must be revocable
- •Must comply with security standards
📊 Capacity Estimation
👥 Users
100M users
💾 Storage
50GB (user data, sessions)
⚡ QPS
Logins: 10K/sec, Token validations: 100K/sec
📐 Assumptions
- • 100M registered users
- • 10M daily active users
- • Average 5 API calls per user per session
- • Average session: 30 minutes
💡 Key Concepts
CRITICAL
Password Hashing
Use bcrypt/Argon2 with salt. Never store plaintext.
CRITICAL
JWT Tokens
Stateless access tokens with short expiry (15 min).
HIGH
Refresh Tokens
Long-lived tokens stored in DB for revocation.
HIGH
Rate Limiting
Prevent brute force with per-user and per-IP limits.
MEDIUM
TOTP MFA
Time-based one-time passwords (Google Authenticator).
💡 Interview Tips
- 💡Start with the authentication flow
- 💡Discuss password hashing (bcrypt, Argon2)
- 💡Emphasize security best practices
- 💡Be prepared to discuss JWT vs sessions
- 💡Know the OAuth2 flows
- 💡Understand the MFA integration