InterviewStack.io

Authentication and Access Control Questions

Comprehensive coverage of methods, protocols, design principles, and practical mechanisms for proving identity and enforcing permissions across systems. Authentication topics include credential-based methods such as passwords and secure password storage, multi-factor authentication, one-time passwords, certificate-based and passwordless authentication, biometric options, federated identity and single sign-on using Open Authorization (OAuth), OpenID Connect and Security Assertion Markup Language (SAML), and service identity approaches such as Kerberos and mutual Transport Layer Security (mTLS). Token-based and session-based patterns are covered, including JSON Web Tokens (JWT) and session cookies, secure cookie practices, token lifecycle and refresh strategies, token revocation approaches, refresh token design, and secure storage and transport of credentials and tokens. Authorization and access control topics include role-based access control, attribute-based access control, discretionary and mandatory access control, access control lists and policy-based access control, OAuth scopes and permission modeling, privilege management and the principle of least privilege, and defenses against privilege escalation and broken access control. Also addressed are the cryptographic foundations that underlie identity systems, including symmetric and asymmetric cryptography, public key infrastructure and certificate lifecycle management, secure key management and rotation, and encryption in transit and at rest. Common threats and mitigations are covered, such as credential stuffing, brute-force attacks, replay attacks, session fixation, cross-site request forgery, broken authentication logic, rate limiting, account lockout strategies, secrets management, secure transport, and careful authorization checks.
Candidates should be able to design authentication and authorization flows for both user and service identities, evaluate protocol and implementation trade offs, specify secure lifecycle and storage strategies for credentials and tokens, and propose mitigations for common failures and attacks.

Hard | Technical | 60 practiced
Describe a complete key and certificate lifecycle management plan for signing JWTs and for TLS certificates across development, staging, and production environments. Cover key generation and storage (KMS/HSM), automated rotation processes, CI/CD integration for deployment, emergency revocation procedures, minimizing downtime during rollovers, and how to publish and cache public keys (JWKS) safely.

Hard | Technical | 51 practiced
Design an approach to map OAuth scopes to application-level fine-grained permissions for APIs. Support hierarchical permissions, resource-level checks (including field-level authorization), policy caching for performance, and explain how to ensure permission updates take effect promptly for existing tokens while maintaining high throughput for API endpoints.

Easy | Technical | 47 practiced
Describe how to implement a passwordless 'magic link' login via email for web users. Include secure token generation, token storage, delivery, validation, expiry, single-use enforcement, redirect handling, and discuss security concerns and abuse vectors (for example token replay, mail interception, email bombing).

Hard | System Design | 61 practiced
Design an end-to-end authentication and authorization architecture for a SaaS platform with 10M users that supports web SPAs, server-rendered pages, mobile apps, third-party APIs, SSO via SAML and OIDC, social login providers, and a microservices backend. Specify token flows for user and service identities, session management choices, refresh strategies, token revocation, rate limiting, certificate/key rotation, identity provider integration patterns, and recovery plans for a major credential compromise.

Medium | Technical | 89 practiced
Describe secure secret storage strategies for: (a) server-side applications running in cloud environments, (b) browser-based SPAs, and (c) native mobile apps. Cover use of cloud KMS/Vault, environment variables, OS keychains, runtime secret injection during CI/CD, and explain which secrets must never be shipped to clients.
