
Authentication and Access Control Questions

Comprehensive coverage of methods, protocols, design principles, and practical mechanisms for proving identity and enforcing permissions across systems.

Authentication topics include credential-based methods such as passwords and secure password storage, multi-factor authentication (MFA), one-time passwords, certificate-based and passwordless authentication, biometrics, federated identity and single sign-on using OAuth, OpenID Connect (OIDC) and SAML, and service identity approaches such as Kerberos and mutual TLS (mTLS). Token-based and session-based patterns are covered as well: JSON Web Tokens (JWT) and session cookies, secure cookie attributes, token lifecycle and refresh strategies, token revocation approaches, refresh token design, and secure storage and transport of credentials and tokens.

Authorization and access control topics include role-based access control (RBAC), attribute-based access control (ABAC), discretionary and mandatory access control (DAC and MAC), access control lists and policy-based access control, OAuth scopes and permission modeling, privilege management and the principle of least privilege, and defenses against privilege escalation and broken access control.

The cryptographic foundations that underlie identity systems are also addressed: symmetric and asymmetric cryptography, public key infrastructure (PKI) and certificate lifecycle management, secure key management and rotation, and encryption in transit and at rest. Common threats and their mitigations are covered, including credential stuffing, brute-force attacks, replay attacks, session fixation, cross-site request forgery (CSRF), broken authentication logic, rate limiting, account lockout strategies, secrets management, secure transport, and consistent server-side authorization checks.
Candidates should be able to design authentication and authorization flows for both user and service identities, evaluate protocol and implementation trade offs, specify secure lifecycle and storage strategies for credentials and tokens, and propose mitigations for common failures and attacks.

Hard / Technical
53 practiced
Explain potential race conditions and replay attacks that can occur when implementing refresh token rotation in distributed environments (multiple app servers handling concurrent refresh requests). Propose concrete data models and atomic operations (for example using DB compare-and-swap or Redis transactions) to enforce single-use semantics and prevent token replay without causing high latency.
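As an added worked example for the question above (not part of the original page), the following Python models the single-use rule with one compare-and-swap per redeem. The in-memory store and the threading lock are constructed stand-ins: the lock represents the atomicity of a single conditional row update (UPDATE ... WHERE id=? AND state='active', success meaning exactly one row affected) or a Redis WATCH/MULTI/EXEC on one key, not a global lock. Tokens are grouped into a family per login; a second presentation of an already-rotated token is treated as replay and revokes the whole family, including any descendant issued moments before. All names (RefreshTokenStore, RefreshRow, concurrent_redeem) are hypothetical.

```python
import secrets
import threading
import time
from collections import Counter
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class RefreshRow:
    family: str        # every token descended from one login shares a family id
    state: str         # "active" -> "used" (rotated) or "revoked" (family killed)
    issued_at: float


class RefreshTokenStore:
    """Constructed in-memory stand-in for a refresh-token table or Redis hash.

    The lock models the atomicity of ONE conditional row update; in a real
    deployment only the contended row is serialized, never the whole store,
    so the happy path costs a single round trip.
    """

    def __init__(self) -> None:
        self._rows: dict = {}
        self._revoked_families: set = set()
        self._lock = threading.Lock()

    def issue(self, family: Optional[str] = None) -> str:
        token = secrets.token_urlsafe(32)
        fam = family or secrets.token_hex(8)
        with self._lock:
            # A token minted for a family that was killed during the race is born dead.
            state = "revoked" if fam in self._revoked_families else "active"
            self._rows[token] = RefreshRow(fam, state, time.time())
        return token

    def _cas(self, token: str, expected: str, new: str) -> Optional[RefreshRow]:
        """Move token from `expected` to `new` atomically; None if it was not in `expected`."""
        with self._lock:
            row = self._rows.get(token)
            if row is None or row.state != expected:
                return None
            row.state = new
            return row

    def _revoke_family(self, family: str) -> None:
        with self._lock:
            self._revoked_families.add(family)
            for row in self._rows.values():
                if row.family == family:
                    row.state = "revoked"

    def redeem(self, token: str) -> Tuple[str, Optional[str]]:
        """Rotate `token`. Returns (status, new_token); status is ok/replay/revoked/invalid."""
        row = self._cas(token, "active", "used")
        if row is not None:
            return "ok", self.issue(row.family)       # the single winner of the race
        with self._lock:
            stale = self._rows.get(token)
        if stale is None:
            return "invalid", None                    # never issued, or expired and purged
        if stale.state == "used":
            # Already rotated and presented again: a stolen copy, or a client that lost
            # the rotation response. Both are treated as compromise: kill the family.
            self._revoke_family(stale.family)
            return "replay", None
        return "revoked", None                        # member of an already-killed family


def concurrent_redeem(store: RefreshTokenStore, token: str, n: int = 8):
    """n app servers redeem the same token at once; tally what each one saw."""
    barrier = threading.Barrier(n)
    results: List[Tuple[str, Optional[str]]] = []
    results_lock = threading.Lock()

    def worker() -> None:
        barrier.wait()                                # release all threads together
        outcome = store.redeem(token)
        with results_lock:
            results.append(outcome)

    threads = [threading.Thread(target=worker) for _ in range(n)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    counts = Counter(status for status, _ in results)
    new_tokens = [tok for status, tok in results if status == "ok"]
    return counts, new_tokens


if __name__ == "__main__":
    store = RefreshTokenStore()
    counts, new_tokens = concurrent_redeem(store, store.issue())
    print(dict(counts), "tokens issued to the winner:", len(new_tokens))
```

Exactly one of the racing servers gets "ok"; the first loser sees the token already in state "used" and reports "replay", which revokes the family, so the winner's freshly issued token is dead as well and the legitimate client has to re-authenticate. Latency stays low because the only write on the success path is the conditional update; the family scan runs only on the failure path.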
Hard / Technical
60 practiced
Describe a complete key and certificate lifecycle management plan for signing JWTs and for TLS certificates across development, staging, and production environments. Cover key generation and storage (KMS/HSM), automated rotation processes, CI/CD integration for deployment, emergency revocation procedures, minimizing downtime during rollovers, and how to publish and cache public keys (JWKS) safely.
Hard / System Design
61 practiced
Design an end-to-end authentication and authorization architecture for a SaaS platform with 10M users that supports web SPAs, server-rendered pages, mobile apps, third-party APIs, SSO via SAML and OIDC, social login providers, and a microservices backend. Specify token flows for user and service identities, session management choices, refresh strategies, token revocation, rate limiting, certificate/key rotation, identity provider integration patterns, and recovery plans for a major credential compromise.
Hard / System Design
50 practiced
Design an Attribute-Based Access Control (ABAC) system for a platform that requires dynamic, context-sensitive policies. Describe: a policy language/representation, how to source attributes (user, resource, environment), policy evaluation order and conflict resolution, caching for performance, attribute freshness guarantees, and how to interoperate with an existing RBAC system for backward compatibility.
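As an added example for the ABAC question above (not part of the original page), this Python sketches one concrete answer: policies as data with dotted attribute paths, attributes from three namespaces (user, resource, env) each tagged with the time they were fetched, deny-overrides conflict resolution with a default deny, a per-policy freshness bound that fails closed, and a bridge that turns an existing RBAC table into permit policies keyed on the user.roles attribute. The policy language, the RBAC_TABLE, the sample documents and all function names are constructed for illustration.

```python
import operator
import time
from dataclasses import dataclass
from typing import Any, Callable, Dict, Optional

# Comparison operators a condition may use.
OPS: Dict[str, Callable[[Any, Any], bool]] = {
    "eq": operator.eq, "ne": operator.ne, "lt": operator.lt, "ge": operator.ge,
    "in": lambda a, b: a in b,       # attribute value is a member of the literal
    "has": lambda a, b: b in a,      # attribute collection contains the literal
}


@dataclass(frozen=True)
class Attr:
    value: Any
    fetched_at: float                # when the attribute source was last consulted


@dataclass(frozen=True)
class Cond:
    attr: str                        # "user.department", "resource.owner_id", "env.hour"
    op: str
    value: Any                       # literal, or "$ns.name" to compare with another attribute


@dataclass(frozen=True)
class Policy:
    id: str
    effect: str                      # "permit" or "deny"
    actions: frozenset
    conds: tuple
    max_age: Optional[float] = None  # attributes older than this many seconds -> indeterminate


def attrs(values: dict, fetched_at: float) -> Dict[str, Attr]:
    """Wrap raw attribute values from one source with their fetch time."""
    return {k: Attr(v, fetched_at) for k, v in values.items()}


def _lookup(path: str, ctx: dict) -> Optional[Attr]:
    ns, name = path.split(".", 1)
    return ctx.get(ns, {}).get(name)


def _match(policy: Policy, action: str, ctx: dict, now: float) -> str:
    """'match', 'nomatch', or 'indeterminate' (a referenced attribute is missing or stale)."""
    if action not in policy.actions:
        return "nomatch"
    for c in policy.conds:
        a = _lookup(c.attr, ctx)
        if a is None:
            return "indeterminate"
        if policy.max_age is not None and now - a.fetched_at > policy.max_age:
            return "indeterminate"
        rhs = c.value
        if isinstance(rhs, str) and rhs.startswith("$"):   # cross-attribute reference
            other = _lookup(rhs[1:], ctx)
            if other is None:
                return "indeterminate"
            rhs = other.value
        if not OPS[c.op](a.value, rhs):
            return "nomatch"
    return "match"


def decide(policies, action: str, ctx: dict, now: Optional[float] = None):
    """Deny-overrides: any matching OR indeterminate deny wins (fail closed);
    otherwise any matching permit grants; otherwise default deny."""
    now = time.time() if now is None else now
    granted_by = []
    for p in policies:
        m = _match(p, action, ctx, now)
        if p.effect == "deny" and m in ("match", "indeterminate"):
            return "deny", f"{p.id}:{m}"
        if p.effect == "permit" and m == "match":
            granted_by.append(p.id)
    return ("permit", ",".join(granted_by)) if granted_by else ("deny", "default")


def rbac_to_policies(role_perms: Dict[str, set]):
    """Backward compatibility: each RBAC role becomes a permit policy over user.roles,
    so legacy grants keep working while new rules are written as attributes."""
    return [Policy(f"rbac:{role}", "permit", frozenset(actions), (Cond("user.roles", "has", role),))
            for role, actions in role_perms.items()]


# Constructed sample: a legacy RBAC table plus three attribute-based rules.
RBAC_TABLE = {"editor": {"doc:read", "doc:write"}, "viewer": {"doc:read"}}
POLICIES = rbac_to_policies(RBAC_TABLE) + [
    Policy("owner-delete", "permit", frozenset({"doc:delete"}),
           (Cond("user.id", "eq", "$resource.owner_id"),)),
    # Legal hold must be based on a flag no older than 30 s, or the write is refused.
    Policy("legal-hold", "deny", frozenset({"doc:write", "doc:delete"}),
           (Cond("resource.legal_hold", "eq", True),), max_age=30),
    Policy("no-delete-at-night", "deny", frozenset({"doc:delete"}),
           (Cond("env.hour", "lt", 8),)),
]
```

The fetched_at stamp is what lets a cached attribute carry its own age: a decision cache or attribute cache can serve values for performance, and each policy states how stale its inputs may be. Note the asymmetry chosen here: a stale attribute makes a permit policy silently inapplicable but makes a deny policy fire, so an outage of the legal-hold source blocks writes instead of allowing them.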
Easy / Technical
55 practiced
Define session fixation attacks and describe concrete server-side measures a full-stack application should take upon successful authentication to prevent session fixation. Provide examples for cookie-based session stores and for token-based authentication (JWTs in cookies or headers).
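As an added example for the session fixation question above (not part of the original page), the following Python puts the vulnerable login beside the hardened one for a cookie-based session store and shows the cookie attributes that go with it. The store, the scenario and the names (SessionStore, login_vulnerable, login_hardened, attacker_wins) are constructed for illustration. The same rule applies to a JWT carried in a cookie or header: at login, issue a brand-new token with a fresh jti and auth_time instead of upgrading the claims of a pre-authentication token in place.

```python
import secrets
import time
from typing import Dict, Optional


class SessionStore:
    """Constructed in-memory session store; a real app would back this with Redis or a DB."""

    def __init__(self) -> None:
        self._sessions: Dict[str, dict] = {}

    def create(self) -> str:
        sid = secrets.token_urlsafe(32)          # 256 bits from the OS CSPRNG
        self._sessions[sid] = {"created": time.time(), "user_id": None}
        return sid

    def get(self, sid: str) -> Optional[dict]:
        return self._sessions.get(sid)

    def login_vulnerable(self, sid: str, user_id: str) -> str:
        """Keeps whatever session id the request carried, even one the server never
        issued. Whoever planted that id in the victim's browser now holds a session
        authenticated as the victim."""
        sess = self._sessions.setdefault(sid, {"created": time.time(), "user_id": None})
        sess["user_id"] = user_id
        return sid

    def login_hardened(self, presented_sid: Optional[str], user_id: str) -> str:
        """Rotate the session id on every privilege change. The presented id is
        destroyed, never promoted; only harmless anonymous state is carried over."""
        old = self._sessions.pop(presented_sid, None) if presented_sid else None
        new_sid = self.create()
        sess = self._sessions[new_sid]
        if old is not None:
            sess.update({k: old[k] for k in ("cart", "locale") if k in old})
        sess["user_id"] = user_id
        sess["auth_time"] = time.time()
        return new_sid


def session_cookie(sid: str, max_age: int = 3600) -> str:
    """Set-Cookie value for the session id: unreadable by script, HTTPS only,
    not attached to cross-site POSTs. The id travels only here, never in a URL."""
    return f"sid={sid}; Path=/; Max-Age={max_age}; Secure; HttpOnly; SameSite=Lax"


def attacker_wins(hardened: bool) -> bool:
    """Fixation scenario: the attacker gets a session id of their choosing into the
    victim's browser, the victim logs in carrying it, and the attacker then
    presents that same id."""
    store = SessionStore()
    planted = secrets.token_urlsafe(32)          # known to the attacker in advance
    if hardened:
        store.login_hardened(planted, "victim")
    else:
        store.login_vulnerable(planted, "victim")
    hijacked = store.get(planted)
    return hijacked is not None and hijacked["user_id"] == "victim"


if __name__ == "__main__":
    print("vulnerable login hijacked:", attacker_wins(hardened=False))
    print("hardened login hijacked:", attacker_wins(hardened=True))
    print(session_cookie("example-id"))
```

Two details matter beyond the id rotation: the old id is removed from the store, so a planted id that the server itself had issued earlier (say, from a pre-login visit) is also worthless after the victim authenticates, and the cookie is only ever set by the server with the attributes above, which closes the URL-parameter and scripted-cookie planting routes that fixation traditionally relied on.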
