Question
Design risk-based / step-up authentication for a fintech app: most actions need only a valid session, but high-risk actions (wire transfer, changing payout bank, adding a new device) require re-verifying identity (step-up to MFA), and the risk decision must consider signals like new device, impossible-travel geovelocity, transaction amount, and recent password change. Latency budget for the risk decision is ~50ms inline with the request. Walk through how the session carries auth strength, how the risk engine decides, and how step-up is enforced without a clunky experience.
Clarify scale and constraints first. Propose a clean component breakdown, then go deep on the hard parts — data model, bottlenecks, consistency, failure modes — and name the trade-offs you are making.