Code Room
System design · Medium
Question
Design the multi-factor authentication and account-recovery subsystem for a 200M-user identity provider supporting TOTP authenticator apps, SMS/voice OTP, and hardware security keys, with brute-force and credential-stuffing protection, and a recovery flow for users who lose their second factor. The login path peaks at 100K verifications/sec. Walk through how factors are enrolled and stored, how verification stays fast and abuse-resistant, and the security trade-offs in account recovery.
What a strong answer looks like
Clarify scale and constraints first. Propose a clean component breakdown, then go deep on the hard parts — data model, bottlenecks, consistency, failure modes — and name the trade-offs you are making.