Code Room
System designHardsd-g468
Subject AuthenticationLevel Senior–Staff~50 minCommon in Security interviewsIndustries Technology

Question

Design the server side of a passkey system that must support BOTH synced passkeys (a credential that follows the user across their devices via a platform/cloud keychain) and device-bound passkeys (hardware-backed, never leaves the device — required for high-assurance enterprise tenants), for a 150M-user identity provider. The model must let a user register many credentials, let enterprise admins require device-bound + attestation, and handle the recovery nightmare: a user who loses their only device. Discuss the credential data model, how you distinguish synced vs device-bound at registration, attestation, and a recovery path that doesn't reopen a phishing hole.

What a strong answer looks like

Clarify scale and constraints first. Propose a clean component breakdown, then go deep on the hard parts — data model, bottlenecks, consistency, failure modes — and name the trade-offs you are making.

Narrate your design
Loading whiteboard…
Run or narrate your approach, then ask the coach.