Code Room
System design | Hard | sd-g473
Subject: Authentication | Level: Senior–Staff | ~50 min | Common in Security interviews | Industries: Technology

Question

Design a continuous (post-login) authentication / session-risk system: most products authenticate at login and then trust the session for hours, but you want to keep scoring a session AFTER login and demand step-up (or kill the session) the moment risk rises — e.g., the device fingerprint shifts mid-session, the IP hops countries impossibly fast, or behavior looks scripted. This runs inline for 50M sessions at ~150k actions/sec and must add <15ms to a request. Discuss the signals, where the risk model runs without blowing the latency budget, how a risk spike triggers step-up without disrupting low-risk users, and how you avoid false-positive lockouts.
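As an added example (this is not Code Room's code and not a reference answer), the block below sketches the inline part of such a design in Python: a small per-session record that lives in the session cache, three cheap signals computed from it (fingerprint shift, impossible travel, metronomic request cadence), a fast-attack/slow-decay running risk, and a two-tier decision (step-up versus terminate) with a pending-challenge flag and a post-verification grace period so that decay and noise do not un-challenge an attacker or nag a legitimate user. Every weight, threshold, constant and function name here is an assumption chosen for illustration, and the coordinates are constructed sample input.

```python
# Added example, not Code Room's code: per-action session-risk scoring.
# All weights, thresholds and names below are illustrative assumptions.
from dataclasses import dataclass, field
from math import asin, cos, radians, sin, sqrt
from statistics import pstdev

EARTH_RADIUS_KM = 6371.0
MAX_SPEED_KMH = 1000.0      # assumption: faster than an airliner => impossible travel
MIN_JUMP_KM = 50.0          # assumption: absorb geo-IP jitter (carrier NAT, city-level error)
W_FP, W_TRAVEL, W_SCRIPT = 0.7, 0.8, 0.65   # assumption: per-signal weights
STEP_UP_AT, KILL_AT = 0.6, 0.9             # assumption: decision thresholds
DECAY = 0.8                 # assumption: per-action decay of the running risk
GRACE_SECONDS = 900         # assumption: no re-challenge for 15 min after a passed step-up
WINDOW = 20                 # assumption: inter-arrival samples kept per session


def haversine_km(a, b):
    """Great-circle distance in km between two (lat, lon) points in degrees."""
    (lat1, lon1), (lat2, lon2) = a, b
    dlat, dlon = radians(lat2 - lat1), radians(lon2 - lon1)
    h = sin(dlat / 2) ** 2 + cos(radians(lat1)) * cos(radians(lat2)) * sin(dlon / 2) ** 2
    return 2 * EARTH_RADIUS_KM * asin(sqrt(h))


@dataclass
class SessionState:
    """Fixed-size per-session record: one cache read and write per action."""
    fingerprint: str                 # device fingerprint bound at login / last passed step-up
    last_geo: tuple                  # (lat, lon) of the previous action
    last_ts: float                   # unix seconds of the previous action
    gaps: list = field(default_factory=list)   # recent inter-arrival gaps in seconds
    risk: float = 0.0                # running risk in [0, 1]
    pending: bool = False            # a step-up challenge was issued and not yet passed
    verified_at: float = float("-inf")         # time of the last passed step-up


def signals_for(state, fingerprint, geo, ts):
    """Pure arithmetic over cached state; no network call on the request path."""
    fp_shift = 1.0 if fingerprint != state.fingerprint else 0.0
    dt_h = max(ts - state.last_ts, 1e-3) / 3600.0
    km = haversine_km(state.last_geo, geo)
    impossible = 1.0 if km > MIN_JUMP_KM and km / dt_h > MAX_SPEED_KMH else 0.0
    gaps = (state.gaps + [ts - state.last_ts])[-WINDOW:]
    scripted = 0.0
    if len(gaps) >= 10:                      # need a window before judging cadence
        mean = sum(gaps) / len(gaps)
        cv = pstdev(gaps) / mean if mean > 0 else 0.0
        scripted = 1.0 if cv < 0.05 and mean < 5.0 else 0.0   # metronomic and fast
    return {"fp_shift": fp_shift, "impossible_travel": impossible, "scripted": scripted}, gaps


def score_action(state, fingerprint, geo, ts):
    """Update the session record in place; return 'allow', 'step_up' or 'terminate'."""
    sig, gaps = signals_for(state, fingerprint, geo, ts)
    instant = min(1.0, W_FP * sig["fp_shift"]
                  + W_TRAVEL * sig["impossible_travel"]
                  + W_SCRIPT * sig["scripted"])
    state.risk = max(instant, DECAY * state.risk)   # react immediately, forget slowly
    state.gaps, state.last_geo, state.last_ts = gaps, geo, ts
    if state.risk >= KILL_AT:
        return "terminate"
    # A pending challenge is never undone by decay; a fresh one is suppressed
    # only inside the grace window after a step-up the user actually passed.
    if state.pending or (state.risk >= STEP_UP_AT and ts - state.verified_at > GRACE_SECONDS):
        state.pending = True
        return "step_up"
    return "allow"


def step_up_passed(state, fingerprint, ts):
    """User proved presence: rebind the session to the current device, clear risk."""
    state.fingerprint = fingerprint
    state.verified_at = ts
    state.risk = 0.0
    state.pending = False


if __name__ == "__main__":
    SF, LONDON = (37.7749, -122.4194), (51.5074, -0.1278)   # constructed sample input
    s = SessionState("fpA", SF, 0.0)
    print(score_action(s, "fpA", SF, 30.0))        # same device, same place
    print(score_action(s, "fpA", LONDON, 90.0))    # SF -> London in 60 s
    step_up_passed(s, "fpA", 95.0)
    print(score_action(s, "fpA", LONDON, 120.0))   # verified, continues normally
```

Two design choices carry the false-positive story. A single signal can only reach the step-up tier (its weight is below `KILL_AT`), so one noisy fingerprint change or geo-IP flap challenges the user instead of logging them out, while two corroborating signals (new device and impossible travel together) terminate. The `MIN_JUMP_KM` guard and the ten-sample cadence window absorb the routine noise that would otherwise dominate a 150k actions/sec stream. The `pending` flag matters for the attacker side: once a challenge is issued, decay alone never lifts it, so the gateway keeps serving the challenge until it is passed. The grace window after a passed step-up prevents challenge fatigue but is deliberately narrow in effect: it suppresses repeat step-ups only, never a terminate.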

What a strong answer looks like

Clarify scale and constraints first. Propose a clean component breakdown, then go deep on the hard parts — data model, bottlenecks, consistency, failure modes — and name the trade-offs you are making.
