Code Room
System design | Hard | sd-g680
Subject: Security | Level: Senior–Staff | ~45 min | Common in Security interviews | Industries: Technology

Question

Design a device-attestation system that lets a backend verify that a connecting client is running on genuine, unmodified hardware/software before granting access to sensitive APIs — covering 30M mobile and IoT devices. Threat model: rooted/jailbroken devices, emulators, replayed attestation tokens, and cloned device identities. Hardware capabilities vary: some devices have a TPM/secure enclave, many cheap IoT devices have none. The verification must add under 200ms to a session handshake and survive a key-extraction attempt on any single device without compromising the fleet. Cover the attestation protocol, the trust root, replay protection, and how you handle devices with no secure hardware.
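As an added sketch, not part of the original question, of the challenge-response core a strong answer would describe: the backend issues a single-use nonce bound to the claimed device identity, the device signs the nonce, its identity and a firmware measurement with a key only it holds, and the backend checks the tag, the measurement and the nonce's age. The registry, device ids, measurement strings, trust tiers and the HMAC standing in for a TPM quote or enclave signature are constructed assumptions; per-device keys mean that extracting one device's key reveals nothing about the rest of the fleet.

```python
import hmac
import hashlib
import secrets

NONCE_TTL_S = 30  # a challenge must be answered within the handshake window

# Constructed registry: device_id -> (per-device key, trust tier, approved firmware measurement).
# In production the key is a TPM/enclave public key or a KMS-held per-device secret;
# a cheap device with no secure element is enrolled with tier "software".
DEVICE_REGISTRY = {
    "dev-1": (b"k1" * 16, "hardware", b"fw-1.2.3"),
    "dev-2": (b"k2" * 16, "software", b"fw-1.2.3"),
}


def attest(key, device_id, nonce, measurement):
    """Device side. HMAC stands in for a TPM quote or enclave signature."""
    msg = nonce + device_id.encode() + measurement
    return hmac.new(key, msg, hashlib.sha256).digest()


class Verifier:
    """Backend side: issues single-use nonces and checks attestation tags."""

    def __init__(self, registry):
        self.registry = registry
        self.pending = {}  # nonce -> (device_id, issued_at): nonce is bound to an identity

    def challenge(self, device_id, now):
        nonce = secrets.token_bytes(16)
        self.pending[nonce] = (device_id, now)
        return nonce

    def verify(self, device_id, nonce, measurement, tag, now):
        """Return the device's trust tier on success, None on any failure."""
        entry = self.pending.pop(nonce, None)  # pop: each nonce is accepted at most once
        if entry is None:
            return None  # replayed, forged or already-consumed nonce
        issued_for, issued_at = entry
        if issued_for != device_id or now - issued_at > NONCE_TTL_S:
            return None  # nonce issued to another identity, or too old
        rec = self.registry.get(device_id)
        if rec is None:
            return None
        key, tier, golden = rec
        # The tag covers nonce, identity and measurement, so a tag made with another
        # device's key (cloned identity) or over modified firmware does not verify.
        if not hmac.compare_digest(attest(key, device_id, nonce, measurement), tag):
            return None
        if measurement != golden:
            return None  # genuine key, but the running image is not the approved one
        return tier
```

The returned tier lets the policy layer grant a "software"-tier device less than a "hardware"-tier one rather than treating the fleet uniformly.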

What a strong answer looks like

Clarify scale and constraints first. Propose a clean component breakdown, then go deep on the hard parts — data model, bottlenecks, consistency, failure modes — and name the trade-offs you are making.
