Code Room
System design | Hard | sd-g681
Subject: Authentication | Level: Senior–Staff | ~40 min | Common in Security interviews | Industries: Technology

Question

Design a passwordless authentication system built on WebAuthn/FIDO2 passkeys for a consumer platform with 80M users across web, iOS, and Android. It must support multiple passkeys per account, cross-device sign-in, account recovery without falling back to passwords, and resist phishing entirely. Threat model: phishing/AITM proxies, SIM-swap on any SMS fallback, lost-device lockout, and a leaked credential database. Constraints: sign-in p99 under 500ms, must interoperate with synced passkeys (iCloud/Google) and hardware security keys. Cover registration, the credential store, recovery, and the phishing-resistance property.

What a strong answer looks like

Clarify scale and constraints first (80M users, three client platforms, sign-in p99 under 500ms, synced passkeys and hardware keys both in scope). Propose a clean component breakdown, then go deep on the hard parts: the credential store data model (public keys only, so a leaked database gives an attacker nothing to replay), the registration and assertion ceremonies, a recovery path that never falls back to passwords or SMS, latency bottlenecks, consistency across regions, and failure modes such as lost-device lockout. Name the trade-offs you are making, for example synced passkeys (recoverable through the platform account) versus hardware keys (not recoverable, so they need a second registered passkey).
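The phishing-resistance property the question asks you to cover is not a feature of the passkey itself but of what the relying party checks on every assertion: the challenge is fresh, the origin in clientDataJSON (written by the browser, not the page) is one of ours, the rpIdHash in authenticatorData matches our RP ID, and the signature covers both blobs. The Go sketch below is an added example, not code from the Code Room page; it models the RP-side verification against a constructed simulated authenticator (the SimAuthenticator type, the origins, the challenge strings and the map-based clientData parsing are all assumptions for illustration, not a real WebAuthn client or library), and runs a genuine sign-in, an AITM-proxied sign-in and a replay:

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"encoding/json"
	"errors"
	"fmt"
)

// StoredCredential is all the store keeps per passkey; a leaked copy lets nobody sign in.
type StoredCredential struct {
	PublicKey *ecdsa.PublicKey
	SignCount uint32 // synced passkeys usually report 0 forever; otherwise it must only increase
}

// RelyingParty: the RP ID the passkeys were registered under and the origins allowed to use them.
type RelyingParty struct {
	RPID           string
	AllowedOrigins map[string]bool
}

// VerifyAssertion: challenge freshness, origin + RP ID binding, presence, counter, then signature.
func (rp *RelyingParty) VerifyAssertion(cred *StoredCredential, challenge string, authData, clientDataJSON, sig []byte) error {
	var cd map[string]string // minimal for the sim; real clientDataJSON also carries non-string fields
	if err := json.Unmarshal(clientDataJSON, &cd); err != nil {
		return fmt.Errorf("clientDataJSON: %w", err)
	}
	if cd["type"] != "webauthn.get" || cd["challenge"] != challenge {
		return errors.New("wrong ceremony type or stale challenge (replay)")
	}
	if !rp.AllowedOrigins[cd["origin"]] {
		return fmt.Errorf("origin %q not allowed (the browser, not the page, wrote it)", cd["origin"])
	}
	rpHash := sha256.Sum256([]byte(rp.RPID))
	if len(authData) < 37 || string(authData[:32]) != string(rpHash[:]) || authData[32]&0x01 == 0 {
		return errors.New("authenticatorData malformed, rpIdHash for another RP ID, or user not present")
	}
	count := binary.BigEndian.Uint32(authData[33:37])
	if (count != 0 || cred.SignCount != 0) && count <= cred.SignCount {
		return errors.New("signature counter did not increase: possible cloned authenticator")
	}
	cdHash := sha256.Sum256(clientDataJSON)
	digest := sha256.Sum256(append(append([]byte{}, authData...), cdHash[:]...))
	if !ecdsa.VerifyASN1(cred.PublicKey, digest[:], sig) {
		return errors.New("bad signature")
	}
	cred.SignCount = count // persist only after a fully valid assertion
	return nil
}

// SimAuthenticator is a constructed stand-in for browser + platform authenticator (assumption).
type SimAuthenticator struct {
	priv    *ecdsa.PrivateKey
	rpID    string
	counter uint32
}

// NewSimAuthenticator "registers" a P-256 passkey scoped to rpID; only the public key reaches the server.
func NewSimAuthenticator(rpID string) (*SimAuthenticator, *StoredCredential) {
	priv, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // error ignored: test fixture only
	return &SimAuthenticator{priv: priv, rpID: rpID}, &StoredCredential{PublicKey: &priv.PublicKey}
}

// Get models navigator.credentials.get(): browser stamps the real page origin, authenticator binds its RP ID, signs both.
func (a *SimAuthenticator) Get(browserOrigin, challenge string) (authData, clientDataJSON, sig []byte, err error) {
	clientDataJSON, _ = json.Marshal(map[string]string{"type": "webauthn.get", "challenge": challenge, "origin": browserOrigin})
	a.counter++
	rpHash := sha256.Sum256([]byte(a.rpID))
	var ctr [4]byte
	binary.BigEndian.PutUint32(ctr[:], a.counter)
	authData = append(append(append(authData, rpHash[:]...), 0x05), ctr[:]...) // flags: UP|UV
	cdHash := sha256.Sum256(clientDataJSON)
	digest := sha256.Sum256(append(append([]byte{}, authData...), cdHash[:]...))
	sig, err = ecdsa.SignASN1(rand.Reader, a.priv, digest[:])
	return
}

// RunScenarios: genuine sign-in, AITM-proxied sign-in, and replay of the genuine assertion.
func RunScenarios() (legit, phished, replay error) {
	rp := &RelyingParty{RPID: "example.com", AllowedOrigins: map[string]bool{"https://example.com": true}}
	auth, cred := NewSimAuthenticator(rp.RPID)
	ad, cdj, sig, _ := auth.Get("https://example.com", "chal-1") // 1. real origin, fresh challenge (constructed)
	legit = rp.VerifyAssertion(cred, "chal-1", ad, cdj, sig)
	// 2. Proxy relays a real challenge, but the victim's browser is on the proxy's origin:
	//    valid signature, broken origin binding (a real browser would refuse rpId example.com there).
	ad2, cdj2, sig2, _ := auth.Get("https://example.com.login-verify.net", "chal-2")
	phished = rp.VerifyAssertion(cred, "chal-2", ad2, cdj2, sig2)
	replay = rp.VerifyAssertion(cred, "chal-3", ad, cdj, sig) // 3. assertion 1 replayed
	return
}

func main() {
	fmt.Println(RunScenarios())
}
```

Two points worth saying out loud in the interview: the store holds public keys and counters only, which is why the leaked-database threat collapses to "nothing to replay"; and the counter check must tolerate a permanent 0 from synced passkeys while still flagging a non-increasing value from a hardware key, since that is the one cloning signal you get.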
