Code Room
System design · Medium · sd-g685
Subject: Security
Level: Mid–Senior
~35 min
Common in: Security · Reliability & on-call interviews
Industries: Technology

Question

Design a CAPTCHA / challenge service that protects high-value endpoints (signup, login, checkout, password reset) across many customer websites, issuing 1M challenges/s globally with under 100ms to render a challenge token. Threat model: automated solvers, cheap human CAPTCHA-farms, and token replay/sharing. Goals: stop bots while keeping friction near-zero for real humans (accessibility matters), and stop a solved token from being reused or transferred. Cover the challenge types, the verification/token flow, replay/transfer protection, and the score-vs-block decision.

What a strong answer looks like

Clarify scale and constraints first. Propose a clean component breakdown, then go deep on the hard parts — data model, bottlenecks, consistency, failure modes — and name the trade-offs you are making.
