InterviewStack.io LogoInterviewStack.io

Authentication and Access Control Questions

Comprehensive coverage of methods, protocols, design principles, and practical mechanisms for proving identity and enforcing permissions across systems. Authentication topics include credential based methods such as passwords and secure password storage, Multi Factor Authentication, one time passwords, certificate based and passwordless authentication, biometric options, federated identity and single sign on using Open Authorization, OpenID Connect and Security Assertion Markup Language, and service identity approaches such as Kerberos and mutual Transport Layer Security. Covers token based and session based patterns including JSON Web Token and session cookies, secure cookie practices, token lifecycle and refresh strategies, token revocation approaches, refresh token design, and secure storage and transport of credentials and tokens. Authorization and access control topics include role based access control, attribute based access control, discretionary and mandatory access control, access control lists and policy based access control, Open Authorization scopes and permission modeling, privilege management and the principle of least privilege, and defenses against privilege escalation and broken access control. The description also addresses cryptographic foundations that underlie identity systems including symmetric and asymmetric cryptography, public key infrastructure and certificate lifecycle management, secure key management and rotation, and encryption in transit and at rest. Common threats and mitigations are covered, such as credential stuffing, brute force attacks, replay attacks, session fixation, cross site request forgery, broken authentication logic, rate limiting, account lockout strategies, secrets management, secure transport, and careful authorization checks. Candidates should be able to design authentication and authorization flows for both user and service identities, evaluate protocol and implementation trade offs, specify secure lifecycle and storage strategies for credentials and tokens, and propose mitigations for common failures and attacks.

MediumTechnical
48 practiced
Design rate-limiting and account lockout thresholds given a login endpoint receiving up to 10k attempts/sec, with periodic credential-stuffing spikes. Describe a combined per-IP, per-account, and global strategy, including exponential backoff, CAPTCHA triggers, temporary lockouts, and adaptive thresholds based on risk signals. Explain how you'd tune to avoid account denial-of-service while stopping automated attacks.
HardTechnical
78 practiced
Provide a comprehensive threat model for deploying WebAuthn/FIDO2-based passwordless authentication supporting both roaming authenticators (security keys) and platform authenticators (TPM, Secure Enclave). Address phishing resistance, lost/stolen devices, account recovery, credential migration between devices, attestation privacy, and server-side verification of attestation objects.
MediumTechnical
44 practiced
You're designing an enterprise access control model for an application with complex approval workflows, many dynamic resource attributes, and frequent org changes. Compare RBAC and ABAC and decide which approach (or hybrid) you'd choose. Describe how you'd implement role or attribute administration, policy evaluation, testing, and auditing, and name trade-offs in scalability and expressiveness.
EasyTechnical
79 practiced
Compare common Multi-Factor Authentication (MFA) approaches — TOTP (time-based OTP), SMS OTP, push-based approval, and hardware-backed/U2F/WebAuthn tokens — in terms of security, usability, deployability, and attack surface. For each method, list typical threats (e.g., SIM swapping, phishing, device theft) and describe when you would choose or avoid that method for a user-facing application.
EasyTechnical
50 practiced
Explain the difference between session fixation and Cross-Site Request Forgery (CSRF). For each attack describe how it works and provide concrete mitigations at the web-stack level (server-side session handling, cookie attributes, CSRF tokens, SameSite, session rotation on privilege changes).

Unlock Full Question Bank

Get access to hundreds of Authentication and Access Control interview questions and detailed answers.

Sign in to Continue

Join thousands of developers preparing for their dream job.