InterviewStack.io LogoInterviewStack.io

Authentication and Access Control Questions

Comprehensive coverage of methods, protocols, design principles, and practical mechanisms for proving identity and enforcing permissions across systems. Authentication topics include credential based methods such as passwords and secure password storage, Multi Factor Authentication, one time passwords, certificate based and passwordless authentication, biometric options, federated identity and single sign on using Open Authorization, OpenID Connect and Security Assertion Markup Language, and service identity approaches such as Kerberos and mutual Transport Layer Security. Covers token based and session based patterns including JSON Web Token and session cookies, secure cookie practices, token lifecycle and refresh strategies, token revocation approaches, refresh token design, and secure storage and transport of credentials and tokens. Authorization and access control topics include role based access control, attribute based access control, discretionary and mandatory access control, access control lists and policy based access control, Open Authorization scopes and permission modeling, privilege management and the principle of least privilege, and defenses against privilege escalation and broken access control. The description also addresses cryptographic foundations that underlie identity systems including symmetric and asymmetric cryptography, public key infrastructure and certificate lifecycle management, secure key management and rotation, and encryption in transit and at rest. Common threats and mitigations are covered, such as credential stuffing, brute force attacks, replay attacks, session fixation, cross site request forgery, broken authentication logic, rate limiting, account lockout strategies, secrets management, secure transport, and careful authorization checks. Candidates should be able to design authentication and authorization flows for both user and service identities, evaluate protocol and implementation trade offs, specify secure lifecycle and storage strategies for credentials and tokens, and propose mitigations for common failures and attacks.

MediumTechnical
59 practiced
As a Security Architect, design an Attribute-Based Access Control (ABAC) policy set for a document management system where access depends on user role, document sensitivity label, project membership, and time-of-day. Provide sample policy expressions and describe the policy evaluation flow including PIP (attribute provider), PDP (policy decision point), and caching considerations.
HardTechnical
51 practiced
Case study: stolen refresh tokens from a mobile app store leak were used to mint access tokens and access user data. As a Security Architect, outline the incident response: immediate detection and containment steps, revocation and invalidation strategy, forensic data to collect, user communication plan, short- and long-term remediations, and changes to reduce recurrence.
MediumTechnical
44 practiced
As a Security Architect, propose defenses against credential stuffing and brute-force attacks for a public login endpoint. Include detection techniques, global vs per-account rate limiting, progressive delays or account lockout strategies, CAPTCHAs, device/IP fingerprinting, false-positive mitigation, and monitoring/alerting integration.
EasyTechnical
59 practiced
As a Security Architect, explain the practical difference between authentication and authorization across web apps, APIs, and service-to-service communication. For each layer (client, API gateway, resource server), describe where identity proofing and permission enforcement should occur, examples of mixing responsibilities that led to failures, and architectural consequences of making the wrong choice.
MediumSystem Design
49 practiced
As a Security Architect, design an MFA rollout plan for a largely remote workforce that still depends on legacy web applications without modern SSO. Describe architecture options (IdP + gateway/agents), migration phases, fallback/recovery strategies, enrollment, and how you'll measure success while balancing security and usability.

Unlock Full Question Bank

Get access to hundreds of Authentication and Access Control interview questions and detailed answers.

Sign in to Continue

Join thousands of developers preparing for their dream job.