Auth System Design

Visual Problem Diagram

[Figure: Auth System Design architecture diagram]

Scenario

Credential stuffing hits 50K logins/min with reused passwords, while legitimate users on mobile need refresh tokens that survive app restarts without keeping JWTs valid forever. Sessions, password hashing, and MFA hooks are what the interview is about, not OAuth provider logos.

Design an authentication system with registration, login, logout, password reset, and optional MFA. The security failures to design against are credential leaks and session hijacking; password hashing, refresh-token rotation, and rate limits are mandatory depth, not extras.
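The two "mandatory depth" items that defend against the stuffing burst in the scenario, password storage and login rate limiting, as an added example (not code from the page): salted scrypt from the standard library with self-describing parameters, a sliding-window limiter keyed by client IP and by account, limits checked before the expensive hash, and a dummy hash so unknown emails take as long as real ones. The scrypt cost, the per-IP and per-account budgets, the `USERS` table and the IPs are assumptions constructed for the example.

```python
import hashlib
import hmac
import os
from collections import defaultdict, deque

# Assumed scrypt cost parameters (not from the page): tune so one hash takes ~50-100 ms on your servers.
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1


def hash_password(password: str) -> str:
    """Salted scrypt; the stored string carries its parameters so cost can be raised at the next login."""
    salt = os.urandom(16)
    key = hashlib.scrypt(password.encode(), salt=salt, n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=32)
    return f"scrypt${SCRYPT_N}${SCRYPT_R}${SCRYPT_P}${salt.hex()}${key.hex()}"


def verify_password(password: str, stored: str) -> bool:
    _, n, r, p, salt, key = stored.split("$")
    cand = hashlib.scrypt(password.encode(), salt=bytes.fromhex(salt), n=int(n), r=int(r), p=int(p), dklen=32)
    return hmac.compare_digest(cand, bytes.fromhex(key))  # constant-time compare


class SlidingWindowLimiter:
    """Counts attempts per key inside a trailing window. In-process only; a fleet would use a shared store."""

    def __init__(self, limit: int, window_s: int):
        self.limit, self.window = limit, window_s
        self.hits = defaultdict(deque)

    def allow(self, key: str, now: float) -> bool:
        q = self.hits[key]
        while q and q[0] <= now - self.window:   # forget attempts that fell out of the window
            q.popleft()
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True


# Constructed user table: one account, hashed at import so the example runs offline.
USERS = {"alice@example.com": hash_password("correct horse battery staple")}
# Assumed budgets: an IP may try 20 logins/min across any accounts; one account accepts 5 tries/min.
IP_LIMIT = SlidingWindowLimiter(limit=20, window_s=60)
ACCOUNT_LIMIT = SlidingWindowLimiter(limit=5, window_s=60)
# Hash of a throwaway random password: unknown emails still pay the scrypt cost (no timing-based enumeration).
_DUMMY_HASH = hash_password(os.urandom(8).hex())


def login(email: str, password: str, client_ip: str, now: float) -> str:
    """Returns 'ok', 'rate_limited' or 'invalid'. Limits are checked before the expensive hash."""
    if not IP_LIMIT.allow(f"ip:{client_ip}", now) or not ACCOUNT_LIMIT.allow(f"acct:{email}", now):
        return "rate_limited"
    stored = USERS.get(email, _DUMMY_HASH)
    ok = verify_password(password, stored) and email in USERS
    return "ok" if ok else "invalid"   # one message for wrong user and wrong password


def simulate_stuffing(n_attempts: int) -> dict:
    """Constructed attack: one IP replays n leaked passwords against one account within a minute."""
    now = 1_000_000.0
    outcomes = [login("alice@example.com", f"leaked-pw-{i}", "203.0.113.9", now + i) for i in range(n_attempts)]
    return {
        "invalid": outcomes.count("invalid"),
        "rate_limited": outcomes.count("rate_limited"),
        # the real owner, from her own IP, mid-burst: the per-account limit locks her out too
        "legit_during_burst": login("alice@example.com", "correct horse battery staple", "198.51.100.7", now + 30),
        # once the window has slid past the burst she gets in
        "legit_after_burst": login("alice@example.com", "correct horse battery staple", "198.51.100.7", now + 70),
    }
```

`simulate_stuffing(10)` yields 5 `invalid` then 5 `rate_limited`, and the `legit_during_burst` result is the caveat to raise in the interview: a hard per-account limit is itself a denial-of-service lever against a targeted victim, which is why production systems pair it with a per-IP/ASN budget, progressive delays or a CAPTCHA step rather than a flat lockout.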

You should support email/password auth, server-side sessions, refresh tokens, and a secure password-reset flow. Be ready to compare JWTs with server sessions and to explain refresh-token rotation: each refresh token is redeemable once, and presenting an already-spent token is treated as theft and revokes the whole session.
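Refresh-token rotation with reuse detection, as an added example (not code from the page): the access token is a stateless HMAC-signed `user.exp.sig` string standing in for a JWT, verified with no store lookup; the refresh token is an opaque random value whose SHA-256 is stored server-side, so it is revocable and a database dump does not hand out live sessions. Every login starts a token family; each rotation marks the old token used and issues a successor in the same family; a replay of a spent token revokes the family for attacker and victim alike. The TTLs, the `TokenService` name, the in-memory dictionaries and the user ids are assumptions for the example.

```python
import hashlib
import hmac
import os
import secrets
from dataclasses import dataclass
from typing import Optional


@dataclass
class RefreshRecord:
    family: str        # one family per login on one device; revocation always hits the whole family
    user_id: str
    expires_at: float
    used: bool = False


class TokenService:
    """Stateless short-lived access tokens plus stateful, single-use, rotating refresh tokens."""

    def __init__(self, access_ttl: int = 600, refresh_ttl: int = 30 * 24 * 3600):
        self.key = os.urandom(32)   # assumed: loaded from a KMS/secret store in production
        self.access_ttl, self.refresh_ttl = access_ttl, refresh_ttl
        self.refresh = {}           # keyed by sha256(token), never the raw token
        self.revoked = set()        # revoked families

    @staticmethod
    def _k(token: str) -> str:
        return hashlib.sha256(token.encode()).hexdigest()

    def _issue_refresh(self, user_id: str, family: str, now: float) -> str:
        token = secrets.token_urlsafe(32)
        self.refresh[self._k(token)] = RefreshRecord(family, user_id, now + self.refresh_ttl)
        return token

    def _access(self, user_id: str, now: float) -> str:
        """HMAC-signed 'user.exp.sig': a JWT without the JSON, checkable on any node with the key."""
        payload = f"{user_id}.{int(now) + self.access_ttl}"   # assumes user_id contains no '.'
        return payload + "." + hmac.new(self.key, payload.encode(), "sha256").hexdigest()

    def login(self, user_id: str, now: float) -> tuple:
        """Each successful login starts a new family. Returns (access, refresh)."""
        return self._access(user_id, now), self._issue_refresh(user_id, secrets.token_hex(8), now)

    def rotate(self, refresh_token: str, now: float) -> tuple:
        """Exchange a refresh token exactly once; any replay revokes its whole family."""
        rec = self.refresh.get(self._k(refresh_token))
        if rec is None or now > rec.expires_at or rec.family in self.revoked:
            raise PermissionError("invalid refresh token")
        if rec.used:   # token was stolen or replayed: neither the attacker nor the victim keeps the session
            self.revoked.add(rec.family)
            raise PermissionError("refresh token reuse detected; session revoked")
        rec.used = True
        return self._access(rec.user_id, now), self._issue_refresh(rec.user_id, rec.family, now)

    def logout(self, refresh_token: str) -> None:
        """Revokes the family; already-issued access tokens stay valid until they expire (at most access_ttl)."""
        rec = self.refresh.get(self._k(refresh_token))
        if rec:
            self.revoked.add(rec.family)

    def verify_access(self, token: str, now: float) -> Optional[str]:
        """Signature first, then expiry. Returns user_id or None."""
        try:
            user_id, exp, sig = token.split(".")
            exp_ts = int(exp)
        except ValueError:
            return None
        want = hmac.new(self.key, f"{user_id}.{exp}".encode(), "sha256").hexdigest()
        return user_id if hmac.compare_digest(sig, want) and now <= exp_ts else None


def _rejected(call) -> bool:
    try:
        call()
    except PermissionError:
        return True
    return False


def demo() -> dict:
    """Constructed timeline: login, one normal rotation, a replay of the spent token, then a logout."""
    svc, now = TokenService(), 1_000_000.0
    access, r1 = svc.login("u42", now)
    out = {"access_ok": svc.verify_access(access, now) == "u42",
           "access_expired": svc.verify_access(access, now + 601) is None,
           "tampered": svc.verify_access(access.replace("u42", "u1"), now) is None}
    _, r2 = svc.rotate(r1, now + 10)                                      # normal rotation; r1 is spent
    out["reuse_caught"] = _rejected(lambda: svc.rotate(r1, now + 20))    # stolen copy of r1 replayed
    out["family_revoked"] = _rejected(lambda: svc.rotate(r2, now + 30))  # victim's r2 is dead too
    _, r3 = svc.login("u42", now + 40)                                    # fresh login = new family
    svc.logout(r3)
    out["logout_revokes"] = _rejected(lambda: svc.rotate(r3, now + 50))
    return out
```

The split answers the JWT-versus-sessions question directly: the access token carries the cost of statelessness (logout cannot recall it, so keep `access_ttl` in minutes), while the refresh token is the server-side session that can be revoked, listed per device, and killed on reuse. On mobile the refresh token is what survives app restarts; it belongs in the platform keystore, never in a plain preferences file.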

Constraints

Functional

Register, login, logout, password reset, MFA optional, session revoke

Non-functional

< 200 ms login p95, resist brute force, secure password storage, 99.99% auth availability

Scale

10M users, 1K logins/s peak, global sessions

Stages ahead

1. Requirement Analysis
2. API Design
3. High-Level Design
4. HLD Extensions
5. Trade-offs