What is multi-factor authentication (MFA) and why is it important?

Authentication & OAuth Interview Questions

  1. [JUNIOR] What is authentication and how does it differ from authorization?
  2. [JUNIOR] What is OAuth and what problem does it solve?
  3. [JUNIOR] What is a JSON Web Token (JWT) and what is its structure?
  4. [MID] How does the OAuth 2.0 Authorization Code grant flow work step by step?
  5. [MID] What is PKCE (Proof Key for Code Exchange) and how does it enhance OAuth 2.0 security?
  6. [JUNIOR] What are the main components (roles) of the OAuth 2.0 framework?
  7. [JUNIOR] What is the difference between access tokens and refresh tokens?
  8. [JUNIOR] What is session-based authentication and how does it work?
  9. [JUNIOR] What is token-based authentication and how does it differ from session-based authentication?
  10. [MID] How do refresh tokens work in OAuth 2.0 and what is their lifecycle?
  11. [MID] How does the state parameter prevent CSRF attacks in OAuth flows?
  12. [MID] How do you handle token expiration and renewal in an application?
  13. [MID] How do you store JWTs securely on the client side?
  14. [SENIOR] How would you implement OAuth 2.0 in a microservices architecture with secure token propagation?
  15. [SENIOR] How do you invalidate or revoke JWT tokens given that they are stateless?
  16. [SENIOR] What are the main security vulnerabilities in OAuth 2.0 and how can you mitigate them?
  17. [JUNIOR] What is the purpose of the client ID and client secret in OAuth?
  18. [JUNIOR] What is the purpose of the redirect URI in the OAuth flow?
  19. [JUNIOR] What are scopes in OAuth and why are they important?
  20. [JUNIOR] What is OpenID Connect (OIDC) and how does it relate to OAuth 2.0?
  21. [JUNIOR] What is single sign-on (SSO) and how does it benefit users?
  22. [MID] How does the Implicit grant flow work and why is it no longer recommended?
  23. [MID] How does the Client Credentials grant flow work and when is it appropriate to use it?
  24. [MID] How does JWT compare to session-based authentication in terms of security and scalability?
  25. [MID] What are JWT claims and what are the commonly used standard claims such as iss, sub, aud, and exp?
  26. [MID] What is the role of the ID Token in OpenID Connect and what information does it contain?
  27. [MID] How can you revoke an access token in OAuth 2.0?
  28. [SENIOR] How do you protect against token leakage and token theft in OAuth implementations?
  29. [SENIOR] How would you implement logout functionality in an OAuth 2.0 and OpenID Connect application?
  30. [SENIOR] How do you implement role-based access control (RBAC) using OAuth scopes and JWT claims?
  31. [SENIOR] How do you implement OAuth 2.0 with PKCE in single-page and mobile applications?
  32. [SENIOR] How would you design an OAuth solution that safeguards against cross-site request forgery (CSRF) attacks?
  33. [JUNIOR] What is multi-factor authentication (MFA) and why is it important?
  34. [JUNIOR] What are HTTP status codes 401 and 403 and how do they relate to authentication and authorization?
  35. [MID] What is the difference between symmetric and asymmetric signing algorithms in JWT?
  36. [MID] How does OAuth support single sign-on (SSO) across multiple applications?
  37. [SENIOR] How would you design an API gateway to manage OAuth and OIDC flows for access control?
  38. [SENIOR] How do you implement token introspection in OAuth 2.0 and when is it needed?
  39. [SENIOR] How would you implement JWT key rotation and what are the considerations?
  40. [SENIOR] What are the best practices for OAuth token expiration and refresh strategies in distributed systems?
  41. [EXPERT] What are the trade-offs between stateful and stateless authentication architectures at scale?
  42. [JUNIOR] What is the difference between OAuth 1.0 and OAuth 2.0?
  43. [MID] How does the Resource Owner Password Credentials flow work and when should it be used?
  44. [MID] How does OAuth differ from SAML as an authentication and authorization protocol?
  45. [MID] What is the difference between opaque tokens and JWTs?
  46. [MID] What is the UserInfo endpoint in OpenID Connect and how is it used?
  47. [SENIOR] What is the purpose of the kid (Key ID) header parameter in JWT key management?
  48. [SENIOR] What are Pushed Authorization Requests (PAR) and how do they improve OAuth security?
  49. [SENIOR] What is token exchange in OAuth 2.0 and when would you use it in a microservices architecture?
  50. [SENIOR] How do you handle JWT validation in load-balanced environments?
  51. [EXPERT] What is the difference between JWE (JSON Web Encryption) and JWS (JSON Web Signature) and when would you use each?
  52. [EXPERT] How would you implement a zero-trust authentication architecture using OAuth 2.0 and JWT?
  53. [EXPERT] How would you implement cross-origin single sign-out across multiple services in an OIDC system?
  54. [EXPERT] How do you implement OAuth and OIDC for federated identity across multiple identity providers?
  55. [EXPERT] How do you design a token revocation mechanism that scales in a distributed system?
  56. [MID] How does the OAuth bearer token differ from the MAC token?
  57. [EXPERT] How do you handle JWT clock skew and time synchronization issues in distributed systems?
  58. [EXPERT] What is the back-channel logout mechanism in OpenID Connect and how does it work?
  59. [EXPERT] What are the OIDC response types and how do they affect authentication flows including the Hybrid Flow?
  60. [EXPERT] How would you implement the OAuth 2.0 Device Authorization grant for input-constrained devices?
  61. [EXPERT] What is Dynamic Client Registration in OpenID Connect and when would you use it?
  62. [EXPERT] How would you prepare JWT implementations for post-quantum cryptographic algorithms?