Auth/IAM Questions

Usability

User roles

  • What different types of users will be using the app, and what are their specific roles and responsibilities?
  • How will user roles and permissions be defined and managed within the app?
  • How will user authentication and authorization be handled?
  • Will there be any restrictions or limitations on certain actions or functionality based on user role?
  • How will you handle a user's role changing or their access needing to be revoked?
  • How will the app ensure that sensitive data is only accessible to authorized users?
  • How will the app ensure that users can only access data or functionality that is relevant to their role?

How will the app handle situations where:

  • a user is locked out of their account?
  • a user has forgotten their password?
  • a user is logged in from multiple devices?
  • a user has lost their phone with the MFA authenticator?
  • a user's role changes?
  • a user's role is changed by an administrator?
  • a user is suspected of malicious behavior?
  • a user has tried to log in 100 times in the past 5 minutes?
  • a user is added to or removed from a group with specific permissions?
  • a user's role is changed based on certain conditions or triggers?
  • a user has multiple roles?
  • a user has different roles on different parts of the app?
  • a user is part of different user groups?
  • a user is in nested user groups?
  • a user's role changes dynamically depending on certain actions?
  • a user has to switch between different roles permanently?
  • a user has to switch between different roles temporarily?
  • a user's role is changed based on their job function or department?
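
Several of the scenarios above (multiple roles, nested groups, temporary role switches, revocation) come down to one question: how are a user's effective permissions computed at request time? The following is an added example, not code from the original page; the policy tables, group names and the fixed clock are constructed, and the model (roles carry permissions, groups carry roles and nest through parents, temporary grants carry an expiry, revocation overrides everything) is an assumption chosen to cover those scenarios.

```python
"""Effective-permission resolution for an RBAC model with nested groups,
multiple roles per user, temporary role grants with an expiry, and revocation."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
# Constructed sample policy: roles map to permissions; groups nest via parents.
ROLE_PERMS = {
    "viewer": {"report:read"},
    "editor": {"report:read", "report:write"},
    "admin": {"report:read", "report:write", "user:manage"},
}
GROUP_ROLES = {"staff": {"viewer"}, "analysts": {"editor"}, "leads": set()}
GROUP_PARENTS = {"analysts": {"staff"}, "leads": {"analysts"}}  # child -> parents
NOW = datetime(2024, 1, 1, tzinfo=timezone.utc)      # fixed clock for the demo
ONE_HOUR = timedelta(hours=1)

@dataclass
class User:
    name: str
    groups: set = field(default_factory=set)
    direct_roles: set = field(default_factory=set)
    temp_roles: dict = field(default_factory=dict)   # role -> expiry (UTC)
    revoked: bool = False

def expand_groups(groups):
    """Collect all inherited groups by walking parent links; 'seen' guards cycles."""
    seen, stack = set(), list(groups)
    while stack:
        g = stack.pop()
        if g in seen:
            continue
        seen.add(g)
        stack.extend(GROUP_PARENTS.get(g, ()))
    return seen

def effective_roles(user, now=NOW):
    if user.revoked:
        return set()                       # deactivation overrides every grant
    roles = set(user.direct_roles)
    for g in expand_groups(user.groups):
        roles |= GROUP_ROLES.get(g, set())
    roles |= {r for r, exp in user.temp_roles.items() if exp > now}  # drop expired
    return roles

def effective_permissions(user, now=NOW):
    return set().union(*(ROLE_PERMS.get(r, set()) for r in effective_roles(user, now)))

def can(user, perm, now=NOW):
    return perm in effective_permissions(user, now)
```

Because permissions are derived on every call rather than cached on the session, a revocation or an expired temporary grant takes effect at the next check, which is the property the "role changes" and "access revoked" questions are really asking about.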

  • Is the login process easy to understand and navigate for users?
  • Are there clear instructions and error messages provided to guide users through the login process?
  • Are there multiple ways to log in (such as with a username and password, or through a third-party service like Google or Facebook) to accommodate different user preferences?
  • Is the system able to handle forgotten passwords and account recovery?
  • Is the system able to handle multiple user roles and permissions and provide personalized experiences?
  • Are there any security measures in place, such as two-factor authentication or password strength checks, to protect user accounts?
  • How long does the login process take? Is it fast and efficient or slow and cumbersome?
  • Are there any accessibility features, such as support for screen readers, for users with disabilities?
  • How does the system handle session management, such as automatic logout or "remember me" functionality?
  • How does the system handle and store sensitive data, such as passwords?

Cost

  • What is the pricing model for the service? Is it a one-time cost, a monthly or annual subscription, or based on usage?
  • How many users will be accessing the system? Will the cost increase as the number of users increases?
  • Is there a free trial or a free version of the service available?
  • Are there any additional costs for features such as multi-factor authentication or integration with other services?
  • Are there any costs for scalability, such as increased server capacity or additional data storage as the number of users increases?
  • Are there any costs for technical support or training?
  • Are there any hidden costs, such as costs for additional API calls or data transfer?
  • Are there any costs associated with maintaining, monitoring and managing the service?
  • How does the cost of the service compare to other similar services on the market?
  • Are there any costs for compliance, security and data privacy?
  • Are there any costs for integrating the authentication service with other systems, such as a database or a single sign-on service?
  • Are there any costs for customizing the authentication service to meet specific needs or requirements?
  • Are there any costs for user account management, such as creating and deleting user accounts?
  • Are there any costs for data backups and disaster recovery in case of service failure?

Reliability

  • What is the availability of the service?
  • Is there any planned or unplanned downtime?
  • How does the service handle traffic spikes and high usage?
  • Is it able to scale to meet increased demand?
  • How does the service handle and recover from failures?
  • Is there a disaster recovery plan in place?
  • How does the service handle security breaches and unauthorized access attempts?
  • What are the service level agreements (SLAs) for uptime, response time, and data integrity?
  • What is the service's track record for uptime, response time, and data integrity?
  • Is there any historical data or are there records to support its reliability?
  • Are there any security certifications or accreditations held by the service?
  • How is the service monitored and maintained? Are there any proactive measures in place to prevent failures?
  • How does the service handle data backups and restores?
  • How does the service handle compliance and regulatory requirements?

Operations

  • How does the service integrate with existing DevOps and Continuous Integration/Continuous Deployment (CI/CD) processes?
  • How is the service deployed and configured in different environments? Are there any specific requirements or dependencies?
  • How is the service monitored and managed in production? Are there any specific tools or frameworks used?
  • How is the service updated and patched? Are there any specific procedures or best practices?
  • Are there any specific operational requirements, such as load balancing or auto-scaling?
  • Are there any specific security or compliance requirements that need to be considered for the service?
  • How is the service backed up and how often? How is it tested and restored?
  • How is the service's performance and health monitored, and what are the metrics used?
  • How is the service's security monitored and what are the measures in place for incident response?
  • How is the service's documentation and knowledge-base maintained? How is it shared and distributed among the team?

Performance

  • What is the maximum number of concurrent users that the Auth service can support?
  • What is the response time for a successful authentication request?
  • What is the average latency for an authentication request?
  • What is the system architecture for the Auth service?
  • Does the Auth service use caching to improve performance?
  • Does the Auth service support load balancing?
  • Does the Auth service support redundancy to ensure uptime?
  • Is there any authentication throttling to prevent brute force attacks?
  • What authentication protocols are supported by the Auth service?
  • How is the authentication data secured?
  • What is the average time to authenticate a user?
  • Are there any rate limits on authentications?
  • How much latency is added due to authentication requests?
  • Is there an authentication timeout configured?
  • Does the Auth service support two-factor authentication?

Security

  • What authentication protocols are supported?
  • How is user identity verified?
  • Is two-factor authentication supported?
  • Are logins tracked and monitored?
  • Are there password policies in place?
  • Are there rate limits on failed logins?
  • Are there audit logs in place to monitor activity?
  • How is user data stored and encrypted?
  • Are there any additional measures in place to protect user identity?
  • Are there any additional authentication requirements for privileged users?
  • Is there an approval process for new users?
  • Are there any restrictions on the number of active sessions per user?
  • How often are passwords required to be changed?
  • Is there any provision for password recovery or reset?
  • Is there an expiry date for user accounts?
  • Are there any restrictions on user account sharing?
  • Are there any restrictions on the use of weak passwords?
  • Are there any restrictions on the use of public networks for authentication?
  • Is there any provision for user revocation or deactivation?
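
The questions on rate limits for failed logins (here and under Performance) and the "100 attempts in 5 minutes" scenario call for a concrete throttle. The following is an added example, not code from the original page: a per-account sliding window replayed over constructed login events; the failure budget of 10 and the 15-minute lockout are assumed values, not figures from the page.

```python
"""Sliding-window throttle for failed logins, replayed over constructed auth
events; an account is locked once it exceeds the failure budget in the window."""
from collections import defaultdict, deque

WINDOW_SECONDS = 300   # the 5-minute window from the scenario list
MAX_FAILURES = 10      # assumed budget; tune to your own risk appetite
LOCK_SECONDS = 900     # assumed lockout duration

class LoginThrottle:
    def __init__(self):
        self.failures = defaultdict(deque)   # account -> failure timestamps
        self.locked_until = {}               # account -> unlock time

    def _prune(self, account, now):
        q = self.failures[account]
        while q and now - q[0] > WINDOW_SECONDS:
            q.popleft()                     # forget failures outside the window

    def is_locked(self, account, now):
        return self.locked_until.get(account, 0) > now

    def record(self, account, ok, now):
        """Return 'locked', 'allowed' or 'denied' for this attempt."""
        if self.is_locked(account, now):
            return "locked"                 # even a correct password is refused
        if ok:
            self.failures[account].clear()  # success resets the counter
            return "allowed"
        self._prune(account, now)
        self.failures[account].append(now)
        if len(self.failures[account]) >= MAX_FAILURES:
            self.locked_until[account] = now + LOCK_SECONDS
            self.failures[account].clear()
            return "locked"
        return "denied"

def replay(events):
    """Feed (timestamp, account, success) events, in time order, through one throttle."""
    t = LoginThrottle()
    return [(ts, acct, t.record(acct, ok, ts)) for ts, acct, ok in sorted(events)]

# Constructed sample: 'bob' fails ten times in two minutes, then gets it right;
# 'carol' fails twice, more than five minutes apart, and then succeeds.
SAMPLE_EVENTS = [(i * 12, "bob", False) for i in range(10)] + [
    (130, "bob", True), (0, "carol", False), (400, "carol", False), (410, "carol", True)]
```

A lock keyed only on the account name lets anyone who knows a username lock that user out, so in practice this counter is combined with a per-source limit and with the account-recovery flow asked about above; the "locked" result is also the event worth forwarding to the audit log the security questions mention.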