Design a Secure Identity Management System

Functional Requirements:

• Users can register and create an account with a unique username and password.
• Users can log in to the system securely.
• Support for Multi-Factor Authentication (MFA) during login (e.g., SMS OTP or authenticator app).
• Users can reset their password securely if forgotten.
• The system issues an access token (e.g., OAuth2) upon successful authentication for use with third-party services.
• Admins can deactivate or lock user accounts.
• Out of scope: Full identity lifecycle management (e.g., user provisioning, deprovisioning), threat detection, and advanced analytics.

Non-Functional Requirements:

• High availability: The system should be available 99.9% of the time.
• Scalability: Must support up to 10 million users and 100,000 logins per day.
• Consistency: User authentication and account status changes (e.g., lockout) must be strongly consistent.
• Security: All sensitive data (passwords, tokens) must be encrypted at rest and in transit.
• Response time: Authentication requests should complete within 200ms under normal load.
• Auditability: All authentication attempts and account changes should be logged for audit purposes.