Shopify (Identity)
Internship, 01-2025 to 04-2025

In Winter 2025, I joined Shopify as a Software Engineering Intern on the Identity (Merchant Authn) team. This team manages the authentication infrastructure for millions of merchants. My role focused on hardening account security, integrating identity verification into financial flows, and improving the resilience of the authentication platform.

Account Security

Implemented strict MFA safeguards and global session revocation to prevent attacks.

Trust Battery

Gated sensitive onboarding flows behind robust identity verification checks.

Infrastructure

Led dev migration from virtual environments to local development.

Resilience

Patched race conditions and connection limits to stabilize authentication.

Account Security

With a platform the size of Shopify, protecting merchant accounts from takeover attacks is critical. I engineered several proactive security controls to mitigate vulnerabilities regarding Multi-Factor Authentication (MFA) state management.

MFA State Logic

I identified and patched a logical gap in the session management flow. Previously, if a user removed a security key or 2FA method, their existing sessions remained active. I implemented a global session revocation pattern: now, when the last MFA method is removed, the system automatically invalidates all other active sessions, ensuring that a bad actor cannot maintain access via a stale session after compromising credentials.

Pre-Action Verification

To prevent "lockout" attacks (where an attacker gains access and immediately enables 2FA to lock out the rightful owner), I introduced a verification gate. I added a middleware check that requires the account email to be fully verified before any MFA settings can be modified. This ensures that the actor modifying security settings is confirmed to be the account owner or at least has another backup method to access their account.

Method Guardrails

I also implemented guardrails to prevent users from entering invalid security states. For example, I added logic to prevent "Push Notification" auth from being the sole MFA method, as this creates a reliability risk if the user loses their specific device.
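The three controls described in the MFA State Logic, Pre-Action Verification and Method Guardrails sections, combined into one added Ruby example. This is illustrative code, not Shopify's; the Account and Session structs, the MfaSettingsService name and the in-memory session store are all assumptions.

```ruby
# Added example (not Shopify's code): an MFA settings service enforcing
# (1) global session revocation when the last factor is removed,
# (2) a verified-email gate before any MFA change, and
# (3) a guardrail against push notification being the sole factor.
# Account/Session are in-memory stand-ins for the real models (assumed).

class MfaPolicyError < StandardError; end

Account = Struct.new(:email_verified, :mfa_methods, :sessions, keyword_init: true)
Session = Struct.new(:id, :revoked, keyword_init: true)

class MfaSettingsService
  METHODS = %i[totp security_key push sms].freeze

  def initialize(account, current_session_id)
    @account = account
    @current_session_id = current_session_id
  end

  # Control 2: pre-action verification. Any change to MFA settings requires a
  # verified email, so an actor holding only a password cannot lock the owner
  # out by enrolling a second factor the owner does not control.
  def enroll(method)
    require_verified_email!
    raise MfaPolicyError, "unknown method #{method}" unless METHODS.include?(method)
    @account.mfa_methods << method unless @account.mfa_methods.include?(method)
    :enrolled
  end

  def remove(method)
    require_verified_email!
    raise MfaPolicyError, "#{method} is not enrolled" unless @account.mfa_methods.include?(method)
    remaining = @account.mfa_methods - [method]

    # Control 3: method guardrail. Push may be a second factor but never the
    # only one, since losing the device would strand the merchant.
    if remaining == [:push]
      raise MfaPolicyError, "push notification cannot be the sole MFA method"
    end

    @account.mfa_methods.replace(remaining)

    # Control 1: global session revocation. Dropping the last factor lowers the
    # account's assurance level, so every other session is ended; a stale
    # session cannot keep riding on the old MFA state.
    if remaining.empty?
      revoke_other_sessions
      return :removed_and_sessions_revoked
    end
    :removed
  end

  private

  def require_verified_email!
    return if @account.email_verified
    raise MfaPolicyError, "verify the account email before changing MFA settings"
  end

  # Keeps the session performing the change alive, revokes all others.
  def revoke_other_sessions
    @account.sessions.each { |s| s.revoked = true unless s.id == @current_session_id }
  end
end

# Constructed fixture so the example runs stand-alone.
def build_account(email_verified: true, methods: [:totp, :push])
  Account.new(
    email_verified: email_verified,
    mfa_methods: methods.dup,
    sessions: [Session.new(id: "s1", revoked: false), Session.new(id: "s2", revoked: false)]
  )
end
```

Starting from an account with TOTP and push enrolled, removing TOTP is refused (push would be left alone), removing push is allowed, and removing the now-last TOTP succeeds but revokes every session except the one making the change.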

Financial Identity Flows

Shopify Payments allows merchants to manage their finances directly on the platform. Because of the sensitive nature of banking data, the onboarding process requires strict identity proofs.

I worked on integrating the Identity service with the Shopify Payments onboarding flow. This involved leveraging Shopify's internal "Trust Battery" system. I built the backend mutations to gate sensitive banking onboarding steps behind strict email and user verification checks.

This required handling complex edge cases, such as handling errors when the Trust Battery service was unreachable or when a user's verification state was in flux during the API call.
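A fail-closed gate for a sensitive onboarding step that depends on an identity-verification service, as an added Ruby example that is not Shopify's code. The TrustBatteryClient below is a hypothetical stand-in for the real service (it simulates healthy, timing-out and unreachable backends), and the BankingOnboardingGate name and the decision symbols are assumptions.

```ruby
# Added example (not Shopify's code): gating a banking onboarding step on
# verification state, handling an unreachable service and a verification
# that is mid-update. TrustBatteryClient is a stand-in (assumed).

require "timeout"

class ServiceUnavailable < StandardError; end

# Stand-in for the verification service. `mode` lets the example simulate a
# healthy, a slow (timing out) and an unreachable backend.
class TrustBatteryClient
  Verification = Struct.new(:email_verified, :user_verified, :in_flux, keyword_init: true)

  def initialize(mode: :healthy, verification: nil)
    @mode = mode
    @verification = verification
  end

  def fetch(_user_id)
    case @mode
    when :healthy then @verification
    when :timeout then raise Timeout::Error, "trust battery timed out"
    when :down    then raise ServiceUnavailable, "trust battery unreachable"
    end
  end
end

# Returns a symbolic decision the mutation layer maps to a user error; only
# :allowed lets the banking step proceed. Any failure to obtain a definitive
# answer blocks the step (fail closed) instead of treating unknown as verified.
class BankingOnboardingGate
  DECISIONS = %i[allowed email_unverified user_unverified verification_pending service_unavailable].freeze

  def initialize(client)
    @client = client
  end

  def check(user_id)
    v = @client.fetch(user_id)
    return :service_unavailable if v.nil?
    # A verification that is mid-update is reported as pending rather than
    # reading a half-written state as either pass or fail.
    return :verification_pending if v.in_flux
    return :email_unverified unless v.email_verified
    return :user_unverified unless v.user_verified
    :allowed
  rescue Timeout::Error, ServiceUnavailable => e
    # Log and deny: the caller gets a retryable decision, not a stack trace.
    warn "trust battery check failed for #{user_id}: #{e.message}"
    :service_unavailable
  end

  # Message the mutation would surface for each decision (nil when allowed).
  def self.user_message(decision)
    {
      allowed: nil,
      email_unverified: "Verify your email address before adding banking details.",
      user_unverified: "Complete identity verification before adding banking details.",
      verification_pending: "Your verification is still being processed. Try again shortly.",
      service_unavailable: "We couldn't confirm your verification status. Please try again in a few minutes."
    }.fetch(decision)
  end
end
```

The important design choice is that the two failure cases the text mentions, an unreachable service and a state in flux, both produce a distinct non-allowed decision with a retry-oriented message, rather than an exception or a silent pass.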

Infrastructure & Reliability

Beyond feature work, I contributed to the stability and developer experience of the Identity platform.

Database Resilience

At Shopify's scale, "edge cases" happen every minute. I investigated and fixed several concurrency and volume-related errors:

  • Connection Limits: I implemented rescue logic for Trilogy::ProtocolError ("Too many connections") to gracefully handle spikes in authentication traffic without crashing the request.
  • Race Conditions: I patched a UUID duplication error that occurred during high-concurrency identity synchronization events.
  • SMS Throttling: I fixed a LimitExceeded exception in the SMS verification flow, ensuring that users hitting rate limits received helpful feedback rather than generic system errors.
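The three failure modes in the list above, each handled with a small resilience pattern, as an added Ruby example that is not Shopify's code. The exception classes are defined here as stand-ins so the example runs without the trilogy or SMS-provider gems (the real classes would be rescued the same way); the AuthResilience module, the retry counts and the backoff schedule are assumptions.

```ruby
# Added example (not Shopify's code): bounded retry on "Too many
# connections", UUID regeneration on a duplicate-key race, and translating
# an SMS rate-limit exception into actionable user feedback.

require "securerandom"

# Stand-ins so the example runs offline; the real Trilogy::ProtocolError
# and the adapter/provider errors are rescued identically.
unless defined?(Trilogy::ProtocolError)
  module Trilogy
    class ProtocolError < StandardError; end
  end
end
class DuplicateKeyError < StandardError; end  # stand-in: DB unique-constraint violation
class LimitExceeded < StandardError; end      # stand-in: SMS provider rate limit
class UserFacingError < StandardError; end

module AuthResilience
  MAX_ATTEMPTS = 3
  TOO_MANY = /Too many connections/

  # 1. Connection limits: a "Too many connections" error during a traffic
  # spike is transient, so the operation is retried a bounded number of times
  # with exponential backoff instead of failing the request. Any other
  # ProtocolError is a real fault and is re-raised immediately.
  def self.with_connection_retry(sleeper: ->(s) { sleep(s) })
    attempts = 0
    begin
      attempts += 1
      yield
    rescue Trilogy::ProtocolError => e
      raise unless e.message =~ TOO_MANY && attempts < MAX_ATTEMPTS
      sleeper.call(0.05 * (2**(attempts - 1)))
      retry
    end
  end

  # 2. Race conditions: two concurrent sync events can both try to insert a
  # record under the same id. Let the database's unique constraint arbitrate,
  # and on a duplicate-key error generate a fresh UUID and try again rather
  # than failing the whole synchronization.
  def self.insert_with_fresh_uuid(store, attempts: MAX_ATTEMPTS)
    attempts.times do
      uuid = SecureRandom.uuid
      begin
        return store.insert(uuid)
      rescue DuplicateKeyError
        next
      end
    end
    raise DuplicateKeyError, "could not allocate a unique id after #{attempts} attempts"
  end

  # 3. SMS throttling: translate the provider's LimitExceeded into a message
  # the user can act on, keeping provider internals out of the response.
  def self.send_verification_sms(provider, phone)
    provider.send_code(phone)
    :sent
  rescue LimitExceeded
    raise UserFacingError, "Too many codes were requested for this number. Wait a few minutes and try again."
  end
end
```

The sleeper is injectable so the backoff can be disabled in tests; in production the default `sleep` is used. Retries are deliberately bounded: an unbounded retry under a connection-exhaustion event only adds to the pile-up.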

"Return to Local Dev"

I helped lead the migration of the Identity service from cloud-based virtual environments back to local development. This was a significant infrastructure effort to reduce latency and cloud costs for the engineering team. I updated the environment configurations and resolved dependency conflicts to ensure that Identity could spin up reliably on local machines. This was part of an ongoing effort at Shopify to move all repositories into a single monorepo structure, all on local development.

The Experience

This was my first formal internship, and it was a crash course in engineering at scale. Working on the Identity team taught me that security isn't just about encryption; it's also about handling state changes carefully and efficiently.

In addition to security-specific domain knowledge, I learned how to navigate a massive codebase, how to write clean, maintainable code, and how to communicate meaningfully across different teams.

Fun Stuff

Interning at Shopify was a lot of fun. They have a great environment for interns that allows us to work on real projects with good mentorship while also allowing us to meet other interns and build lasting connections. They provided monthly meetup budgets for us to hang out and also a pretty hefty book budget to buy books that are either career or personal development related.

I absolutely loved the experience and I would definitely recommend it to anyone looking for a great internship experience. In fact, I ended up accepting a return offer and will be returning to Shopify in Fall of 2025!

Big shout-out to my mentor Derek Yu, who is basically the king of Identity. He has insane amounts of domain knowledge, and I'm very thankful to have been able to learn from him during my term.