figma guide

Designing active sessions and device management UI in Figma: trusted devices, sign out everywhere, and session lists

Design active sessions and device management UI in Figma with session lists, trusted devices, sign-out-everywhere actions, and Dev Mode specs for account security flows.

Published
Updated
Jul 08, 2026
Read time
7 min
Level
Beginner

Quick answer

Active sessions and device management UI shows users where they are signed in, which devices are trusted, and how to revoke access—usually under Account → Security → Sessions or Devices. Design a session list with device name, browser/OS, location (approximate), last active time, and a This device badge on the current session. Add Revoke per row, Sign out everywhere else, and optional Trust this device for skipping MFA on known hardware. Pair with session timeout (idle expiry) and security settings (2FA enrollment)—this page is about visibility and control, not re-login prompts. Start from the Figma guides hub.


Who this is for

  • Product designers building “Where you’re signed in” pages for SaaS, ecommerce, and banking-style apps.
  • Design system teams separating session lists from login history and audit logs.
  • Engineers implementing session revocation, device fingerprints, refresh-token rotation, and trusted-device cookies.

Sessions vs timeout vs audit log

SurfaceUser questionPrimary action
Active sessions list”Where am I logged in right now?”Revoke one session or all others
Session timeout UI”Will I lose my cart if I go idle?”Extend session or re-login
Security audit log”What security events happened?”Read-only history
Connected accounts”Which OAuth apps have access?”Disconnect third-party app
Passkeys / 2FA settings”How do I sign in more securely?”Enroll credentials

Verdict: do not merge active sessions with login history in one table—live sessions need revoke actions; history is read-only. Link between them with “View security activity” if you ship an audit log.


Session list row anatomy

PartSpecNotes
Device label”Chrome on macOS” or user-editable nameParse UA; allow rename
Current badge”This device” on active rowOnly one per account
LocationCity + country (IP-derived)”~ Vancouver, CA” with tooltip on accuracy
Last activeRelative time”Active now” vs “3 days ago”
Sign-in methodPassword, passkey, SSO, OAuthIcon + short label
Revoke actionText button or iconConfirm modal for current device
Trusted indicatorShield or “Trusted” chipOptional MFA skip
SessionListRow
├── Variant: isCurrent=true | false
├── Variant: trusted=true | false
├── Variant: state=active | idle | expired
└── Layers:
    ├── DeviceIcon (desktop | mobile | tablet)
    ├── DeviceLabel
    ├── CurrentBadge (conditional)
    ├── MetaLine (location · last active)
    ├── AuthMethodChip
    └── RevokeButton

Page layout patterns

PatternBest forLayout
Flat session listConsumer apps, 1–5 devicesCard list under Security
Grouped by deviceMultiple browsers per machineCollapse Chrome + Safari under “MacBook Pro”
Tabs: Sessions / DevicesEnterprise with MDMSessions = browsers; Devices = enrolled hardware
Empty stateNew account, single session”You’re only signed in here” + security tips
Loading skeletonSlow geo lookup3–4 placeholder rows

Link early in the intro to account dashboard navigation so Security → Sessions is discoverable from My Account sidebars.


Sign out everywhere and bulk revoke

ActionScopeConfirmation
Revoke sessionOne rowModal: “Sign out Chrome on Windows?”
Sign out all other sessionsAll except currentPrimary destructive; list count in copy
Sign out everywhereIncluding currentFull-page redirect to login
Revoke after password changeBackend autoBanner: “Other sessions were signed out”

Copy example: “Sign out of 4 other sessions. You’ll stay signed in on this Mac.”

For revoking the current session, mirror session expired—redirect to login with returnUrl if the user cancels mid-flow.


Trusted devices and MFA skip

StateUIBehavior
Trust promptCheckbox on login after MFA”Don’t ask again on this device for 30 days”
Trusted listSubsection under sessionsRemove trust = require MFA next login
Trust expiredRow shows “Trust expired”No revoke—session may still be active
Corporate policyHide trust optionSSO-only tenants disable consumer trust

Document in Dev Mode: trusted device is not the same as remember me cookie—different TTL and revocation path. Cross-link passkeys when device-bound credentials replace trust cookies.


SSO and enterprise session nuances

CaseDesign note
IdP session still validRevoking app session may not log out Okta—explain in help text
Multiple org membershipsFilter sessions by workspace/tenant
Admin force sign-outMember sees forced logout banner
Concurrent session limitsError on login: “Too many devices—revoke one in settings”

Pair with SSO login when workforce users expect IT-controlled session policies.


Mobile and responsive specs

BreakpointAdjustment
MobileStack meta under device label; full-width Revoke
TabletSame as mobile; avoid cramped three-column tables
DesktopTable: Device · Location · Last active · Action

Show device type icon (phone/laptop) at 20–24px—helps users spot unfamiliar mobile sessions quickly.


States and edge cases

StateUI treatment
Active nowGreen dot or “Active now”
IdleLast active timestamp
Expired rowRemove from list or gray “Expired”
Unknown device”Unknown browser” + generic icon
VPN locationSame city wrong country—avoid alarmist copy
Rate-limited revokeToast: “Try again in a minute”

Accessibility and content

RequirementImplementation
Row semantics<li> or table row with scoped heading
RevokeAccessible name includes device: “Sign out Chrome on Windows”
Current badgeNot color-only; include text
LocationExplain approximation in help tooltip
Destructive confirmFocus trap in modal; Esc cancels

Handoff checklist

ItemDev Mode annotation
Session IDOpaque; never show raw token
Revoke APIInvalidates refresh token for that session
Current session detectionMatch client session id
Geo fieldsCity/country from IP; nullable
Trusted device flagSeparate from session row optional
Sign out all othersExcludes currentSessionId
Post-revokeWebSocket or polling to drop other tabs
a11yAnnounce revoke success

Clarify whether mobile app sessions appear in the same list as web—often a separate “Mobile apps” section with last sync time.


Common mistakes

MistakeWhy it hurtsFix
No “This device” badgeUsers revoke themselves by accidentHighlight current row
Exact street addressCreepy; often wrongCity-level only
Login history mixed inUsers try to “revoke” old loginsSplit pages
Revoke without confirmFat-finger sign-outModal for current device
Hidden under generic SecurityLow discoveryLink from post-login security email
No empty stateConfusing blank pageSingle-session reassurance
Trust device without expiryStolen laptop riskShow expiry date; allow remove
Missing SSO disclaimerSupport tickets”You may still be signed in to your company portal”

  1. Audit related flows: timeout, 2FA, privacy.
  2. Design SessionListRow variants: current, trusted, mobile, unknown.
  3. Build Security → Sessions page with bulk “Sign out other sessions” CTA.
  4. Add revoke confirmation modals with device-specific copy.
  5. Optional trusted devices subsection with remove-trust action.
  6. Spec empty, loading, and error states.
  7. Link to audit log for historical sign-in events.
  8. Prototype revoke on another device → forced logout banner on that client.

FAQ

How many sessions should we show?

All non-expired sessions with pagination after ~20 rows. Hide expired tokens server-side.

Should we show IP addresses?

Usually no—city + country is enough for consumers. Enterprise admins may get IP in a separate admin audit view.

Revoke vs change password?

Change password often revokes all sessions automatically—show a banner on this page when that happens. Per-session revoke is finer-grained.

Native mobile apps in the list?

Yes—label as “iPhone app” / “Android app” with last active from app heartbeat, not browser UA.

Ecommerce shoppers need this?

Recommended for saved payment methods and account dashboard access—lighter copy than banking, same revoke patterns.


Next steps

Share on X

§ Keep reading

Related guides.