figma guide

Designing audit log and security activity UI in Figma: sign-in history, alerts, and account event feeds

Design audit log and security activity UI in Figma with sign-in history, password changes, export feeds, filters, and Dev Mode specs for account transparency flows.

Published
Updated
Jul 08, 2026
Read time
7 min
Level
Beginner

Quick answer

Audit log and security activity UI gives users a read-only timeline of account events—sign-ins, password changes, 2FA updates, data exports, and failed login attempts—usually under Account → Security → Activity. Design an event feed with icon, title, timestamp, device/location metadata, and optional detail expand. Add filters (sign-ins, security changes, billing) and email alert toggles for suspicious activity. This is history, not control: live session revoke belongs on active sessions. Start from the Figma guides hub and pair with security settings and privacy flows.


Who this is for

  • Product designers building transparency feeds for SaaS, ecommerce accounts, and compliance-conscious products.
  • Design system teams distinguishing activity logs from notifications inbox and admin audit consoles.
  • Engineers implementing immutable event streams, retention policies, and security alert webhooks.

Activity feed vs sessions vs notifications

SurfaceMutable?Typical events
Security activity feedRead-onlyPassword changed, 2FA enabled, export requested
Active sessions listRevoke actionsCurrent Chrome on macOS
Notifications inboxMark readOrder shipped, promo, product updates
Admin org audit logAdmin-onlyMember invited, role changed, SSO updated
Email security alertsOut-of-band”New sign-in from Toronto”

Verdict: use a SecurityEventRow component with event-type icons—do not reuse order notification cards. Link “Not you? Revoke sessions” from sign-in events only.


Event categories and icons

CategoryExample eventsIcon hint
AuthenticationSuccessful sign-in, failed attempt, SSO loginKey or door
Credential changesPassword updated, passkey added, recovery email changedLock
2FA / securityAuthenticator enabled, backup codes regeneratedShield
Session controlSigned out everywhere, session revokedLogout
Data rightsExport requested, account deletion scheduledDocument
Connected appsGoogle connected, OAuth app revokedLink
ProfileEmail changed, phone verifiedUser

Keep failed login attempts visible but not alarming—“Failed sign-in attempt” with no extra CTA unless threshold triggers lockout messaging per login specs.


SecurityEventRow anatomy

PartSpecNotes
Icon24px by event categoryConsistent color system
TitlePast tense, scannable”Password changed”
TimestampAbsolute + relative”Jul 8, 2026 · 2 hours ago”
Meta lineDevice · location · IP regionMatch session list format
Expand chevronOptional detailActor, app version, request id for support
Action linkContextual”Secure your account” on unknown sign-in
SecurityEventRow
├── Variant: category=auth | credential | mfa | data | app
├── Variant: severity=info | warning | critical
├── Variant: expanded=true | false
└── Layers:
    ├── EventIcon
    ├── Title
    ├── Timestamp
    ├── MetaLine
    ├── DetailPanel (optional)
    └── ActionLink (conditional)

Page layout and filters

ElementSpec
Page title”Security activity” or “Recent activity”
Retention note”Events from the last 90 days”
Filter chipsAll · Sign-ins · Security changes · Data
Date rangeOptional advanced filter for power users
Empty state”No activity yet” after new signup
Load morePagination or infinite scroll

Place under Account → Security beside sessions—tabs work well: Sessions (revoke) | Activity (history).


High-signal events to always show

EventWhy users care
New sign-in from new device/locationFraud detection
Password or email changedAccount takeover signal
2FA disabledCritical—use warning severity
Passkey or backup codes changedCredential hygiene
Data export completedGDPR transparency
Account deletion requestedIrreversible action trail
SSO enforcement toggledEnterprise policy (admin view)

Cross-link email verification when email-change events appear—show “Pending verification” as a distinct event state.


Email and push alert settings

ToggleDefaultCopy
New sign-in alertsOn”Email me when someone signs in from a new device”
Password changedOnCannot disable on some regulated products
Failed login thresholdOff or On”After 5 failed attempts”
Export / delete requestsOnCompliance notification

Design toggles on the same page or link to notification preferences with a Security subsection—avoid duplicate toggles in two places.


Warning and critical event treatment

SeverityVisualExample
InfoNeutral iconRoutine sign-in
WarningAmber accentSign-in from new country
CriticalRed accent + inline CTA2FA removed, email changed

Unknown sign-in row example:

Sign-in from new location · Chrome on Windows · ~ Toronto, CA
Jul 8, 2026 · 10:42 AM
This wasn’t me →

“This wasn’t me” flows: revoke other sessions → prompt password change → suggest enabling 2FA.


Enterprise vs consumer scope

AudienceFeed scope
Consumer accountPersonal auth and data events only
Org memberPersonal events + “Admin changed your role”
Org adminSeparate Admin audit log with member actions, SSO config, billing
SSO-only userShow IdP sign-in; note password events may be empty

Do not expose other users’ activity in a member-facing feed—reserve for admin consoles paired with SSO setup wizards.


Mobile and responsive layout

BreakpointPattern
MobileVertical timeline with left icon rail
DesktopTable optional for dense history; timeline for mixed event types
Expand detailBottom sheet on mobile, inline accordion on desktop

Timestamps stay timezone-aware—use account timezone from account dashboard settings when available.


Handoff checklist

ItemDev Mode annotation
Event type enumMaps to icon and filter
occurredAtISO timestamp, display localized
ImmutabilityNo edit/delete in UI
Retention window90/180/365 days per policy
PII in detailsMask email partials in expanded JSON
Failed loginAggregate vs per-attempt rows
Alert webhooksSame events power email
a11yTimeline announced as list; severity not color-only

Document support correlation id in expanded detail for enterprise tickets—not in the default row.


Common mistakes

MistakeWhy it hurtsFix
Revoke button on history rowsUsers expect time travelLink to sessions page
Order events in security feedNoiseKeep commerce in order history
No retention disclaimerLegal mismatchShow “90 days” prominently
Identical copy for success/fail loginMissed fraud signalSeparate failed attempt styling
Missing “wasn’t me” pathAlert fatigueCTA on new-location sign-ins
Admin events in user feedPrivacy leakRole-gated admin log
Real-time expectationConfusion when delayed”May take a few minutes to appear”
Duplicated email togglesConflicting settingsSingle source in notification prefs

  1. Inventory events with engineering—auth, profile, data, OAuth, session.
  2. Design SecurityEventRow with category icons and severity variants.
  3. Build Activity page with filters and retention note.
  4. Add expand detail for support-friendly metadata.
  5. Wire “wasn’t me” to sessions revoke + password change prompt.
  6. Align alert toggles with notification preferences.
  7. Separate admin audit frames if B2B—do not mix with member feed.
  8. Prototype filter chips and unknown sign-in CTA path.

FAQ

How is this different from login history in banking apps?

Same UX pattern—read-only sign-ins plus security changes. Banking often adds transaction events; keep commerce out of this feed unless the product is finance-first.

Show failed login attempts?

Yes, after a single failure or threshold—helps users detect credential stuffing. Cap volume to avoid scroll spam.

Real-time updates?

Polling or websocket optional—most users refresh manually. Email alerts cover async awareness.

GDPR data export include activity log?

Include in export JSON when legally required; the in-app feed is a convenience subset with retention limits.

Ecommerce accounts need a full audit log?

Light version is enough: sign-ins, password/email change, address/payment method updates, export/delete—link order history for purchases.


Next steps

Share on X

§ Keep reading

Related guides.