figma guide

Designing session timeout and re-authentication UI in Figma: idle warnings, expired sessions, and step-up auth

Design session timeout UI in Figma with idle countdown modals, expired session screens, step-up re-auth for sensitive actions, and Dev Mode specs for account security flows.

Published
Updated
Jul 07, 2026
Read time
7 min
Level
Beginner

Quick answer

Session timeout UI warns users before an idle session ends, handles expired sessions gracefully, and asks for step-up re-authentication before sensitive changes—distinct from the trusted-devices list in security settings. Design three surfaces: an idle warning modal with a visible countdown and “Stay signed in” action, a session expired full-page or modal that preserves return URLs, and a re-auth gate (password, passkey, or OTP) before payment edits, account deletion, or 2FA changes. Never silently drop users mid-checkout without saving context. Start from the Figma guides hub and pair with security settings, login, and checkout guides.


Who this is for

  • Product designers building idle logout, banking-style re-auth, and checkout session recovery.
  • Design system teams separating session expiry modals from login screens and MFA challenges.
  • Engineers implementing sliding expiration, refresh tokens, activity pings, and sensitive-action guards.

Session UX surface comparison

SurfaceTriggerUser goal
Idle warning modalNo activity for N minutesExtend session without re-login
Session expired screenToken invalid or idle timeout firedSign in again and return to task
Step-up re-auth modalSensitive action while session still validProve identity again for one operation
Forced logout bannerAdmin revoke, password change, sign-out-allExplain why session ended
Background refreshSilent token renewalNo UI—document in Dev Mode notes

Verdict: reuse login form components on the session-expired screen, but use a dedicated SessionTimeoutModal for idle warnings—different copy, different primary CTA, no “Create account” toggle.


Idle warning modal anatomy

PartSpecNotes
Headline”Your session is about to expire”Plain language
CountdownMM:SS or circular progressUpdates every second
Body copy”You’ve been inactive. Stay signed in to keep your cart.”Context-aware
Primary CTA”Stay signed in”Extends session via activity ping
Secondary CTA”Sign out now”Clears session immediately
Dismiss on activityOptional—keyboard/mouse resets timerDocument behavior
SessionTimeoutModal
├── Variant: context=default | checkout | admin
├── Variant: secondsRemaining=120 | 60 | 30
└── Layers:
    ├── WarningIcon
    ├── Headline
    ├── CountdownDisplay
    ├── ContextMessage
    ├── StaySignedInButton (primary)
    └── SignOutButton (secondary)

Show the modal before hard logout—common windows are 2 minutes warning after 15–30 minutes idle for ecommerce; shorter for banking or healthcare.


Session expired screen

When the session is already invalid, replace modal with a focused recovery screen.

ElementSpec
Headline”Your session has expired”
ExplanationWhy (idle, security, password changed)
Return context”Sign in to return to checkout” + step indicator preserved visually
Auth formReuse AuthForm from login guide
Guest path”Continue as guest” when checkout allows
Cart preservation note”Your cart is saved for 7 days”
SessionExpiredScreen
├── Variant: returnUrl=checkout | account | default
├── Variant: authMode=password | passkey | social
└── Layers:
    ├── ExpiredIllustration (optional)
    ├── Headline
    ├── ReturnContextBanner
    ├── AuthForm (compact)
    └── GuestCheckoutLink (conditional)

Do not send users to marketing homepage without explanation—that spikes support tickets and abandoned carts.


Step-up re-authentication (sensitive actions)

Re-auth while the session is still valid differs from full session expiry.

ActionRe-auth methodUI pattern
Change passwordCurrent passwordInline form on security page
Add/remove payment methodPassword or OTPModal before save
Disable 2FAPassword + TOTPMulti-step modal
Delete accountPassword + OTPSee privacy settings
Export personal dataPassword or email linkConfirm modal
Change primary emailOTP to old + new emailTwo-step verify
StepUpReAuthModal
├── Variant: method=password | otp | passkey
├── Variant: action=changePayment | disableMfa | deleteAccount
└── Layers:
    ├── ActionSummary ("Confirm it's you")
    ├── ReAuthFields
    ├── ErrorMessage
    ├── ConfirmButton
    └── CancelButton

Place re-auth immediately before the destructive or sensitive submit—not on page load.


Checkout-specific session rules

ScenarioDesign requirement
Idle during checkoutWarning mentions cart and address will be kept
Expired at payment stepReturn to same checkout step after login
Guest checkoutSession tied to cart token—copy explains merge on login
Payment in progressNever interrupt 3-D Secure or processor modal
Tab backgrounded (mobile)Optional shorter idle on payment pages

Link to guest checkout when login merges guest cart into account.


Countdown and timer states

StateUI
Warning visibleModal blocks interaction until choice or timeout
User clicks Stay signed inModal closes; reset idle clock; optional success toast
Timer hits zeroTransition to session expired or auto sign-out
User clicks Sign outImmediate logout; redirect to home or login
Network error on extendInline error “Could not refresh session—sign in again”

Use aria-live="polite" on countdown for screen readers—announce at 60s, 30s, 10s only to avoid noise.


Relationship to trusted devices

The security settings trusted devices list shows active sessions users can revoke manually. Session timeout UI handles automatic expiry from inactivity.

FeatureTrusted devices listSession timeout UI
User intentReview and revoke sessionsRespond to idle or expiry
TimingAnytime in settingsDuring active use
Copy focusDevice name, last activeCountdown, stay signed in
OverlapRevoked session → forced logout bannerSame banner component

Share a ForcedLogoutBanner when admin or “sign out everywhere” ends the session mid-task.


Mobile layout

PatternSpec
Idle modalBottom sheet on mobile; full-width CTAs
CountdownLarge numeric timer—min 32px
Session expiredFull-screen; sticky sign-in button
Re-auth modalUse passkey button when available
CheckoutDo not cover payment WebView

Test app switcher behavior—users idle while reading email; warning should appear on return.


Handoff checklist

ItemDev Mode annotation
Idle thresholde.g. 25 min idle → 2 min warning
Activity eventsmouse, key, scroll, touch reset timer
Extend endpointPOST /session/extend on Stay signed in
Return URL?redirect= preserved through expired flow
Step-up scopeSingle action token TTL 5 min
Hard logoutClear cart rules documented
Concurrent tabsSync logout via storage event
a11yFocus trap in modal; Esc does not dismiss without action policy

Document whether Stay signed in requires network or only client-side timer reset.


Common mistakes

MistakeWhy it hurtsFix
Same UI as login pageUsers think account was deletedDistinct expired copy + return context
No warning before logoutLost checkout workAlways show countdown modal
Re-auth on page loadFriction on every visitGate only sensitive submits
Interrupt 3DS flowPayment failuresPause idle timer during processor steps
Silent redirect to homeConfusion and abandonmentSession expired screen with return URL
Infinite “Stay signed in” clicksSecurity theaterRate-limit extends; max session age
Different OTP UI than MFAInconsistent UXReuse OTP input
No copy for password-change logoutUsers think bugForced logout banner with reason

  1. Define idle policy with engineering (warning duration, max session age).
  2. Design SessionTimeoutModal with countdown and two CTAs.
  3. Design SessionExpiredScreen reusing AuthForm with return banner.
  4. Add StepUpReAuthModal variants for payment, MFA, and delete flows.
  5. Spec checkout idle copy and payment-step exceptions.
  6. Link forced logout to trusted-devices revoke and password change emails.
  7. Prototype idle → warning → stay signed in → continue checkout on mobile.
  8. Annotate activity events and token refresh in Dev Mode.

FAQ

How long should idle timeout be?

Ecommerce: 20–30 min idle with 2 min warning is common. Finance/health: shorter. Align with legal and fraud teams—not design alone.

Warn on every tab or only active tab?

Only the visible tab should show the modal; background tabs sync on logout. Note multi-tab behavior in handoff.

Passkeys for step-up re-auth?

Yes when the user has a passkey—offer “Confirm with passkey” as primary over password on supported browsers.

Session expired during OTP entry?

Preserve OTP screen state where possible; extend session when user requests new code if policy allows.

Same modal for staff admin tools?

Use context=admin variant with stricter copy and shorter timers; link to account dashboard patterns for consumer vs admin.


Next steps

Share on X

§ Keep reading

Related guides.