figma guide

Designing suspicious login alerts and account recovery UI in Figma: fraud signals, lockouts, and secure reset flows

Design suspicious login alerts and account recovery UI in Figma with fraud banners, step-up verification, lockout screens, and Dev Mode specs for account takeover response flows.

Published
Updated
Jul 09, 2026
Read time
8 min
Level
Beginner

Quick answer

Suspicious login alerts and account recovery UI tells users something risky happened—new device sign-in, impossible travel, credential stuffing—and gives a safe path to secure the account before damage spreads. Design email and in-app alerts with device, location, and time; a “This wasn’t me” CTA that revokes sessions and forces password reset; step-up verification (2FA, email OTP, passkey) when risk scores spike; and lockout screens when too many failed attempts occur. This is the response layer—detection events appear in the audit log, live control lives on active sessions, and enrollment happens in security settings. Start from the Figma guides hub.


Who this is for

  • Product designers building fraud-aware sign-in, alert emails, and post-breach recovery wizards for SaaS and ecommerce accounts.
  • Design system teams separating one-time recovery flows from everyday login and notification inbox patterns.
  • Engineers implementing risk scoring, session invalidation, rate limits, and secure reset tokens with short TTL.

Alert surfaces vs recovery flows vs prevention

SurfaceTriggerUser action
Security alert emailNew device / geo anomaly”Secure account” deep link
In-app bannerRecent suspicious sign-in while logged inReview activity or dismiss
Login challengeRisk score mid-authComplete 2FA or email OTP
Account lockout screenFailed attempts thresholdWait, reset password, contact support
Recovery wizardUser reports compromiseRevoke → reset → re-enroll MFA
Audit log rowEvent recordedRead-only; link to recovery

Verdict: alerts inform; recovery flows remediate. Do not put revoke buttons inside marketing emails without re-auth—deep links should land on a verified step-up screen first.


Suspicious sign-in signal types

SignalExample UI copySeverity
New device”New sign-in on Chrome for Windows”Warning
New location”Sign-in from ~ Lagos, NG (first time)“Warning
Impossible travel”Two sign-ins 30 minutes apart in different countries”Critical
Failed attempt burst”5 failed sign-in attempts in 10 minutes”Warning
Password spray pattern”Multiple accounts targeted from same IP”Critical (admin)
Credential change after anomaly”Email changed 2 minutes after new sign-in”Critical

Pair impossible-travel alerts with session timeout docs—users confuse idle expiry with fraud lockout.


Email alert anatomy

PartSpecNotes
SubjectSpecific, not scary-generic”New sign-in to your account”
Was this you?Binary framing”Yes, it was me” vs “No, secure my account”
Event summaryDevice · browser · approx location · timeMatch audit log row format
Secure CTAPrimary buttonLinks to authenticated recovery entry
Ignore linkSecondary”I recognize this device” (optional feedback to risk engine)
Support footerStaticNo reply-to for security; link help center
No secretsNever include passwords or full OTPPhishing template risk

Copy example: “Someone signed in to Acme with your email on Jul 9 at 3:14 AM from Chrome on Windows near Toronto, CA. If this wasn’t you, secure your account now.”

Cross-link notification preferences so users can tune alert frequency without disabling critical security emails entirely.


In-app banner and modal patterns

PatternWhenDismissible?
Top bannerUser already signed in; event within 24hYes, after acknowledge
Blocking modalCritical: email changed + new geoNo until action
Account health cardDashboard widget summarizing riskN/A
Push notificationMobile companionOpens recovery deep link
SuspiciousSignInBanner
├── Variant: severity=warning | critical
├── Variant: dismissed=true | false
└── Layers:
    ├── Icon (shield-warning)
    ├── Headline
    ├── EventSummary
    ├── PrimaryCTA ("Review activity")
    ├── SecondaryCTA ("This was me")
    └── DismissButton (warning only)

“This was me” should log user confirmation and reduce false-positive alerts—not skip security for future events from that device. Optionally offer Trust this device per active sessions specs.


”This wasn’t me” recovery wizard

Design a linear wizard with progress and irreversible steps called out.

StepScreenActions
1. Verify identityRe-auth: password + 2FA or email OTPGate before revoke
2. Revoke sessionsList all active sessions pre-checked”Sign out everywhere” default on
3. Reset passwordNew password + strength meterInvalidate reset links on complete
4. Review accountEmail, phone, OAuth, payment methodsFlag changes in last 48h
5. Re-enroll MFAForce 2FA or passkey if previously offLink security settings
6. ConfirmationSummary + link to activity log”Your account is secured”

Do not ask users to forward suspicious emails to support as step 1—that trains phishing behavior.


Step-up verification at login

When risk engine challenges mid-login (before session minted):

Challenge typeUIFallback
Email OTP6-digit code entryResend with cooldown
Authenticator TOTPSame as 2FA loginBackup codes
PasskeyPlatform promptPassword + OTP if passkey unavailable
CAPTCHABot signal onlyNot a substitute for MFA

Reuse email verification / OTP components—annotate context=step_up_login in Dev Mode so copy differs from signup verify (“Confirm it’s you signing in”).


Account lockout screen

ElementSpec
Headline”Too many sign-in attempts”
ExplanationTemporary lock; not necessarily compromise
Countdown”Try again in 14:32” or static “15 minutes”
Reset password CTAAlways visible
Support linkLast resort
No email enumerationSame copy for unknown vs known account on public lockout

Differentiate user lockout (their account) from IP rate limit (shared network)—copy should not imply the user’s password was wrong when the café Wi‑Fi triggered IP throttling.


Post-recovery account review checklist

Surface changes attackers commonly make:

ItemUI treatment
Email addressHighlight if changed in last 48h; revert flow
Phone numberSame
Connected OAuth appsLink connected accounts
API keysLink API keys with “Review keys”
Payment methodsLink payment methods
Saved addressesLink address book
Notification prefsAttacker may disable alerts

Use warning chips on rows modified recently; do not auto-revert without user confirmation (support may need audit trail).


Enterprise and SSO considerations

ScenarioUX note
SSO-only tenantRecovery may redirect to IdP admin; no local password reset
Forced SSO after incidentAdmin banner + member email
Shared kioskSuppress “trust device” on shared hardware
Break-glass adminSeparate flow—not consumer wizard

Cross-link SSO login when local recovery CTAs do not apply.


Mobile and responsive layout

BreakpointPattern
Mobile emailSingle column; 44px min touch targets on CTAs
Mobile wizardFull-screen steps; sticky primary action
DesktopTwo-column review step: timeline left, actions right
Deep linksUniversal links open app to recovery step with token

Banners on mobile should not cover sticky checkout or cart CTAs on ecommerce—use dedicated account area only.


Handoff checklist

ItemDev Mode annotation
riskEventIdCorrelates email, banner, audit row
Token TTLRecovery deep links expire in 15–60 min
Single-use tokensInvalidate after password reset
Session revoke scopeAll refresh tokens vs current only
Rate limit headersOptional for API clients
Email template variantswarning vs critical
a11yBanner role=alert; wizard steps as ordered list
LocalizationLocation strings approximate; avoid false precision

Document support escalation: when automated recovery fails, show ticket form with pre-filled riskEventId.


Common mistakes

MistakeWhy it hurtsFix
Revoke via unauthenticated email linkAccount takeover completesStep-up before revoke
Generic “unusual activity” copyUsers ignore alertsSpecific device + time
Same UI for lockout and fraudUnnecessary panicSeparate copy and severity
Permanent dismiss on critical modalMissed takeoverRe-show until resolved
Recovery wizard with 12 stepsAbandonmentMax 5–6 steps
No post-recovery reviewAttacker changes persistChecklist screen
Marketing email styling on security alertsPhishing training failureDistinct security template
Showing full IP addressesPrivacy + support noiseCity-level approximation

  1. Map risk events with engineering—align with audit log event types.
  2. Design email template with was-this-you framing and secure deep link.
  3. Build in-app banner with warning vs critical variants.
  4. Prototype recovery wizard from step-up through confirmation.
  5. Add lockout screen with reset-password escape hatch.
  6. Wire post-recovery review linking OAuth, keys, and payment surfaces.
  7. Test deep links on mobile and expired-token error state.
  8. Align copy with login and 2FA components.

FAQ

Should every new device trigger an email?

Not always. Tune by risk score—trusted device cookie, passkey, or recent same-geo sign-in can suppress alerts. Always log to audit feed.

Show alerts for failed login attempts to the account owner?

Yes, after a threshold (e.g. 5 in 15 minutes)—helps detect credential stuffing without alerting on every typo.

Can users disable suspicious login emails?

Partially. Allow reducing non-critical alerts; keep critical (email changed, 2FA removed) mandatory on regulated products.

Same flow for ecommerce vs B2B SaaS?

Core wizard is shared; B2B adds org admin notification and SSO-specific branches per SSO specs.

How does this relate to password recovery?

Password reset is one step inside recovery; login recovery covers forgot-password entry points—link between them when lockout offers reset.


Next steps

Share on X

§ Keep reading

Related guides.