figma guide

Designing two-factor authentication and security settings UI in Figma: MFA setup, backup codes, and trusted devices

Design 2FA and security settings UI in Figma with authenticator setup, SMS backup, recovery codes, trusted devices, password change, and Dev Mode specs for account security.

Published
Updated
Jul 05, 2026
Read time
8 min
Level
Beginner

Quick answer

Security settings let users change passwords, enable two-factor authentication (2FA), manage backup codes, and review active sessions—usually under Account → Security. Design enable flows for authenticator app (QR + manual key + verify code), optional SMS backup, and recovery codes shown once at setup. Include disable-2FA with re-auth, a trusted devices list, and password change with current-password verification. Challenge screens during login reuse the same code-entry component. Start from the Figma guides hub and pair with login, email verification / OTP, and account dashboard guides.


Who this is for

  • Product designers building account security pages and login MFA challenges.
  • Design system teams standardizing OTP inputs and security banners across web and mobile.
  • Engineers implementing TOTP, SMS fallback, session revocation, and rate limiting.

Security settings surface comparison

SurfaceWhen to useTrade-off
Account security pagePassword, 2FA, sessionsCanonical settings hub
Login MFA challengeStep after password successReuse OtpCodeInput component
Forced enrollment promptHigh-risk accounts or admin policyModal after login—easy to dismiss
Checkout re-authChange payment on fileShort password or OTP only
Support-assisted resetUser lost deviceOut of band—not designed in Figma file

Verdict: one SecuritySettingsPanel on the account route plus shared MfaChallengeForm and OtpCodeInput used at login and during enable/disable flows.


SecuritySettingsPanel anatomy

PartSpecNotes
Page title”Security” or “Sign-in & security”Under account nav
Password row”Change password” link or inline formRequires current password
2FA status rowEnabled / Not enabled badge + CTAPrimary security action
Recovery codes rowView/regenerate (when 2FA on)Shown only when enabled
Trusted devicesSession list with revokeLast active, location approx
Sign out everywhereSecondary destructiveRevokes all sessions
Recent activityOptional login logIP, device, timestamp
SecuritySettingsPanel
├── Variant: mfaEnabled=false | true
├── Variant: state=default | editingPassword
└── Layers:
    ├── PageHeader
    ├── PasswordSection
    ├── TwoFactorSection
    │   ├── MfaStatusBadge
    │   ├── EnableMfaButton | ManageMfaButton
    │   └── RecoveryCodesRow
    ├── TrustedDevicesSection
    │   └── DeviceRow (repeat)
    ├── SignOutAllButton
    └── ActivityLog (optional)

Cross-link privacy settings when delete-account and export require re-auth here.


Enable 2FA flow (authenticator app)

StepUINotes
1. IntroBenefits copy + “Set up authenticator”Mention Google Authenticator, 1Password, etc.
2. QR codeLarge QR + “Can’t scan?” expandManual secret key with copy button
3. Verify6-digit OTP inputAuto-advance per digit
4. Recovery codesGrid of 8–10 codes + download/printOne-time display warning
5. SuccessBanner on security page”Two-factor authentication is on”
6. SMS backupOptional add phone stepVerify phone with SMS code
EnableMfaFlow
├── Variant: step=intro | scanQr | verifyCode | showRecoveryCodes | success
├── Variant: method=authenticator | sms
└── Layers:
    ├── QrCodePanel
    ├── ManualSecretKey
    ├── OtpCodeInput
    ├── RecoveryCodesGrid
    ├── DownloadCodesButton
    └── SmsBackupStep (optional)

Verdict: never let users skip recovery codes without explicit “I saved these” checkbox—support volume spikes when they lose phones.


OtpCodeInput component

Reuse across login challenge, enable verify, SMS verify, and disable confirm.

PropertySpec
Digits6 (TOTP) or 4–8 configurable
Input modenumeric keyboard on mobile
Auto-focusFirst empty cell
PasteFull code from clipboard
ErrorShake + “Invalid code”
ResendSMS only—60s cooldown timer
Backup link”Use a recovery code instead”
OtpCodeInput
├── Variant: digits=6 | 8
├── Variant: state=default | error | disabled
└── Layers:
    ├── DigitCell (repeat)
    ├── ErrorMessage
    ├── ResendTimer (sms only)
    └── UseRecoveryCodeLink

Match spacing and focus rings from form input states.


Recovery codes UI

StateUI
First setupFull grid + “Copy all” + “Download .txt”
RegenerateWarning: invalidates old codes
Enter at loginSingle text field or 8-char input
Low codes leftBanner when ≤2 remain
Used codeError at login

Store codes as hashed server-side—design should never show them again after first setup except regenerate flow.


Disable 2FA flow

StepUI
1. Entry”Turn off” from security page
2. WarningReduced account security copy
3. Re-authPassword + current TOTP or recovery code
4. ConfirmDestructive button “Turn off two-factor authentication”
5. SuccessEmail notification “2FA disabled on your account”

Require stronger verification than enable—password alone is not enough if 2FA is active.


Trusted devices and sessions

ElementSpec
Device rowIcon + “Chrome on MacOS” + “Current session” badge
MetaLast active, approximate location
RevokePer-row “Sign out”
Sign out everywhereSeparate button below list
EmptyN/A—always at least current
TrustedDevicesList
├── Variant: state=default | revoking
└── Layers:
    ├── DeviceRow (repeat)
    │   ├── DeviceIcon
    │   ├── DeviceLabel
    │   ├── LastActiveMeta
    │   ├── CurrentBadge (conditional)
    │   └── RevokeButton
    └── SignOutAllButton

Pair with notification preferences for security alert emails when new device signs in.


Change password form

FieldValidation UI
Current passwordRequired; wrong password inline error
New passwordStrength meter; policy rules listed
Confirm newMatch error
Submit”Update password”
ChangePasswordForm
├── Variant: state=default | success | error
└── Layers:
    ├── CurrentPasswordField
    ├── NewPasswordField
    ├── StrengthMeter
    ├── ConfirmPasswordField
    ├── LogoutOtherSessionsCheckbox
    └── SubmitButton

After success, show toast and optionally redirect to dashboard.


Login MFA challenge (reuse)

When password succeeds but 2FA is enabled, swap AuthForm to challenge mode—see login guide for mode=mfaChallenge.

StateUI
DefaultOtpCodeInput + “Trust this device 30 days” checkbox
SMS sentMasked phone + resend timer
Recovery modeSingle field for backup code
LockedToo many attempts—15 min cooldown banner
SuccessRedirect to return URL or dashboard

Remember device checkbox should explain trade-off: “Don’t ask again on this browser for 30 days.”


Mobile layout

PatternSpec
QR setupFull-width QR; manual key in accordion
OTP cellsLarger tap targets—48px min width per cell
Recovery codes2-column grid; scroll if needed
Device listRevoke as swipe or overflow menu
Sticky CTA”Verify” fixed bottom during setup

Test QR scanning UX on real devices—designers often crop QR too small in Figma frames.


Handoff checklist

ItemDev Mode annotation
TOTP issuer nameShown in authenticator app (brand string)
Recovery code formatXXXX-XXXX × 10; single-use
Rate limits5 failed OTP → 15 min lock
Session revoke APIDELETE /sessions/:id
Trust device cookieTTL 30 days; httpOnly
2FA disableRequires password + TOTP or recovery
Email triggersenable, disable, new device, password change
a11yOTP cells as grouped input; errors announced

Document SMS vs authenticator priority—which method is primary at login when both exist.


Common mistakes

MistakeWhy it hurtsFix
Recovery codes shown twiceSecurity riskOne-time display only
Skip verify step after QRBroken setupRequire 6-digit confirm
Disable with password onlyAccount takeoverRequire active 2FA factor
Tiny QR in mobile frameUsers can’t scanMin 200×200px in spec
No “trust device” copyConfusion on checkboxExplain 30-day behavior
Different OTP UI at login vs settingsInconsistent UXOne OtpCodeInput component
No email on security changesUser can’t detect fraudNotify on enable/disable/password
SMS as only 2FASIM-swap riskPrefer authenticator; SMS as backup

  1. Build OtpCodeInput with 6-digit, paste, and error states.
  2. Design SecuritySettingsPanel with password + 2FA status rows.
  3. Flow enable MFA: QR → verify → recovery codes → success.
  4. Design disable + regenerate with re-auth modals.
  5. Add trusted devices list with revoke and sign-out-all.
  6. Reuse MfaChallengeForm on login—link from login post.
  7. Spec email notifications for each security event.
  8. Prototype full enable flow on 375px mobile frame.

FAQ

Authenticator only or SMS too?

Authenticator first—cheaper and more secure. Offer SMS as optional backup with clear SIM-risk note.

Force 2FA for all users?

Design forced enrollment modal after login for high-risk roles; optional banner for everyone else.

WebAuthn / passkeys?

If your roadmap includes passkeys, add a Passkeys row above 2FA with “Add passkey”—same security page IA.

Show IP addresses in activity log?

City + country is enough for most ecommerce—full IP in support tools only.


Next steps

Share on X

§ Keep reading

Related guides.