| UI or UX | UI + UX - Expired authenticated-session state and safe return-to-task recovery | UI + UX - Authenticated-session expiry and reauthentication boundary warning | UI + UX - Returning-account authentication and session start flow | UI + UX - Credential-verification attempt lifecycle and login outcome handling | UI + UX - Authorization and access-boundary state | UI + UX - Recovery surface for failed or uncertain background saves |
|---|---|---|---|---|---|---|
| UI guidance | Show session timeout after the authenticated session has ended, with private content hidden, a clear reason such as inactivity or policy expiry, the last safe activity reference, and a primary sign-in or reauthentication path. | Show a visible countdown or clear expiry time before inactivity, absolute session, or reauthentication limits can interrupt work; place the warning near the current task or as a focused dialog when immediate action is required. | Render sign in as a focused authentication surface with a clear service or destination name, account identifier field, current-password or passkey path, password-manager-friendly attributes, recovery routes, create-account route, and neutral error area. | Render login as the outcome-sensitive credential verification state: pending verification, neutral failure, remaining attempts or wait time when policy allows, throttling or lockout state, unlock or recovery route, and successful session-created confirmation. | Show the blocked object or action, current account, permission level, required role, owner, and request path when revealing that information is allowed. | Show a persistent recovery surface when autosave did not protect the latest work, naming the affected field or section, last server-saved time, local copy status, and available recovery actions. |
| UX guidance | Use session timeout when the session is no longer valid and the product must protect privacy while helping the user recover safely through sign-in, reauthentication, return-to-task restoration, or a saved-draft route. | Use session timeout warning to balance security, privacy, accessibility, and continuity when an authenticated session is about to expire or require reauthentication. | Use sign in when users are returning to an existing account, protected resource, invitation, draft, checkout, or workspace and need to prove control of an authenticator. | Use login when users have already chosen an authentication route and submitted credentials or an authenticator output, and the product must explain the verification result safely. | Use permission denied state when the system knows the user is authenticated but their role, group, share, license, policy, or approval status blocks a specific object or action. | Use autosave recovery when users need to preserve effort after background saving fails, stalls, conflicts, expires, or only stores a local copy. |
| Good UI | A benefits form replaces private answers with Session ended after inactivity, shows reference SES-2048, says the draft was saved at 10:42, and offers Sign in to continue plus Start again. | A benefits form shows Your session will end in 2 minutes, says the draft is saved, and offers Stay signed in, Save and sign out, and Sign out. | A sign-in page names the workspace, shows email or username, password with current-password autocomplete, passkey option, forgot-password link, create-account link, and a destination reminder such as Continue to Q2 budget review. | After a failed login, the page keeps the email address, clears the password, shows Check your details and try again, gives 2 attempts remaining, and keeps forgot password and use passkey routes available. | A report page says Quarterly revenue report requires Finance viewer access, shows the current account, names the report owner, and offers Request access and Switch account. | A claim form says Household income answer failed to autosave at 10:42, keeps the typed answer visible, and offers Retry save, Copy answer, Restore last saved, and Continue after saved. |
| Bad UI | A modal says Timeout while the private page remains readable behind it. | The app logs out after 15 minutes with no countdown and clears a long form. | A sign-in page has four equal buttons for sign in, create account, reset password, and browse plans, with no indication of the protected destination. | The page says Password wrong for one email and No account found for another. | A denial page says Something went wrong and shows Retry even though the user lacks a required group. | A small toast says Could not save and disappears while the form still shows a green Saved label. |
| Good UX | A user returns from a break, sees that their session ended, signs in again, and lands back on the same saved claim step with private fields restored only after authentication. | A user pauses while gathering documents, sees the remaining time, extends the session once, then saves the draft before policy requires reauthentication. | A user opens a private document link, signs in with a saved passkey, and lands back on the same document with focus near the access confirmation. | A user mistypes the password twice, sees remaining attempts and a neutral account-details error, uses a passkey instead, and reaches the intended workspace with retry warnings cleared. | A user opens a restricted report, sees which account is signed in, requests viewer access with a reason, then sees that the request is pending with the owner. | A user loses network while writing a long answer, sees it is saved on this device only, reconnects, retries the same value, and continues after the timestamp updates. |
| Bad UX | A user comes back to a timed-out payment form, clicks Submit, and gets repeated server errors because expired controls stayed enabled. | A user returns from a phone call to find the form gone and a generic access denied page. | A user signs in from checkout and lands on a generic account dashboard, losing the cart and payment context. | A user gets locked out after repeated typos with no warning and no explanation of when to retry. | The app returns a blank screen for a restricted file, so the user cannot tell whether the file is gone, private, or opened with the wrong account. | A user submits after seeing Saved, but the newest section had failed to save and never reached the server. |
| Best fit | An authenticated session has expired or been terminated while the user was on a protected task. | An authenticated session can expire because of inactivity, overall lifetime, assurance policy, or reauthentication requirement. | Users need to access an existing account or protected destination. | Users have submitted credentials or authenticator output and need a safe verification result. | A signed-in user lacks permission to view, edit, publish, export, delete, approve, share, administer, or configure a resource. | Autosave failed, stalled, expired, or became uncertain while users still have meaningful local work. |
| Avoid when | The session is still active and users can act before expiry; use session timeout warning. | There is no authenticated session boundary and the issue is ordinary navigation away. | The user is creating a new account, choosing a new password, or verifying a new contact method. | The problem is choosing an authentication method or explaining why authentication is required before credentials are submitted. | The user is not signed in and the next step is authentication rather than authorization. | The product does not use autosave or local draft persistence. |
| Required state | Expired session state with private content hidden. | Active session with no warning. | Initial sign-in state with service or destination context. | Ready-to-submit login state with chosen identifier and authenticator route. | Whole-object access denied state. | Clean saved state with current server timestamp. |
| Accessibility burden | Move focus to the timeout heading when protected content is replaced, and use text that says the session ended rather than relying on a lock icon. | Warn users early enough to respond and avoid relying on a rapidly changing countdown as the only information. | Use explicit labels for identifier, password, passkey, SSO, and one-time-code controls rather than placeholder-only prompts. | Announce verifying, failed-login, throttled, lockout, and success states without forcing focus away from the next useful action. | Use a heading that identifies the access boundary and a text description that does not rely on lock icons or red color alone. | Announce failed, local-only, retrying, recovered, and conflict states through status text without repeating every save attempt. |
| Common misuse | Leaving the private page readable behind a timeout modal. | Using a client-only timer that disagrees with the server session. | Using account-specific error messages that reveal whether an identifier exists. | Returning different messages for unknown account, wrong password, disabled account, or locked account. | Treating authorization denial as a generic retryable error. | Leaving a green Saved label visible after a failed or stale autosave. |
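The login-outcome rules in the Good UI, Bad UI and Common misuse rows (one neutral message whether the identifier is unknown, the password is wrong or the account is disabled; remaining attempts when policy allows; a lockout with a wait time rather than a silent block) can be made concrete on the server side. The block below is an added Python example, not code from the original table or from any product it describes. The account record, the policy values (3 attempts, 300-second lockout), the message wording beyond the table's own "Check your details and try again", and the dummy-hash technique for unknown identifiers are assumptions chosen for illustration.

```python
import hashlib
import hmac
import math
import os
import time
from dataclasses import dataclass
from typing import Callable, Dict, Iterable, Optional, Tuple

# Hypothetical policy values for this example; a real product reads them from configuration.
MAX_ATTEMPTS = 3
LOCKOUT_SECONDS = 300

# Neutral wording from the table's Good UI row, used for every non-lockout failure.
NEUTRAL_FAILURE = "Check your details and try again."
# Lockout wording is an assumption; it names the wait and a recovery route, not the cause.
LOCKED_MESSAGE = "Too many attempts. Wait before trying again or use account recovery."


def hash_password(password: str, salt: bytes) -> bytes:
    """Derive a password hash (PBKDF2-HMAC-SHA256, constructed parameters for the example)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


@dataclass
class Account:
    identifier: str
    salt: bytes
    password_hash: bytes
    disabled: bool = False


@dataclass
class LoginOutcome:
    status: str                              # "success" | "failed" | "locked"
    message: str                             # text safe to show in the neutral error area
    remaining_attempts: Optional[int] = None  # only set while policy allows another try
    retry_after_seconds: Optional[int] = None  # only set in the lockout state


class LoginVerifier:
    """Returns the same failure shape for unknown, wrong-password and disabled accounts."""

    def __init__(self, accounts: Iterable[Account], clock: Callable[[], float] = time.time):
        self.accounts: Dict[str, Account] = {a.identifier: a for a in accounts}
        self.clock = clock
        # Attempt counters are keyed by the submitted identifier, so unknown identifiers
        # throttle and lock out exactly like real ones.
        self.failures: Dict[str, Tuple[int, float]] = {}  # identifier -> (count, locked_until)
        # Constructed dummy credential: unknown or disabled identifiers still pay for a full
        # hash comparison, so response timing does not reveal whether the account exists.
        self._dummy_salt = os.urandom(16)
        self._dummy_hash = hash_password("dummy-not-a-real-password", self._dummy_salt)

    def verify(self, identifier: str, password: str) -> LoginOutcome:
        now = self.clock()
        count, locked_until = self.failures.get(identifier, (0, 0.0))

        if locked_until > now:
            # Lockout is reported without re-checking the password and without touching counters.
            wait = max(1, math.ceil(locked_until - now))
            return LoginOutcome("locked", LOCKED_MESSAGE, retry_after_seconds=wait)
        if locked_until:
            count = 0  # a previous lockout has expired; start a fresh attempt window

        account = self.accounts.get(identifier)
        usable = account is not None and not account.disabled
        salt, expected = (account.salt, account.password_hash) if usable else (self._dummy_salt, self._dummy_hash)

        # Always run the comparison; the usable flag is applied afterwards, not via early return.
        matched = hmac.compare_digest(hash_password(password, salt), expected) and usable
        if matched:
            self.failures.pop(identifier, None)
            return LoginOutcome("success", "Signed in.")

        count += 1
        if count >= MAX_ATTEMPTS:
            self.failures[identifier] = (count, now + LOCKOUT_SECONDS)
            return LoginOutcome("locked", LOCKED_MESSAGE, retry_after_seconds=LOCKOUT_SECONDS)
        self.failures[identifier] = (count, 0.0)
        return LoginOutcome("failed", NEUTRAL_FAILURE, remaining_attempts=MAX_ATTEMPTS - count)


if __name__ == "__main__":
    # Constructed sample account for a stand-alone run.
    salt = os.urandom(16)
    verifier = LoginVerifier([Account("alice@example.com", salt, hash_password("correct horse", salt))])
    print(verifier.verify("nobody@example.com", "anything"))   # failed, neutral message, 2 remaining
    print(verifier.verify("alice@example.com", "wrong"))       # same status, message and remaining count
    print(verifier.verify("alice@example.com", "correct horse"))  # success, counter cleared
```

The outcome object carries only what the UI row says may be shown: status, neutral text, remaining attempts, and a wait time. The identifier keeps its place in the form and the password field is cleared by the client, which is why the server never echoes either value back.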