Skip to main content

One-time passcode

A text field paired with CTAs enabling users to a request single-use code to authenticate a transaction or session.

Task flows refer to the steps users progress through when interacting with patterns. They’re based on specific scenarios and demonstrate how users can successfully perform tasks within each pattern layout. To find prototypes for the task flow examples shown on this page, visit our Task flows (internal only).

Verification task flows

In verification flows, users are either completing the initial setup of their account information or using their verification method after setup. User success in this flow type is illustrated by the following scenarios.

Registering verification method

To verify their identity, the user must first set up a verification method. This initiates the verification process for their account and may follow account setup, recovery, or security settings for 2-step authentication.

A page titled Let's set up your phone and an input field labeled Mobile phone and a button labeled send code.

Verifying identity with verification method

After setting up at least one verification method, the user can initiate the flow to verify their identity. They will be prompted with a step up to verify their account or identity with an OTP.

A page titled Let's make sure it's you with a shielded phone number and a button labeled Send code.

Selecting verification method

If the user has set up multiple verification methods, they can select which one they wish to use to verify their account. Verification methods may vary depending on the product.

A page titled Let's make sure it's you with multiple buttons for options to send a code.

Resend task flows

In resend flows, users are requesting a new verification code to be sent to them. User success in this flow type is illustrated by the following scenarios.


30s timer countdown after Resend was initiated. Debounce when the user requests new OTP through “Resend.” Disable “Resend” after press.

Resending code through same method

The user chooses to have a new code sent through the same method they used the first time.

A page titled Enter verification code with an input field and confirm button.

Resending code through alternate method

The user chooses to have a new code sent through a different method.

A page titled Let's make sure it's you with multiple buttons for options to send a code.

Validation task flows

Validation flows illustrate user attempts to verify their identities and error pathways preventing success. To learn more about client-side validation and server-side validation, refer to Forms.

Client-side validation

Tabbing out of input field

When tabbing out of the input field before attempting to confirm the code, the user receives feedback stating that they didn’t enter all 6 digits.

A page titled Enter verification code with a filled input field in error state stating all six digits must be entered.

Submitting incomplete form

After entering an incomplete code or no code at all and attempting to submit, the user receives feedback instructing them to properly fill out the erroneous field.

A page titled Enter verification code with a filled input field in error state and error section message stating a valid code must be entered.

Server-side validation

Submitting incorrect code

The user submitted the incorrect code and is instructed to re-enter it correctly.

A page titled Enter verification code with a filled input field in error state and error section message stating the code entered is incorrect.

Submitting expired code

The user submits an expired code and receives feedback instructing them to request a new OTP.

A page titled Enter verification code with a filled input field in error state and error section message stating the code entered is expired.

Maxing out code entry attempts

The user entered the code incorrectly and reached the maximum number of attempts with the current code. They can verify their identity with a new code.

A page titled Get new verification code with a message letting the user know they've reached the maximum number of code entry attempts and an option to send new code.

Maxing out identity verification attempts

The user has reached the maximum number of attempts to confirm their identity after entering mismatched data on three different codes. They can no longer confirm their identity on that device.

A page titled Identity not confirmed with a message letting the user know they were not able to confirm their identity and to contact support.

These materials are intended for illustrative purposes only. They are provided AS-IS and should not be relied upon for marketing, legal, tax, financial, regulatory or other advice. Any links to third party sites are for your information only and do not constitute endorsement by or affiliation with Visa. Visa has no insight into and/or control over third party content and code and disclaims all liability for any such components.

Copyright © 2025 Visa. All rights reserved.