figma guide

Designing login, registration, and password recovery UI in Figma: auth flows, states, and handoff

Design login, sign-up, and password recovery UI in Figma with email/password forms, social auth buttons, MFA states, and Dev Mode specs for ecommerce account gates.

Published
Updated
Jul 03, 2026
Read time
7 min
Level
Beginner

Quick answer

Login and registration screens gate access to account areas, checkout benefits, and saved data—usually as a dedicated page or modal with email/password fields, social sign-in options, and links to sign up or reset password. Design three core flows: Sign in, Create account, and Forgot password (email capture → confirmation → new password). Include loading, error, locked-account, and MFA challenge states. Keep forms short: email + password for login; add name and marketing opt-in only when needed. Start from the Figma guides hub and pair with the account dashboard and forms patterns guides.


Who this is for

  • Product designers building auth gates before checkout, wishlist, or account areas.
  • Design system teams standardizing sign-in modals vs full-page auth across web and mobile.
  • Engineers implementing session redirects, OAuth buttons, rate limits, and password policy validation.

Auth surface comparison

SurfaceWhen to useTrade-off
Full-page authDedicated /login and /register routesBest for SEO, deep links, and return URLs
Modal / drawerQuick gate on PDP, wishlist, or mini cartFaster but harder to bookmark
Inline checkout authGuest vs account choice at checkoutReduces abandonment if optional
Header account menuLogged-in state onlyLinks to dashboard, not login form

Verdict: use a full-page sign-in as the canonical pattern; reuse the same AuthForm component inside modals when you need lightweight gates.


AuthForm anatomy

PartSpecNotes
Brand headerLogo + short headline”Sign in to your account”
Social rowGoogle, Apple, optional FacebookFull-width stacked buttons
Divider”or continue with email”Centered text on line
Email fieldtype=email, autocompleteRequired
Password fieldShow/hide toggleLink to forgot password
Primary CTA”Sign in” / “Create account”Full width
Secondary linkToggle login ↔ register”Don’t have an account? Sign up”
Legal footerTerms + Privacy linksRequired for registration
Return URL note”You’ll return to checkout”When ?redirect= present
AuthForm
├── Variant: mode=signIn | signUp | forgotPassword | resetPassword | mfaChallenge
├── Variant: layout=page | modal
├── Property: socialEnabled=true
└── Layers:
    ├── BrandHeader
    ├── SocialAuthStack
    │   └── SocialButton (repeat)
    ├── Divider
    ├── EmailField
    ├── PasswordField
    ├── ForgotPasswordLink (signIn only)
    ├── MarketingOptIn (signUp only)
    ├── SubmitButton
    ├── ModeToggleLink
    └── LegalFooter (signUp only)

Use form input states—default, focus, error, disabled—and toggle switches for marketing consent on sign-up.


Sign-in flow states

StateUI treatmentCopy example
DefaultEmpty fields, enabled CTA”Sign in”
LoadingSpinner on button, fields disabled”Signing in…”
Invalid credentialsInline error below password”Email or password is incorrect”
Account lockedBanner + support link”Too many attempts. Try again in 15 minutes.”
Unverified emailBanner + resend link”Confirm your email to continue”
MFA requiredSwitch to code entry step”Enter the 6-digit code”
SuccessBrief toast then redirectRedirect to return URL or dashboard

Never use vague errors like “Something went wrong” for credential failures—users retry blindly and support tickets spike.


Registration flow fields

FieldRequiredWhen to skip
EmailYesNever
PasswordYesSocial-only signup
Confirm passwordOptionalUse strength meter instead of duplicate field
First / last nameOften yesCollect at checkout if guest-first
PhoneOptionalSMS tracking or MFA only
Marketing opt-inUnchecked defaultGDPR/CAN-SPAM compliant
Terms acceptanceCheckbox or implicit linkJurisdiction-dependent
SignUpForm
├── Variant: state=default | validating | success | emailExists
└── Layers:
    ├── NameRow (First + Last)
    ├── EmailField
    ├── PasswordField + StrengthMeter
    ├── MarketingCheckbox
    ├── TermsCheckbox
    └── CreateAccountButton

Pair password fields with a strength meter (weak/fair/strong) and policy hint: “8+ characters, one number.”


Password recovery flow

StepScreenPrimary action
1Forgot passwordSubmit email
2Check your emailOpen mail app / resend
3Reset password (from link)New password + confirm
4SuccessSign in with new password
PasswordRecovery
├── Step: requestEmail
├── Step: emailSent
├── Step: resetForm
└── Step: resetSuccess

Design the email sent step even if engineering handles it as a toast—users need confirmation the request worked. Include resend with cooldown annotation (e.g. 60 seconds). Reset form should validate token expiry with a clear “Link expired” state and CTA to request a new link.


Social auth button specs

ProviderLabelIcon placement
Google”Continue with Google”Leading brand icon
Apple”Continue with Apple”Required on iOS-heavy audiences
Facebook”Continue with Facebook”Optional; declining in B2C

Stack buttons full width with consistent height (44–48px). Do not bury social auth below a long registration form—put social options above email fields to reduce friction.


BreakpointPage layoutModal layout
DesktopCentered card max 400–440pxSame card inside overlay
MobileFull-width padded formFull-screen sheet with close
FocusSingle columnTrap focus; Esc closes only if safe

For modals, reuse modal overlay patterns with backdrop dim and close button. Auth modals should not close on backdrop click if a half-filled form risks data loss—confirm first or disable backdrop dismiss.


MFA and security UI

PatternUINotes
Email OTP6 single-digit inputs or one code fieldAuto-advance between boxes
Authenticator appCode field + “Use backup code” linkShow device name if known
SMS OTPCode field + resend timerPair with phone on file
Remember deviceCheckbox30-day trust annotation

MFA screens need back to sign-in without losing the email context. Show which method is active: “We sent a code to j***@email.com.”


Handoff checklist

ItemDev Mode annotation
Return URL?redirect=/checkout preserved through auth
Session mergeGuest cart → account on login
OAuth callbacksProvider-specific error states
Rate limitingLockout UI after N failures
Password policyMin length, complexity rules in validation copy
Autocompleteemail, current-password, new-password
Analyticsauth_sign_in_start, auth_sign_in_success, auth_sign_up_complete
a11yLabels, aria-invalid, error announcements
LocalizationRTL layout for Arabic storefronts

Pair with Dev Mode checklist and password-protected prototype guidance for stakeholder reviews.


Common mistakes

MistakeWhy it hurtsFix
Login and register as unrelated layoutsInconsistent trustOne AuthForm with mode variant
No forgot-password linkSupport load + abandonmentAlways visible on sign-in
Confirm-password field onlyExtra frictionStrength meter + show/hide toggle
Social buttons below long formsLow OAuth uptakeSocial first, email second
Generic error messagesBrute-force retriesSpecific, safe copy per failure type
Modal with no return contextUsers lose checkoutShow “Return to cart” note
Marketing opt-in pre-checkedLegal riskUnchecked default
Missing logged-out header stateConfusing navShow “Sign in” in header account slot

  1. Pick auth surfaces (page, modal, checkout inline) from your funnel map.
  2. Build AuthForm with signIn, signUp, and forgotPassword variants.
  3. Add social auth row and divider above email fields.
  4. Design all field states using shared form components.
  5. Wire password recovery as a four-step mini-flow with email-sent confirmation.
  6. Add MFA challenge frame if your platform supports 2FA.
  7. Spec return URL, cart merge, and analytics in Dev Mode.
  8. Prototype sign-in → account dashboard and checkout redirect paths.

FAQ

Separate mobile app login screens?

Reuse the same AuthForm component; on native apps, prefer full-screen over modals and follow platform HIG for Apple/Google button styling.

Show password requirements upfront?

Yes—a short hint under the password field beats errors after submit. Update copy when engineering changes policy.

Account creation during checkout?

Offer optional account creation after payment (“Save details for next time”) rather than forcing registration before purchase. See guest checkout patterns.

If the product supports passwordless email links, add a “Email me a sign-in link” tertiary action—do not replace password fields unless the backend is link-only.


Next steps

Share on X

§ Keep reading

Related guides.