figma guide

Designing passkeys and passwordless login UI in Figma: WebAuthn setup, biometrics, and sign-in flows

Design passkey and passwordless login UI in Figma with WebAuthn enrollment, biometric prompts, device lists, fallback flows, and Dev Mode specs for modern auth.

Published
Updated
Jul 06, 2026
Read time
8 min
Level
Beginner

Quick answer

Passkeys replace passwords with device-bound cryptographic keys—users sign in with Face ID, Touch ID, Windows Hello, or a security key instead of typing a password. Design enrollment on the account security page (add passkey after login), a passkey-first sign-in screen with email lookup, native biometric prompts (browser/OS UI—annotate as external), and fallbacks to password or OTP when passkeys fail. List registered passkeys with device labels and remove actions. Start from the Figma guides hub and pair with login, 2FA security settings, and account dashboard guides.


Who this is for

  • Product designers rolling out WebAuthn passkeys on login and account security pages.
  • Design system teams standardizing passkey CTAs, device lists, and fallback auth across web and mobile.
  • Engineers implementing conditional UI, discoverable credentials, and cross-device passkey sync.

Passkey vs password vs 2FA comparison

MethodUser experienceWhen to prioritize
PasskeyOne tap / biometric; phishing-resistantDefault for returning users on supported browsers
PasswordFamiliar; higher support burdenFallback, legacy accounts, shared devices
2FA (TOTP/SMS)Extra step after passwordHigh-risk accounts; pair with passkeys as step-up
Magic link emailNo password; inbox dependencyLow-friction guest or recovery path

Verdict: lead with passkey sign-in when the browser supports WebAuthn; keep password + 2FA as explicit fallbacks—not hidden behind broken passkey flows.


PasskeySignInForm anatomy

PartSpecNotes
Email fieldAutocomplete username webauthnTriggers discoverable credential prompt
Primary CTA”Sign in with passkey”Full width on mobile
Biometric hintIcon row: Face ID / fingerprint / keySets expectation before OS prompt
Fallback link”Use password instead”Always visible—never trap users
Create account”Sign up with passkey” on registerSame component, different copy
Error regionCancelled, unsupported, no passkey foundSpecific messages per failure
Loading”Checking for passkeys…”Brief—OS sheet appears quickly
PasskeySignInForm
├── Variant: mode=signIn | signUp
├── Variant: state=default | loading | error | unsupported
└── Layers:
    ├── BrandHeader
    ├── EmailField
    ├── PasskeyPrimaryButton
    ├── BiometricHintRow
    ├── FallbackPasswordLink
    ├── ErrorBanner
    └── CreateAccountLink

Reuse layout from login AuthForm—swap password fields for passkey CTA when authMethod=passkey.


Native biometric prompt (external UI)

Browsers and OSes render the actual WebAuthn sheet—you do not pixel-match it in Figma. Instead, add a spec frame labeled “System UI (not designed here)” with annotations:

PlatformWhat users seeDesign note
iOS SafariFace ID / Touch ID sheet with domainShow wireframe placeholder + domain string
Android ChromeFingerprint or screen lockSame placeholder pattern
macOS SafariTouch ID or passwordAnnotate rpId domain
WindowsWindows Hello PIN or biometric
Security keyUSB/NFC tap promptFor enterprise flows

Verdict: one PasskeySystemPromptPlaceholder component with variants per platform; link to WebAuthn docs in Dev Mode for engineers.


Add passkey enrollment flow

StepUINotes
1. Entry”Add a passkey” row on security settingsBelow or above 2FA section
2. IntroBenefits: faster sign-in, phishing-resistantOptional modal
3. Name passkeyDefault: “MacBook Pro” or “iPhone 15”Pre-fill from user agent
4. System promptPlaceholder frame—user confirms biometric
5. SuccessToast + new row in passkey listEmail: “New passkey added”
6. Skip”Maybe later” on optional promptsDon’t block dashboard
AddPasskeyFlow
├── Variant: step=intro | naming | systemPrompt | success
├── Variant: context=settings | postLoginNudge
└── Layers:
    ├── PasskeyBenefitsCopy
    ├── PasskeyNameField
    ├── PasskeySystemPromptPlaceholder
    ├── SuccessBanner
    └── PasskeyListRow (after success)

Post-login nudge modal: “Secure your account with a passkey”—dismissible once per device; pair with notification preferences for security emails.


PasskeyList component

ElementSpec
Row labelUser-editable name + created date
Device iconPhone, laptop, security key
Sync badge”Synced via iCloud Keychain” / “Google Password Manager”
Last usedOptional meta
RemoveDestructive; confirm modal
Empty”No passkeys yet” + Add CTA
Limit note”You can register up to 10 passkeys”
PasskeyList
├── Variant: state=empty | populated | removing
└── Layers:
    ├── PasskeyRow (repeat)
    │   ├── DeviceIcon
    │   ├── PasskeyName
    │   ├── SyncBadge (optional)
    │   ├── LastUsedMeta
    │   └── RemoveButton
    └── AddPasskeyButton

Cross-link privacy settings when account deletion must revoke all passkeys server-side.


Fallback and error states

ErrorUser messageNext action
User cancelled”Sign-in cancelled”Retry passkey or use password
No passkey for email”No passkey found for this account”Offer password sign-in or sign up
Unsupported browser”Passkeys aren’t supported here”Hide passkey CTA; show password only
Platform authenticator unavailable”Set up Face ID or a screen lock on this device”Link to device help
Cross-device timeout”Use your phone to complete sign-in”QR or hybrid transport UI
Revoked passkey”This passkey was removed”Remove stale row; password fallback

Design HybridTransportUI (optional): QR code on desktop that completes on phone—common for cross-device passkeys. Annotate as advanced; many teams defer to password fallback first.


Sign-up with passkey

StepUI
1. Email captureVerify uniqueness
2. Create passkeySystem prompt immediately after email
3. Profile optionalName, marketing opt-in—after passkey created
4. SuccessRedirect to account dashboard

Verdict: don’t ask for password on passkey-only registration unless regulations require a backup factor—offer add password later in security settings instead.


Mobile layout

PatternSpec
Passkey buttonMin 48px height; platform icon left
Email firstSingle field above passkey CTA
FallbackSticky footer link “Sign in with password”
EnrollmentFull-screen steps; system sheet overlays
List rowsSwipe to remove or overflow menu

Test on real devices—passkey UX is mostly native; Figma prototypes should focus on your chrome, not the OS sheet.


Handoff checklist

ItemDev Mode annotation
rpIdRegistered domain for WebAuthn
Discoverable credentialsmediation: conditional for autofill UI
User verificationRequired (userVerification: required)
AttestationNone vs enterprise policy
Passkey limitMax credentials per account
Remove passkey APIDELETE + re-auth requirement
Fallback orderpasskey → password → MFA
Email eventsadd passkey, remove passkey, sign-in from new device
a11yPasskey button has clear name; errors in live region

Document cross-device strategy: sync via platform (Apple/Google) vs hybrid QR vs password fallback.


Common mistakes

MistakeWhy it hurtsFix
Hiding password fallbackUsers locked out on unsupported browsersAlways show “Use password”
Designing fake biometric UIDevs can’t ship pixel-matched sheetsUse annotated placeholders
Passkey-only with no recoveryLost device = lost accountPassword, recovery email, or support path
Same copy for add vs sign-inConfusing CTAs”Sign in with passkey” vs “Add a passkey”
No email on passkey changesUser can’t detect account takeoverNotify on add/remove
Forcing passkey before email verifyInvalid credentials on unverified accountsVerify email first
Generic “Something went wrong”Support ticketsMap WebAuthn error codes to copy
Ignoring shared computersPasskeys persist on public PCs”Not this device?” + password

  1. Extend AuthForm with authMethod=passkey variant from login guide.
  2. Add PasskeyList to security settings page frame.
  3. Design AddPasskeyFlow with naming step and system prompt placeholder.
  4. Spec all error states—cancelled, unsupported, not found.
  5. Design post-login nudge modal (optional enrollment).
  6. Wire fallbacks to password and OTP flows.
  7. Annotate native UI frames per platform for engineering.
  8. Prototype sign-in on 375px with fallback link always visible.

FAQ

Replace passwords entirely?

Phased rollout: passkey-first with password fallback. Retire password only when analytics show low usage and support is trained.

Passkeys and 2FA together?

Passkeys are multi-factor (device + biometric). Extra TOTP is optional for admin roles—don’t double-prompt everyone.

Enterprise security keys?

Add SecurityKeyRow variant with USB/NFC icon and “Register YubiKey” copy—same list component, different device icon.

Passkeys on ecommerce guest checkout?

Usually account-only—guest checkout stays email-based. Offer passkey after account creation from order confirmation.

Sync across devices?

Show sync badge when platform reports iCloud/Google sync—users expect passkeys to “just work” on new phones.


Next steps

Share on X

§ Keep reading

Related guides.