Signup drop-off FAQ

The percentage of users who begin a signup flow but do not complete it. SaaS median is 60-80% drop-off per Segment 2024 and Statsig benchmarks, meaning fewer than half who start typically finish. This is distinct from onboarding drop-off (post-signup activation) and checkout abandonment (ecommerce). The rate varies significantly by auth method.

Email+password: 35-55%. Google OAuth: 55-75%. Magic link: 70-85%. B2B enterprise is lower due to required qualification fields. Mobile is 5-15pp lower than desktop. Source: Segment 2023/2024, Statsig public benchmarks, Auth0 case data.

Top causes: hard email-verify gate (8-20pp per Userpilot and Auth0), required phone (3-12pp per Formisimo/Zuko), too many fields (~8-10pp per field beyond 2 per Baymard), captcha friction (2-5pp per HubSpot), NIST-violating password rules, confirm-password field (3-7pp per NN/g and LukeW), country dropdown defaulting to USA (1-3pp for international traffic).

+10-25pp for B2C and +8-15pp for B2B per Segment 2023 benchmark. The lift is real but each provider has trade-offs: Apple Sign In hides the real email via relay, Google OAuth can be blocked by corporate IT admins, and OAuth-only accounts have no fallback login path if the provider has an outage. Always offer an email fallback.

Magic links lift signup conversion +15-30pp per Auth0 case data and Slack and Notion's disclosed patterns. The trade-off: repeat login requires checking email every session. The hybrid pattern - magic link at first signup, offer passkey or password setup inside the product - captures the conversion lift without the repeat-login friction.

Hard-gate verification (cannot use product until verified) costs 8-20pp per Userpilot and Auth0 case data. Verify-later patterns (full product access, verification required before high-stakes actions) recover most of that without meaningfully increasing abuse. Hard gates are appropriate for financial services, healthcare, and anti-abuse critical contexts only.

B2C: 1-3 fields. B2B SaaS: 3-6 is defensible. Each field beyond 2 costs approximately 8-10pp per Baymard research. The most common unnecessary fields are confirm-password (replace with visibility toggle), required phone (ask after signup), and required company at signup (enrich from email domain).

Yes. reCAPTCHA v2 checkbox costs 2-5% of legitimate signups per HubSpot and Baymard data. Invisible variants (Cloudflare Turnstile, reCAPTCHA v3) cost near-zero for legitimate users. Turnstile is the best overall choice for most products in 2026: invisible, no Google scripts, GDPR-friendly, free.

NIST SP 800-63B (Section 5.1.1.2): minimum 8 characters, allow up to 64. No forced composition rules (uppercase/lowercase/number/symbol requirements are explicitly deprecated). No forced rotation on a schedule. Check against known-breached lists (HIBP Pwned Passwords API). Allow paste. Show visibility toggle. No password hints. Available free at pages.nist.gov/800-63-3/sp800-63b.html

Collecting only the minimum at signup - email plus password or OAuth - and asking for additional data contextually inside the product, at the moment it is needed. Shopify collects only shop URL and email. Figma adds a role dropdown. Notion uses magic link only. Everything else is asked inside the product when the request is justified by a specific product moment.

Yes, within reason. B2B users are in a higher-stakes purchase context and tolerate more fields. 3-6 fields is defensible. But PLG B2B (Figma, Notion, Linear) behaves more like B2C at signup - get to value fast, collect more data inside the product. Sales-led B2B demo request forms are a different category with different rules.

5-15pp lower per Segment and Baymard research. Causes: fat-finger input errors on small targets, wrong keyboard types (showing QWERTY for phone numbers), missing autocomplete attributes preventing password manager autofill, and captcha friction that is harder on mobile. All are fixable with correct inputmode and autocomplete attributes.

Yes, if the default is USA and significant traffic is international. 1-3% drop on non-US users per Baymard internationalisation research. Fix: IP-based country defaulting with manual override, likely-countries grouping at the top of the dropdown. Better: skip the field entirely if you do not genuinely need it for localisation or compliance.

Required for iOS App Store apps if you offer Google or Facebook SSO - Apple mandates it for App Store compliance. For B2C mobile-heavy products, approximately 60% of iOS users prefer it when available. Trade-off: Apple's Hide My Email relay means you receive a relayed address rather than the user's real email, complicating customer success and transactional email.

The framework: (additional signups from friction reduction) x LTV = annual recoverable value. Use the interactive calculator on the homepage. Default assumptions: ~8-10pp per extra field beyond 2, 12pp for hard email-verify gate, 3pp for captcha, +18pp for adding OAuth. Override with your own measured data from A/B tests.