Don't build password-less login

A metrics-driven take on how password-less login wasted weeks of development time and hurt our signup funnel.

"Magic Link", also know as password-less login, enables users to sign in by clicking a link. With no need to remember a password or prove email ownership, many people have hailed "Magic Link" as the perfect authentication solution.

How it works on SnapHabit? After a user enters their enter email address, we direct them to their inbox to tap a link to sign in. Before diving into what went wrong, here's a snapshot of our authentication funnel:

• 11% of users required at least 4 magic-link emails before completing signing up.
• 18% of users never finished signup (clicked the magic link). On average, these users attempted signup twice, with several users submitting > 10 times.

... why would you use magic link, anyways?

Friends are core to SnapHabit, so the functionality to send a friend request is critical. Phone number or email felt like the cheapest way to support a unique identifier — as it could be used for both authentication and finding a friend.

Like most services, we first looked at using "Sign in with Google/Facebook". However, Apple recently adjusted App Store Guidelines... starting June 30, "apps that use a social login service ... must also offer Sign in with Apple"

Apple Sign In supports "Hide My Email", so many users who sign in with Apple would not have a meaningful email attached to their account. Asking for a user's email after they chose to "hide it" would be a poor user experience.

So in summary, we had 4 options for account creation:

1. Email + Password ... requires forgot password and users to prove email ownership
2. Support all third-party (Apple, Google, Facebook) ... and add a new unique identifier to allow friends to find each other, given email will not be sufficient
3. Phone number magic link ... we were relying on Expo (previously did not support phone-number auth), and we also felt emails would be a good/cheap tool for communication
4. Email magic link

Email magic link felt... perfect!  We built the login flow, complete with a custom email, instructional webpage, and deep linking. Hurrah, we had cracked the authentication funnel!

What went wrong and how we tried to solve

If you're interested in the technical details of how we implemented some of these fixes, let me know and we'll consider publishing.

1. Users clicking the link on another device.

Of 10 users we chatted with who had issues, 4 tried to click the link on another device. There are two routes to solving this:

• technical solution to support this behavior (clicking the link on desktop will authenticate the user on mobile)
• better instructional text

The latter was simpler, so we started with that:

And again.

And more.

2. User confusion about clicking a link to login

At least 2 people mentioned they simply did not understand that they needed to authenticate with email.  To solve this, we added

• call-to-action to open Apple Mail or Gmail
• disabled the "resend" button for 10 seconds, to encourage users to tap the mail CTA before attempting login again

3. Users entering the wrong email

Many users who did not finish finish signing up (eg. did not click email link) had accounts with a ".con" domain.  We added an notice to alert users of a possibly unintended typo:

... What's next

Despite attempting to solve 1, 2 and 3, our funnel drop-off is still larger than we'd like (~15% of users do not open the email correctly).

So after two months of solution hackery, we're cutting our losses and adding sign in with Google, Facebook and Apple options. If we still see users opting for email sign-in and failing to complete, we'll consider making the full-circle shift back to an email/password model.

I hope our sharing this painful journey can save you from taking a similar path!  Let me know if you have any questions or feedback at [email protected].

Don't have SnapHabit yet? You can download the app on iOS here and Android here.