Auth flows that don't make users rage-quit

Magic links, social, passwords, passkeys. The actual data on what converts, and the small UX details that quietly halve drop-off.

Sign-up is the page where the most users leave. Not because they decided your product wasn't for them; they already decided it was, which is why they're here. They leave because the form was annoying.

Most teams treat auth as a solved problem and copy whatever their auth provider's example shows. The example is usually generic and almost always shipped without the small UX details that account for half the conversion lift. Here's what to actually ship in 2026.

Pick the right auth method

Magic link

One field, one click in an email, you're in. Magic links convert the best for consumer products with low security stakes, such as Notion, Cron, and Linear's free tier. They fail when the user's email is in a corporate sandbox that delays delivery 30+ seconds (which feels broken).

Social (Google, GitHub, Apple)

Highest conversion when offered as the first option, lowest friction otherwise. Pick the providers your audience already has accounts on: GitHub for dev tools, Google for general SaaS, Apple for consumer. More than three options and you've added decision fatigue, which hurts more than it helps.

Email + password

The default. Lower conversion than magic link, higher ceiling than social (because the user keeps a credential they can use anywhere). Required for enterprise. Required when the user expects to revisit on a device that doesn't share email.

Passkeys

The future, currently the present-imperfect. Conversion when offered alongside other methods is mediocre because users don't know what they are. Conversion when offered as the primary method by a brand the user already trusts (Apple, Google, GitHub) is excellent. Ship them, but ship them as an upgrade prompt after first login, not as the first thing on the sign-up page.

The order matters

On a sign-up page with multiple methods, conversion follows visual hierarchy almost perfectly. Whatever is biggest and topmost gets the most clicks. So:

  1. Lead with the method that has the best long-term retention, not just the easiest sign-up. Social converts at sign-up but creates lock-in to the provider. Email+password is harder up front but the user owns the credential.
  2. Show 2 social options max above the divider. "Continue with Google" and "Continue with Apple" or GitHub. Below a horizontal divider with the word "or", show the email field.
  3. Don't bury the alternative. If you lead with email, the social buttons should still be visible without scrolling. Users who want them won't search.

The small details

  • Auto-focus the email field on load. Saves a click, costs nothing.
  • Show password requirements before the user types. "At least 8 characters, including a number" displayed below the field, not as an error after submission. Errors after submission are the single largest source of rage-quits.
  • Reveal-password toggle on the password field, on by default. The 2008 convention of always-masked passwords assumed shoulder surfers were the threat model; in 2026, typos are.
  • Disable the submit button only while the request is in flight, never based on field validation. Disabled buttons confuse users who can't tell what's missing.
  • Tell users where the magic link was sent, with the exact email visible. "We sent a link to alex@example.com, check your inbox." If they typed it wrong, this is the moment they catch it.
  • Provide a resend option after 30 seconds, not immediately. Immediate resends train users to spam-click.
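The magic-link details in the list above (submit disabled only while the request is in flight, the exact address echoed back, resend after 30 seconds) can be written as a small framework-free state machine. This is an added example, not code from the article or from any auth provider; every name in it (`reduce`, `view`, `RESEND_DELAY_MS`, the event types) is hypothetical.

```javascript
// Added example; all names here are hypothetical, not from any auth library.
const RESEND_DELAY_MS = 30000; // the list's "resend option after 30 seconds"
const initialState = { email: "", inFlight: false, sentAt: null, error: null };

// Deliberately loose syntax check; the emailed link is the real verification.
const looksLikeEmail = (s) => /^[^\s@]+@[^\s@]+\.[^\s@]+$/.test(s);

// UI pacing only: a client-side timer can be bypassed, so the server
// still needs its own rate limit on link requests.
const canResend = (state, now) =>
  state.sentAt !== null && !state.inFlight && now - state.sentAt >= RESEND_DELAY_MS;

// Pure reducer: each UI or network event maps the old state to a new one.
function reduce(state, event) {
  switch (event.type) {
    case "input": // user edits the email field
      return { ...state, email: event.value, error: null };
    case "submit":
      if (state.inFlight) return state; // ignore double clicks
      if (!looksLikeEmail(state.email)) // explain the problem, don't grey out the button
        return { ...state, error: "Enter a valid email address" };
      return { ...state, error: null, inFlight: true };
    case "resend": // event.at: click time in ms
      return canResend(state, event.at) ? { ...state, inFlight: true } : state;
    case "sent": // server accepted the request; event.at: time in ms
      return { ...state, inFlight: false, sentAt: event.at };
    case "failed":
      return { ...state, inFlight: false, error: event.message };
    default:
      return state;
  }
}

// What the page renders for a given state at time `now` (ms).
function view(state, now) {
  const sent = state.sentAt !== null;
  return {
    autofocusField: sent ? null : "email",
    submitDisabled: state.inFlight, // never derived from field validation
    error: state.error,
    // User-typed text: insert with textContent, never innerHTML.
    confirmation: sent ? `We sent a link to ${state.email}, check your inbox.` : null,
    canResend: canResend(state, now),
  };
}
```

Wire `view()` to whatever renders the form and dispatch `sent` or `failed` from the network callback; the timestamps are passed in so the 30-second rule can be tested without waiting.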

Sign-up vs sign-in: one page or two?

One page, with a clear toggle between the two modes. Having two separate pages doubles your maintenance and confuses users who don't remember whether they have an account. The toggle should sit at the top, visible without scrolling, with the alternative spelled out: "Already have an account? Sign in."

If you're using magic links exclusively, you don't even need the toggle, because magic link sign-up and sign-in are the same flow. This is the biggest UX advantage of magic links over passwords, and most teams don't realize they get it for free.

Post-auth: the moment that decides retention

The page a user lands on after first sign-in matters more than the sign-up form itself. Drop them on a dashboard with no data and they bounce. Drop them in an onboarding flow that asks 12 questions and they bounce. Drop them in the product with a single, achievable first action, and they convert.

Build yours

The auth entry has tuned prompts for the sign-up, sign-in, and magic-link confirmation patterns above. Pair with the production stack entry for the auth provider picks (Clerk, Auth.js, WorkOS) and the tradeoffs between them.
