
Don’t require a user to be interested twice: lessons on reducing signup friction - bbirnbaum
https://bbirnbaum.com/two-lessons-on-reducing-sign-up-friction/
======
gk1
It’s a good lesson but let’s not forget that completing the signup is not the
goal in itself. If you look at post-signup user activity you will find _many_
users stick around for a few minutes and then leave, never to return again.

If someone can’t be bothered to click a verification email, then removing that
step is not going to magically turn them into an active user. More likely they
will be one of the many people who leave after a few minutes.

I do signup/onboarding optimization for startups, and here’s what I found
from a recent project:

1) The verification email was NOT a significant bottleneck to signups. That
is, most people clicked the link.

2) Removing the verification step did NOT have a meaningful impact on
conversion rates.

If you don’t have a problem with user quality then sure, avoid the
verification step. But if you have a good reason for the verification step
then don’t sweat the drop-off rates.

And more importantly: Treat signups as a leading indicator of success, not the
ultimate goal.

Edit: On second reading I see the author is talking about a verification step
that requires an admin approval, which could take hours. Yeah, don’t do that.

~~~
hinkley
Also removing that step means that I get 'spam' that contains scary amounts of
PID in it.

I'm looking at you, Mint, who sent me someone else's financial data for months
and months, and did not have an unsubscribe button (outside of user account
preferences).

If a gamer uses my email address to sign up for a service, I'm gonna log into
their account and change settings. Or once, in a mood, just delete their
account (many services use email address as an identifier, so you can't use
that service if someone used your preferred email address). I figure it's like
someone accidentally giving out your number in a bar to get away from a creep.
You just happened to lose the random digit lottery.

I'm never going to log into someone's financial system to do that. You've
crossed a line from petty vigilantism (under duress) into "this is starting to
resemble a felony" territory. It took ages to ask the right question of Mint
support to get them to do something about it. And really, fuck anyone who puts
people in this position in the first place.

If you are sending communications to a user repeatedly, you believe you have a
relationship with them whether they want it or not. If you are collecting
sensitive data on them, and then telegraphing it in those communications, then
_verify their goddamn contact information first_.

Or, stop trying to have those conversations over unauthenticated channels.

[edit to add: and then there was the lonely guy who signed up for eight+
dating sites while I was in a rough patch with my partner and I had to
scramble to unsubscribe lest she think I was planning my escape. Seriously
dude, not cool]

~~~
agency
I feel you. I have {commonFirstName}.{commonLastName}@gmail.com and I get so
much email intended for other people. Services that don’t verify email and
require you to login to unsubscribe are the _worst_

~~~
xingyzt
Slight tangent: A lot of people might not know that periods in the first half
of a gmail address actually get ignored when relaying. They're only there
visually. Some services don't check for this and you can register multiple
accounts with u.ser@gmail.com, us.er@gmail.com, use.r@gmail.com which all get
forwarded to user@gmail.com.

------
bonestamp2
The best and most simple onboarding process I've ever experienced was with
expensify. I don't know if it's still like this, but you just enter your email
address and you're in... your account is running and you're logged in.
Everything else can be figured out later.

Bots? Idle new accounts are probably deleted after a number of days. Password?
A reset/creation link can be sent to your email the next time you try to
login. Payment? That's only important if you're going to use the software --
it can be handled when appropriate.

Unless your service has some major expense or limited resource associated with
account setup (ex. assigning the user a new phone number), I would love to see
more signups like this. The lack of friction made me feel so happy as a
customer and I instantly had a positive impression of the service because it
already felt like it was adding value by making my life easier. I wouldn't be
surprised if this also has a positive impact on their conversion rate.

~~~
JoshTriplett
That's fine as long as you send a welcome email immediately that says "If you
didn't create this account, use this link and you'll never get another email
at this address".

I've seen services forget that, and then it's possible to sign up with someone
else's email address, use the account, and have someone else get spammed or
harassed. That needs to be part of your threat model. "What if a bot signs up"
is about protecting your service and people using it. "What happens if someone
signs up with someone else's information" is about protecting _other people_,
who may have nothing to do with the service.
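
A sketch of the welcome-email safeguard described in the comment above, combined with the Gmail dot-folding mentioned earlier in the thread, so that one "this wasn't me" click also covers dotted variants of the same mailbox. This is an added example, not code from the thread or from any service named in it; `SignupService`, `disown_token`, the in-memory stores and the key are hypothetical.

```python
import hashlib
import hmac

# Assumption: a constructed demo key; a real service loads this from a secret store.
SECRET = b"constructed-demo-key"


def canonical(email):
    """Fold an address to the mailbox it is delivered to.

    Only the rule stated in the thread is applied: periods in the local
    part of a gmail.com address are ignored.
    """
    local, _, domain = email.strip().lower().rpartition("@")
    if not local or not domain:
        raise ValueError("not an email address: %r" % email)
    if domain == "gmail.com":
        local = local.replace(".", "")
    return local + "@" + domain


def disown_token(key):
    """HMAC bound to the purpose and the canonical mailbox, so the link
    cannot be forged for, or replayed against, another address."""
    return hmac.new(SECRET, b"disown|" + key.encode(), hashlib.sha256).hexdigest()


class SignupService:
    """In-memory model of 'log in first, verify later' signup."""

    def __init__(self):
        self.accounts = {}       # canonical address -> account record
        self.suppressed = set()  # mailboxes that said "this wasn't me"
        self.outbox = []         # (recipient, subject, token) actually sent

    def sign_up(self, email):
        key = canonical(email)
        if key in self.suppressed:
            return "suppressed"  # never mail this mailbox again
        if key in self.accounts:
            return "duplicate"   # u.ser@ and us.er@ are one mailbox
        self.accounts[key] = {"email": email, "verified": False}
        # The welcome mail goes out immediately and carries the disown link.
        self.outbox.append((email, "welcome", disown_token(key)))
        return "created"

    def disown(self, email, token):
        """Handle a click on the 'I didn't create this account' link."""
        key = canonical(email)
        expected = disown_token(key)
        if not hmac.compare_digest(token.encode(), expected.encode()):
            return False
        account = self.accounts.get(key)
        if account and account["verified"]:
            return False         # mailbox owner already confirmed the account
        self.accounts.pop(key, None)
        self.suppressed.add(key)
        return True

    def notify(self, email, subject):
        """Every later send is checked against the suppression list."""
        if canonical(email) in self.suppressed:
            return False
        self.outbox.append((email, subject, None))
        return True
```

The suppression list is keyed by the canonical mailbox, not the string typed at signup, which is what stops a second signup under a dotted variant from restarting the mail.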

~~~
jlokier
> "If you didn't create this account, use this link and you'll never get
> another email at this address"

If I get an _unsolicited_ email for a service I don't recognise, that has a
link in it and a message asking me to click on it, should I click on it?

Common advice is don't click on links in mails you aren't expecting. It just
confirms your address is real for spam harvesting.

~~~
bcrosby95
I don't know who gives that advice, but it seems poorly thought out. Email
providers already tell people sending email when an address is real or not.
You clicking the link would tell them you read your email.

I'm also not sure what you're afraid of. If your account has been in existence
for long enough, you already get a lot of spam. It just gets blocked or
filtered. The vast majority of your emails that actually get to your inbox are
from people trying to do the right thing, not people trying to screw you over.

~~~
sokoloff
> Email providers already tell people sending email when an address is real or
> not.

I don’t think email works the way you seem to think it works.

~~~
bcrosby95
Email deliverability was part of my job for around 8 years. Providers will
absolutely send you a bounce message (via the return path email) if an inbox
does not exist. Or even if it is full.

The messaging is not standard so you have to do all sorts of special case
parsing because each provider can give a different message. And ignoring these
messages will hurt your ability to deliver email.

So if your plan is to hide your address from people, again, I don't see the
point.

~~~
sokoloff
I believe there's value to marketers to know "this email address somewhat
reliably hits a human's eyeballs" as evidenced by a click-to-unsubscribe or
click-to-refute action as a stronger signal than "well, we didn't get a
bounce".

"Email providers already tell people sending email when an address is real or
not." suggests a level of reliability of signal that simply doesn't exist. I
have an infinite number of email addresses that you could send to, which would
not give you a bounce, and none of which will reliably land in front of a
human's eyeballs.

------
rbritton
Know your target audience too. I'm not sure if I'm it, but reCAPTCHA gives me
enough friction that I often abandon pages with it. Simply using Firefox's
antifingerprinting feature plus some ad/tracker blocking is enough for it to
be miserable every time.

~~~
RonanTheGrey
Nobody here is talking about the elephant in the room where reCAPTCHA (and
hCAPTCHA has the same problem) is concerned:

The other day when Google was having issues (the same day that a bunch of
Android apps were crashing due to a bad map data push), I was unable to log
into my bank, unable to pay my electric bill, and a half dozen other things I
_needed_ to do that day.

Because Google's servers were down, core service providers were unable to do
anything either because they block access to their site without recaptcha
approving the entry.

To me, as a technologist, as a builder of software, this is absolutely and
entirely unacceptable. Captcha needs to be something you can self host.

I don't understand this habit of handing Google a knife and then telling them
where to stab you.

~~~
colinmorelli
I'm going to guess people aren't typically talking about it for a few reasons:

- We started out with self generated and self hosted captcha. It was too easy
to beat. Complexity of the image generation turned up until eventually it was
easier to just outsource it to someone else. Going to throw out a guess here
that reCAPTCHA is far from simple, and likely exceeds what most teams would
want to run internally.

- Google has an uptime that's significantly higher than most companies. I'm
not defending any of Google's habits or business practices, but I personally
wouldn't bet that most companies can run software more reliably than Google.

- As someone else mentioned, fail open is an option in situations like these
(depending on the threats you're trying to protect against). For something
with a high probability of failure, this could make sense, but I would have a
hard time imagining a team allocating time to deal with the case "when Google
is down" unless it's truly life or death software (think: surgical robots,
autopilots, etc)

~~~
unnouinceput
Why was self-generated and self-hosted captcha easy to beat?

I found that generating math questions in a captcha style (curved / with other
noise drawing over) and requiring those questions to be answered in a box is
unbeatable. The bad actor would require very good OCR and after that also a good
math parser to answer. Easy for human, very hard for automation. And the
script was like 50 lines long that did that.

~~~
colinmorelli
"easy for human" is very subjective. Users very regularly have a hard time
with all forms of image captcha for a whole bunch of different reasons: visual
acuity, color deficiency, learning disability, unclear instructions, visually
similar characters, etc. If you allow users to refresh the image until they
see an easy one they might be able to overcome it themselves but some
percentage of those users will get frustrated and leave. Not to mention
allowing regeneration of images also makes it easier for bots to cycle until
they find one they're confident in. Surely if there were a dead simple for
humans, difficult to beat for bots, 50 line script option for CAPTCHA
generation that could be self hosted it would be in wide use.

reCAPTCHA changed to its current model to try to significantly reduce friction
in the "hopefully normal" case (down to just a check box if all goes well)
because every ounce of friction you add to critical inflection points in your
product translates to meaningful lost opportunity.

Even if this wasn't a problem, and it were trivial to create something that's
easy for humans and hard for computers, it's just not worth most companies'
time. Would they rather spend a few days properly implementing and testing a
captcha solution, then whatever unknown time on future bug fixes and support,
or setup reCAPTCHA in 30 minutes and move on to things that produce value for
their customers?

~~~
unnouinceput
I see that as an absolute win. If you're having problems understanding simple
math questions then I won't want you as my user in the first place. Morons
out.

As for visually impaired ones, I agree this one is harder to crack. Usually you
do it by audio, which in itself is more than 50 lines of code, but here is my
personal approach. Absolutely nothing is stopping you from having, for visually
impaired ones, a separate step like the one described in OP, where you have
mail activated. You see, visually impaired users have infinitely more patience
than normal "visual" ones. They are used to the web not being friendly, so they
won't mind going through extra hoops if they want your service. So a checkbox
saying "I am visually impaired and I want registration by e-mail" or something
equivalent and you're good to go.

------
gav
Sam at UserOnboard has teardowns of a bunch of onboarding flows. It's the
single best reference I can suggest around optimizing the process:

[https://www.useronboard.com/](https://www.useronboard.com/)

------
btbuildem
Asking for an email up front is already too much. Let the user use your
service, they'll create some "content" or "configuration" in it. Once they do
that, they'll want to preserve / persist it, and then you can ask for an email
address. They're much more likely to give you a real email address and
validate it, because they're already invested.

------
fuzzybear3965
I'm feeling a bit thick. Regarding the change to the sign-up process...

Originally:

> Users couldn’t get started on their own. They had to first leave their email
> address and then wait for me to send them an email with a link allowing them
> to register and start building their Cortado email.

Afterly:

> As soon as users click the submit button, they get an email verification
> message in their inbox, which they can click on to set a password and get
> started.

So, what changed? In both cases users have to submit their email address and
interact with a(n) (automated?) registration/sign-up email. In the second case
there's the added hurdle of a captcha (which sounds worse).

~~~
zomglings
With the first process, they would leave an e-mail and then author would reach
out to them maybe a few days later and maybe a few weeks later telling them
they could sign up.

With the new process, they go through the signup process immediately.

~~~
fuzzybear3965
Oh, "wait for me" doesn't refer to an automatically-generated signup email
("me" is not "server I provisioned").

"wait for me" literally means "wait for human to create email and send it to
new user".

Wow, yeah. That doesn't seem good.

~~~
zomglings
It's not that bad, actually.

When a product is really early - still being developed, basically - you want
to control the number of users you expose to it.

Every batch of users will improve the product but it is unlikely that users
will stick around beyond one or two uses.

So you drip it out to users in small batches, and "wait for me" really lends
itself well to this.

------
Reason077
I'm convinced one of the reasons Zoom is so successful (besides being a great
product) is that there is no sign up required at all.

Someone invites you to a conference and you just click the link, enter your
name and go.

~~~
kaetemi
That, and it basically just works even if you have huge connection jitter,
even if you switch networks during a call, etc. Simply put, using it never
annoys me. Reliability beats any fancy designer UX every time.

~~~
PascLeRasc
It helps that Zoom's UX is worlds better than Microsoft Teams. The persistent
sidebar is fantastic, so is the spacebar-to-unmute shortcut.

------
jedberg
> I sent registration instructions to all of them within 8 hours, but only 6
> people clicked the link in that email.

I think they drew the wrong conclusion from their data. I don't think it was
the double signup that was the problem, it was the delay between signing up
and getting the confirmation email.

I think the real lesson here is that confirmation emails need to be short
(addressed in the article) and quick.

I know that if I don't get the confirmation email within about a minute, I
give up.

~~~
chanmad29
100% agree. Spoken like a user and not a PM.

------
maltelandwehr
Also important:

• Let users use the product immediately after registration (if possible).
Don't make them wait for the verification email. Can haunt them with pop-ups
afterwards to get that verification and double-opt-in.

• Support single sign-on via Google, Facebook, Apple, Twitter, etc.

• When people try to login unsuccessfully (wrong password), send them an email
to login via a link. This was a big growth hack for Uber to increase
reactivation rates.

~~~
dukoid
+1 for single-sign on (opposed to a gazillion of passwords). Why is manual
signup still a thing at all? I'd expect people today to start with single
sign-on.

~~~
ValentineC
My problem with a website having _multiple_ SSO integrations is that sometimes
I forget which service I used to sign up with.

~~~
dukoid
I have a fixed priority order, but sometimes they add a higher priority
later.... :-/ I think it's typically just used as an authority to confirm the
email address, so one could be registered with multiple providers and should
still work?

------
Spooky23
I think the issue with the initial scenario was that verification emails were
kicked off manually and took a long, variable amount of time. Verification
wasn't the problem, the delay was imo.

I have a <common-name>@gmail.com account and get to see the shitshow that
happens when people sign up for services that don't validate email. _Many_ people
screw up email entry and end up with accounts outside of their control.

What I see, every year:

- $50-200 of gift cards emailed to me from a guy in Australia.

- Various memberships for gyms

- Various loyalty programs.

- An active airline points program, which sent a password request in
cleartext a few years ago.

------
muffinman26
A corollary to this, don't ask users for information that you don't need.

There are a number of popular web services (Spotify was the most recent) that
I haven't signed up for because they keep asking for information I don't want
to give them or had to think about, such as gender. Every time I'd start the
sign-up process, fill in some information, then be confronted with a question
where I wasn't sure what the answer was or why I needed to provide the
information, and give up. This even delayed me creating an email account by
about a year.

~~~
cheungyinglon
Is there any data on whether this information is even accurate when it's
filled out? I just fill out these kinds of fields randomly. Every. Single.
Time.

~~~
mtnGoat
every website i go to thinks i was born on Jan 1, 1980.

i thought everyone was giving junk info to all the websites. :)

------
skapadia
Ben - thanks for sharing what you learned.

I highly recommend reading "Don't Make Me Think, Revisited: A Common Sense
Approach to Web Usability". It doesn't take long to read but is packed with
wisdom. It covers the points that Ben makes in his blog post.

[https://www.amazon.com/Dont-Make-Think-Revisited-Usability/d...](https://www.amazon.com/Dont-Make-Think-Revisited-Usability/dp/0321965515)

------
demarq
> I was worried (unrealistically) that I’d get too many users too quickly

20 year old me after putting on some AXE body spray

------
XCSme
I don't really see the useful insights that the article tries to provide. Yes,
if the user wants to register and you send the confirmation email now instead
of 8 hours later it will be better. Yes, having more steps to sign-up results
in lower conversion rates, as each new step is a new chance for the user to
drop. Keep in mind that you also have to convert relevant users otherwise you
would just end up with a bunch of inactive accounts, which is not good, at
least not if your goal is more than collecting emails.

------
godelski
One of the biggest mistakes I constantly see is that they require an email for
you to even see the product or what it does. All this leads to is me never
seeing your product. I'm sure you spent a lot of time on it, but I get too
much spam as it is. I don't need more just to figure out what you're trying to
sell me. I mean, that's your job: to sell to me.

It honestly amazes me how often I see this. No screenshots or even a
description. Maybe a line or two and the page looks mostly like an email
scraper. SELL ME YOUR PRODUCT.

------
vehemenz
For future reference, don't host images from your blog on Google images. None
of them are loading.

PNG/8 or any decently compressed JPEG format will work if you have bandwidth
limitations.

------
leonroy
The best signup experience I’ve seen is at nextdns:
[https://nextdns.io/](https://nextdns.io/)

I clicked on _Try it free_ expecting to go from a typical startup Wordpress
site to a JavaScript signup form where I’d fill in an email, password etc.

Instead, bam, I’m in the app with an anonymous account and ready to roll. A
big button up top lets me add my email and password later if I like what I’m
seeing. Really nice work.

------
scarface74
Isn’t he kind of missing the obvious answer?

Use federated login. Almost everyone has an account somewhere - Facebook,
Amazon, Apple, Google, Github, Twitter, Microsoft etc.

~~~
rhacker
That depends on his audience probably. I hate it when I have to give
permission to things in my Gmail account.

[https://www.bart.com.hk/why-you-need-to-be-very-careful-abou...](https://www.bart.com.hk/why-you-need-to-be-very-careful-about-google-authorization-oauth/)

~~~
scarface74
I’m always very careful about the permission I give when using third party
logins.

------
davidajackson
Sites that make you create an account and then re route you to login drive me
nuts. Can't imagine it helps with conversions either.

------
pmarreck
The third lesson might be:

Don't pick a name for your service that when googling it results in a full
page of links to the coffee style and not to your service. (So how do I
actually visit Cortado??)

EDIT: Found it after clicking around to your About page:
[https://cortadomail.com/](https://cortadomail.com/)

And what's the stack?? :)

------
kion
> Only 38% of people did this. If I had instead captured everyone as soon as
> they showed enough interest to leave an email address, I could’ve increased
> my conversion rate by 250%.

How many of these were real losses and how many were people who put the wrong
email address in the box, only to realize when they didn't get the
verification email?

I have a very early gmail address, first initial + last name. I can't tell
you how many verification emails I get that I never signed up for. Those
aren't the bad ones though, the bad ones are when I get emails about Kay's
upcoming surgery and follow-up appointments, Kim's yarn orders and Ken's
mortgage documents. (All of these are real examples).

Strong email verification flows aren't just anti-bot. They're a level of
defense against clumsy users.

------
Causality1
You can add "don't require a user to be more interested in order to get more
interested." For example, it's annoying when I'm trying to decide where to eat
and a restaurant's website won't show me a menu until I select a location and
start an online order.

~~~
londons_explore
The flip side of that is your annoyance when you've just settled on what to
eat tonight, but then it says "Sorry, you're in Alaska. All menu items cost
50% more, and the exact thing you wanted isn't available in Alaska"

------
musicale
Cortado seems like an OK service, and I get that it wants an email address
since it works over email.

But regarding "signup friction" – the best way to reduce signup friction is to
eliminate the need for signups.

I'd like a version of Cortado that was hosted and just used a URL rather than
sending junk into my inbox. Maybe call it Cortado Reader or something.

Or better yet, some sort of syndication protocol (we could call it RSSS for
Ridiculously Simple Syndication System) for the web.

------
njhaveri
I had the exact same experience on my app's website
([https://mimestream.com](https://mimestream.com)) as well. I think initially,
I was nervous about offering a beta download, so I wanted to manually vet each
subscriber and manually send invites. Of course, even a 2 or 3 hour gap
resulted in very poor conversion. Presenting the beta download link
immediately after a user provided an email, obviously, has resulted in a world
of difference.

------
mkchoi212
From a mobile developer's perspective, I feel like a lot of these problems can
be solved by using "Sign in with [Blah]" buttons. It requires 1-2 taps for
the user to sign in and almost always requires no email verification. Seeing
that Sign in With Apple is also available on Safari, maybe this trend will
slowly creep into the web and eliminate some of the problems the author was
talking about.

------
aroberge
Please, keep the confirmation email. I get tons of email sent to one of my
accounts because people register for some mailing list or other service and
enter MY email address as theirs. If I get an email to confirm, I can safely
ignore it and be done with it. Otherwise, it is a major annoyance.

ReCaptcha may be seen as useful to cut down on the number of bots but it
screws things up royally when trying to navigate in private mode, or using a
VPN.

~~~
ValentineC
> _Please, keep the confirmation email. I get tons of email sent to one of my
> accounts because people register for some mailing list or other service and
> enter MY email address as theirs. If I get an email to confirm, I can safely
> ignore it and be done with it. Otherwise, it is a major annoyance._

Seconding this. As a holder of firstname at a-mainstream-email-service, I've
had to unsubscribe to mailing lists far too often.

If a service doesn't offer me a way to unsubscribe, sometimes I have to
recover the offending account's password and request for the account to be
deleted.

~~~
searchableguy
Why not use an obscure email?

I have never had to deal with that.

------
chrisMyzel
We implemented a random fake client-HED34A@mycompany.io account being
automatically created when a user hits our 'Get Started' button. The user can
then later on decide to create a real account. If our client wants to come back
later they can either write down their fake & random email@mycompany.io &
login just with that (it's only known by them) or enter their real address

------
pmarreck
I would love this browser experience when visiting a new website: "<name of
site> would like to create an account for you with your (previously vetted)
profile data and email. Shall I create a random password and save it to your
secure Google account before agreeing?"

And then hitting "Yes" does just that, and I'm in.

The same workflow could be used for shipping info and CC info.

~~~
etrabroline
Is oauth that?

------
drivers99
Speaking of lessons, the site is down for me right now, but here's an archive:
[https://web.archive.org/web/20200513153013/https://bbirnbaum...](https://web.archive.org/web/20200513153013/https://bbirnbaum.com/two-lessons-on-reducing-sign-up-friction/)

------
29athrowaway
Gitlab requires you to sign up using your real name, Github doesn't. I would
use gitlab if it was not for that.

------
paulcnichols
This is true, but I think there's something to be said about the strength of
your product market fit if users put up with really shitty user experience.

------
barell
Definitely missing a proper CTA (call to action) button in the welcome email.
It should stand out clearly in the center of the email.

~~~
__d
Also, it says "Click to register" ... which I feel like I've already done. I
think the wording should be revised to say something more like "Confirm your
registration".

------
swyx
good read! also got me interested in the app :)

------
itsArtur
Is it a satire?

~~~
gholap
Ah! Eop's law!

~~~
mwexler
Clever.
[https://en.wikipedia.org/wiki/Poe%27s_law](https://en.wikipedia.org/wiki/Poe%27s_law)

