The five-step audit we run on every SaaS signup flow
A complete walk-through of the friction audit we run for every new engagement, the tooling it takes to run it yourself in an afternoon, and the patterns that recur in roughly nine out of ten SaaS funnels we look at.
Most signup flows lose 60–80% of the people who start them. The teams shipping those flows rarely know where the loss happens — only that the conversion rate is “low.” This piece walks through the exact audit we run on every new SaaS engagement, what it costs us in time, and the three findings that show up in roughly nine out of ten audits.
Fig 1 is from a real audit we ran in Q1 2025 for a B2B analytics company. Notice the verification step: it loses 71% of the people who reached it. That single step costs the company more than the previous three steps combined. Every audit we run finds at least one of these.
Why funnels leak in predictable places
A signup funnel is not one decision — it’s a sequence of micro-decisions, each with its own cognitive cost. People don’t drop because the product is bad; they drop because the next step is more expensive than the perceived reward at that moment. The job of the audit is to find the steps where cost outruns reward.
“The biggest leak is almost never the step the team thought it was. It's the one nobody instrumented because ‘of course people complete it.’”
The five-step audit
1. Instrument every step (not just the funnel summary)
If your analytics only tracks "signup_completed", you're flying blind. You need an event for every transition: step_viewed, step_submitted, and step_errored with the field name.
2. Map cognitive load, not screen count
Two-screen signups can outperform one-screen signups if the one-screen version asks for nine things at once. Score each field by how much thought it requires (1–5), then plot it.
In this map, the two terracotta nodes — password rules and email verification — account for 84% of total drop-off in the funnel above. They're also the two steps the team had flagged as "easy" in their internal review.
3. Watch ten session recordings, end-to-end
Not summaries, not highlights. Ten complete sessions, with your phone face-down. You will notice three patterns the numbers can't tell you: hesitation before specific fields, the moment someone reaches for help, and the field people retype.
4. Read the support tickets from the last 30 days
Filter for the word "signup", "sign up", "register", or "can't get in". The volume here is a direct measure of friction — and the language people use tells you which mental model broke down at which step.
5. Compare to your own re-signup test
Sign up for your own product in an incognito window, on a 4G connection, on a phone you don't normally use. Time it. If it takes you — the person who built it — more than three minutes, it takes a cold user more than ten.
The three findings we see every time
After running this audit on more than forty companies, three findings recur with almost comic regularity. We now flag them in the kick-off call before we look at the data.
Finding 1: The verification step is the silent killer
Email or SMS verification routinely loses 40–70% of users. The fixes are well-known — magic links instead of codes, deferring verification until after first value, sending from a domain that doesn't trip Gmail's promo tab — and yet most teams have not implemented them. This is the single highest-ROI change we recommend.
Finding 2: Password rules are written for the wrong threat model
"Must contain a number, a symbol, a capital, and a haiku" is theatre. Modern guidance (NIST SP 800-63B, 2020 onward) recommends length over composition. Replacing your password rules with "12+ characters, anything you want" typically recovers 8–15% of started signups.
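The two policies from Finding 2 side by side, as an added example that is not code from the article or from any audited product. The 12-character minimum is the article's figure; the 64-character cap, the blocklist entries, the NFKC normalization, the account-word check and the error-code names are assumptions of this example.

```javascript
// Added example: a composition-rule check next to a length-first check.
const MIN_LENGTH = 12; // the article's "12+ characters"
const MAX_LENGTH = 64; // assumption: cap high enough for long passphrases
// Constructed sample; a real list holds common and known-breached passwords.
const BLOCKLIST = new Set(["password1234", "123456789012", "qwertyuiopas"]);

// "Before": 8+ characters plus a digit, a symbol and a capital.
function checkComposition(pw) {
  const errors = [];
  if (pw.length < 8) errors.push("too_short");
  if (!/[0-9]/.test(pw)) errors.push("needs_digit");
  if (!/[^A-Za-z0-9]/.test(pw)) errors.push("needs_symbol");
  if (!/[A-Z]/.test(pw)) errors.push("needs_capital");
  return errors;
}

// "After": any characters allowed; only length and known-bad values matter.
// `context` holds account-specific words (email local part, product name).
function checkLengthFirst(pw, context = []) {
  const normalized = pw.normalize("NFKC");
  const length = [...normalized].length; // Unicode code points, not UTF-16 units
  const lowered = normalized.toLowerCase();
  const errors = [];
  if (length < MIN_LENGTH) errors.push("too_short");
  if (length > MAX_LENGTH) errors.push("too_long");
  if (BLOCKLIST.has(lowered)) errors.push("commonly_used");
  if (context.some((w) => w.length >= 4 && lowered.includes(w.toLowerCase()))) {
    errors.push("contains_account_info");
  }
  return errors;
}

// Constructed sample passwords, run through both policies.
function compare(samples, context = []) {
  return samples.map((pw) => ({
    length: [...pw].length,
    composition: checkComposition(pw),
    lengthFirst: checkLengthFirst(pw, context),
  }));
}

const report = compare(
  ["Password1!", "correct horse battery staple", "password1234", "🔑🔑🔑🔑🔑🔑"],
  ["acme"] // hypothetical product name
);
console.log(JSON.stringify(report, null, 2));
```

The short "Password1!" satisfies every composition rule yet fails the length-first check, while the long passphrase does the opposite. The returned codes can be attached to the step_errored event alongside the field name; the password itself stays out of the event.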
Finding 3: The "tell us about your company" step belongs after activation
Asking for company size, role, and use case before the user has seen the product is a classic value-before-cost inversion. Move these questions to a profile prompt after the first successful action. We've seen completion rates jump 20+ points from this change alone.
