All 20 checks with why-it-matters prose, severity, and cross-references to related audits.
Every required field past email and password measurably lowers signup completion. Consumer SaaS funnels typically lose 10-30% of users per additional required field, and fields like phone number or company name trigger abandonment from users who resent handing over data before seeing the product. The user experience taxon captures this: friction at the account-creation step is the highest-leverage conversion point in the funnel, and asking for data you do not need yet is pure leakage.
Why this severity: Medium because the impact is conversion loss rather than a security or data-integrity failure.
Pattern: saas-onboarding.signup-flow.signup-form-minimal (See full pattern)

Email-and-password-only signup forces users to generate another credential pair and commit to a password before trusting the product. OAuth signup cuts that friction to one click and typically lifts conversion 20-40% on consumer SaaS, while also improving the access-control posture by offloading password storage, credential rotation, and MFA to an identity provider the user already trusts. Skipping OAuth leaves conversion gains on the table and pushes you into the password-handling responsibilities the user-experience and access-control taxons warn against.
Why this severity: Low because the product still functions without OAuth; the cost is conversion drag, not a broken flow.
Pattern: saas-onboarding.signup-flow.social-signup-options (See full pattern)

Blocking access behind email verification is the fastest way to kill activation. Users who sign up expecting to try the product and instead land on a 'check your email' dead end abandon at dramatically higher rates — and most never return. CWE-284 covers improper access control, and this is exactly that: treating unverified users as unauthorized when the threat model doesn't justify it. Every hour a new user spends waiting for a verification email is an hour your competitor keeps them active.
Why this severity: Medium because the failure mode is revenue loss through activation drop-off, not a direct security vulnerability — the access being blocked is the user's own account.
Pattern: saas-onboarding.signup-flow.email-verification-nonblocking (See full pattern)

A dead-end screen — an OAuth error page with no retry, a "check your email" view with no resend link, a terminal success screen with no link into the app — is a silent funnel killer. Users who hit one cannot recover without hunting through browser history or abandoning the session entirely, and the user-experience taxon treats unreachable states as first-order defects. Every dead-end state on a signup or onboarding path directly equates to accounts that were created but never activated, or users who gave up mid-signup.
Why this severity: Critical because a dead end permanently strands the user mid-funnel and destroys conversions that cannot be recovered.
Pattern: saas-onboarding.signup-flow.no-dead-ends (See full pattern)

When signup succeeds silently, users cannot tell whether the click worked. Some retry the form and create duplicate attempts that the backend must deduplicate; others assume failure and leave entirely. The user-experience taxon treats acknowledgement of state changes as foundational: the moment an account is created is the single most important transition in the funnel, and a redirect with no toast, welcome screen, or onboarding handoff makes that transition invisible to the user who just completed it.
Why this severity: Medium because the account exists and the user is logged in, but confusion and duplicate-submission attempts erode the first-session experience.
Pattern: saas-onboarding.signup-flow.signup-success-confirmation (See full pattern)

New users dropped directly into the same dashboard as veteran users face a cold-start problem: no context on what the product does, what to click first, or what success looks like. The user-experience taxon flags this as an activation failure — without a welcome screen, guided tour, or first-run flag distinguishing new from returning users, activation rates collapse and most new accounts never return for a second session. The cost of a missed first-run experience compounds: these users churn before they ever experience the product's core value.
Why this severity: Medium because the product works for returning users, but new-user activation — the metric that drives retention — breaks silently.
Pattern: saas-onboarding.first-run.welcome-screen-or-tour (See full pattern)

If the UI does not point new users at the core value action, most will not find it. They will open the navigation, poke at settings, possibly create an empty project, and leave without experiencing what the product actually does. The user-experience taxon treats this as the activation gap: a product that works perfectly is worthless if first-session users cannot locate the feature that delivers the value they signed up for. Unguided empty dashboards are the single most common cause of first-session churn.
Why this severity: High because unguided first sessions directly cause activation failure, the dominant driver of early-stage SaaS churn.
Pattern: saas-onboarding.first-run.key-action-prompted-first-session (See full pattern)

A brand-new account with zero content looks broken. Users cannot evaluate the product when every screen is empty, so they abandon before creating enough data to see value — the cold-start problem the user-experience taxon warns about. Sample data or starter templates short-circuit that: a new account lands with 1-2 example projects already populated, the UI immediately looks alive, and the user can explore real workflows before committing the effort to create content from scratch.
Why this severity: High because the empty-state cold start is the most common cause of first-session abandonment on content-based SaaS products.
Pattern: saas-onboarding.first-run.sample-data-or-template (See full pattern)

An empty list view that shows only "No results" or a bare table with headers gives users no signal about what the space is for or how to fill it. The user-experience taxon treats empty states as prime teaching surface: they are the first thing new users see on every major view, and a generic empty state wastes that surface entirely. A good empty state names what belongs there, explains why it matters, and provides a direct action to create the first item — which is often the fastest path from signup to activation.
Why this severity: High because empty states are the default view for every new user across every feature, and generic empty states block activation at scale.
Pattern: saas-onboarding.first-run.empty-states-helpful (See full pattern)

New users who land in a broken default state — blank required fields, null configuration, a settings page they must complete before anything works — don't file bug reports. They churn silently. ISO 25010 functional suitability covers exactly this failure: the software doesn't do what a new user reasonably expects it to do on first run. Missing defaults also create data integrity hazards: if a default timezone is never set, date math silently breaks on the first query that needs it.
Why this severity: Medium because blank defaults cause silent functional failures and early churn, but don't expose user data or create a security boundary violation.
Pattern: saas-onboarding.first-run.settings-sensible-defaults (See full pattern)

Time-to-first-value is the activation metric that predicts retention. Users who experience value within the first 5 minutes return; users who are still configuring at minute 10 churn. The user-experience taxon treats every blocking step between signup and first value — mandatory email verification, required external connections, long profile forms, unguided configuration — as a direct activation tax. Products that take more than 5 minutes to deliver a value moment lose the majority of new signups before they ever see what the product does.
Why this severity: Critical because time-to-first-value is the single strongest predictor of whether a new user will return for a second session.
Pattern: saas-onboarding.activation.first-value-under-5min (See full pattern)

Users who hit an error during signup or onboarding abandon at much higher rates than users further along in the lifecycle, because they have not yet invested enough to push through friction. Raw error codes, generic "Something went wrong" toasts, or error messages with no recovery action leave the user guessing whether their email is already registered, whether their password was too short, or whether they should retry — and most will not bother. The user-experience taxon treats error-state clarity as a first-session conversion lever, not a polish item.
Why this severity: High because errors concentrate at the most fragile point of the funnel, where the user has the least commitment and the highest propensity to abandon.
Pattern: saas-onboarding.activation.error-states-clear-recovery (See full pattern)

More than half of web traffic is mobile. A signup or onboarding flow that overflows on a 375px screen doesn't just frustrate users — it locks out a majority of potential customers before they ever see the product. WCAG 2.2 SC 2.5.5 sets a 44px minimum touch target to prevent mis-taps; Section 508 §502.3.3 requires platform accessibility. A fixed-width onboarding form isn't a cosmetic issue: it's a conversion failure that compounds every day it ships.
Why this severity: Medium because broken mobile onboarding blocks a significant portion of users from completing signup, directly cutting conversion without creating a security exposure.
Pattern: saas-onboarding.activation.mobile-onboarding-functional (See full pattern)

A submit button with no loading state invites double-clicks that create duplicate accounts, double-charge users, or race against each other to corrupt state. A post-signup redirect that shows a blank white screen for 1-2 seconds leaves the user wondering whether something broke and occasionally triggers a browser back button press that aborts the flow. The user-experience taxon flags both as foundational: any asynchronous operation without visible feedback degrades perceived reliability and invites user behavior that causes real bugs.
Why this severity: Low because the flows still complete, but double-submit races and blank screens erode trust and occasionally produce duplicate-account bugs.
Pattern: saas-onboarding.activation.loading-states-during-setup (See full pattern)

Users who don't know how many steps remain in an onboarding flow abandon earlier and report higher frustration scores. WCAG 2.2 SC 2.4.8 (Location) requires that users know where they are within a set of pages — a multi-step onboarding without a step counter violates this directly. Beyond compliance, absence of a progress signal is one of the top controllable causes of onboarding abandonment: users quit because they don't know when it will end, not because the steps are too hard.
Why this severity: Low because the failure degrades conversion and user experience but does not expose data, break functionality, or create a security gap.
Pattern: saas-onboarding.onboarding-ux.progress-indicator (See full pattern)

A buried or broken invitation flow directly limits expansion revenue in any multi-user SaaS. If an invited user clicks an email link and sees a 'User not found' error instead of a signup prompt, that seat is lost — and the inviter loses confidence in the product. CWE-284 (improper access control) applies when the invite acceptance route fails to redirect non-users to registration, effectively creating a dead end that prevents legitimate account creation through a valid access path.
Why this severity: Medium because a broken invite acceptance flow causes direct seat loss and inviter trust damage, but doesn't create unauthorized access — the failure is exclusion, not intrusion.
Pattern: saas-onboarding.onboarding-ux.invitation-flow-clear (See full pattern)

Users who get stuck during onboarding and cannot find help in-context either email support (expensive for you, slow for them) or give up entirely. The user-experience taxon treats contextual help access as onboarding-tier support, not a polish item: a "Need help?" link in the corner of the signup screen, a tooltip on a confusing step, or an embedded chat widget deflects support load and rescues conversions that would otherwise be lost to silent abandonment. The cheapest support ticket is the one the user answers themselves by clicking a link.
Why this severity: Low because most users complete onboarding without needing help, but the absence amplifies churn and support cost for the subset that gets stuck.
Pattern: saas-onboarding.onboarding-ux.help-accessible-during-onboarding (See full pattern)

Mandatory onboarding that cannot be skipped traps users who already know the product, already have an account elsewhere, or simply want to look around first. The user-experience taxon treats skippability as a respect-for-user-autonomy issue: forcing every new user through a linear wizard raises bounce rates among exactly the high-intent users who would otherwise activate quickly. Equally, onboarding that disappears forever once completed or skipped gives users no way to rediscover features they missed, turning onboarding into a one-shot tutorial instead of a persistent reference.
Why this severity: Low because users who complete the wizard still reach the product, but trapping and unreachability cost activations at both ends.
Pattern: saas-onboarding.onboarding-ux.onboarding-skippable-revisitable (See full pattern)

If navigating back to a previous onboarding step wipes out the data the user already entered, any attempt to correct an answer on an earlier step forces the user to re-enter every subsequent field. The user-experience taxon treats form-state preservation as table stakes for multi-step wizards: state loss on back navigation converts a typo-correction into a full restart, and a meaningful fraction of users simply abandon rather than redo five minutes of typing. This is especially punishing for users on mobile or flaky connections.
Why this severity: Low because the flow technically completes, but state loss on back-navigation silently churns users mid-wizard.
Pattern: saas-onboarding.onboarding-ux.back-navigation-preserves-state (See full pattern)

Inaccessible signup and onboarding flows violate WCAG 2.2 SC 1.3.1 (Info and Relationships), 2.1.1 (Keyboard), 2.4.3 (Focus Order), 2.4.11 (Focus Not Obscured), and Section 508 §502.3 — and expose the company to ADA Title III litigation risk in the US. Form fields without labels are unusable with a screen reader; missing `role="alert"` means error messages are invisible to assistive technology. These aren't cosmetic gaps: they legally and functionally exclude users with disabilities from your product at the first interaction.
Why this severity: Critical because inaccessible onboarding is both a legal exposure under ADA/Section 508 and a hard blocker for users who rely on screen readers or keyboard navigation to complete signup.
Pattern: saas-onboarding.onboarding-ux.accessibility-of-onboarding (See full pattern)