Email-and-password-only signup forces users to generate another credential pair and commit to a password before trusting the product. OAuth signup cuts that friction to one click and typically lifts conversion 20-40% on consumer SaaS, while also improving the access-control posture by offloading password storage, credential rotation, and MFA to an identity provider the user already trusts. Skipping OAuth leaves conversion gains on the table and pushes you into the password-handling responsibilities the user-experience and access-control taxons warn against.
Low because the product still functions without OAuth; the cost is conversion drag, not a broken flow.
Wire at least one OAuth provider into your auth configuration and surface a button for it above the email/password form. Edit src/lib/auth.ts (or auth.config.ts depending on your auth library) and add a provider block, then render a "Continue with Google" button on the signup page.
providers: [
  GoogleProvider({ clientId: process.env.GOOGLE_ID!, clientSecret: process.env.GOOGLE_SECRET! }),
  GithubProvider({ clientId: process.env.GITHUB_ID!, clientSecret: process.env.GITHUB_SECRET! }),
]
ID: saas-onboarding.signup-flow.social-signup-options
Severity: low
What to look for: Count all OAuth provider configurations in auth setup files. Enumerate the providers found: Google, GitHub, Microsoft, Apple, or similar. Check for buttons or links to each in the signup component.
Pass criteria: At least 1 social/OAuth provider is configured and a sign-in button for it exists in the signup UI. Report even on pass: "Found N OAuth providers configured: [list]."
Fail criteria: No OAuth providers are configured; signup is email-and-password only with no social options.
Skip (N/A) when: The application is an internal tool or enterprise product where SSO/OAuth is intentionally disabled, indicated by the absence of any social provider in auth configuration and no OAuth-related dependencies.
Detail on fail: "No OAuth providers detected. Only email+password signup is available. Social signup reduces friction and improves conversion for consumer-facing SaaS."
Remediation: In your auth configuration at src/lib/auth.ts or equivalent:
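// NextAuth example
import GoogleProvider from "next-auth/providers/google";
import GithubProvider from "next-auth/providers/github";

// Inside your NextAuth options object:
providers: [
  GoogleProvider({ clientId: process.env.GOOGLE_ID!, clientSecret: process.env.GOOGLE_SECRET! }),
  GithubProvider({ clientId: process.env.GITHUB_ID!, clientSecret: process.env.GITHUB_SECRET! }),
]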
Even a single "Continue with Google" option can materially increase signup conversion.