Benchmarks aggregated from Baymard, Auth0, Mixpanel, NN/g and published company data; verified June 2026. Your mileage will vary; run your own A/B tests. See all sources.

signupdrop.com

Last verified June 2026 · 8 min read

Magic link vs password vs passkey: what actually happens to conversion

+15-30pp

Magic-link lift on signup conversion

Auth0, Slack, Notion disclosed

-5 to -15pp

Repeat login speed penalty

Users must switch to email per session

90%+

Passkey browser support in 2026

FIDO2/WebAuthn rollout data

What a magic link is

A magic link is a one-time, time-limited URL emailed to the user at signup or login time. The user enters their email, receives the link, clicks it, and is signed in without ever choosing or typing a password. Slack popularised the pattern at consumer scale. Notion, Medium, and Substack use it as their primary auth method.

The conversion math is simple: no password field means no password-creation friction, no password complexity rejection, no confirm-password field, and no password typo. Every one of those eliminated friction points contributes to the 15-30pp lift.

The decision matrix

FACTOREMAIL + PASSWORDMAGIC LINKPASSKEY
Signup conversionBaseline (35-55%)+15-30pp (50-85%)+15-25pp (depends on browser UX)
Repeat login speedFast (stored in manager)Slow (must check email)Fast (biometric tap)
Security levelLow-medium (depends on strength)Medium (link expiry, TLS)High (phishing-resistant, WebAuthn)
Phishing resistanceNone (password can be phished)Medium (link can be forwarded)High (origin-bound credential)
Cross-device UXGood (password manager)Good (email on all devices)Good (synced keys via iCloud/Google)
Recovery UXPassword reset emailRe-request linkAccount recovery + passkey re-enrol
Implementation complexityLowLow-mediumMedium-high (WebAuthn)

Passkeys for 2026

Passkeys (WebAuthn/FIDO2 credentials) are now production-ready. They use public-key cryptography bound to the device and origin, which makes them phishing-resistant by design - a phishing site cannot intercept a passkey because the credential is tied to the origin URL. iCloud Keychain syncs passkeys across Apple devices. Google Password Manager handles Android. 1Password, Bitwarden, and Dashlane all support passkeys as of 2025.

The signup UX for a passkey is typically: enter email, biometric prompt (Face ID, fingerprint, or PIN), done. No password field. On first-time devices, the user is walked through passkey creation. The conversion lift is comparable to magic link without the repeat-login email-check penalty.

The honest complexity caveat: passkey implementation is harder than email+password. Fallback paths (what if the user is on a new device with no passkey?) must be carefully designed. Auth vendors (Auth0, Clerk, Stytch) have abstracted most of this, but it still requires more thought than a standard email+password form.

When password still wins

Shared accounts (a team shares one login), kiosk environments (public terminals without reliable email access), and users with poor email deliverability all benefit from a persistent password. The password is still the most universally accessible credential. Never remove it entirely - always offer it as a fallback even if magic link or passkey is the primary.

The NIST caveat

A common misconception is that NIST recognises email magic links as an AAL1 authenticator. It does not. NIST SP 800-63B-4 (the final 2025 revision) states that "email SHALL NOT be used for out-of-band authentication" because it can be accessed with only a password and intercepted in transit. An emailed magic link is therefore not an approved NIST authenticator at any AAL (email confirmation and recovery codes are a separate, permitted use and are unaffected). Passwords and passkeys are recognised authenticators: a password meets AAL1, passkeys meet AAL2, and AAL3 requires a hardware authenticator with verifier-impersonation resistance. The practical takeaway for product teams: most consumer SaaS is not bound by NIST AALs and can use magic links freely, but if you operate under a NIST-aligned framework (federal systems, or sectors that adopt it), a magic link cannot be your sole login factor - pair it with or graduate users to a password or passkey. See NIST 800-63B for product teams.

Frequently asked questions

Do magic links increase signup conversion?+

+15-30pp over email+password per Auth0 case data and Slack and Notion's disclosed patterns. The lift comes from removing password-creation friction entirely.

What is the downside of magic links?+

Repeat login requires checking email every session. The hybrid pattern - magic link at first signup, offer password or passkey setup inside the product - captures the conversion lift without the repeat-login penalty.

Are passkeys ready to use in 2026?+

Yes. 90%+ browser support, mature auth vendor tooling (Auth0, Clerk, Stytch), iCloud Keychain and Google Password Manager sync. Implementation is harder than email+password but the abstractions are good.

RELATED READING

RELATED IN THIS PORTFOLIO

Updated 2026-06-09