Your Authentication Flow Sucks (And It's Killing Your Growth)
Published on 12 December 2025
I just churned from a product before I even saw the dashboard.
We are living in a golden age of "vibe coding" - an era where anyone with an LLM and a dream can ship software. Don't get me wrong, I love the energy. I love that the barrier to entry has collapsed. But there is a dark side to this speed: we are seeing a massive regression in UX.
People with no background in design (and seemingly no desire to learn it) are letting AI generate their critical user flows, ditching best practices and common sense in the process. The result? Authentication flows that feel like bureaucratic torture.
Vibe coded nightmare
Here is the exact flow I just experienced with a new platform I wanted to try. Keep in mind, I was a motivated lead. I wanted to give them my money.
1. Landed on the landing page.
2. Clicked Sign In.
3. Realized I don't have an account, so I had to find and click Sign Up.
4. Redirected to a separate sign-up form.
5. Entered my email and password.
6. Hit submit, only to get a wall of text: "Please verify your account via email."
7. Switched tabs, opened Gmail, waited for the email.
8. Clicked the "Verify Account" button in the email.
9. Landed on a "Verification Successful" page.
10. Clicked a "Continue to Login" button.
11. Redirected back to the login page.
12. Had to enter my email and password again.
At step 12, I closed the tab. I do not want your product anymore.
If you are asking a user to prove they own an email address, and they click a unique link sent to that address, they are authenticated. Forcing them to log in again immediately after verification is not security; it's incompetence.
UX is optional?
In the rush to ship, "vibe coders" often forget that software is used by humans. Humans have limited patience and high expectations.
When you rely entirely on AI to scaffold your auth, you often get the default, rigid implementation of a library that was designed for maximum security configurability, not user conversion. AI doesn't feel frustration. It doesn't know that switching context from a browser to an email client is a high-friction event.
Your authentication flow is the front door to your digital house. If the door is jammed, nobody cares how nice the furniture is inside.
The passwordless future
I'm done with passwords. They are a security liability for me as a developer and a friction point for me as a user.
For all my upcoming products, I am making a hard rule: No password functionality.
We are moving exclusively to magic links, a core part of my 2026 Rails Stack.
Why magic links:
- Zero friction: The user enters their email. They get a link. They click it. They are in.
- No "Forgot Password" flows: You can't forget what you never had. This eliminates an entire class of support tickets and code maintenance.
- Security: I don't have to worry about hashing, salting, or leaking password databases. If a user's email is secure, their account is secure.
- Context awareness: If you click a magic link on your phone, you are logged in on your phone. It just works.
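An added example (not code from this post or from the author's stack) of the server side of the magic-link flow listed above; the same redeem step covers the earlier point that a clicked verification link can sign the user in directly. The link is a bearer credential, so the token here is random, stored only as a digest, short-lived and single-use. The `MagicLinkStore` class, the 15-minute lifetime and the in-memory hash are assumptions for illustration.

```ruby
require "securerandom"
require "digest"

# Hypothetical in-memory store; a real app would use a database table.
class MagicLinkStore
  TTL_SECONDS = 15 * 60 # assumed lifetime; not a value from the post

  def initialize
    @pending = {} # SHA-256(token) => { email:, expires_at: }
  end

  # Returns the raw token to embed in the emailed link. Only its digest
  # is kept, so a leaked table does not contain usable links.
  def issue(email, now: Time.now)
    email = email.strip.downcase
    # A new request invalidates any older link for the same address.
    @pending.delete_if { |_, row| row[:email] == email }
    token = SecureRandom.urlsafe_base64(32) # 256 bits from the CSPRNG
    @pending[digest(token)] = { email: email, expires_at: now + TTL_SECONDS }
    token
  end

  # Returns the email to sign in, or nil. The row is deleted on first
  # lookup, so a replayed or expired link can never succeed later.
  def redeem(token, now: Time.now)
    return nil unless token.is_a?(String) && !token.empty?
    row = @pending.delete(digest(token))
    return nil if row.nil? || now >= row[:expires_at]
    row[:email]
  end

  private

  def digest(token)
    Digest::SHA256.hexdigest(token)
  end
end

# Constructed walk-through with a fixed clock (sample values, not real data).
T0 = Time.at(1_700_000_000)
STORE = MagicLinkStore.new
FIRST = STORE.issue("User@Example.com", now: T0)
SECOND = STORE.issue("user@example.com", now: T0 + 60)
```

On a successful `redeem`, the caller would mark the address verified and start the session in the same request, so the user never sees a second login form.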
Fix your flow
If you are building a product right now, stop adding features and audit your sign-up process.
Go through it as a brand new user. Use a private window. Use a temporary email. If you find yourself sighing, rolling your eyes, or typing your password more than once, you have a problem.
We need to stop vibe coding our way into bad UX. Respect your user's time, or they won't give you any of it.