A customer types in your URL, sees a login page, gets a cryptic "authentication error" message, and leaves.
Your metrics record this as inactivity. Sessions dropped. Engagement declining. Looks like churn.
It is really their SSO token expiring silently, and most SaaS lose customers this way without knowing.
The problem
Modern SaaS authentication has multiple failure modes that create pseudo-churn:
- SSO tokens expiring on schedules the user does not control
- OAuth refresh tokens becoming invalid after policy changes on the customer side
- MFA cookies clearing when browser storage resets
- Directory sync failures quietly removing users from access lists
- Cert rotation on the customer's IdP breaking your integration
Each of these produces a customer who thinks your product is broken. They do not file a ticket. They just stop coming.
Why this looks like churn
Your engagement metrics track:
- Days since last session
- Session count over time
- Feature adoption
A user locked out of authentication produces all the same signals as a user who lost interest. Session count goes to zero. Engagement metrics tank. Your churn prediction model flags them as at-risk.
Except the fix is not a save flow or a re-engagement email. The fix is telling them how to log in again.
Signals that you have auth-related pseudo-churn
1. Authentication failure spikes preceding "disengagement"
A customer with 6 auth failures in a week followed by 30 days of no sessions probably tried to log in and could not, then gave up. This pattern is invisible unless you log auth failures separately.
2. Customers who "return" after a support intervention
If customers you thought were disengaged come back active after a CS call, they were not disengaged. They were locked out. The CS call helped them log in. Your health scoring should catch these earlier.
3. Higher pseudo-churn among SSO customers
Customers using SSO have more authentication failure surface than customers using email/password. If your SSO cohort has worse retention than your password cohort with everything else controlled, auth issues are the likely cause.
4. Support tickets you never received
The customers who file tickets get help. The customers who do not file tickets churn silently. If your product has auth complexity but a low volume of auth-related tickets, it does not mean auth is working. It means broken auth customers are leaving without complaining.
How to detect it
Log authentication failures as first-class events:
- SSO callback failures
- OAuth token refresh failures
- MFA timeout events
- Directory sync errors that affect specific users
Correlate these with session data. Any account showing declining sessions AND a spike in auth failures is probably locked out, not disengaged.
Alert your CS team when this pattern fires so they can proactively reach out and help. This is one of the highest-conversion CS outreaches you can do - the customer wants to use the product; they just cannot.
How to fix it
1. Better error messages
When auth fails, tell the user what happened and what to do. "Authentication error" is useless. "Your SSO session expired. Please contact [IT admin] to renew access, or use magic-link login as a temporary workaround" tells them what to do.
2. Longer session lifetimes where security allows
Some auth expiry policies are stricter than the customer's security policy actually requires. Check whether your defaults match customer needs. A 24-hour session is often better than an 8-hour session for most B2B use cases.
3. Proactive expiry notifications
Email the user before their token expires: "Your SSO session expires in 7 days. Click here to refresh, or contact your IT admin." This alone eliminates 60-80% of silent auth expiry churn.
4. Alternate authentication paths
If SSO breaks, provide a fallback: magic link, backup password, or IT admin recovery path. Users locked out with no alternative always leave. Users with an alternative come back.
5. Auth failure monitoring as a first-class SLO
Track authentication success rate alongside uptime. A 99% uptime with 90% auth success rate is a broken product from the user's perspective. Auth is part of the product.
The lesson
Some of your churn is not customers leaving. It is customers being locked out and giving up. The signals look identical in engagement metrics. The fixes are completely different.
Before you invest more in save flows or retention emails, check whether authentication is quietly bleeding your customer base.
Related concepts
- Silent churn - a related invisible problem
- AI health scores - how to detect real vs pseudo disengagement
- What causes customer churn
To score whether your engagement setup can distinguish real churn from authentication problems, take the 60-second Churn Health Check.