Strategy 4 min read · · Last updated:
By Mark Ashworth · Founder, ChurnTools

Silent Authentication Expiry: The Pseudo-Churn Hiding in Your SSO

A customer types in your URL, sees a login page, gets a cryptic auth error, and leaves. Your metrics record this as inactivity. It looks like disengagement. It is really SSO tokens expiring silently. Most SaaS lose customers this way without knowing.

📊

Want a personalized score for your situation?

Take the free 60-second Churn Health Check

Score me →

A customer types in your URL, sees a login page, gets a cryptic "authentication error" message, and leaves.

Your metrics record this as inactivity. Sessions dropped. Engagement declining. Looks like churn.

It is really their SSO token expiring silently, and most SaaS lose customers this way without knowing.

The problem

Modern SaaS authentication has multiple failure modes that create pseudo-churn:

  • SSO tokens expiring on schedules the user does not control
  • OAuth refresh tokens becoming invalid after policy changes on the customer side
  • MFA cookies clearing when browser storage resets
  • Directory sync failures quietly removing users from access lists
  • Cert rotation on the customer's IdP breaking your integration

Each of these produces a customer who thinks your product is broken. They do not file a ticket. They just stop coming.

Why this looks like churn

Your engagement metrics track:

  • Days since last session
  • Session count over time
  • Feature adoption

A user locked out of authentication produces all the same signals as a user who lost interest. Session count goes to zero. Engagement metrics tank. Your churn prediction model flags them as at-risk.

Except the fix is not a save flow or a re-engagement email. The fix is telling them how to log in again.

Signals that you have auth-related pseudo-churn

1. Authentication failure spikes preceding "disengagement"

A customer with 6 auth failures in a week followed by 30 days of no sessions probably tried to log in and could not, then gave up. This pattern is invisible unless you log auth failures separately.

2. Customers who "return" after a support intervention

If customers you thought were disengaged come back active after a CS call, they were not disengaged. They were locked out. The CS call helped them log in. Your health scoring should catch these earlier.

3. Higher pseudo-churn among SSO customers

Customers using SSO have more authentication failure surface than customers using email/password. If your SSO cohort has worse retention than your password cohort with everything else controlled, auth issues are the likely cause.

4. Support tickets you never received

The customers who file tickets get help. The customers who do not file tickets churn silently. If your product has auth complexity but a low volume of auth-related tickets, it does not mean auth is working. It means broken auth customers are leaving without complaining.

How to detect it

Log authentication failures as first-class events:

  • SSO callback failures
  • OAuth token refresh failures
  • MFA timeout events
  • Directory sync errors that affect specific users

Correlate these with session data. Any account showing declining sessions AND a spike in auth failures is probably locked out, not disengaged.

Alert your CS team when this pattern fires so they can proactively reach out and help. This is one of the highest-conversion CS outreaches you can do - the customer wants to use the product; they just cannot.

How to fix it

1. Better error messages

When auth fails, tell the user what happened and what to do. "Authentication error" is useless. "Your SSO session expired. Please contact [IT admin] to renew access, or use magic-link login as a temporary workaround" tells them what to do.

2. Longer session lifetimes where security allows

Some auth expiry policies are stricter than the customer's security policy actually requires. Check whether your defaults match customer needs. A 24-hour session is often better than an 8-hour session for most B2B use cases.

3. Proactive expiry notifications

Email the user before their token expires: "Your SSO session expires in 7 days. Click here to refresh, or contact your IT admin." This alone eliminates 60-80% of silent auth expiry churn.

4. Alternate authentication paths

If SSO breaks, provide a fallback: magic link, backup password, or IT admin recovery path. Users locked out with no alternative always leave. Users with an alternative come back.

5. Auth failure monitoring as a first-class SLO

Track authentication success rate alongside uptime. A 99% uptime with 90% auth success rate is a broken product from the user's perspective. Auth is part of the product.

The lesson

Some of your churn is not customers leaving. It is customers being locked out and giving up. The signals look identical in engagement metrics. The fixes are completely different.

Before you invest more in save flows or retention emails, check whether authentication is quietly bleeding your customer base.

Related concepts

To score whether your engagement setup can distinguish real churn from authentication problems, take the 60-second Churn Health Check.

Free interactive tool

Score your retention setup in 60 seconds

8 questions. Get your tier (Critical to Best-in-Class), your weakest spots, and 3 specific things to fix next.

Take the Health Check

Frequently asked questions

Answers to the questions I get most often about this topic.

What is silent authentication expiry?

Silent auth expiry is when a customer's SSO token, OAuth session, or MFA cookie expires and they get a login error trying to reach your product. Instead of a helpful reauthentication flow, they see a cryptic error and leave. The disengagement looks like churn in your metrics but is actually a fixable authentication problem.

How much churn is actually pseudo-churn from auth issues?

Estimates vary but 5-15% of "engagement decline" in SaaS is often auth-related friction that customers walk away from rather than resolve. This is particularly high in B2B where SSO tokens expire on unpredictable schedules and users cannot self-serve to fix them. Enterprise customers with strict security policies see even higher rates.

How do you detect auth-related pseudo-churn?

Track authentication failures as a first-class event. Log SSO callback failures, OAuth token refresh failures, and MFA timeout events. Any customer with declining sessions AND a spike in auth failures is probably not disengaging - they are locked out. Alert your CS team when this pattern fires so they can proactively help.

How do you fix auth-related pseudo-churn?

Three fixes: (1) improve error messages so users know what happened and can self-serve. (2) Extend session lifetimes where security policies allow. (3) Build proactive email alerts before token expiry ("your SSO token expires in 7 days, click here to refresh"). The email fix alone can reduce this problem by 60-80%.
MA

Written by Mark Ashworth

Founder of ChurnTools. I spend my time studying how SaaS companies lose customers and building tools to help them stop. Previously worked in SaaS growth and retention across multiple B2B products. I also write about growth and answer-engine optimization (AEO) at growthpigeon.com.

Ready to run your first retention experiment?

Browse 30+ proven playbooks for reducing churn across every stage of the customer lifecycle.

Browse Experiments →