What you might not know about conversion rate optimization

Conversion rate optimization (CRO) is such an important topic for today’s marketers that a Google search for the subject delivers an endless stream of results, with web companies big and small offering everything from short overviews to “ultimate” step-by-step guides.

However, we believe almost all of these results overlook a crucial contributor to CRO: the role of Identity flows within conversion funnels.

The basics of CRO

In this post, we’ll quickly run through the basics of CRO before spending most of our time on Identity. Then we’ll wrap up with a few things to keep in mind as you undertake your own CRO efforts. Let’s start with a quick overview of CRO.

What is a conversion rate?

A conversion rate is the rate at which a user performs a desired action, like:

  • Clicking on a call-to-action (CTA)
  • Registering an account
  • Filling out a form
  • Downloading a content asset
  • Signing into an account (versus proceeding as a guest)

Calculating the conversion rate (as a percentage) for any given action is simple:

  1. Count the number of conversions (i.e., number of times the desired action was taken)
  2. Count the number of opportunities (e.g., web page visits, email opens) for the conversion to occur
  3. Divide the number of conversions by the number of opportunities, and multiply by 100

For example, let’s say a particular landing page is visited 500 times in a given measurement period, and during that period the “Book a demo!” CTA button was clicked 30 times. The conversion rate for this CTA is equal to 30 divided by 500, multiplied by 100 — which works out to 6%.

What is CRO?

CRO is simply the process of attempting to maximize your conversion rates. Most conversion rate discussions focus on websites, but the concept also applies to emails, social channels, ads, apps, and any other media through which a user can interact with your brand or its products.

What are the benefits of CRO?

Presumably, the actions you wish your users to take are all in support of some larger goal or outcome for your organization, like:

  • Driving revenue (e.g., via sales of products or services) or donations
  • Increasing awareness (e.g., of an important subject)

Very generally, optimizing your conversion rates allows you to achieve these goals more efficiently — that is, at a lower cost to your organization.

More specifically — and depending on the organization — CRO may contribute to these outcomes by:

  • Delivering more leads
  • Delivering better leads (e.g., closer to a purchase decision, premium buyers, etc.)
  • Providing actionable user insights
  • Lowering the customer acquisition cost (CAC)
  • Sharing messages more widely

In fact, because most organizations have many different potential conversion points or actions, CRO typically contributes to simultaneous improvements throughout the marketing and sales funnels.

What are some common ways to optimize conversion rates?

Sometimes, CRO’s focus on numbers can distract from the human element. That is, optimizing conversions requires understanding why users are or aren’t doing what you want them to do, and then systematically identifying and addressing barriers.

CRO is usually achieved through quantitative and qualitative analysis of how users interact with your website (or email, app, social media channel, etc.), which informs modifications to structure and content.

The effectiveness of these modifications can then be evaluated via a wide range of tools — e.g., split testing, website heat maps, feedback forms, session recording/playback — and, of course, measuring the impact on conversions. The lessons learned from evaluation feed back into the process of continuous improvement.

Some of the most common “levers” organizations use within CRO activities are:

  • Website or UI navigation and structure to make it easier for users to find what they’re looking for while being exposed to important messages
  • Landing page design to direct visual attention to calls to action
  • Page (or email) structure using components like headings, lists, and tables to convey information to skimmers and readers alike
  • Page (or email) copy to increase readability and to motivate users to take a desired action
  • CTA appearance and language to attract the eye and motivate the user to click
  • Form design to encourage users to share zero-party data (ZPD), which is becoming more critical as third-party cookies near retirement
  • Page loading speed because longer load times (even by fractions of a second) cause users to bounce before they even have the opportunity to convert

Most CRO guides (and, consequently, most organizations) focus on the approaches listed above and completely overlook how important Identity is as an enabler of and a direct contributor to CRO.

What is Identity’s role in CRO?

Put simply, Identity flows (shown in dark blue in the example funnel, below) are fundamental parts of the user journey — and this means that Identity flows are conversion flows.

This reality has important implications for CRO.


[Figure: Identity flows chart]


Identity friction harms conversion rates

In the physical world, friction is the force that resists the relative motion of solid surfaces, fluid layers, and material elements sliding against each other. In the digital world, friction refers to anything that slows down or otherwise impedes a user’s interactions with your service.

And, in an Identity context, these interactions may include (but are not limited to) a user:

  • Signing up for your service / registering an account with your organization
  • Logging in to their existing account
  • Providing you with consent to collect and use their ZPD and first-party data (FPD)
  • Updating their information and preferences
  • Checking out (i.e., completing a purchase)
  • Resetting their password

While some amount of friction during these interactions is necessary — to establish trust and provide security controls — the more friction involved in an interaction, the greater the user’s frustration.

And the more frustrated a user becomes, the more likely they are to abandon the interaction itself — dragging down your conversion rates.

For business-to-consumer (B2C) and business-to-business (B2B) companies alike, friction is a major obstacle to conversions.

  • Does your account creation process require too much information or too many steps to complete? If so, your sign-up rates are likely not where they could be. And you may be dealing with a lot of junk data. 
  • Is signing in too tedious or time consuming? If so, fewer customers will re-engage with your service as a known quantity.
  • Is creating or resetting the password too cumbersome? In the short term, customers who encounter this issue during critical moments, like trying to log in to your service or checking out, may abandon the whole process. 
  • And, speaking of checkout, is it too complicated? If so, items will sit in the cart, unpurchased — possibly forever.
  • And finally, does the context of the consent checkbox give users pause or cause for concern? If so, you may be unable to collect the ZPD and FPD that’s so crucial for personalization efforts.

Too few organizations understand this fundamental truth or have visibility into how these flows affect conversion rates. Essentially, the more friction users encounter across key engagement points with your services, such as Identity flows, the lower your overall conversions. Fortunately, the opposite is also true.

Improving conversion rates in Identity flows

Let’s look at a handful of examples illustrating how optimizing Identity flows can optimize conversion rates for some very important actions.

Increasing registrations by simplifying the sign-up process

In general, the easier it is for a user to register with your website, app, or service — that is, the lower the friction of the registration process — the higher your registration rate.

And for most organizations, registration is a critical step because it represents user identification (e.g., what creates the record) via the collection of FPD and ZPD. This FPD and ZPD strongly informs personalization, which drives higher conversions in a virtuous cycle. 

But before getting into specific approaches to reducing friction at this critical entry point, we must point out that the number of separate sign-up processes across your loyalty program(s), apps, and other customer-facing channels should be reduced. Siloed sign-up processes create an inconsistent brand experience for customers and an incomplete and often unactionable picture of your customers.

Convenience and ease of use are the goals, as fast and simple sign-up processes are less susceptible to abandonment. One way to make it easier for a user to register is to avoid asking for too much information upfront with a long and (unintentionally) invasive form. Another is to avoid forcing them to create a password — since password creation is one of the most universally despised activities associated with signing up for a new service.

To underscore this point, Okta’s Customer Identity Trends Report revealed that customers ranked “filling up long login or sign-up forms” and “creating passwords” as the most frustrating factors when registering for or logging in to a service.

Two ways to reduce frustration and lower entry barriers are to:

  1. Provide one-field sign-up experiences using a magic link sent to the user’s email address or mobile device
  2. Use social login (e.g., “Sign in with Google”) to enable users to use their existing social accounts — an approach open-source giant Arduino used to triple user conversions, contributing to 20% month-over-month growth

For many users, either approach is an attractive alternative to completing multiple fields and being asked for information upfront. Plus, many Identity providers — like Facebook or Google — allow websites to automatically obtain basic details users have consented to share.

Raising sign-in rates by using passwordless authentication

At some point, customers who signed up in the past may need to sign in by re-authenticating with your service.

Effective authentication should be fast and easy for the user, while providing sufficient security so that:

  • You can be confident that each user is who they say they are
  • Each user is confident that their account is protected

An overly tedious or time-consuming authentication process can cause users to proceed anonymously / as guests or — even worse — to abandon your service entirely. By making it easy for users to authenticate, you increase your sign-in conversion rates, which will in turn increase the volume of data tied to known, engaged, and converted customers.

Unfortunately, passwords remain the number one form of authentication today, even though they are insecure — 49% of breaches involve compromised credentials — and fraught with user experience issues.

The good news is passwordless options such as passkeys provide strong authentication while enabling users to sign in to applications the same way they unlock their phones or laptops — for example, by using device biometrics such as Face ID or fingerprint.

Notably, we aren’t the only ones saying this: Google showed logging in with a passkey is 50% faster than using a password. In fact, their belief in passkeys is so strong that, as of October 10, 2023, Google offers passkeys as the default option across personal Google Accounts.

But, since one size doesn’t fit all (the crux of personalization), it’s best practice to offer choice. In the interim, continue to offer passwords while considering additional layers of security alongside lower-friction methods.

Raising sign-in rates by making password resets fast and easy

Since password authentication is very much at play, password reset is a necessity for any app or online service. If your password reset process makes life harder for your customers, you’ll give them a reason to stop using your service. The ultimate goal should be reducing passwords as much as possible, but in the interim, good password reset processes do two things.

  • They minimize friction for the customer. It shouldn’t take your customer more than a minute to reset their password, and the process should only require information they are comfortable entering, like an email address.
  • They ensure the customer’s information is secure, for example, by providing safeguards against multiple failed logins and only sending information via secure channels.

One-time passcodes (OTP) sent to the customer’s registered email or phone number are the most commonly used forms of authentication for password resets. Both are more convenient than security questions (e.g., “What’s the name of your first pet?”). However, an OTP sent via SMS provides a higher level of assurance that the user is who they say they are because it’s tied to the device.

However, given that the password reset flow is a common target for account takeover attacks, the best approach is to reduce passwords wherever possible and, for high-risk transactions, to consider layering multi-factor authentication (MFA) (e.g., requiring the user to use an additional factor before being able to complete the reset flow) for added security.
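The safeguards described above for a reset OTP (short lifetime, single use, a cap on wrong guesses) can be sketched as follows. This is an added example, not Okta's code; the class name `ResetOtpStore`, the 300-second lifetime and the three-attempt limit are assumptions chosen for illustration.

```python
import hashlib
import hmac
import secrets
import time


class ResetOtpStore:
    """In-memory reset-code store (hypothetical; use a shared store in production)."""

    def __init__(self, ttl=300, max_attempts=3, clock=time.time):
        self._ttl = ttl                      # assumed lifetime in seconds
        self._max_attempts = max_attempts    # assumed guess limit per code
        self._clock = clock
        self._key = secrets.token_bytes(32)  # server-side key for the HMAC
        self._pending = {}  # account_id -> [mac, expires_at, attempts_left]

    def _mac(self, account_id, code):
        # Store a keyed MAC of the code, never the code itself.
        msg = f"{account_id}:{code}".encode()
        return hmac.new(self._key, msg, hashlib.sha256).digest()

    def issue(self, account_id):
        """Create a fresh 6-digit code; any earlier code is replaced."""
        code = f"{secrets.randbelow(10**6):06d}"
        self._pending[account_id] = [
            self._mac(account_id, code),
            self._clock() + self._ttl,
            self._max_attempts,
        ]
        return code  # pass to the email/SMS sender only; never log it

    def verify(self, account_id, submitted):
        """Return 'ok', 'wrong_code', 'locked', 'expired' or 'no_pending_reset'."""
        entry = self._pending.get(account_id)
        if entry is None:
            return "no_pending_reset"
        mac, expires_at, _ = entry
        if self._clock() >= expires_at:
            del self._pending[account_id]
            return "expired"
        # Constant-time comparison avoids leaking how much of the code matched.
        if hmac.compare_digest(mac, self._mac(account_id, submitted)):
            del self._pending[account_id]    # single use
            return "ok"
        entry[2] -= 1
        if entry[2] <= 0:
            del self._pending[account_id]    # force a new code after too many misses
            return "locked"
        return "wrong_code"
```

Requests to `issue` should themselves be rate-limited per account, which this block leaves out.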

Reducing fraudulent signups and sign-ins without sacrificing conversion 

Besides using MFA to secure password resets, implementing MFA and other security controls such as Captcha challenges may be a security imperative, depending on your use case (high-risk transaction) and industry. They provide an added level of assurance that the user is who they say they are to reduce account takeovers and fraudulent signups. But on the flip side, these additional security mechanisms add friction, especially when always on, where they work to keep legitimate users out as well as bots.

Another way to improve the authentication experience (without sacrificing security) is to use adaptive security techniques that leverage machine learning, such as:

  • Adaptive MFA that triggers an MFA challenge only when the login is deemed risky, for example, when a login attempt happens from a new computer or IP address
  • Advanced Bot Detection that triggers a Captcha challenge only when an anomaly is detected, based on signals such as IP reputation, location, and more
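The adaptive MFA idea above (challenge only when the device or network is new for that user) can be shown with a small decision engine. This is an added example, not Okta's implementation: fixed rules stand in for the machine-learning risk model, and the class `AdaptiveMfa`, the /24 and /48 network grouping, and the sample logins (documentation IP ranges) are assumptions constructed for illustration.

```python
import ipaddress
from collections import defaultdict


class AdaptiveMfa:
    """Remembers devices and networks that passed authentication, per user."""

    def __init__(self):
        self._devices = defaultdict(set)
        self._networks = defaultdict(set)

    @staticmethod
    def _network(ip):
        # Assumption: treat addresses in the same /24 (IPv4) or /48 (IPv6) as one network.
        addr = ipaddress.ip_address(ip)
        prefix = 24 if addr.version == 4 else 48
        return ipaddress.ip_network(f"{ip}/{prefix}", strict=False)

    def assess(self, user, device_id, ip):
        """Return the risk reasons for this login; an empty list means no challenge."""
        reasons = []
        if device_id not in self._devices[user]:
            reasons.append("new_device")
        if self._network(ip) not in self._networks[user]:
            reasons.append("new_network")
        return reasons

    def record_success(self, user, device_id, ip):
        # Trust a device/network only after the login fully succeeded.
        self._devices[user].add(device_id)
        self._networks[user].add(self._network(ip))


def replay(events):
    """Run (user, device_id, ip, passes_mfa) tuples through the engine."""
    engine = AdaptiveMfa()
    decisions = []
    for user, device_id, ip, passes_mfa in events:
        if not engine.assess(user, device_id, ip):
            decisions.append("allow")
        elif passes_mfa:
            decisions.append("challenge_passed")
        else:
            decisions.append("challenge_failed")
            continue  # a failed challenge must not teach the engine anything
        engine.record_success(user, device_id, ip)
    return decisions


# Constructed sample logins (not real data).
SAMPLE_LOGINS = [
    ("alice", "laptop-1", "192.0.2.10", True),     # first ever login
    ("alice", "laptop-1", "192.0.2.77", True),     # same device, same /24
    ("alice", "laptop-1", "198.51.100.5", True),   # known device, new network
    ("alice", "unknown-9", "203.0.113.50", False), # new device and network
    ("alice", "laptop-1", "198.51.100.9", True),   # both now known
]
```

On the sample, two of five logins pass with no challenge, whereas always-on MFA would challenge all five.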

Securing customer data and your brand assets is essential to building trust. And in turn, trust is a CRO prerequisite. In fact, a recent Deloitte study found that 88% of customers who trust a brand will buy again and that trusted companies outperform their peers by up to 400% in terms of market value.

Improving consent rates by building trust

In the privacy-conscious age, establishing trust is key to building loyalty and customer lifetime value. With privacy regulations requiring customer consent on how their data is collected and used, campaigns and personalized experiences won’t be powered by third-party data but by ZPD and FPD that users have consciously consented to share.

But users take their privacy very seriously. For example, Okta’s Customer Identity Trends Report revealed that 80% of all consumers (in a survey spanning 14 countries) considered control over their data important.


[Figure: Customer Identity trends data control graph]


So, how do you persuade customers to part with their data in the first place? The key is trust. Customers will only share data and opt in to marketing programs if they feel confident that their data is safe, being used in the way they’ve agreed to, and will benefit them by providing more personalized and convenient interactions — regardless of the channel they are using to engage with your brand.

Companies will need to be sensible when asking for data, mindful of the type of data they are asking for while drawing a clear line to consent. 

CRO is an ongoing activity

CRO isn’t a “set it and forget it” one-time activity.

Rather, it requires a kaizen approach of continuous improvement within the broader domain of marketing operations. Implementing such an approach requires (very broadly) two things.

  • First, it all starts with having access to accurate, zero- and first-party omni-channel data. Without access to quality data, CRO strategies may be stifled or miss the mark.
  • Second, the data needs to be accessible across the MarTech stack to monitor, extract, and activate insights. 

This can be boiled down to: collect, activate, improve, and repeat. 

Building trust and increasing conversions with Customer Identity

Customer Identity and Access Management (CIAM) is how your customers sign up and sign in to your digital properties. As such, it plays a significant role in building trust and securing consent, for example, by:

  • Providing low-friction registration options (social login, email, and phone number as identifiers) that enable them to engage with your services in an identified manner
  • Offering stronger and easier-to-use forms of authentication (passwordless biometrics and passkeys) that make it clear to users that you care about protecting their accounts and the data those accounts hold
  • Integrating with specialized consent management tools and publishing a clear and straightforward opt-in notice so customers can readily understand which data they’ve agreed to share and for which purposes
  • Enriching profiles through low-friction methods like social connections and progressive profiling, which facilitates the collection of ZPD contextually during moments of re-engagement
  • Offering your user the ability to manage the data they’ve consented to share. If they’ve decided they want greater privacy, they can remove information. If their email address has changed, they can update it. And if they’d like to share more details about their current needs and preferences, they can.

Essentially, at its core, CIAM is customer data, plus the tooling to protect, respect, and connect that data across the MarTech stack to drive omnichannel personalization and boost conversions. For example:

  • To build and continuously enrich customer profiles in CDPs and CRM systems
  • To trigger adding a customer to a marketing automation or email marketing campaign based on login frequency or context
  • To tie Identity to anonymous profiles and to identify areas of friction and opportunities for segmentation through integration with web analytics systems 

Understanding customers with Identity

For marketers, understanding customers through data is the fuel that enables their efforts, including CRO. With third-party data sources on the verge of extinction, FPD and ZPD collection and activation need to be closely examined and prioritized. 

So, if there’s one thing we hope you take away, it’s the message that CIAM is access to accurate, complete, and consented customer data and that Identity flows are conversion flows. In fact, they’re the flows that enable access and usability of this data across the MarTech stack.

To learn more about how Identity enables marketers to better understand customers, check out our eBook.
