---
url: 'https://www.corbado.com/kpi/total-authentication-success-rate'
title: 'Total Authentication Success Rate'
description: 'Total Authentication Success Rate measures how often login attempts end in a completed, authenticated session, including failures and abandonments.'
lang: 'en'
---

# Total Authentication Success Rate

## What is the Total Authentication Success Rate?

**Total Authentication Success Rate (TASR)** measures the share of authentication attempts
that end with the user reaching the intended authenticated state, regardless of which
authentication method was used. It aggregates all login attempts across all methods,
whether passkeys, passwords, OTPs, magic links, or any other method. It is the fastest way
to answer, at scale, whether users can actually get into the product, and whether the
authentication layer is helping or blocking growth.

> **Key facts on Total Authentication Success Rate**
> 
> - **What it captures**: Completed authentications divided by started authentications
>   across all methods, including implicit abandonments
> - **Primary use**: Quantify how much access friction and auth failure reduces successful
>   sign ins
> - **Interpretation**: Higher is better, large drops usually indicate incidents, UX
>   regressions or provider outages

## Where does the Total Authentication Success Rate fit in the login funnel?

We measure **Total Authentication Success Rate** from the moment a user clearly signals
intent to authenticate, for example they submit an identifier or tap Sign in until they
either reach an authenticated session or they fail or abandon. Measurement boundary, we
start at the first attempt start event, and we end at either a success event or an attempt
timeout that we classify as abandonment.

The funnel applies to any authentication method. Whether the user authenticates with a
passkey, enters a password, receives an OTP, or uses a magic link, the flow is the same:
offer, start, complete on client, verify on server, succeed. The **Total Authentication
Success Rate** aggregates all these method paths into a single metric.

```mermaid
flowchart LR
    OA(("Offer<br/>Auth"))
    OM(("Offer<br/>Method"))
    SM(("Start<br/>Method"))
    CM(("Complete<br/>Method<br/><i>client</i>"))
    VM(("Verify<br/>Method<br/><i>server</i>"))
    SuM(("Success<br/>Method"))
    SuA(("Success<br/>Auth"))

    OA --> OM --> SM --> CM --> VM --> SuM --> SuA

    OA -. "ENGAGEMENT RATE" .-> SM
    OM -. "METHOD CONVERSION" .-> SM
    SM -. "COMPLETION RATE" .-> CM
    CM -. "VERIFICATION RATE" .-> VM
    SM -. "METHOD SUCCESS RATE" .-> SuM
    SM -. "AUTH SUCCESS RATE" .-> SuA
```

## How to calculate the Total Authentication Success Rate?

We calculate **Total Authentication Success Rate** per attempt, where we count one attempt
once per session, even if the user retries multiple times or switches methods before
succeeding. If a user starts with a password, fails, then succeeds with a passkey, that
counts as one started attempt and one successful attempt. All methods contribute to the
same aggregate metric.

> $$\text{TASR}=\frac{\text{Auth Attempts succeeded}}{\text{Auth Attempts started}}$$

- `Auth Attempts started` is the count of deduped sessions that entered the authentication
  flow, regardless of method.
- `Auth Attempts succeeded` is the count of those sessions that reached the authenticated
  state within the attempt window, regardless of which method ultimately succeeded.

Typical ranges vary by audience and method mix.

| Segment              | Typical range | Top performers | Minimum acceptable | With passkeys |
| :------------------- | :-----------: | :------------: | :----------------: | :-----------: |
| Overall              |  80% to 87%   |   94% to 97%   |     75% to 78%     |  92% to 98%   |
| Banking and fintech  |  85% to 90%   | 95% or higher  |   80% or higher    |  95% to 98%   |
| Ecommerce and retail |  78% to 83%   |   90% to 94%   |     72% to 78%     |  90% to 95%   |
| B2B and SaaS         |  88% to 92%   |   94% to 97%   |   85% or higher    |  95% to 98%   |
| Social and media     |  80% to 85%   |   92% to 95%   |     75% to 80%     |  92% to 96%   |

### Numerator: Auth Attempts succeeded

Count an attempt as succeeded when the user reaches the intended authenticated session,
including completion of any required step up such as MFA. The method used does not matter
for this metric, a success via passkey, password, OTP, or magic link all count equally. If
a user tries one method, fails, then switches to another method and succeeds, the session
is still one success.

Do not count sessions that only verify an email, issue a reset link or pass an
intermediate checkpoint without granting authenticated access.

### Denominator: Auth Attempts started

Count an attempt when the user enters the auth flow with clear intent, such as submitting
an identifier, launching a passkey prompt, or submitting credentials. All method entry
points count: password form submissions, passkey ceremonies, OTP requests, or magic link
clicks.

Exclude known automated testing, health checks and detected bot flows. Deduplicate rapid
retries within a short window so a single struggling session does not inflate the
denominator.

### How to use Total Authentication Success Rate to improve outcomes

Use **Total Authentication Success Rate** to connect authentication quality directly to
growth, cost and risk outcomes.

- **More successful sign ins**: Diagnose which segment drops first, then simplify the
  highest volume path, then validate via sustained lift by segment for at least a full
  business cycle.
- **Fewer user abandonments**: Diagnose long time to complete or confusing prompts, then
  reduce steps and clarify recovery, then validate via higher success with stable attempt
  volume.
- **Lower support contacts**: Diagnose spikes in lockouts, resets, and error messages,
  then improve recovery UX and reduce false lockouts, then validate via fewer contact
  reasons tied to access.
- **Lower fraud and abuse exposure**: Diagnose high failure with high risk enforcement,
  then move to [phishing](https://www.corbado.com/glossary/phishing) resistant methods and better risk signals,
  then validate via fewer compromised accounts with stable success.

### Blindspots and common pitfalls of Total Authentication Success Rate

- **Intent and selection bias**: If you start counting only after a user chooses a method,
  you can miss users who bounce earlier and you will overstate success.
- **Missing telemetry**: If abandonments are not logged consistently, TASR can look
  healthy while users silently give up.
- **Method mix shifts**: A shift in which methods users attempt can change TASR even if no
  single method regressed. For example, more users trying passkeys on unsupported devices
  will lower the aggregate rate.
- **Mix shifts across segments**: A shift toward harder cohorts, such as new devices or
  new geographies, can drop TASR even if nothing broke.
- **Retries counted as new attempts**: If every retry is counted, TASR can fall due to
  counting artifacts rather than real access problems.