Why We Killed Passwords for Job Candidates (And What Replaced Them)
Most ATS platforms lose 57% of applicants at the login screen. Kit uses magic links instead of passwords, cutting candidate friction to zero. Here's the data behind that decision.
Ernest Bursa
More than half of candidates who start a job application never finish it. According to a LiveCareer study, 57% abandon specifically because of complex processes and lack of transparency. The single biggest source of that complexity? Creating an account and setting a password. We removed passwords entirely from Kit’s candidate experience, replacing them with magic links. This article explains why, with the data that made the decision obvious.
The password tax on hiring
Every ATS that forces candidates to “Create an Account” before applying is running a conversion experiment. The result of that experiment has been consistent for over a decade: you lose most of your applicants at the login screen.
When applications take more than 15 minutes (which happens quickly once you add email verification, password rules, and failed resume parsing), completion rates drop from 12.5% to 3.6%, according to Appcast’s 2026 Recruitment Marketing Benchmark Report.
Think about what that means in dollars. You spent money on job board postings, employer branding, maybe even programmatic ads. You got a candidate interested enough to click “Apply.” Then your ATS asked them to invent a 12-character password with a special symbol for a system they will use exactly three times. They closed the tab.
Reducing application time to five minutes or less boosts conversion rates by up to 365%, according to Appcast. That is not a marginal improvement. That is the difference between hiring someone and not.
What candidates actually experience
If you have not applied for a job through Workday recently, try it. The experience is clarifying.
The legacy wall: Workday, Taleo, iCIMS
Workday requires a brand-new account for every company. There is no centralized candidate identity. Candidates on Reddit’s r/recruitinghell routinely describe the experience as turning a one-minute task into a ten-minute ordeal. Others say they skip any job listing that routes to a Workday login page.
Oracle Taleo is worse. The multi-page workflows, rigid password requirements, and frequent session timeouts are so hostile that candidates report closing the browser the instant they see “taleo” in the URL. Industry analysts have noted the product “pretty much fails at everything” regarding user experience.
iCIMS asks you to upload a resume, then immediately re-type the same information into separate form fields. Their own 2025 State of Frontline Hiring Report acknowledges a 68% application abandonment rate in hospitality alone.
The better middle: Greenhouse, Lever, Ashby
Modern platforms recognized this problem. Greenhouse lets you apply without an account, though its optional “MyGreenhouse” portal still uses passwords. Lever relies on Google/LinkedIn SSO, which candidates generally prefer. Ashby goes further with a native “Sign in with a Magic Link” option.
The trajectory is clear. The market is moving away from passwords. The only question is how fast.
| Platform | Account required? | Auth method | Steps to apply | Candidate sentiment |
|---|---|---|---|---|
| Workday | Yes | Password (per company) | 10-15 | Highly negative |
| Taleo | Yes | Password | 10+ | Highly negative |
| iCIMS | Often yes | Password + data re-entry | 8-12 | Negative |
| Greenhouse | No | Optional password portal | 3-5 | Positive |
| Lever | No | SSO (Google/LinkedIn) | 3 | Positive |
| Ashby | Varies | SSO + magic link | 2-4 | Positive |
| Kit | No | Magic link | 2 | Frictionless |
Why mobile makes passwords unacceptable
Over 65% of job applications now start on mobile devices, according to Appcast. In hospitality and gig economy roles, that number exceeds 80%.
Typing a complex password on a phone keyboard is slow and error-prone. Switching to a mail app for a verification code often kills the session. Returning to the browser means starting over. These are not edge cases; they are the default experience for most applicants.
This means organizations with password-gated portals are systematically filtering out mobile-first candidates. That includes most Gen Z professionals, frontline workers, and passive candidates scrolling LinkedIn on their phone. You are not just losing applications. You are losing an entire demographic.
How magic links work
A magic link replaces the password with something the candidate already controls: their email inbox.
- Candidate enters their email address. One field. No “choose a username” or “confirm your password.”
- The system generates a cryptographic token. This is a single-use, time-limited string (typically 5-15 minutes TTL) tied to the candidate’s profile.
- The token arrives as a clickable link. Delivered via email, it opens the candidate’s authenticated session instantly.
- One click, they are in. The token is invalidated after use. No replay attacks, no stored credentials.
The key insight is access frequency. Passwords were designed for systems you use daily: your email, your bank, your work laptop. A candidate interacts with an ATS maybe three times over a 45-day hiring cycle: once to apply, once to schedule an interview, once to review an offer.
Asking someone to create and remember a password for three lifetime logins is an anti-pattern. By the time they return two weeks later for an interview, they have forgotten it. They click “Forgot password.” The reset flow sends an email with a one-time link. That is literally a magic link with five extra steps of frustration.
Magic links just make the recovery path the primary path.
Security without the theater
The most common pushback we hear from enterprise buyers is security. “Don’t you need a password to be secure?” No. In practice, passwords are the weakest link in most systems.
Passwords are the vulnerability
85% of consumers reuse passwords across platforms, with 41% doing so frequently, according to LastPass’s Psychology of Passwords report. When candidates use the same password for your ATS portal and a compromised hobby forum, your candidate data is exposed through credential stuffing attacks. This is not theoretical. It happens constantly.
Magic links vs. passkeys
In 2026, the two main passwordless options are magic links and passkeys (FIDO/WebAuthn). Passkeys use public key cryptography stored on the user’s device, secured by biometrics. They are cryptographically stronger and ideal for high-frequency access.
But for candidates, passkeys are overkill. Requiring a transient user to generate, store, and sync a passkey for a 45-day relationship adds complexity for no practical benefit. The threat model matters: an ATS candidate profile contains resumes and contact information, data that is largely public on LinkedIn anyway. The risk of targeted magic link interception is negligible compared to the daily automated credential stuffing that plagues password systems.
Magic links can be hardened with short expiration windows, browser-session binding, and strict one-time-use policies. For recruiting, they hit the right tradeoff: high security, zero friction.
Password reset costs add up
Password resets account for 20-50% of all IT help desk tickets, according to Gartner. Each reset costs roughly $70 in labor, per Forrester estimates. For recruiting teams, this translates to talent acquisition professionals troubleshooting login issues instead of sourcing candidates.
The measurable impact of going passwordless
Conversion lifts
Appcast’s data shows that reducing friction in the application process (fewer fields, fewer steps, no account creation) yields the largest gains on mobile, where form completion rates are lowest. Their benchmark data consistently shows that mobile-optimized, low-friction applications convert 2-3x better than traditional multi-step flows.
The pattern holds across industries: remove barriers, and completion rates rise. The largest gains come from mobile users, who face the most friction from password entry.
Re-engagement transforms
Here is a number that should change how you think about your talent pool. Slack shared publicly that teams using magic link invitations completed onboarding 2.3 days faster than those with traditional password flows, correlating with 31% higher annual contract values. Video platform Money Alive reported a 75% reduction in support time after switching from passwords to temporary access codes.
These are not recruiting-specific examples, but the pattern transfers directly. Low-frequency, high-intent access is exactly the profile of a job candidate. When you send a returning candidate a magic link instead of asking them to remember a password from six months ago, more of them actually click through.
How Kit handles passwordless candidate access
When we built Kit, we made a deliberate architectural decision: candidates never see a registration form, a password field, or an account creation screen. Whether they are applying for a role, picking an interview time, submitting a code assignment, or reviewing an offer letter, the flow is the same.
They enter their email. They click the link. They are in.
This is not a feature. It is a philosophy. If you believe that candidates are people you are trying to attract, not suppliants who should be grateful for the chance to apply, then every interaction should respect their time. Passwords do the opposite.
What this enables downstream
Removing friction at the top of the funnel has compounding effects. When it is effortless to enter the process, more qualified candidates complete their applications. That means your pipeline has better signal. Better signal means your team spends less time screening and more time interviewing people who actually fit.
The same magic link architecture powers every candidate touchpoint in Kit. Interview scheduling, code assignments, offer reviews, and status checks all use the same one-click access pattern. Candidates never wonder which password they used, because they never set one.
The bottom line
Passwords in recruiting are a solved problem. The solution is to remove them.
The evidence points one direction. Passwords cause 57% of application abandonment (LiveCareer). They fail on mobile, where most candidates apply (Appcast). They create security vulnerabilities through credential reuse (LastPass). And they send a clear message to candidates: your time does not matter to us.
Magic links fix all of this. They are faster, more secure for the recruiting use case, and they respect the reality of how candidates interact with hiring systems: infrequently, on their phones, with zero interest in managing another password.
We killed passwords for candidates because the data left us no other honest choice. If your ATS still asks candidates to create an account, you are losing talent before they even get through the door.
Try Kit free and see what a passwordless candidate experience looks like.
Related articles
How to Write Job Descriptions That Attract Top Candidates
A practical guide to writing job descriptions that convert: ideal word count, salary transparency data, bias-free language, and SEO markup for startup hiring.
How to Structure Code Assignments Candidates Don't Hate
Design take-home coding tests that predict job performance without alienating top talent. A practical framework for time limits, rubrics, and evaluation.
How to Hire a Product Designer: A Practical Guide for 2026
How to hire a product designer: role definitions, portfolio evaluation in the age of AI, structured interview loops, sourcing channels, and 2026 compensation benchmarks.
Ready to hire smarter?
Start free. No credit card required. Set up your first hiring pipeline in minutes.
Start hiring free