Toss logged people in with a 10-step process, the standard for a financial app. I asked why each step existed, removed the ones that did not need to be there, and shipped Korea's first no-login for finance.
While monitoring Toss's growth, I noticed the curve starting to flatten. Reading it through carrying-capacity theory, which weighs new-user acquisition against revisit frequency and churn, the signal was clear: acquisition stayed steady, but the growth rate kept decelerating. The leak was not at the top of the funnel. It was people leaving.
I ran user research with 3,256 people and two findings stood out. People who change phones every two years have to log in to Toss all over again, and half of them churned at that step because it felt too complex. And half of Toss's users are between 50 and 60, with most of them uninstalling and reinstalling the app repeatedly because of storage, hitting that same login wall every single time.
Login was ten steps. Most financial apps ran ten to fifteen, all of it justified in the name of security. So I broke registration down into what it actually requires: identity (CI) verification, device-possession authentication, and a PIN.
Device authentication and the PIN are real security floors, and they stay. But identity verification asks the same person for the same information every time, and that answer does not change for the same user. If I could confirm who someone was another way, none of that re-entry needed to happen. The friction everyone treated as fixed was not load-bearing.
A cloud-based login that uses authentication tokens to recognize a returning user without making them log in at all: the first no-login in Korean finance. The same security guarantees, almost none of the friction. I owned the legal and compliance research and the back-end system design that made it defensible to ship in a regulated sector.
Product-led growth is not bolting growth loops onto a product. It is removing the reasons people leave. The largest lever here was hidden inside a step everyone assumed was mandatory. Question the defaults, ground the change in first principles and the actual law, and let the data point you at the leak.