What is this?
Clue uses two-factor authentication (2FA) by default. No passwords to remember or reset. When you sign in, you enter your phone number and receive a verification code via SMS. That is it. Simple, secure, and no IT tickets for forgotten passwords.
For enterprise accounts, Clue also supports Single Sign-On (SSO) so your team can log in with their existing company credentials.
How default authentication works
Every Clue account uses phone-based 2FA:
- Open Clue and enter your phone number
- Receive a one-time code via SMS
- Enter the code. You are in.
No passwords. No password resets. No password policies to manage. The phone number is your identity, and the SMS code proves you have the phone.
Single Sign-On for enterprise
If your company uses Azure Active Directory, Okta, or another identity provider, Clue can connect to it. Your team signs in with the same credentials they use for email and other company tools.
What SSO gives you
- One login for everything. Your team uses their company credentials. No separate Clue password.
- Centralized user management. When IT disables an account in your identity provider, that person loses Clue access automatically.
- Compliance. SSO meets enterprise security requirements for SOC 2, ISO 27001, and similar frameworks.
Supported protocols
- SAML 2.0 - The most common enterprise SSO standard. Works with Azure AD, Okta, OneLogin, and most identity providers.
- OIDC (OpenID Connect) - A newer standard supported by Azure AD, Google Workspace, and others.
How to enable SSO
SSO is available for Enterprise accounts. Contact your Clue account manager to set it up. The process takes about an hour:
- Your IT team provides the identity provider metadata (entity ID, SSO URL, certificate)
- Clue configures the connection on our side
- Both teams test with a few users
- Roll out to the full team
The full details
- Default auth: Phone-based 2FA via SMS. No passwords. Available to all accounts.
- SSO: SAML 2.0 and OIDC. Available for Enterprise accounts.
- Mobile app: Same authentication method. Phone 2FA or SSO depending on your setup.
- Session duration: Sessions stay active for an extended period. You do not need to re-authenticate every day.
- No extra cost: SSO is included in Enterprise plans. No per-user SSO fees.
Tips
- Phone-based 2FA works for most teams. It is simpler than passwords and more secure. Only consider SSO if your IT policy requires it.
- If you enable SSO, test with 2-3 users first. Verify that roles and permissions map correctly before rolling out company-wide.
- Lost phone? Contact your Clue admin or support. They can re-verify your identity and update your phone number.