Skip to content
  • There are no suggestions because the search field is empty.

Auth0 for Clarity Human Services: Toolkit

A new authentication foundation for Clarity, rolling out in waves between June and July 2026.

Table of Contents

Overview

Clarity Human Services is moving its authentication foundation to Auth0, a modern, SOC 2–compliant identity platform. Clarity users will notice a change in how they log into Clarity Human Services.

The change introduces:

  • A new login screen
  • Required multi-factor authentication

The change will be rolled out to customers in waves between June 23, 2026, and July 30, 2026. Customers will receive direct communication about their particular wave and what to expect.

When is the Auth0 rollout happening?

Auth0 rolls out in eight waves, twice per week on Tuesdays and Thursdays. If a community has a training environment, Auth0 will be rolled out to that training instance two weeks before the production instance assigned rollout.

There is no opt-out for an assigned wave. In the event of a significant configuration or timing issue, contact the Bitfocus Support Team.

Why we’re making this change

A stronger security foundation: Authentication is one of the most critical parts of any SaaS platform, and this change gives Clarity a more modern foundation for managing it. While most customers will experience only a modest change to the login flow, moving authentication to Auth0 helps us better support modern security standards and creates a stronger long-term foundation for protecting access to Clarity.

A simpler, more scalable path to SSO and MFA: Our previous home-grown approach could be time-consuming to configure and difficult to scale, often requiring a high level of support effort. Auth0 provides a more consistent and supportable way to deliver these capabilities.

A more unified access experience: Some customers will be able to access their data through Snowflake using the same login they use for Clarity, reducing the need for separate authentication patterns across the platform.

How to Prepare Users

System administrators should prepare before the change occurs.

  • Audit staff list for valid email addresses. Confirm every active user has a valid, unique email on file. Inactive users do not require attention.
  • Decide on a user-facing communication. A short message ahead of the rollout wave reduces help desk volume on day one. 
  • Brief your help desk. Make sure your internal support team knows about the new login flow, what MFA enrollment looks like, and where to direct users who encounter any issues.
  • Add the Recovery Email to Allowlist(s): Ask your IT team to allowlist the email address noreply@bitfocus.com.

Universal MFA Enrollment

Every user will be required to enroll in multi-factor authentication on their first sign-in after migration. This applies regardless of whether the user had 2FA enabled in Clarity previously. Supported authentication methods at launch include:

  • One-time password via authenticator app (Google Authenticator or Microsoft Authenticator for iOS and Android devices are two popular options).
    • Note: If users cannot use their phones to authenticate, they can use a desktop-based authenticator like Proton.
  • Push notification via the Auth0 Guardian app
  • Phone (SMS or voice)
  • Email
    • Note: Email is only available as a secondary factor. Users must enroll in at least one other authentication method first.

Users can manage their enrolled factors directly from their Clarity account settings after migration. 

Note: Users who already have 2FA/MFA set up in their existing Clarity instance will be prompted to reenroll their authentication method with Auth0.

MFA Enrollment Steps

Step 1: Users enter their email address on the Clarity sign-in page:

Clarity Login Page

 
 

Step 2: Users are redirected to the Auth0 login page, where they enter their Bitfocus account password:

Auth0 Login Page

 
Step 3: Upon first SSO login with Auth0, the user will be prompted to select their authentication method:
 
Authentication Methods
Authentication Methods
 
Phone Authentication
Phone Authentication
 
Auth0 Guardian App Authentication
Auth0 Guardian App Authentication
 
Other Authenticator Apps Authentication
Other Authenticator Apps Authentication
 

Step 4: Once the authentication method is set up, users will be prompted the next time they need to re-authenticate when they login:

Re-Authenticate Page

 
 

If the Remember this device for 30 days option is checked, an MFA challenge will only be presented after a 30-day grace period. If the Remember this device for 30 days option is not checked, you will be challenged every time you log in.

Clarity Shield Users

Users with existing, custom SSO configurations will be contacted by Bitfocus support to schedule their migration. Once migrated, users will continue to authenticate with their current SSO workflow.

Remember this device setting is now a 30-day window

A single Remember this device for 30 days option replaces the legacy 7/14/30/90-day Trusted Device selector.

Invalid Email Addresses

Email can be used as a backup recovery method if the phone or the authenticator app is first set up as a primary method. If, for any reason, a user’s primary authentication method fails, it’s important that the email address they’re using to log in is valid so they can reset their password.

System administrators still have the ability to manually reset a user’s password from the MODIFY THE STAFF page in Clarity Human Services if all other recovery methods fail

Frequently Asked Questions for Users

Why do I use my email to sign in now?

Email is globally unique and doesn't require users to invent or remember a separate identifier. It also enables built-in account recovery via password reset links sent to your inbox.

What is this new login screen? Why was I redirected to another website?

Users now enter their email on the Clarity sign-in page, which has the same URL as before. They’ll then be temporarily redirected to Auth0, which handles the rest of the sign-in process. Once authentication completes, users are automatically sent back to Clarity.

Why am I being asked to register an MFA device?

MFA is now required for all users authenticating to Clarity Human Services and approved third-party applications. On first sign-in after migration, users will be prompted to enroll.

Where did the 2FA toggle in my user settings go?

The per-user 2FA enable/disable option has been removed. MFA is managed centrally through Auth0 now, and users can manage their enrolled factors from their Clarity account settings.

What if I’ve already set up 2FA in Clarity?

Users who had 2FA enabled with Clarity prior to the change will need to set up their MFA again with Auth0.

What if the phone number on my Clarity user profile is different than the number I use for MFA?

This will not be an issue. Auth0 does not look at the Clarity user profile and only sees the phone number the user provides during login.

How long does "Remember this device" last?

30 days. The previous 7/14/30/90-day selector has been replaced by a single 30-day option.

Does the new Clarity interface require a separate login?

No. The new Clarity interface continues to authenticate via Clarity, sharing a single Auth0 session, so customers won't see two logins.

Can I use my email address for MFA?

Email can only be used if another authentication method is set up first, and the user does not have access to the phone or authenticator app they set as their primary recovery method. Email cannot be the only/primary authentication method.

Frequently Asked Questions for System Administrators

Can my instance's rollout be delayed?

No, there is no opt-out for an assigned wave. In a true emergency, Auth0 can be temporarily disabled for a single instance by contacting the Bitfocus Helpdesk. This should be treated as a last resort.

Can I customize the display name shown on our login page?

Yes, the organization's display name can be customized. Contact the Support Team at support@bitfocus.com to request a change. Note that updating your System Name later will not automatically update the login display name.

Can admins enroll a user in MFA on their behalf?

No, users enroll themselves on first sign-in.

Can I still manually set a password for a user?

Yes, if a user’s email address is invalid, system administrators can set the user’s password on the Setup page in Clarity.

What if my users don’t have cell phones or can’t use their personal phones for work?

Users who don’t have cell phones or who can’t use their personal phones for work have a couple of options:

  • If they have access to a direct, landline phone number, they can use that and select the option to receive the authentication code via voice call.
  • They can use a desktop authentication app like Proton.

If I can’t create accounts with fake email addresses, how can I test features under different access roles?

Rather than creating separate accounts to test access roles, we recommend using Additional Agency Access. During the process of granting additional agency access, system administrators can specify which access role should be used for the additional access. Then, when the user switches to that agency, they will experience Clarity Human Services as if they had that access role and can test features accordingly.

What if I need more help?

If a question isn't covered here, contact the Support Team at support@bitfocus.com.

Published: 05/26/2026