
Authentication Admin FAQs


Category: SSO Authentication - Admin Guide | Type: FAQs


What sign-in options does Hive support?

How do I enable or change my organisation's sign-in methods?

Can my team use more than one sign-in method?

What's the difference between SSO and SAML SSO?

What happens to employees who don't have an email address?

Are my employees' responses still confidential when using SSO?

Do I need to involve my IT team?

What is Domain Whitelisting and should I use it?

What if an employee can't sign in?

Useful Information

 


 

1. What sign-in options does Hive support?

Hive supports several sign-in methods, and admins can enable any combination from the account settings:

  1. SSO with Google or Microsoft — one-click sign-in using your existing work account
  2. Magic Links — a secure one-time link sent to your inbox
  3. Passkeys — sign in with Face ID, fingerprint, or a device PIN
  4. Email and Password with 2FA — traditional login with a second verification step
  5. SAML SSO — full identity provider integration (available as a paid add-on)

For most organisations, SSO with Google or Microsoft is the simplest setup. You can mix and match methods depending on what suits your team.

2. How do I enable or change my organisation's sign-in methods?

Sign-in methods are managed in your account settings, under Authentication. You can toggle individual methods on or off, add domain whitelisting, or enforce 2FA — all without IT involvement. Changes apply immediately. Full step-by-step instructions are in our Authentication Setup Overview.

3. Can my team use more than one sign-in method?

Yes. If you've enabled multiple methods, your team will see all available options on the sign-in page and can choose whichever suits them. For example, an employee might prefer SSO on their work laptop and a passkey on their phone — both will work.

The only exception is SAML SSO. When SAML is enabled, it replaces all other methods.

4. What's the difference between SSO and SAML SSO?

Both let your team sign in using existing work accounts. The difference is in how the connection is set up:

  1. SSO with Google or Microsoft uses your existing workspace accounts — no IT setup, switched on from your account settings in a few clicks
  2. SAML SSO is a deeper integration with your identity provider (Entra, Okta, Workspace, etc.) — designed for IT teams that want centralised control, requires technical setup on both sides, and sits in our paid tier

For most customers, standard SSO covers everything they need. SAML is typically the right call only when IT specifically asks for it.

5. What happens to employees who don't have an email address?

On the sign-in page, there's a "No email address?" option that takes them through a simple verification process using their name and a few identifying fields.

If they later receive an email address, they can switch to one of the standard sign-in methods and unlock the full employee experience.

6. Are my employees' responses still confidential when using SSO?

Yes, nothing about how feedback is handled changes. Responses are still aggregated, still confidential, and managers still only see team-level results. Signing in is just how employees access Hive; it isn't connected to what they say once they're there.

If your team has questions about this, they can read more in our help centre or ask their HR team.

7. Do I need to involve my IT team?

For standard SSO with Google or Microsoft, no — it's a setting you can switch on yourself. The same applies to magic links, passkeys, and email and password. The default options are admin-managed, so no IT tickets are required.

Your IT team only needs to be involved if you choose SAML SSO, which requires a technical setup on both sides.

8. What is Domain Whitelisting and should I use it?

Domain whitelisting restricts sign-in to your approved company email addresses (for example, @yourcompany.com). When it's switched on, only people with an approved email address can access Hive; anyone else is blocked, even if their account exists in the system.

We recommend enabling it alongside SSO if all your users have a company email. It adds a layer of centralised control without any extra effort from your team.

9. What if an employee can't sign in?

A few quick checks for the most common cases:

  1. They tried SSO but it didn't work — check that SSO is enabled in your account settings, and that the user's email matches one of your approved domains (if you've enabled domain whitelisting)
  2. They didn't receive a magic link — ask them to check their spam folder; if it's still missing, they can try again from the sign-in page
  3. They've lost access to their 2FA device — admins can reset 2FA from the user's profile in the dashboard

 

Require further technical assistance? Contact Our Support Team