How do I assist patrons with multi-factor authentication for CUNY Login?
In June 2025, CUNY began implementing multi-factor authentication (MFA) in CUNY Login, the university's single sign-on (SSO) system. This affects patron access to OneSearch and library e-resources along with major CUNY systems (such as CUNYfirst, Brightspace, Zoom, and so on)—basically, any service using CUNY Login. While campus help desks handle issues like lost phones and login problems, libraries will likely field the initial "What is this?" questions, especially when it comes to library services.
Setting Up MFA for the First Time
To set up CUNY Login MFA for the first time, patrons need:
- CUNY Login username and password
- Smartphone with Microsoft Authenticator app installed
- Computer/laptop
- About 10-15 minutes
Setting up CUNY Login MFA TOTP (Time-based One-Time Password) for use with the Microsoft Authenticator mobile app is a one-time process.
- In a new web browser window, open CUNY MFA Self-Service (https://ssologin.cuny.edu/oaa/rui).
The CUNY Login page displays.
- Enter your CUNY Login username and password, then click Log in.
⚠️ If you are also prompted to share your location with ssologin.cuny.edu, click Allow.
An Oracle Access Manager page is displayed with a confirmation message with the instruction to click OK to continue.
- Click OK to acknowledge the message.
An Oracle Identity Management page is displayed asking you to grant access to continue.
- Click Allow to continue.
The Hi, what are you managing today? page is displayed.
- Click Manage in the "My Authentication Factors" tile.
The CUNY Login Advanced Authentication – My Authentication Factors page is displayed.
- Click on Add Authentication Factor to display the list of authentication factor methods.
- Choose Mobile Authenticator - TOTP (Time-based One-Time Password).
The CUNY Login Advanced Authentication - Setup Mobile Authenticator page is displayed.
- In the Friendly Name field, type a name (such as “CUNY Login MFA”) to easily distinguish CUNY Login MFA from any other accounts in Microsoft Authenticator.
- If you are using Microsoft Authenticator on an iPhone, consider using hyphens or underscores instead of spaces in the Friendly Name field. Some older iPhones may replace the spaces in the friendly name with %20 when the Friendly Name is added to the Microsoft Authenticator mobile app.
- Open Microsoft Authenticator on your mobile phone.
- Tap Verified IDs at the bottom of the page or the circular button above it.
The Microsoft Authenticator Verified IDs page is displayed.
- Tap Scan a QR code.
The Microsoft Authenticator Scan QR Code page is displayed.
- Use the camera window on the Scan QR Code page to capture the QR code displayed on the CUNY Login Advanced Authentication - Setup Mobile Authenticator page on the computer.
This sets up a new MFA account in Microsoft Authenticator having the friendly name you entered with a time-based one-time password (TOTP) code that changes every 30 seconds. A count-down timer indicates how much longer the password code remains valid for authentication.
- On the CUNY Login Advanced Authentication - Setup Mobile Authenticator page on the computer, click Verify Now.
A Verification Code field is added to the CUNY Login Advanced Authentication - Setup Mobile Authenticator page.
- In the Verification Code field, type the password code from the Microsoft Authenticator app on the phone.
- Click Verify and Save.
The My Authentication Factors page displays showing the Mobile Authenticator - TOTP MFA account just added.
- Click on your CUNY Login username in the top right corner of the page, choose Logout, and close your browser.
Your CUNY Login MFA TOTP method has been set up and the corresponding MFA account is now in your mobile phone’s Microsoft Authenticator app.
Responding to MFA Prompts
Entering the password code from Microsoft Authenticator when CUNY Login MFA prompts you to enter a TOTP (time-based one-time password) takes seconds.
- In the CUNY Login window, enter your CUNY Login username and password, then click Log In.
⚠️ If you are also prompted to share your location with ssologin.cuny.edu, click Allow.
A window is displayed prompting you to choose your MFA login method from the displayed list of your previously established CUNY Login MFA authentication factors.
Note:
If you do not see a window prompting you to choose your MFA login method, your CUNY Login MFA setup may be incomplete. Clear the browser cache, close the browser window, and then follow the instructions in “Setting Up MFA for the First Time.” - Click on the Enter OTP from device link corresponding to the friendly name you set up for CUNY Login MFA.
- Open the Microsoft Authenticator app on your mobile phone to display the one-time password code.
- Make sure to open the account you set up for use with CUNY Login MFA.
- Consider waiting for the one-time password (OTP) code to refresh if the count-down timer gets close to zero.
- In the Enter OTP from the registered phone field, enter the one-time password code from Microsoft Authenticator.
- Click Verify. The CUNY application or service opens for your use.
Troubleshooting Common Issues
"I don't see the MFA prompt when logging in"
- Setup may be incomplete - have them clear browser cache and retry setup
- Ensure they've allowed to share their location with ssologin.cuny.edu
- Their campus may not have implemented MFA yet
- Check if they're using the correct CUNY Login URL
"The code doesn't work"
- Codes expire every 30 seconds - wait for a fresh code if timer is low
- Ensure they're using the CUNY Login MFA account in Authenticator
- Check for typos in the 6-digit code
"I already have Microsoft Authenticator for [something else]"
- This creates a separate account within the same app
- They'll now have multiple accounts in Authenticator
- Make sure they select the correct account when logging in
"I lost my phone" or "I got a new phone"
- Refer to campus help desk immediately - this requires administrative reset
- Cannot be resolved at library level
"I can't install apps on my phone"
- This may be a device policy issue (work phones, etc.)
- Refer to campus help desk for alternative solutions
- Some campuses may have backup authentication methods
Knowing When to Refer to Campus Help Desk
Library staff should refer patrons to campus IT/help desk for:
- Lost or replaced mobile devices
- Inability to install Microsoft Authenticator due to device restrictions
- Persistent login failures after successful setup
- Account lockout issues
- Questions about campus-specific MFA policies
Library staff can typically assist with:
- Basic setup guidance
- Explaining differences between MFA systems
- Simple troubleshooting (fresh codes, browser cache clearing)
- Directing patrons to correct setup URLs
Explaining MFA to Patrons
Setting Expectations for Help
"I can walk you through the setup process, but if we run into technical issues, I'll connect you with our campus IT team who can provide more specialized support."
Explaining Why This Is Necessary
"CUNY is implementing this additional security measure to protect access to library databases and campus systems. It's similar to banking apps that send codes to your phone."
Addressing "Why Now?" Questions
"Universities nationwide are implementing stronger security measures due to increased cyber threats targeting educational institutions and student data."
Addressing Patron Frustration
"I understand this is an extra step. Once you set it up, though, it only takes a few seconds each time you log in, and it helps protect your academic records and library access."
Reassuring About Technical Difficulty
"I know it seems complicated, but most people find it becomes automatic after using it a few times. Think of it like learning to use a new key card - awkward at first, then second nature."
Clarifying Relationship to Other MFA
"If you already use Microsoft Authenticator for [something else], this adds a separate CUNY account to the same app. You'll see both accounts listed."