The following one-time procedure provides instructions on setting up CUNY Login MFA for use with the Microsoft Authenticator mobile app. If you already set up MFA for VPN access, you can continue using your existing One-Time Password (OTP) method. Once MFA is enabled for all apps using CUNY Login, you will just be prompted to enter the OTP code.
Important Note: The following steps assume the user is setting up MFA using both a computer and a mobile device. If you must complete the setup using only a mobile device, refer to page 10 of this guide: CUNY Login MFA User Guide.
Before You Begin
1. On your mobile device, download and install the Microsoft Authenticator App from the AppStore or PlayStore.
Important Note:
- Most CUNY students, faculty, and staff already have Microsoft Authenticator installed on their mobile device to access Microsoft 365 applications. Although the MFA procedures that follow refer to Microsoft Authenticator, the same general steps still apply if you use the Google Authenticator or Oracle Mobile Authenticator app instead.
- Be sure to install the proper authenticator app. Do not install any third-party authenticator app.
- If possible, you should configure and maintain separate CUNY Login MFA authentication factors on different devices, such as your mobile phone and tablet, to ensure continued access in case one is replaced or lost.
2. Open the Microsoft Authenticator App on your mobile device and pause. We will return to this later on in this article.
3. In your browser window, go to the CUNY Login MFA Self Service (https://ssologin.cuny.edu/oaa/rui). If you receive a login error using a regular browser window, try using a private/incognito window instead. Instructions for accessing private/incognito windows are provided at the end.
Important Note: For security purposes, if you visit the CUNY Login MFA Self-Service page more than three times without successfully setting up at least one MFA factor, your account will be locked. If this happens, you will need to contact the Help Desk.
4. At the CUNY Login page, enter your CUNY Login username and password, then click Login.
5. Click OK on the next page.
6. Click Allow on the next page.
7. On the next page, under My Authentication Factors, click on Manage.
8. Click on Add Authentication Factor and then click on Mobile Authenticator - TOTP.
9. Next enter a Friendly Name, for example CUNY_Login_MFA.
Note: Be sure to use a unique name to avoid confusion with other MFA accounts.
10. A QR Code is visible on the same page. Click on Verify Now.
Pause and return to the Microsoft Authenticator App on your mobile device.
11. In the Microsoft Authenticator App, click on the "+" and choose Work or school account.
12. Click on Scan QR Code. Note: If your mobile device prompts for camera access during this step, please click on Allow.
13. Point your mobile device at your computer screen to capture the QR Code. When successful, you will see an entry added to the Microsoft Authenticator App displaying a 6-digit code and the same Friendly Name (CUNY_Login_MFA) you entered earlier. Enter the 6-digit code in the Verification Code field and click Verify and Save.
Note: A new 6-digit code is generated every 30 seconds.
14. You should automatically be brought back to the My Authentication Factors page and will see an Enabled Mobile Authenticator - TOTP entry with the Friendly name.
Congrats, CUNY Login MFA is set up. You can now use it to access CUNYfirst, CUNYbuy, Brightspace, Navigate, Zoom, Campus VPN, Lehman 360, and Lehman Electronic Forms (ePAF, ePRF, iDeclare, etc.).
Important Note: Do not confuse CUNY Login MFA with Microsoft 365 MFA (M365 MFA), which is used exclusively to verify access to Microsoft 365 applications such as Outlook, Teams, and others.
Using Private/Incognito Browser Windows
Please utilize your default web browser's Private Browser Window to complete this process:
Chrome - New Incognito Window:
Firefox - New Private Window:
Edge - New InPrivate Window:
Before You Begin:
- Download and install the Microsoft Authenticator app from the App Store or Play Store on your mobile device.
- Google Authenticator or Oracle Mobile Authenticator are also supported, but not 3rd party apps.
- If possible, configure MFA on multiple devices for backup access.
- Open the Microsoft Authenticator App and pause—steps will continue after the QR code setup.
MFA Setup Steps (using a computer and mobile device):
- On your computer, open a browser and go to: https://ssologin.cuny.edu/oaa/rui
- If you encounter a login error, use a private/incognito window (see instructions at end).
- Log in with your CUNY Login credentials.
- Click OK and then Allow when prompted.
- Under My Authentication Factors, click Manage.
- Click Add Authentication Factor and choose Mobile Authenticator – TOTP.
- Enter a Friendly Name, such as CUNY_Login_MFA.
- A QR Code will appear. Click Verify Now.
In the Microsoft Authenticator App (mobile device):
- Tap + and choose Work or school account.
- Tap Scan QR Code and grant camera access if prompted.
- Scan the QR Code displayed on your computer screen.
- A new entry will appear with a 6-digit code. Enter the code in the Verification Code field on your computer, then click Verify and Save.
Final Steps:
- You’ll return to the My Authentication Factors page and see your new entry marked as Enabled.
Setup Complete — You can now use CUNY Login MFA to access CUNYfirst, CUNYbuy, Brightspace, Navigate, Zoom, Campus VPN, Lehman 360, and Electronic Forms.
Important:
- Do not confuse CUNY Login MFA with Microsoft 365 MFA, which is used only for Microsoft apps like Outlook and Teams.
How to Open a Private/Incognito Window:
- Chrome: Ctrl+Shift+N → New Incognito Window
- Firefox: Ctrl+Shift+P → New Private Window
- Edge: Ctrl+Shift+N → New InPrivate Window
Abbreviated Instructions for Responding to MFA Requests for CUNY Login
When accessing a CUNY application or service that uses CUNY Login MFA:
1. Log In:
- Go to the CUNY Login screen.
- Enter your CUNY Login username and password.
- Click Log In.
2. Select MFA Method:
- A window will prompt you to choose your MFA login method from a list of registered mobile authenticator devices.
- If prompted to share your location with ssologin.cuny.edu, click Allow.
Note: If no MFA window appears, your MFA setup may be incomplete. Clear your browser cache, close the window, and complete the setup.
3. Enter OTP:
- Click the “Enter OTP from device” link next to the device name you registered.
4. Verify Code:
- Open the Microsoft Authenticator app on your mobile device.
- Locate the account you set up for CUNY Login MFA.
- Enter the displayed one-time password (OTP) into the field and click Verify.