CUNY implements multi-factor authentication to lower the possibility of cyberattacks. | Photo: Pixabay via Pexels

CUNY Implements Multi-Factor Authentication (MFA) to Protect Student Accounts


In July 2025, the City University of New York (CUNY) began using multi-factor authentication (MFA) across all of its digital platforms, including sites like CUNYfirst, Brightspace, DegreeWorks and Microsoft Office 365 email.

This means that in addition to a password, logging in now requires a second factor, such as a temporary code on one’s phone or a confirmation call. This measure seeks to protect personal and academic information from the rising threat of cyberattacks.

Here’s how it works: When logging into an account on a new device or browser, the user enters their username and password as usual. The user is then prompted for a second factor, such as a code generated by the Microsoft Authenticator app. This code changes every 30 seconds, so even if someone knows a previous code, they cannot use it to access the account. As a result, the user’s information should remain protected even if the password has been stolen or guessed.

According to Queens College’s ITS, “Multi-factor authentication adds a second layer of protection that requires our email users to prove their identity before they are granted access to their email account.” Using MFA ensures that account security doesn’t just rely on passwords, which can be guessed or stolen. 

MFA adds a layer that ensures only the account owner can log in. In practice, this means that even if someone has the password to an account, they cannot access that account without the second factor, making personal information much safer.

Microsoft’s support site explains the importance of MFA, stating that “compromised passwords are one of the most common ways that bad guys can get at your data, your identity, or your money. Using multi-factor authentication, sometimes known as two-step verification, is one of the easiest ways to make it a lot harder for them.”

Passwords alone aren’t enough, as hackers can use phishing, social engineering or stolen password databases to access accounts. MFA requires anyone trying to hack or steal an account to have something additional, such as the account holder’s phone, making unauthorized access significantly more difficult.

The CUNY Office of Technology Services’s Training and Documentation Resources tab shows that students, faculty and staff can decide how to receive the second factor. Options include a code through the Microsoft Authenticator app, a text message or a phone call. The system is flexible and can be adapted to each individual’s needs. This flexibility encourages more people to use multi-factor authentication, as they can choose the option that is easiest for them, whether it’s a code on their phone or a quick call.

Multi-factor authentication also helps reduce other risks, such as phishing attacks, internal spam, and unauthorized access to institutional emails. The cybersecurity page on Queens College’s website states that “Implementing multi-factor authentication will help the ITS department reduce the number of internal spam attacks on QC email accounts.” These additional benefits demonstrate that multi-factor authentication not only protects individual users but also protects the security of the entire CUNY community, making institutional email more reliable and less vulnerable to attacks.

Although it may seem like an extra step to some, MFA aims to keep personal accounts much safer and give students peace of mind knowing that academic and personal information is now better protected against cyberattacks.

By raising awareness of MFA’s purpose and its importance, students can see this tool’s potential benefits for not only individual users but the entire university, making it a critical component of CUNY’s digital security.
