Getting Started with One-Time Code MFA

Written by Cirrus Customer Success | Oct 21, 2025 2:41:02 PM

Overview

The Cirrus One-Time Code product is designed for customers who need a lightweight option for step-up MFA. An example use case is a proxy customer who is using the Cirrus Proxy for applicant logins to Slate, financial aid, and housing applications prior to full admission. This product relies on an email assertion from your identity provider(s) to know where to send a validation code. Scenarios where the IdP-asserted email may not be accurate (e.g., old alumni records that may be long out of date) are not good candidates. The Cirrus Bridge does not currently support this product.

Requirements:

  • You are running a Cirrus Proxy.
  • Your identity provider(s) must be able to assert an email address as the attribute with OID urn:oid:0.9.2342.19200300.100.1.3 to use this solution.
  • Email must be an acceptable method of MFA for your campus.

This product is an add-on to augment identity provider behavior. You can require MFA for any SAML identity provider(s) implemented for the Proxy. When a user signs in from an MFA-enabled IdP, Cirrus emails a code to the email address asserted by that IdP and has the user verify it.
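
A pre-go-live check for the attribute requirement above, as an added example rather than Cirrus code: it inspects a decoded SAML assertion captured from a test login and reports whether the email is released under the required OID. The sample assertions are constructed, and treating a multi-valued or empty attribute as a problem is an assumption of this example, not a documented Cirrus rule.

```python
import re
import xml.etree.ElementTree as ET

MAIL_OID = "urn:oid:0.9.2342.19200300.100.1.3"  # attribute name required by this page
NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
# Deliberately loose syntax check; it only catches obviously unusable values.
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")

def check_mail_attribute(assertion_xml: str) -> list[str]:
    """Return a list of problems; an empty list means the email is usable."""
    # Attribute-release check only: no signature or condition validation here.
    root = ET.fromstring(assertion_xml)
    attrs = root.findall(".//saml:AttributeStatement/saml:Attribute", NS)
    by_name = {a.get("Name"): a for a in attrs}
    if MAIL_OID not in by_name:
        problems = [f"no attribute named {MAIL_OID}"]
        # Common misconfiguration: email released under a friendly name only.
        if any(a.get("Name", "").lower() in ("mail", "email") for a in attrs):
            problems.append("email is released under a non-OID name")
        return problems
    values = [(v.text or "").strip()
              for v in by_name[MAIL_OID].findall("saml:AttributeValue", NS)]
    problems = []
    if len(values) != 1:  # assumption: one unambiguous destination address
        problems.append(f"expected exactly 1 value, found {len(values)}")
    problems += [f"not a usable address: {v!r}" for v in values
                 if not EMAIL_RE.match(v)]
    return problems

def _assertion(attr_xml: str) -> str:
    return ('<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">'
            f'<saml:AttributeStatement>{attr_xml}</saml:AttributeStatement>'
            '</saml:Assertion>')

# Constructed sample assertions (not captured from a real IdP).
GOOD = _assertion(f'<saml:Attribute Name="{MAIL_OID}" FriendlyName="mail">'
                  '<saml:AttributeValue>applicant@example.edu</saml:AttributeValue>'
                  '</saml:Attribute>')
FRIENDLY_ONLY = _assertion('<saml:Attribute Name="mail">'
                           '<saml:AttributeValue>applicant@example.edu</saml:AttributeValue>'
                           '</saml:Attribute>')
EMPTY = _assertion(f'<saml:Attribute Name="{MAIL_OID}">'
                   '<saml:AttributeValue/></saml:Attribute>')

if __name__ == "__main__":
    for label, doc in [("good", GOOD), ("friendly-only", FRIENDLY_ONLY), ("empty", EMPTY)]:
        print(label, check_mail_attribute(doc) or "OK")
```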

Base Configuration

Gather Configuration Information

First you will need to collect the following information:

  • List of identity provider(s) that you would like to enable with One-Time Code MFA
  • Custom "from" email address for your institution
  • (optional) Custom help URL if you would like to guide users to help tailored for your institution

Configure the Email Handler

To implement a custom "from" address for your institution, you will need to configure an email handler. Follow the instructions at Configure the Email Handler.

Schedule the Go Live

One-Time Code MFA is live once our team configures it. To schedule the go live, send the configuration information to your Technical Implementation Lead and they will coordinate a go live time with you.

Test

You will need to test with both an email account that is part of your domain and an external email address. Additionally, you will want to test both on campus and off campus to ensure your email server settings are correct.

Step 1 - Log in to an Application Through an MFA-Enabled IdP

First you will navigate to one of your applications through an IdP that is configured to use One-Time Code MFA. You will reach a screen to enter the MFA code.

Step 2 - Retrieve the Code from Email

Check your email and retrieve the MFA code.

Step 3 - Enter the MFA Code

Return to the screen from Step 1 and enter the code to complete sign-in.

Step 4 - Continue on the Application

Verify that your login to the application was successful.

Logs for Troubleshooting

Logs for One-Time Code MFA are available via the LogAPI with a logType of emailMFA. Details can be found at One-Time Code MFA Log Elements.