What is two-factor authentication? Why do I need it?


Traditionally, access to University IT resources requires you to provide username and password. While it is an effective way to protect your data, protection with password only is increasingly easy to be compromised. It can often be stolen, guessed or hacked – you may not even know someone is accessing your account.


Two-factor authentication adds a second layer of security to your accounts. Verifying your identity using a second factor (e.g. your smartphone with an app) to approve authentication requests prevents anyone but you from logging in, even if they know your password.



Register your first mobile device
Login to Gmail with Duo 2FA enabled
Emergency Account Access without a Mobile Device


If you get a new phone* or have reinstalled Duo Mobile app, you will need to re-activate Duo Mobile. Otherwise you may not be able to receive Duo Push notifications. Specifically, you may see ‘GET WORKING’ text showing next to your account in Duo Mobile app.

To reactivate your account, please go to Device Management Portal and refer to the ‘Re-activate a Mobile Device’ section in the User Guide.

* Tips: keep the Duo Mobile app on your existing device until you complete the re-activation. Otherwise, you need to get a Bypass Code first from Bypass Code Portal in order to re-activate Duo Mobile.

You may try generating a passcode to access your account instead. If you fail to access your account using the generated passcode, please re-activate your mobile device by following the instructions given in the User Guide.

To get Duo Push Notification working, please try the following :

1. If you have registered multiple devices, verify that you have selected the correct one at account verification screen. In addition, if you have set up automatic Duo Push, make sure that you are using the correct device to receive Duo Push.

2. Make sure the Internet connection from your mobile device is stable. For example,
a. Switch the mobile device to airplane mode and back to normal operating mode again
b. Turn off WiFi connection on your device and use cellular data connection

3. Check the time and date on your phone and make sure they are correct.

4. If you still cannot receive Duo Push Notification, please Re-activate your Mobile Device by following the instructions given in the User Guide.

Certainly, and below are a few reminders before you travel abroad:

1. Update your device and make sure everything works

2. Duo Push can function using Wi-Fi connection. That means if you have a pocket WiFi connected, you can receive Duo Push.

3. Duo Mobile app can be used to generate passcodes in remote regions where Duo Push (which requires Internet connection) may not work.

4. Contact ITO Service Call Centre ASAP if you have lost your mobile device.

5. See also ‘Emergency Account Access without a Mobile Device’ section in the User Guide.


Please see Emergency Account Access without a Mobile Device in the User Guide. Please also report to ITO immediately if you have lost your mobile device.

You may rename your mobile devices to more recognizable names. Refer to the relevant section in user guide to get started.

Yes, please refer to ‘Add Additional Mobile Device(s)’ section in user guide for detailed instructions.

Yes. Also, after registering your mobile devices, you are recommended to rename the accounts shown on Duo Mobile app for easier recognition. For example:

To begin, tap ‘Edit’ button on the top left hand corner of the app (iOS) / tap and hold at the name of the account (Android).

No need. Duo NEVER knows your password.

In some cases, after changing SSOid password users may have problem re-activating G Suite apps (such as Gmail and Google Drive) even they have entered the correct password in Duo Mobile for verification. In this case, please remove G Suite account from the G Suite apps and add it back again.

If you get a Duo Push notification while you are not intending any account access, your password may have been compromised.


• For personal account: decline the request and change your SSOid password immediately.

• For shared account (e.g. departmental account, project account): decline the request, check with colleagues and determine if they have sent out the request by error. Change the account’s password if in doubt.

No. Duo Mobile has no more access to your phone than most other apps. Duo Mobile cannot read your contacts, track your location or see your browser history. It will expressly ask for your permission if access to your camera is needed (just for scanning QR code during activation). Likewise, your permission is needed to send you notifications.

You can simply remove your account from Duo Mobile app and then uninstall the app altogether.

You may borrow a physical "One Time Password Token" from ITO Service Centre at RRS303 with a deposit of HK$200 which will be refunded to you when it is returned to ITO.


Whenever you are trying to log in to any system protected by Duo, after you have already entered your SSOid/password and are then prompted for a second factor:

• Choose "Enter a Passcode"

• Press the button on your One Time Password Token to generate a new passcode

• Type in the passcode as the second factor and you will be able to log in

Almost negligible. Five hundred pushes to your device will use 1 MB of data in total, which is roughly equivalent to loading one webpage on your smartphone.

Once Duo is launched:

1. Gmail will no longer ask you for a verification code, and you will not be able to change the ‘2-Step Verification’ setting at the Google ‘My Account’ page.

2. You should register your device in Duo so that you will be protected by Duo’s two-factor authentication.

3. Verification code generated by Google Authenticator app will not work for Duo identity verification. Similarly, backup codes generated from Google will not work either.

4. App password created previously for third party applications (such as Outlook) will keep working. It is not necessary to update / regenerate app password for them.