DUO Multi-Factor Authentication (MFA)

Traditionally, access to University IT resources requires you to provide username and password. While it is an effective way to protect your data, protection with password only is increasingly easy to be compromised. It can often be stolen, guessed or hacked – you may not even know someone is accessing your account.

Multi-Factor Authentication adds a second layer of security to your accounts. Verifying your identity using a second factor (e.g. your smartphone with an app) to approve authentication requests prevents anyone but you from logging in, even if they know your password.

After inputting your login information, you will be asked to either respond to a push message OR enter a one-time passcode to verify your identity – both can be done via your mobile device.

You are now securely logged in

Getting Started

Register your mobile device starting 4 January 2018 by following the simple instruction given in the User Guide (refer to ‘Policies & Guidelines’ tab).

It will guide you through for a self-enrollment process to get your mobile device registered as the second authentication factor. The process is very simple and should take only 2 minutes. Please feel free to contact our Customer Service Call Centre if you need further assistance.

If you get a new phone or have reinstalled Duo Mobile app, you will need to re-activate Duo Mobile.
To re-activate your account, please refer to the user guide: ‘Re-activate a Mobile Device’

You may try generating a passcode to access your account instead. If you fail to access your account using the generated passcode, please re-activate your mobile device by following the instructions given in the User Guide.

To get Duo Push Notification working, please try the following :

1. If you have registered multiple devices, verify that you have selected the correct one at account verification screen. In addition, if you have set up automatic Duo Push, make sure that you are using the correct device to receive Duo Push.

2. Make sure the Internet connection from your mobile device is stable. For example,
a. Switch the mobile device to airplane mode and back to normal operating mode again
b. Turn off WiFi connection on your device and use cellular data connection

3. Check the time and date on your phone and make sure they are correct.

4. If you still cannot receive Duo Push Notification, please Re-activate your Mobile Device by following the instructions given in the User Guide.

Certainly, and below are a few reminders before you travel abroad:

1. Update your device and make sure everything works

2. Duo Push can function using Wi-Fi connection. That means if you have a pocket WiFi connected, you can receive Duo Push.

3. Duo Mobile app can be used to generate passcodes in remote regions where Duo Push (which requires Internet connection) may not work.

4. Contact ITO Service Call Centre ASAP if you have lost your mobile device.

5. See also ‘Emergency Account Access without a Mobile Device’ section in the User Guide.

Please see Emergency Account Access without a Mobile Device in the User Guide. Please also report to ITO immediately if you have lost your mobile device.

You may rename your mobile devices to more recognizable names. Refer to the relevant section in user guide to get started.

Yes, please refer to ‘Add Additional Mobile Device(s)’ section in user guide for detailed instructions.

Yes. Also, after registering your mobile devices, you are recommended to rename the accounts shown on Duo Mobile app for easier recognition. For example:

To begin, tap ‘Edit’ button on the top left hand corner of the app (iOS) / tap and hold at the name of the account (Android).

No need. Duo NEVER knows your password.

In some cases, after changing SSOid password users may have problem re-activating even they have entered the correct password in Duo Mobile for verification. In this case, please remove account and add it back again.

If you get a Duo Push notification while you are not intending any account access, your password may have been compromised.

• For personal account: decline the request and change your SSOid password immediately.

• For shared account (e.g. departmental account, project account): decline the request, check with colleagues and determine if they have sent out the request by error. Change the account’s password if in doubt.

No. Duo Mobile has no more access to your phone than most other apps. Duo Mobile cannot read your contacts, track your location or see your browser history. It will expressly ask for your permission if access to your camera is needed (just for scanning QR code during activation). Likewise, your permission is needed to send you notifications.

You can simply remove your account from Duo Mobile app and then uninstall the app altogether.

You may borrow a physical "One Time Password Token" from ITO Service Centre at RRS303 with a deposit of HK$200 which will be refunded to you when it is returned to ITO.

Whenever you are trying to log in to any system protected by Duo, after you have already entered your SSOid/password and are then prompted for a second factor:

• Choose "Enter a Passcode"

• Press the button on your One Time Password Token to generate a new passcode

• Type in the passcode as the second factor and you will be able to log in

Almost negligible. Five hundred pushes to your device will use 1 MB of data in total, which is roughly equivalent to loading one webpage on your smartphone.