DUO Two Factor Authentication (2FA)

DUO Two Factor Authentication (2FA)

According to the following IS policies, a 2FA solution, DUO 2FA, is implemented for protecting our accounts:


2FA is an enhance authentication mechanism which requires users to provide any 2 of below factors for identity verification:

  • Something you know: e.g. password
  • Something you have: e.g. token, one-time passcode
  • Something you are: e.g. fingerprint, voice


DUO 2FA is a two-factor authentication solution which requires users to provide the 2nd factor, i.e. Duo Push Response or One-time Passcode, from a designated device (e.g. your mobile device), when they are logging in to those 2FA integrated applications for identity verification before the access is granted.


Available to

Staff & students


Service Charge and Application

Free; Self-Service Enrollment is required (please refer to tab 1: How It Works below.)


Service Availability

Office hours



Please submit to ITSC Service DeskInformation Security > General Enquiry > 2FA


1. How It Works

Traditionally, we need to provide our username and password for identity verification.  With DUO 2FA, an additional piece of information, i.e. a Duo Push Response / One-time Passcode, is needed before you can get access to the applications.

What you need to do (Prerequisities for use Duo 2FA):

  1. Enroll your account and designated mobile device (e.g. your mobile phone, tablet) via the Two-Factor Authentication (2FA) Self-Service User Portal.
  2. Download the ‘Duo Mobile’ and install it to the above enrolled mobile device.

Details steps can be referred to DUO 2FA User Guide.

2nd Factor for Authentication:

Once you had enrolled for using the DUO 2FA, whenever you are logging in to those DUO 2FA integrated applications, you are required to provide the 2nd factor for authentication.

The 2nd factor could be (i) a Duo Push Response, or (ii) an One-time Passcode generated from your ‘Duo Mobile’ app.

(i) Duo Push Response:
(ii) One-time Passcode:

Once the correct 2nd factor is provided to the the application, the access to the application would be granted.


2. Implementation Scope

User Group

All staff and student users are eligible to use the DUO 2FA:


Applications to be integrated with DUO 2FA: Tentative Schedule
 –  Windows clients/servers login (for staff only) Mar 2018
 –  CUHK VPN Mar 2018
 –  O365 services Mar 2018
 –  SSL VPN Nov 2019
 –  4 major applications including CUSIS, CUPIS, UG and PG Admission Systems Feb 2020 – May 2020
 –  Some AD Federation Service (ADFS) applications coming soon


3. Implementation Timeline

 Tentative Schedule  Phase
Feb 2018  ITSC Pilot Run
 Mar 2018  Pilot Users
 Q2 2018  Implementation for CUHK Staff

4. Duo 2FA Self-Service User Portal

You can perform the following tasks via the Duo 2FA Self-Service User Portal:

  1. Self-Service User Enrollment & Device Registration:  Enroll your O365 account and designated mobile device in DUO.
  2. Device Management:  Enroll additional mobile device(s) for getting DUO 2nd factor or manage the enrolled mobile devices.
  3. Bypass Code Generation:  For emergency & temporary use in case you encounter any problems with your mobile, e.g. forgot to bring, malfunction, lost or stolen, etc. and you cannot generate the 2nd factor from the Duo mobile app on your mobile device.


5. Hardware Token for Duo 2FA

ITSC also keeps some stock of hardware tokens for Duo 2FA for departments’ purchase if they find it necessary. Departments who are interested to purchase the hardware token may find the information below for placing order:


Price of each hardware token for Duo 2FA: HK$100

Steps to place order:

  1. Department fills in the Hardware Token for Duo 2FA – Order Form.
  2. Return the signed order form to ITSC (address can be found in the form).
  3. We will inform you by email (according to the email address provided in the order form) for collecting the hardware tokens.


6. User Manuals

For General Usage:

General Usage Prerequisites / Supported Clients Technical Deployment Guide User Manual
Self-Service User Enrollment & Device Registration via Duo 2FA Self-Service User Portal
  • iOS 10 or above
  • Android 6 or above
Self-Generate & Use of Bypass Code via Duo 2FA Self-Service User Portal

(for temporary & emergency use, in case you have problems with your mobile, e.g. forgot to bring, malfunction, lost or stolen, etc. and you cannot provide the 2nd factor)

  • Have your CU Link Card ready

For Applications:

Applications Prerequisites / Supported Clients Technical Deployment Guide User Manual
Windows clients login
  • .NET Framework 4.5 or later
  • Win 8, 10
download download
CUHK VPN download
O365 services  Clients which support modern authentication including:

  • Windows OS: Office 2016, Office 2013 with modern authentication registry key updated
  • Mac OS: native mail app in MacOS 10.14 or above, Outlook 2016 for Mac
  • iOS: iOS 11 or above + native mail client (bundled in iOS),
    iOS 10 or above + Outlook app (to be downloaded from App Store)
  • Android OS: Android 6 or above + Outlook app for Android
Outlook app for Android download
ADFS applications  coming soon 
Windows servers
  • .NET Framework 4.5 or later
  • Win Server 2008 SP2, 2008 R2 SP1, 2012, 2012 R2, 2016
  • Require up-to-date security patch of Duo Mobile App
  • Require mobile device with screen lock
Unix/Linux servers
  • CentOS 5 or above
  • Ubuntu 12.04 or above
  • Linux 5 or above


7. Briefing Sessions and Notes
8. FAQ

(A) General Issues:

Q1: I have a mobile phone and a tablet, can I enroll both of them to use Duo 2FA?

A1: Yes, you can.


Q2: I received an unexpected Duo Push notification from my Duo Mobile App, what should I do?

A2: The Duo Push notification is a login request from your account, if it is not initiated by you or is unexpected, please tap ‘Deny’ to reject the request.


Q3: Can I use Duo Mobile on Windows Phone?

A3: Duo Mobile works with Apple iOS, Google Android, Palm, Windows Phone 7, Windows Mobile 8.1 and 10, and J2ME/Symbian. (Ref.: https://duo.com/product/trusted-users/two-factor-authentication/duo-mobile)
You may find the latest version of Duo Mobile in the Microsoft Store. Supported Platforms: This version of Duo Mobile supports Windows Phone 8 and greater. Windows Phone 7 users should refer to legacy app documentation. (Ref.: https://guide.duo.com/windows-phone).


Q4: I try to login my PC with Duo Authentication, but it prompts “Invalid Certificate” on my mobile and cannot send a push to my mobile.

A4: Please turn off the wifi on your mobile and automatically switch to use your data service provider for network connection.  Then try to login again on your PC, a DUO Push should be sent again to your mobile for approval.  The error “Invalid Certificate” is most likely triggered by your Wi-Fi which certification is not trusted by DUO.


Q5: I found the following warning message when I login to Duo Portal, may I know what software it will check? If I skip to update the software, will it block us to login?

A5: Only the browser version will be checked and notify user if their browser is out-of-date. You may skip it first to continue and arrange for update according to your usual practice.


Q6: What should I do if I changed my mobile device?

A6: You need to login the Duo 2FA Self-Service User Portal to register your new mobile and manage (delete) your old mobile.


Q7: How can I generate bypass code for my account?

A7: You can generate bypass code for your account via the Duo 2FA Self-Service User Portal.  Please follow the steps below:

  1. Login to Duo 2FA Self-Service User Portal using your account credentials.
  2. provide your CU Link Card information as the 2nd factor.
  3. If the account owner could be associated, a bypass code would be generated.
  4. After the bypass code is generated, a notification email will be sent out to notify the account owner.


Q8: I would like to know how can I generate bypass code for my Tier account?

A8: You can generate bypass code for your Tier account via the Duo 2FA Self-Service User Portal by login with your tier account’s credentials.


Q9: What can I do if my enrolled mobile device is malfunction?

A9: You need to generate a bypass code with your CU Link Card via Duo 2FA Self-Service User Portal, then use the bypass code to login the Duo 2FA Self-Service User Portal again, register your new mobile and manage (delete) your old mobile.


Q10: If I forgot to bring my enrolled mobile device, can I skip the 2FA?

A10: You need to generate a bypass code with your CU Link Card via Duo 2FA Self-Service User Portal, then use the bypass code to login the systems.


Q11: How can I get the bypass code if I don’t have any computer nearby?

A11: You can visit Duo 2FA Self-Service User Portal with your mobile device to generate the bypass code.


Q12: Will the Duo Push / SMS use my mobile data?

A12: We only enabled Duo Push and it requires Internet connection, so it will use your mobile data if you are receiving Duo Push while you are connecting with your Internet Service Provider.


Q13: When I tried to login O365, I did not receive any message from the Duo mobile app asking me to approve or deny the login.

A13: Sometimes the Duo push did not prompt in time, you may try to open the Duo Mobile app, ‘pull down’ the screen to force a refresh with server. This should trigger to prompt immediately.


Q14: After I login the system/application with Duo 2FA, do I need to login with 2FA again if I access the system/application later?

A14: It depends on the system/application settings. Usually, the applications have time-out settings which will request users to re-login again.


Q15: Can I share the hardware token with my colleagues in my department?

A15: No, each hardware token can only be associated to 1 person.


Q16: Any information will be collected by Duo mobile app if it is installed on the mobile device?

A16: According to Duo’s Service Privacy Notice (https://duo.com/legal/privacy-notice-services), the information they will collect includes:

  • Device information, such as: device attributes (for example: hardware model; operating system; web browser version; as well as unique device identifiers and characteristics, including if your device is “jailbroken,” if you have a screen lock in place and if your device has full disk encryption enabled), connection information (for example, name of your mobile operator or Internet Service Provider, browser type, language and time zone, and mobile phone number); device locations (for example, internet protocol  (IP) addresses and Wi-Fi); and for some Services, whether a Public Key Infrastructure Certificate is installed on your device.
  • Log data, this includes information that your browser sends whenever you visit a website, included one of ours, or that your Duo mobile app sends whenever you are using it. This log data may include how you access the Services (including the device-specific information discussed above and type of integration – in other words, the application – being protected), the dates and times you access the Services, where you access the Services from (by IP address) and device event information such as crashes, system activity, and hardware settings.


(B) 2FA on VPN:

Q1: I would on leave soon and I would use another SIM card, may I know how i can access VPN with Duo 2FA?

A1: Provided that you are using the same mobile for Duo 2FA currently, no matter you changed a new SIM card or even unable connected to the Internet, you can still establish connection to CUHK VPN as usual with Duo 2FA given.

 Password Format Behavior after inputted password and clicked OK Condition applied
<Onepass> “DUO Push” will be triggered Same mobile as current and able to connect to the Internet
<Onepass>,<passcode> Authentication will be proceeded Unable to be connected to the Internet


Q2: What is the ‘comma’ in VPN password field used for?

A2: The ‘comma’ shows in answer of last question, i.e. Part (B) A1, is used to separate your VPN password and 2FA passcode.


(C) 2FA on O365:

Q1: Can I use my Android or iOS native mail client to access my O365 mailbox with Duo 2FA?

A1: Duo only work with mail clients which supports modern authentication.  For iOS, both native mail client on iOS 11 or above and Outlook app on iOS 10 or above are supported.  For Android, native mail client is NOT supported, you can only use the Outlook app for Android to access your mailbox with Duo 2FA, the User Manual for Setting up Outlook App for Android is available.  For more details about the supported clients, it can be found in Duo knowledge base website.


Q2: My native mail client which bundled in my iOS does not prompt for Duo 2FA, what can I do?

A2: For iOS, Duo only support native mail client in iOS 11 or above, so please check and upgrade your iOS if you are using the lower version.  Afterwards, you also need to recreate your email account in order to update the authentication settings in your iOS from basic to modern authentication since Duo can only work with application which support modern authenticatoin.  Details can be found in Duo knowledge base website.


Q3: My Office 2016 Outlook application does not prompt for Duo 2FA login, when will it ask me to login with Duo 2FA?

A3: You need to clear the Windows Credential Manager in order to trigger Duo 2FA login, please follow the steps below:

  1. Quit all Office applications.
  2. Click Start > Control Panel > User Accounts > Credential Manager > Windows Credential.
    • Select each item whose type is MicrosoftOffice16_Data:ADAL:<GUID>, and then press Delete. Repeat this step to delete all items for your account.
  3. Close the Credential Manager window and restart the MS Outlook, it will redirect to CUHK Login page and request for DUO 2FA login.


Q4: My Office 2013 Outlook application does not prompt for Duo 2FA login, when will it ask me to login with Duo 2FA?

A4: Please make sure that you have updated the following Registry Key to enable the modern authentication for your Office 2013:

HKCU\SOFTWARE\Microsoft\Office\15.0\Common\Identity\EnableADAL REG_DWORD 1
HKCU\SOFTWARE\Microsoft\Office\15.0\Common\Identity\Version REG_DWORD 1

Then, clear the Windows Credential Manager in order to trigger Duo 2FA login, steps can be referred to the answer of about question, Part (C) A3.


Q5: My Outlook 2016 for Mac app on my Mac OS does not prompt for Duo 2FA login, when will it ask for my login again?

A5: You need to clear the Keychain Access in order to trigger Duo 2FA login, please follow the steps below:

  1. Quit Outlook and all other Office applications.
  2. Start Keychain Access by using one of the following methods:
    • Select the Finder application, click Utilities on the Go menu, and then double-click Keychain Access.
    • In Spotlight Search, type Keychain Access, and then double-click Keychain Access in the search results.
  3. In the search field in Keychain Access, enter Exchange.
    • In the search results, select each item to view the Account that’s listed at the top, and then press Delete. Repeat this step to delete all items for your Exchange account.
  4. In the search field, enter adal.
    • Select all items whose type is MicrosoftOffice15_2_Data:ADAL:<GUID>, and then press Delete.
  5. In the search field, enter office.
    • Select the items that are named Microsoft Office Identities Cache 2 and Microsoft Office Identities Settings 2, and then press Delete.
  6. Quit Keychain Access and restart the Outlook 2016 for Mac, it will redirect to CUHK Login page and request for DUO 2FA login.


Q6: Can Gmail support Modern Authentication?

A6: No, Duo 2FA only works with email clients which support modern authentication. As Gmail doesn’t support it, please use the supported clients that listed at https://www.itsc.cuhk.edu.hk/all-it/information-security/two-factor-authentication-2fa/#tab_6 (O365 Services)


(D) 2FA on Desktops / Servers:

Q1: During the Duo installation, is it a mandatory / optional to enable the “Bypass Duo authentication when offline (FailOpen)” if it is installed on servers?

A1: By default, Duo Authentication for Windows Logon will “fail open” and permit the Windows logon to continue if it is unable to contact the Duo service. You can set the fail mode during installation to “fail closed” by deselecting the “Bypass Duo authentication when offline” box during installation. This will deny all login attempts if there is a problem contacting the Duo service.

On server systems, you should consider whether security concerns overrides the need for access. For example, in case under man-in-the-middle / DNS spoofing intercepting traffic to *.duosecurity.com, should the server fall back to single factor authentication?

On the other hand, in case of troubleshooting and you have physical access to the system, the “fail closed” setting can be changed in Safe Mode via registry key HKLM\SOFTWARE\Duo Security\DuoCredProv\FailOpen (Set to 1 to allow “fail open” or 0 to restrict to “fail closed”. Default: Fail open.).

Therefore it depends on factors such as security concerns, service design, requirements on availability, accessibility, etc. it is recommended but not mandatory to use set the fail mode to “fail close” on server systems.


Q2: I installed other 2FA solution on my computer before, can I install Duo 2FA additionally?

A2: Please uninstall other 2FA solution on your system before you install the Duo 2FA solution.


Q3: If my notebook installed Duo 2FA, how can I login it when it is not yet connected to Wifi network?

A3: For desktop PC / notebook, if the setting “Bypass Duo authentication when offline (FailOpen)” is selected during the Duo 2FA installation, you can still login the system without 2FA when the system is offline.


Q4: I installed DUO application on my notebook, but after reboot, I cannot login my original Windows account.

A4: Please make sure to match the Windows login username as below:

  • For domain-joint systems: use UPN as username
  • For non domain-joint systems: use either University ID, sAMAccountName, or Computing ID as username