DUO 雙重驗證 (2FA)

DUO 雙重驗證 (2FA)

根據以下政策,DUO雙重驗證(2FA)正實施以保護教職員及學生的帳戶 :

2FA是一種加強的身份驗證的機制,要求用戶提供以下其中兩項資料進行身份驗證:

  • 你知道的一些信息:例如密碼
  • 你擁有的東西:例如保安編碼器或一次性密碼
  • 只有你個人的:例如指紋,聲音

 

DUO 2FA是一種雙重身份驗證解決方案,要求用戶在連接帳戶之前進行身份驗證。2FA需要從指定設備(例如你的移動設備)提供雙重驗證,即Duo Push Response一次性密碼

DUO 2FA簡介影片

 

DUO 2FA適用於

教職員及學生

服務收費及申請

免費; 需要自行登記服務 (請參閱以下項目一 : 如何運作)

服務時間

24 X 7

支援

請於ITSC網上服務台, Get Help > Information Security > General Enquiry > 2FA 遞交問題

1. 如何運作

在一般情況下,我們登入帳戶時,只需要提供用戶名稱及密碼來確認身份。當使用DUO 2FA時,我們需要另外提供DUO Push Response 或一次性密碼來連接帳戶。

使用Duo 2FA的事前準備:

  1. 透過 Two-Factor Authentication (2FA) Self-Service User Portal. 登記你的帳戶及指定設備(例如你的移動設備)。
  2. 於已登記的指定設備下載及安裝 “Duo Mobile” 應用程式。

詳情請參閱 DUO 2FA用戶指南

雙重驗證 :

成功登記使用DUO 2FA後,在登入任何有關需要DUO 2FA的系統時,均需要提供雙重身份驗證進行系統登入。

雙重認證可以是(i) Duo Push Response或(ii)由 “Duo Mobile” 應用程式產生的一次性密碼

(i) Duo Push Response:
(ii) One-time Passcode:

當雙重驗證成功完成後,用戶即可登入系統。

 

2. 實施範圍

 

用戶群組

所有中大教職員及學生必須使用DUO 2FA:

 

應用

DUO 2FA用戶應用 實施日期 教職員 學生
CUHK VPN 2018年8月
O365 服務 2018年8月
SSL-VPN 2020年1月
MyCUHK 2020年3月11日
(網上登入)
不適用
CUSIS* 2020年3月11日
(網上登入)

(更新住址)
The  Staff Superannuation Scheme (1995) Enquiry System 2020年3月27日
(ORSO計劃)
不適用
PG Admission System*
(GS Platform (Division))
2020年6月16日 不適用
CUPIS* 2020年6月22日
(網上登入)
不適用
2020年7月8日
(Relevant updating functions under Employee Self-Service)
不適用
UG Admission System* 2020年6月23日 不適用

注意*: 四個主要管理系統(CUPIS, CUSIS, UG及PG Admission Systems) 必須使用2FA。

 

3. 實施時間表

 時間表  進度
2021年2月2日 所有教職員及項目帳戶強制使用
2020年11月3日 所有學生帳戶強制使用
2020年3月至2020年6月 四個主要行政系統之管理人員
2018年2月 ITSC測試運作
2018年3月 測試用戶
2018年第2季 服務推出

4. Duo 2FA Self-Service User Portal

你可以透過 Duo 2FA Self-Service User Portal 進行以下設定

  1. 自助服務用戶登記及設備註冊: 於DUO登記你的O365帳戶及指定移動設備。
  2. 設備管理: 登記額外移動設備或管理已登記移動設備
  3. 獲取 Bypass Code: 當你在緊急情況下使用,例如忘記攜帶移動設備、不正常運作、遺失或被盜等使你無法正常透過Duo應用程式產生雙重驗證。

 

5. Duo 2FA保安編碼器

若部門或個別用戶(學生或職員)有需要購買保安編碼器,ITSC已保留一定的存貨可供購買。有興趣請參閱以下資訊:

 

每個Duo 2FA保安編碼器定價: HK$100

 

訂購程序:

部門訂購:

  1. 部門先填寫Duo 2FA保安編碼器訂購表格 (部門)
  2. 交回已填寫訂購表格去資訊科技服務處(地址列明於表格內)
  3. 稍後你會收到電郵通知(透過表格上填寫的電郵)安排收取Duo 2FA保安編碼器。最長需要五個工作天
  4. 付款方法: 部門轉寄

 

個人用戶訂購:

  1. 用戶先填寫Duo 2FA保安編碼器訂購表格 (用戶)
  2. 稍後你會收到電郵通知(透過表格上填寫的電郵)安排收取Duo 2FA保安編碼器。最長需要五個工作天。
  3. 付款方法: 只限現金

 

 

6. 用戶指南

基本用途:

基本用途 支援 技術指引 用戶指南
透過 Duo 2FA Self-Service User Portal進行自助服務登記及設備註冊
  • iOS 12 或以上
  • Android 8 或以上

*更新:
由2020年12月1日起,iOS 11及Android 7將會不受支援。

Duo Push及Duo 移動設備產生的密碼於iOS 11及Android 7依然生效,用戶可以繼續使用認證。


透過Duo 2FA Self-Service User Portal獲取及使用Bypass Code

(只限於短暫及緊急使用,例如你忘記攜帶移動設備、不能正常運作、遺失或被盜等使你無法提供雙重認證)

  • 準備你的CU Link Card

應用:

應用 支援 技術指引 用戶指南
Windows clients login
  • .NET Framework 4.5 或以上
  • Win 8, 10
MyCUHK
CUHK VPN

Windows
()

Mac OS
()

O365 services 支援新式驗證包括:

  • Windows OS: Office 2016, Office 2013 新式驗證registry key updated
  • Mac OS: 預設電郵應用程式 (MacOS 10.14 或以上), Mac用Outlook 2016
  • iOS: iOS 12或以上 + 預設電郵應用程式 (iOS版本),
    iOS 12或以上 + Outlook (需要從App Store下載)
  • Android OS: Android 7 或以上 + Android 用Outlook
Android用Outlook
()

ADFS applications  即將推出
Windows servers
  • .NET Framework 4.5 或以上
  • Win Server 2008 SP2, 2008 R2 SP1, 2012, 2012 R2, 2016
  • 需要最新安全of Duo Mobile App
  • 需要擁有螢幕鎖定的移動設備
Unix/Linux servers
  • CentOS 5 或以上
  • Ubuntu 12.04 或以上
  • Linux 5 或以上

 

7. 簡介會及摘錄
8. 常見問題

(A) General Issues:

Q1: I have a mobile phone and a tablet, can I enroll both of them to use Duo 2FA?

A1: Yes, you can.

 

Q2: I received an unexpected Duo Push notification from my Duo Mobile App, what should I do?

A2: The Duo Push notification is a login request from your account, if it is not initiated by you or is unexpected, please tap ‘Deny’ to reject the request.

 

Q3: Can I use Duo Mobile on Windows Phone?

A3: As the application support for Duo Mobile on Windows Phone ended on 1 Jan 2019, and the app was removed from the Windows Store on 10 Mar 2020, you will not be able to download the app from this date.  For users who installed and activated the Duo mobile app before 10 Mar 2020, they will not be affected. Details can be found in Duo knowledge base website.<!–   Duo Mobile works with Apple iOS & Google Android devices, Palm, Windows Phone 7, Windows Mobile 8.1 and 10, and J2ME/Symbian. (Ref.: https://duo.com/product/trusted-users/two-factor-authentication/duo-mobile)
You may find the latest version of Duo Mobile in the Microsoft Store. Supported Platforms: This version of Duo Mobile supports Windows Phone 8 and greater. Windows Phone 7 users should refer to legacy app documentation. (Ref.: https://guide.duo.com/windows-phone). –>

 

Q4: I try to login my PC with Duo Authentication, but it prompts “Invalid Certificate” on my mobile and cannot send a push to my mobile.

A4: Please turn off the wifi on your mobile and automatically switch to use your data service provider for network connection.  Then try to login again on your PC, a DUO Push should be sent again to your mobile for approval.  The error “Invalid Certificate” is most likely triggered by your Wi-Fi which certification is not trusted by DUO.

 

Q5: I found the following warning message when I login to Duo Portal, may I know what software it will check? If I skip to update the software, will it block us to login?

A5: Only the browser version will be checked and notify user if their browser is out-of-date. You may skip it first to continue and arrange for update according to your usual practice.

 

Q6: What should I do if I changed my mobile device?

A6: You need to login the Duo 2FA Self-Service User Portal to register your new mobile and manage (delete) your old mobile.

 

Q7: What can I do if my enrolled mobile device is malfunction?

A7: You need to generate a bypass code with your CU Link Card via Duo 2FA Self-Service User Portal, then use the bypass code to login the Duo 2FA Self-Service User Portal again, register your new mobile and manage (delete) your old mobile.

 

Q8: If I forgot to bring my enrolled mobile device, can I skip the 2FA?

A8: You need to generate a bypass code with your CU Link Card via Duo 2FA Self-Service User Portal, then use the bypass code to login the systems.

 

Q9: Will the Duo Push / SMS use my mobile data?

A9: We only enabled Duo Push and it requires Internet connection, so it will use your mobile data if you are receiving Duo Push while you are connecting with your Internet Service Provider.

 

Q10: When I tried to login O365, I did not receive any message from the Duo mobile app asking me to approve or deny the login.

A10: Sometimes the Duo push did not prompt in time, you may try to open the Duo Mobile app, ‘pull down’ the screen to force a refresh with server. This should trigger to prompt immediately.  Details can be found in Duo knowledge base website.

 

Q11: After I login the system/application with Duo 2FA, do I need to login with 2FA again if I access the system/application later?

A11: It depends on the system/application settings. Usually, the applications have time-out settings which will request users to re-login again.

 

Q12: Any information will be collected by Duo mobile app if it is installed on the mobile device?

A12: According to Duo’s Service Privacy Notice (https://duo.com/legal/privacy-notice-services), the information they will collect includes:

  • Device information, such as: device attributes (for example: hardware model; operating system; web browser version; as well as unique device identifiers and characteristics, including if your device is “jailbroken,” if you have a screen lock in place and if your device has full disk encryption enabled), connection information (for example, name of your mobile operator or Internet Service Provider, browser type, language and time zone, and mobile phone number); device locations (for example, internet protocol  (IP) addresses and Wi-Fi); and for some Services, whether a Public Key Infrastructure Certificate is installed on your device.
  • Log data, this includes information that your browser sends whenever you visit a website, included one of ours, or that your Duo mobile app sends whenever you are using it. This log data may include how you access the Services (including the device-specific information discussed above and type of integration – in other words, the application – being protected), the dates and times you access the Services, where you access the Services from (by IP address) and device event information such as crashes, system activity, and hardware settings.

 

Q13: How can I generate bypass code for my account?

A13: You can generate bypass code for your account via the Duo 2FA Self-Service User Portal.  Please follow the steps below:

  1. Login to Duo 2FA Self-Service User Portal using your account credentials.
  2. provide your CU Link Card information as the 2nd factor.
  3. If the account owner could be associated, a bypass code would be generated.
  4. After the bypass code is generated, a notification email will be sent out to notify the account owner.

 

Q14: I would like to know how can I generate bypass code for my Tier account?

A14: You can generate bypass code for your Tier account via the Duo 2FA Self-Service User Portal by login with your tier account’s credentials.

 

Q15: How can I get the bypass code if I don’t have any computer nearby?

A15: You can visit Duo 2FA Self-Service User Portal with your mobile device to generate the bypass code.

 

Q16: Do I need to generate a bypass code for each login?

A16: The validity of a bypass code is 20 times within 12 hours.  If the bypass code is expired, or you forgot the bypass code, you can generate another new bypass code via the Duo 2FA Self-Service User Portal.

 

Q17: How can I remove Duo 2FA from my account?

A17: Users cannot remove the Duo 2FA from their account by themselves.  If you attempt to delete the account in the Duo Mobile app on your mobile device, this will only remove the account from your Duo Mobile app but you will still be promoted for 2FA when you login those 2FA-integrated applications.

 

Q18: My android smartphone was bought in mainland China and there was no Google Playstore in it, how can I install the Duo mobile app?

A18: For those Android smartphones which cannot connect to the Google Play Store, user can download the Duo Mobile APK directly from official Duo website (update information can be reference from Duo knowledge base website).  *Please do not download and install untrusted APK files into your mobile since they may be altered by hackers for malicious purposes.

Then follow the steps in User Manual > under Section 2.1 (vii) for installation.

Please also note that, since Google Play Services is required in order to receive the Duo Push notification on Android devices, for Android devices without Google Play Services installed, you have to open the Duo Mobile app and “fetch” by swiping down in the mobile app (More details can be reference from above Duo knowledge base website and here).

 

(B) 2FA on VPN:

Q1: I would on leave soon and I would use another SIM card, may I know how i can access VPN with Duo 2FA?

A1: Provided that you are using the same mobile for Duo 2FA currently, no matter you changed a new SIM card or even unable connected to the Internet, you can still establish connection to CUHK VPN as usual with Duo 2FA given.

 Password Format Behavior after inputted password and clicked OK Condition applied
<Onepass> “DUO Push” will be triggered Same mobile as current and able to connect to the Internet
<Onepass>,<passcode> Authentication will be proceeded Unable to be connected to the Internet

 

Q2: What is the ‘comma’ in VPN password field used for?

A2: The ‘comma’ shows in answer of last question, i.e. Part (B) A1, is used to separate your VPN password and 2FA passcode.

 

(C) 2FA on O365:

Q1: Can I use my Android or iOS native mail client to access my O365 mailbox with Duo 2FA?

A1: Duo only work with mail clients which supports modern authentication.  For iOS, both native mail client on iOS 12 or above and Outlook app on iOS 12 or above are supported.  For Android, native mail client is NOT supported, you can only use the Outlook app for Android to access your mailbox with Duo 2FA, the User Manual for Setting up Outlook App for Android is available.  For more details about the supported clients, it can be found in Duo knowledge base website.

 

Q2: My native mail client which bundled in my iOS does not prompt for Duo 2FA, what can I do?

A2: For iOS, Duo only supports native mail client in iOS 12 or above, so please check and upgrade your iOS if you are using the lower version.  Afterwards, you also need to recreate your email account in order to update the authentication settings in your iOS from basic to modern authentication since Duo can only work with application which support modern authenticatoin.  Details can be found in Duo knowledge base website.

 

Q3: My Office 2016 Outlook application does not prompt for Duo 2FA login, when will it ask me to login with Duo 2FA?

A3: You need to clear the Windows Credential Manager in order to trigger Duo 2FA login, please follow the steps below:

  1. Quit all Office applications.
  2. Click Start > Control Panel > User Accounts > Credential Manager > Windows Credential.
    • Select each item whose type is MicrosoftOffice16_Data:ADAL:<GUID>, and then press Delete. Repeat this step to delete all items for your account.
  3. Close the Credential Manager window and restart the MS Outlook, it will redirect to CUHK Login page and request for DUO 2FA login.

 

Q4: My Office 2013 Outlook application does not prompt for Duo 2FA login, when will it ask me to login with Duo 2FA?

A4: Please make sure that you have updated the following Registry Key to enable the modern authentication for your Office 2013:

REGISTRY KEY TYPE VALUE
HKCU\SOFTWARE\Microsoft\Office\15.0\Common\Identity\EnableADAL REG_DWORD 1
HKCU\SOFTWARE\Microsoft\Office\15.0\Common\Identity\Version REG_DWORD 1

Then, clear the Windows Credential Manager in order to trigger Duo 2FA login, steps can be referred to the answer of about question, Part (C) A3.

 

Q5: My Outlook 2016 for Mac app on my Mac OS does not prompt for Duo 2FA login, when will it ask for my login again?

A5: You need to clear the Keychain Access in order to trigger Duo 2FA login, please follow the steps below:

  1. Quit Outlook and all other Office applications.
  2. Start Keychain Access by using one of the following methods:
    • Select the Finder application, click Utilities on the Go menu, and then double-click Keychain Access.
    • In Spotlight Search, type Keychain Access, and then double-click Keychain Access in the search results.
  3. In the search field in Keychain Access, enter Exchange.
    • In the search results, select each item to view the Account that’s listed at the top, and then press Delete. Repeat this step to delete all items for your Exchange account.
  4. In the search field, enter adal.
    • Select all items whose type is MicrosoftOffice15_2_Data:ADAL:<GUID>, and then press Delete.
  5. In the search field, enter office.
    • Select the items that are named Microsoft Office Identities Cache 2 and Microsoft Office Identities Settings 2, and then press Delete.
  6. Quit Keychain Access and restart the Outlook 2016 for Mac, it will redirect to CUHK Login page and request for DUO 2FA login.

 

Q6: Can Gmail support Modern Authentication?

A6: No, Duo 2FA only works with email clients which support modern authentication. As Gmail doesn’t support it, please use the supported clients that listed at https://www.itsc.cuhk.edu.hk/all-it/information-security/two-factor-authentication-2fa/#tab_6 (O365 Services)

 

Q7: I cannot login my CUHK account in the Microsoft OneDrive app and Microsoft Teams app on my iPhone. After input the login ID and OnePass password, i can receive the Duo Push notification on my mobile device, but after I approve it, the login page prompts “Unknown error” and cannot continue.

A7: According to Duo, this occur recently for users running iOS 13.6 or older version, users are recommended to upgrade their iOS to the latest version 13.6.1 as this is known to resolve the issue.

 

(D) 2FA on Desktops / Servers:

Q1: During the Duo installation, is it a mandatory / optional to enable the “Bypass Duo authentication when offline (FailOpen)” if it is installed on servers?

A1: By default, Duo Authentication for Windows Logon will “fail open” and permit the Windows logon to continue if it is unable to contact the Duo service. You can set the fail mode during installation to “fail closed” by deselecting the “Bypass Duo authentication when offline” box during installation. This will deny all login attempts if there is a problem contacting the Duo service.

On server systems, you should consider whether security concerns overrides the need for access. For example, in case under man-in-the-middle / DNS spoofing intercepting traffic to *.duosecurity.com, should the server fall back to single factor authentication?

On the other hand, in case of troubleshooting and you have physical access to the system, the “fail closed” setting can be changed in Safe Mode via registry key HKLM\SOFTWARE\Duo Security\DuoCredProv\FailOpen (Set to 1 to allow “fail open” or 0 to restrict to “fail closed”. Default: Fail open.).

Therefore it depends on factors such as security concerns, service design, requirements on availability, accessibility, etc. it is recommended but not mandatory to use set the fail mode to “fail close” on server systems.

 

Q2: I installed other 2FA solution on my computer before, can I install Duo 2FA additionally?

A2: Please uninstall other 2FA solution on your system before you install the Duo 2FA solution.

 

Q3: If my notebook installed Duo 2FA, how can I login it when it is not yet connected to Wifi network?

A3: For desktop PC / notebook, if the setting “Bypass Duo authentication when offline (FailOpen)” is selected during the Duo 2FA installation, you can still login the system without 2FA when the system is offline.

 

Q4: I installed DUO application on my notebook, but after reboot, I cannot login my original Windows account.

A4: Please make sure to match the Windows login username as below:

  • For domain-joint systems: use UPN as username
  • For non domain-joint systems: use either University ID, sAMAccountName, or Computing ID as username

 

(E) Hardware Token for Duo 2FA:

Q1: How can I purchase the hardware token?  How long do I need to wait for getting the token?

A1: Please follow below steps to place order:

  1. Department fills in the Hardware Token for Duo 2FA – Order Form.
  2. Return the signed order form to ITSC (address can be found in the form).
  3. We will inform you by email (according to the email address provided in the order form) for collecting the hardware tokens.  The maximum lead time is 5 working days.

 

Q2: My office ordered and assigned a hardware token to me, what should I do next?  How should I register this token?

A2: You are not required to register the hardware token since ITSC would associate the hardware token to your account at the backend of Duo system in advance.  So once you have enrolled to Duo 2FA, you can start to use the token immediately to generate the passcode for 2FA login.

 

Q3: Can I share the hardware token with my colleagues in my department?

A3: No, each hardware token can only be associated to 1 person.

 

Q4: How long can the hardware token be used?

A4: According to the hardware specification provided by vendor, the battery life of OTP c100 hardware token is around 3-5 years.

 

Q5: What should I do if I lost the hardware token?

A5: Please report to ITSC immediately for disabling the hardware token.  Meanwhile, you can generate a bypass code via Duo 2FA Self-Service User Portal for temporary use, or you may consider to register your mobile device and install the Duo mobile app on your device if you don’t yet have it.  And you can order a new hardware token again if necessary.

 

Q6: How can I set my hardware token as the default device for 2FA?

A6: Sorry, the hardware token cannot be set as a default device if you have more than 1 device registered under your account, only mobile device can be selected as default device to receive the Duo Push notification.

 

Q7: I have a hardware token and a mobile device registered, which device should I use to generate the passcode for 2FA?

A7: For inputting the passcode as second factor, it is fine to input any passcode generated from your registered mobile device(s) or hardware token(s) assigned to you.

 

Q8: My office just bought a hardware token for me, why I still received the email reminder from ITSC about enrolling to Duo 2FA?

A8: .If you are the application administrator of the 4 major Admin Systems (CUPIS, CUSIS, UG and PG Admission Systems), you are mandatory to use 2FA to login these system according to the Security Policy for Handling Personal Data.  So, if you had been assigned with a hardware token, but you have not yet enrolled to Duo 2FA, ITSC will remind you to enroll Duo 2FA before the deadline.

 

Q9: Knowing that ITSC would register the hardware token that assigned to me in advance, and I didn’t registered any other mobile device via the Duo 2FA Self-Service User Portal, will I see my token registered in the portal?

A9: Yes, you can find all the devices registered, including mobile device(s) and hardware token(s), under your account by logging in Duo 2FA Self-Service User Portal.  Please also note that, by logging in Duo 2FA Self-Service User Portal, you are enrolled to Duo 2FA immediately if you have not yet enrolled before.

 

Q10: Can I register my mobile device via Duo 2FA Self-Service Portal even though my department has bought me a hardware token from ITSC?

A10: Yes, you can register your mobile device(s) if necessary.

 

Q11: Understand that a hardware token cannot be shared with multiple person, but can I use the same hardware token for multiple accounts of mine?

A11: Yes, the same hardware token can be associated to multiple accounts of same person.