What is Multi-Factor Authentication (MFA)?
Multi-factor authentication (MFA) is an enhanced logon process. After entering your password, you will need to confirm your access by using a designated device (e.g. your mobile). This prevents unauthorized access to sensitive data even if your password is stolen. In HKUST, we employed Duo MFA previously and are in a transition to Microsoft Entra multifactor authentication as the default MFA solution since May 2025. All below information refer to Microsoft Entra MFA unless specified and you may refer to the end of this page for Duo MFA information.
How it works
When access to applications supporting MFA e.g. HKUST SSO Service
- Enter your email address and password
- Use your physical device to verify your identity e.g. your mobile phone or tablet
- You are securely logged in
After you have enrolled for multi-factor authentication and access to applications supporting MFA, you will need to login using your Email Address / password and then use your device to verify your identity. Microsoft Entra MFA will issue automatic push to your mobile or you can select "I can't use my Microsoft Authenticator app right now" if applicable.
[Under circumstances when you cannot access your mobile device, you can also obtain a one-time TAP Code (not the one-time passcode) to access MFA protected application.]
Getting Started
Application Readiness (enabled with MFA in either Duo or Microsoft Entra)
| For Student | For Staff |
|
1. Remote Access Tools
2. Teaching and Learning Resources
3. Research IT Resources
4. Administrative Systems
5. Collaboration and Productivity Tools |
1. Remote Access Tools
2. Teaching and Learning Resources
3. Research IT Resources
4. Administrative Systems
5. Collaboration and Productivity Tools |
When accessing the above MFA supported applications, please remember to have your mobile device around to respond the Microsoft Authenticator - notification sent to your mobile device. In case there is no network connection, you can use one-time passcode (obtain from your Microsoft Authenticator App).
Log in to the Microsoft Entra MFA Enrollment Portal for first-time MFA enablement.
After MFA enablement, please visit the Microsoft Entra MFA Self-Service Portal to manage your MFA device.
Refer to Enrollment for Microsoft Entra MFA (or view video) for the details.
Please response to the Push Notification using your mobile device when you need to access applications supporting MFA e.g. VPN, OWA etc. Besides, you can use Temporary Access Pass (TAP) in case you cannot receive the Push due to network connection issues.
You can obtain a TAP Code in case you cannot access to your mobile device (e.g. no battery, lost / change mobile):
For Duo MFA Users only
Please response to the Push Notification using your mobile device when you need to access applications supporting MFA e.g. VPN, OWA etc. Besides, you can use one-time passcode in case you cannot receive the Push due to network connection issues.
You can obtain a Duo Bypass Code in case you cannot access to your mobile device (e.g. no battery, lost / change mobile):
FAQs
- Modern Duo Universal Prompt
- What should I do if I have changed my mobile phone / reinstalled the Duo Mobile app?
- Cannot receive Duo's Push notification?
- How to logon if I forgot to bring my mobile or loss of it?
- Can I use Duo Mobile for 2FA with Multiple Accounts?
- Can I use Duo from overseas?
- What should I do if I receive an unexpected Duo notification?
- Where can I find Duo Privacy Policy?
- Any known issues when using 2FA?