General FAQ for MFA

Q1. Who can use MFA?

A1. Starting from Apr 30, 2023, all CityU staff accounts will be protected by MFA, except for secondary accounts.
Students can also enroll in MFA through the Service Portal.
The University does not provide MFA for alumni accounts.

Q2. What systems will be required to log on with MFA?

A2. Please refer to the CityU MFA page.

Q3. When will you be asked to log on with MFA?

A3. Please refer to the CityU MFA page.

Q4. What MFA methods are supported?

A4. For staff, Okta Verify (a mobile app) and SMS are the default options. For students, it is Okta Verify. We also recommend that you set up alternative options such as Google Authenticator, CityU email, and voice call so that you can use these methods in some situations.

Q5. If you can't get through your MFA and need to log in to the system in a hurry, what can you do?

A5. You can go to the IT Service Desk and they will suspend the MFA for your account for one day.

Q6. What platforms does Okta Verify support?

A6. Okta Verify supports the most recent major releases of specific operating system platforms and web browser combinations. Please refer to this link for the latest information.
Time synchronization on your mobile device is required for Okta Verify to work.

Q7. How can you use MFA in an environment where both mobile network and Wi-Fi are unavailable?

A7. Okta Verify (6-digit code mode) and Google Authenticator are both time-based MFA methods which don't need network access. It is recommended that you set up either method in advance to prepare for this situation.
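
Why a time-based code needs no network but does need a correct clock (A6 and A7), shown as an added example that is not part of the original FAQ and is not CityU's or Okta's code. It assumes the standard RFC 6238 TOTP parameters (HMAC-SHA-1, 30-second step, 6 digits) and a verifier that tolerates one step of drift; the secret is the published RFC 6238 test key, not a real enrolment secret.

```python
import hashlib
import hmac
import struct

STEP = 30    # seconds each code is valid for (assumed RFC 6238 default)
DIGITS = 6   # code length shown by the authenticator app
SECRET = b"12345678901234567890"  # RFC 6238 test key, stands in for the enrolled secret


def totp(secret: bytes, unix_time: int, digits: int = DIGITS) -> str:
    """Code the phone computes locally from the shared secret and its own clock."""
    counter = struct.pack(">Q", unix_time // STEP)           # 30-second time slot
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                                   # dynamic truncation (RFC 4226)
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def verify(secret: bytes, code: str, server_time: int, window: int = 1) -> bool:
    """Server side: accept codes from the current slot and `window` slots either way."""
    for drift in range(-window, window + 1):
        expected = totp(secret, server_time + drift * STEP)
        if hmac.compare_digest(expected, code):
            return True
    return False


if __name__ == "__main__":
    phone_clock = 1111111109                  # constructed timestamp; no network involved
    code = totp(SECRET, phone_clock)
    print("code on phone:", code)
    # Server clock 2 s ahead falls in the next slot; the drift window still accepts it.
    print("server +2 s:  ", verify(SECRET, code, phone_clock + 2))
    # A phone whose clock is 5 minutes off produces a code the server rejects.
    print("server +300 s:", verify(SECRET, code, phone_clock + 300))
```

The only inputs are the secret stored at enrolment and the device clock, which is why the 6-digit mode works offline and why a phone with a wrong clock is rejected.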

Q8. Do I need to pay when SMS codes are sent to me?

A8. No, the costs will not be charged to you, but we recommend that users use Okta Verify push notification rather than SMS, as it's more secure and convenient.

Q9. How can you use MFA when you are travelling overseas?

A9. Okta Verify is recommended because you don't need to change to another SMS number in your system profile.

Q10. What do I have to do if I forget to bring my mobile phone to the campus or working location?

A10. If you forget to bring a mobile phone to the campus or working location, and you haven't registered for any MFA methods like email or voice call that don't require your mobile phone, you can use the Service Portal self-service function to temporarily disable your MFA for that day. Alternatively, you can contact the IT Service Desk for help. The support staff will ask you to prove your identity with your staff/student ID card and then temporarily disable the MFA for your account for that day.
However, if you have registered for email or voice call as alternative MFA methods, you can use them.

Q11. What do I have to do when I have a new phone?

A11. Okta Verify can't be registered on two mobile phones at the same time. Please refer to this link for instructions on transferring Okta Verify to a new phone.

Q12. My mobile phone can't access Google Play. How can I download and install Okta Verify?

A12. You can download it from this link. After installing it, please follow the staff or student user guides to do the setup.

Q13. Does MFA work in China?

A13. There are limitations in the mobile and Wi-Fi networks in China. Okta Verify with push notification and access to Google services are unavailable.
When you are in China, if you are an iPhone user, you can still download and install Okta Verify from the Apple App Store.
Users on the Android/Harmony OS platform have to download the setup APK file from this link.
In both cases, you have to switch to using the Okta Verify 6-digit code rather than push notification.
MFA with SMS should be fine in China.

Q14. If you are an MFA pilot user or already using Remote Desktop with MFA, do you need to enroll?

A14. Yes, you still need to enroll in MFA through the Service Portal, because pilot users don't have Okta Verify set up and Remote Desktop users don't have SMS set up, while both methods are required when MFA is enforced.