Information security is a major challenge to the IT sector. There is no exception to the University. To cope with this challenge in the digital era, ITS has been doing a lot to increase the information security protection of the University in the past few years. A few to name includes the Data Leakage Prevention (DLP) Project, Server Compliance Project, extension of HKU Portal PIN length to 10-18 characters, etc.
In the past two years, we observed there is a growing trend of account intrusion among University members and staff/students’ HKU Portal UID and PIN are stolen or leaked resulting in unauthorized account access and other hacking activities, such as sending of spam. The sources of these intrusions can be through phishing and virus-bearing emails, access to malicious websites, brute-force password guessing attacks and other kinds of growing and varying hacking activities.
To mitigate the risks arising from the increasing trend of stolen or leakage of HKU Portal UIDs/PINs, a new authentication mechanism, Two-Factor Authentication (“2FA”) will be put in place to enhance the security protection of the authentication process in using HKUVPN (HKU Virtual Private Network) and HKU Portal services. By means of 2FA, a One-Time-Password (“OTP”) will be sent to the staff/student's alternate email address which will be used as the second "key" for authentication on top of their HKU Portal PIN. The 2FA mechanism will be launched in 2 phases. Phase 1 will be kicked off and implemented on HKUVPN service starting from January 2016 and Phase 2 will be extended to HKU Portal access outside campus network starting from June 2016. After the 2FA implementation, users of HKUVPN and HKU Portal outside campus network have to go through 2FA for using these two services.
To enable the implementation of this 2FA project, staff and students using HKUVPN service and requiring HKU Portal access outside the campus network are requested to register their alternate email address with ITS. On top of alternate email address, we are also collecting mobile phone no. for upcoming implementation of using alternate email address/mobile phone no. to reset HKU Portal PIN and sending security alerts when users’ HKU email addresses cannot be reached.
Staff and students will be invited to register their alternate email address and mobile no. with ITS in November 2015 for the above purposes. More details about the 2FA implementation will be provided in the next issue of ITS News.
Information Security Team
Tel: 3917 5952