Security Tips on Using HKU Portal

Quick Links

Quick Links

Secure Your PIN

Each staff members and student is uniquely identified by an HKU Portal UID (User Identification) and PIN (Personal Identification Number).  As HKU Portal contains personal and departmental information, some of which is limited for access by authorized persons, you are advised to keep your PIN secure and safe from leaking to others. You must not disclose your PIN to others. If you suspect someone knows your PIN, you should change your PIN immediately by clicking here

Your HKU Portal PIN must consist of at least one letter (a-z, A-Z) and one digit (0-9) in the length of 10-18 characters, and we highly recommend a password at least in length of 14 characters. You can’t use an old password that has been used in the last 3 password changes.  You will receive an email notification whenever your HKU Portal PIN is changed.

Verify the Authenticity of the HKU Portal Web Site before Login

HKU Portal is authenticated and secured by a digital certificate. To verify the authenticity of HKU Portal,

  1. Click the “Security Lock” button in your browser (for example lock in Chrome). 
  2. Click “More Information > “View Certification” (Firefox)/”Certificate Information” (Chrome)/”Show Certificate””(Safari).
    browser certificate setting
  3. Check if “Issued To” shows “*” and the validity date to confirm the certificate is valid and does not expire.

    the SSL certificate details

    Important: You must not enter your HKU Portal UID/PIN in any website which you suspect to be a fake website, or if the “Security Lock” icon cannot be found, or information in the certificate is invalid.  You should not enter your personal credentials when you see the following warning messages at websites.

    browser showing the site is not private

Do Not Store Your HKU Portal UID/PIN in the Browsers

Remember to disable the auto-fill function in your browser as this will make your HKU Portal UID/PIN available to anyone having access to your PC/mobile device. To turn this function off in Google Chrome, click the Chrome menu icon (3 dots on the top right) > Settings > Autofill > Passwords > turn off Auto Sign-in.
browser auto fill

browser auto sign option off

Keep Me Sign In (KMSI)

When you log in to Portal Session through Microsoft Azure AD, you have the option to select Stay Sign In, which means that you will remain logged in to the login session for up to 90 days, unless you manually sign out or change your password. This can be convenient if you use HKU Portal frequently and want to avoid entering your credentials every time, but it also makes your account vulnerable if someone else uses the same PC. That’s why you should select “No”, never choose Stay Sign In on a public or shared PC, and always sign out when you are done with Azure.

How to response Stay Sign In?

How to response Stay Sign In?

Keep Me Sign In (KMSI) – YES

Keep Me Sign In (KMSI) – NO

90 days upon the login session is refreshed within the validity period

24 hours upon the login session is refreshed within the validity period

Sign in with an individual or personal device

Sign in with a public or shared workstation

Protect Your Personal Information

The most secure way to protect your personal and confidential information under HKU Portal is to logout and close ALL browsers every time after using HKU Portal or before leaving your PC unattended.

Do not leave an HKU Portal session unattended at any time. If you do not logout, others can access your information using the same computer you used or even change or delete your personal or confidential information under the active Portal session left behind.

Protect Your Computer

Install and update anti-virus software regularly to ensure your PC is having the latest protection. Do not open any suspicious or unknown emails and attachments to reduce the vulnerability to computer malicious codes such as virus and trojan.

Please note that each HKU staff and student can register for one Sophos Home account to install the Sophos Home Commercial Edition. Please visit the installation guide for more information.

Avoid Using Public PC to Login HKU Portal

Since HKU portal login session is saved as browser cache, and in case that you have forgotten to logout from the last login session, it will allow user in the next session to access your HKU portal without the second authentication.

In this case, please avoid using public or shared PCs login to HKU portal. If logging in HKU portal from public or shared PC is unavoidable, please start the internet browser with “In-Private” or “Incognito” option, and don’t use the Keep Me Sign In (KMSI).  After you have completed your work, remember to logout and close ALL browser sessions.

Last but not least, please avoid using public Wi-Fi, particularly with an unencrypted transmission, to login HKU portal.



Multi-Factor Authentication

February 2024
February 2024

Mandatory for all staff accounts

May 2024
May 2024

Mandatory for all student accounts