Overview
Multi-Factor Authentication (MFA), sometimes known as Two-Factor Authentication, 2FA, 2SA or TFA, is a security enhancement for user accounts. MFA is mandatory for all users.
Multi-Factor authentication is an extra layer of security in which users will be prompted for their password (the first factor—what they know), and for a security code (the second factor—what they have), making it more difficult for unauthorised people to access your data.
Why is MFA mandatory for Simple Fund 360?
MFA will be mandatory for all users to ensure that Simple Fund 360 is compliant with the Australian Tax Office’s (ATO) Digital Service Provider Operational Framework.
What options are supported for MFA in Simple Fund 360?
The MFA security code can be received using either of the following:
- Authentication app e.g. Google Authenticator
- SMS Text Message
The use of an authentication app is the recommended method. The U.S. National Institute of Standards and Technology (NIST) has revised its multi-factor authentication security guidelines to discourage SMS-based MFA.
- Download and install an authentication app.
Device | Authentication App |
---|---|
Phone (iPhone) | Google Authenticator, Microsoft Authenticator, Authy |
Phone (Android) | Google Authenticator, Microsoft Authenticator, Authy |
Phone (Windows Phone) | Microsoft Authenticator, LastPass Authenticator, Duo Mobile |
Computer | |
- Sign into Simple Fund 360 and turn on MFA in your user profile. Navigate to the Profile Management screen (select the person icon in the top right-hand corner).
- Under the Authentication App option, select Set Up. Simple Fund 360 will display a QR code on the screen.
- Open your phone and select your new authenticator app. Within the app, select the Add + icon.
- Scan the QR code generated by Simple Fund 360 using your phone, or enter the on-screen code into the authenticator app. This will add BGL as an option and present a verification code.
- In Simple Fund 360, input the verification code generated in the authentication app (ensure there are no spaces) and select Next.
- Input your mobile phone number. Note: If you have not set up the SMS Text option for MFA, your mobile number will only be used for account recovery purposes to identify yourself. We do not send Text Messages to your phone for this purpose.
- Select Finish to complete the MFA set up.
- Sign into Simple Fund 360 and turn on MFA in your user profile. Navigate to the Profile Management screen (select the person icon in the top right-hand corner).
- Under the SMS Text Message option, select Set Up. Simple Fund 360 will display a QR code on the screen.
- Input your mobile number and select Next. (Please note this must be a mobile/cell phone which can accept SMS text messages. Do not enter a landline phone number)
- A six-digit verification code will be sent to the mobile device. Input the code in the MFA configuration page (ensure there are no spaces) and select Finish.
- Select Finish to complete the setup.
Can MFA be set up using both methods?
Yes. Both methods can be set up in your user profile.
Does MFA affect the Reset Password option?
Yes. The reset password process will involve an authentication code sent to a mobile via SMS, or email where no valid mobile number exists for the user.
- Head to the BGL 360 login page and select Forgot your password.
- You will be directed to the Forgot your password? screen. Enter your email, then select the Request Verification Code button.
- A 'Reset Password' verification code will be sent to you via SMS if a verified phone number exists. If no verified phone number exists, the code will be sent to your email.
- Select RESET MY PASSWORD. Enter the code received, then enter your new password and select CHANGE MY PASSWORD to activate the new password.
Passwords in BGL now have the following minimum requirements:
- Minimum 10 characters
- Contain at least one lowercase letter (a-z)
- Contain at least one uppercase letter (A-Z)
- Contain at least one number (0-9)
You are restricted from re-using one of your last 3 passwords.
I didn't receive an SMS notification via text. What could cause this?
If you chose to receive codes by text message (SMS), make sure your service plan and mobile device support text message delivery.
Delivery speed and availability may vary by location and service provider. Also, make sure you’ve got adequate mobile coverage when you’re trying to receive your codes.
The verification codes generated by my authenticator app are not working?
Ensure that your mobile's time zone settings are correct.
Can I remove computers and other devices from my trusted list?
Please contact BGL on 1300 654 401 for further assistance.
What if my workplace does not allow access to mobile phones?
If you cannot or do not want to use a mobile phone, a few other authentication options that can be used include:
- USB tokens. An example is YubiKey. Plug the YubiKey into a USB port and enter the number displayed on screen.
- Desktop App. If you prefer to keep your MFA verification code generation separate from your browser, you can install a standalone desktop app such as WinAuth.
- Chrome Browser extensions. Using a Chrome extension will work on any device that runs the desktop version of the browser. Authenticator for Chrome, for example, works in Linux, on Google's Chromebook laptops, as well as on Mac and Windows PCs.
As an administrator, can I disable MFA for a user?
No. MFA is controlled by the individual user.
- Navigate to the BGL login page. Input your username and password and select Sign In.
- You will be asked to input a security code found in the authenticator app or received via SMS text. Input the six-digit verification code (ensure there are no spaces).
- (Optional) If you want to identify your computer as trusted, select the remember this device for 30 days check box. This only applies when using the same computer with the same browser.
- Select Submit.
- Sign into Simple Fund 360 and turn off MFA by navigating to the Profile Management screen.
- Select Disable for the authentication method that is currently active.
- If you disable MFA but then decide to re-enable, you will need to set it up again.
If your phone was lost or stolen, we strongly recommend that you change your BGL 360 password. This will help prevent others from accessing your BGL Account from your phone.
- From the BGL 360 login page, input your username and password and select Sign In.
- From the Enter Security Code page, select Lost my device or click here to access the Disable my MFA page.
- Input your email address, mobile phone number, and the on-screen captcha code. Select DISABLE MY MFA.
- You will receive an email. Select the link contained within the email. This will direct you to a message on the login page confirming the MFA has been disabled on your account.
- You can now log in to Simple Fund 360 without MFA.
Alternatively, Account Owners can turn off MFA for users in their BGL subscription.
- This can be completed via the User Manager page:
Once completed, the user receives an email notifying them that their MFA has been disabled by the Account Owner. They can then proceed to login and set up their MFA again.