Multi-Factor Authentication (MFA)

Multi-Factor Authentication (MFA), sometimes known as Two-Factor Authentication, 2FA, 2SA or TFA, is a security enhancement for user accounts. MFA is mandatory for all users.

Multi-Factor authentication is an extra layer of security in which users will be prompted for their password (the first factor—what they know), and for a security code (the second factor—what they have), making it more difficult for unauthorised people to access your data.

Why is MFA mandatory for Simple Fund 360?

MFA will be mandatory for all users to ensure that Simple Fund 360 is compliant with the Australian Tax Office’s (ATO) Digital Service Provider Operational Framework.


What options are supported for MFA in Simple Fund 360?

The MFA security code can be received using:

  • Authentication app e.g. Google Authenticator
  • SMS Text Message 

Can Multi-Factor Authentication (MFA) be set up using an email address to receive authentication codes?


Method Description
Authentication App
  • This multi-factor authentication method uses a time-limited one-time PIN provided via a mobile app as a second factor.
  • These apps rely on the creation of a key that’s unique to your device, which is then stored by the app. Then, the app automatically generates login codes for your BGL Account that will allow you to log into your account.
  • The phone does not need to be connected to a network or internet for the app to generate a code. 

SMS Text Message

  • This multi-factor authentication method uses a time-limited one-time PIN provided via an SMS message to a device as a second factor.
  • The phone needs to be connected to a network or internet to receive the code. 

The use of an authentication app is the recommended method. The U.S. National Institute of Standards and Technology (NIST) has revised its multi-factor authentication security guidelines to discourage SMS-based MFA.

Set up MFA with Authentication App
  1. Download and install an authentication app.

    Device Authentication App


  2. Sign into Simple Fund 360 and turn on MFA in your user profile. Navigate to the Profile Management screen (select the person icon in the top right-hand corner).

  3. Under the Authentication App option, select Set Up. Simple Fund 360 will display a QR code on the screen.

  4. Open your phone and select your new authenticator app. Within the app, select the Add + icon.

  5. Scan the QR code generated by Simple Fund 360 using your phone, or enter the on-screen code into the authenticator app. This will add BGL as an option and present a verification code.

  6. In Simple Fund 360, input the verification code generated in the authentication app (ensure there are no spaces) and select Next.

  7. Input your mobile phone number. Note: If you have not set up the SMS Text option for MFA, your mobile number will only be used for account recovery purposes to identify yourself. We do not send Text Messages to your phone for this purpose. 

  8. Select Finish to complete the MFA set up. 
Set up MFA with SMS
  1. Sign into Simple Fund 360 and turn on MFA in your user profile. Navigate to the Profile Management screen (select the person icon in the top right-hand corner).

  2. Under the SMS Text Message option, select Set Up. Simple Fund 360 will display a QR code on the screen.

  3. Input your mobile number and select Next. (Please note this must be a mobile/cell phone which can accept SMS text messages. Do not enter a landline phone number.)

  4. A six-digit verification code will be sent to the mobile device. Input the code in the MFA configuration page (ensure there are no spaces) and select Finish.

  5. Select Finish to complete the setup.

  1. Can MFA be set up using both methods?

    Yes. Both methods can be set up, and you can set a default MFA method in your user profile.
  2. Does MFA affect the Reset Password option?

    Yes. The reset password process will involve an authentication code sent to a mobile via SMS, or email where no valid mobile number exists for the user.
    1. Head to the BGL 360 login page and select Forgot your password.

    2. You will be directed to the Forgot your password? screen. Enter your email before clicking the Request Verification Code button.

    3. A 'Reset Password' verification code will be sent to you via SMS if a verified phone number exists. If no verified phone number exists, the code will be sent to your email.
    4. Select RESET MY PASSWORD. Enter the code received and then enter your new password and select CHANGE MY PASSWORD to activate the new password.

      Passwords in BGL now have the following minimum requirements:

      • Minimum 10 characters
      • Contain at least one lowercase letter (a-z)
      • Contain at least one uppercase letter (A-Z)
      • Contain at least one number (0-9)

      You are restricted from re-using one of your last 3 passwords.

  3. I didn't receive an SMS notification via text. What could cause this?

    If you chose to receive codes by text message (SMS), make sure your service plan and mobile device support text message delivery.

    Delivery speed and availability may vary by location and service provider. Also, make sure you’ve got adequate mobile coverage when you’re trying to receive your codes.

  4. The verification codes generated by my authenticator app are not working?
    Ensure that your mobile's time zone settings are correct.
  5. Can I remove computers and other devices from my trusted list?
    Please contact BGL on 1300 654 401 for further assistance.
  6. What if my workplace does not allow access to mobile phones?

    If you cannot or do not want to use a mobile phone, a few other authentication options that can be used include:

    • USB tokens. An example is YubiKey. Plug the YubiKey into a USB port and enter the number displayed on screen.
    • Desktop App. If you prefer to keep your MFA verification code generation separate from your browser, you can install a standalone desktop app such as WinAuth.
    • Chrome Browser extensions. Using a Chrome extension will work on any device that runs the desktop version of the browser. Authenticator for Chrome, for example, works in Linux, on Google's Chromebook laptops, as well as on Mac and Windows PCs.
  7. As an administrator, can I disable MFA for a user?
    No. MFA is controlled by the individual user.
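
The Authentication App description (codes generated from a key stored on the device, with no network needed) and the answer to question 4 (codes rejected when the device's time settings are wrong) both follow from how time-based one-time codes are derived. The sketch below is an added example, not BGL's code: it assumes the app uses standard TOTP (RFC 6238, HMAC-SHA1, 30-second step), which the page does not state, and the secret, function names and the one-step acceptance window are constructed for illustration.

```python
import base64
import hashlib
import hmac
import struct

STEP = 30      # seconds per code (RFC 6238 default; assumed, not stated by BGL)
DIGITS = 6     # the page describes six-digit codes

# Constructed sample key: the RFC 6238 test key "12345678901234567890" in Base32,
# standing in for the key that the QR code carries to the app.
SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"

def totp(secret_b32: str, unix_time: float) -> str:
    """Derive the code for the 30-second window containing unix_time (no network I/O)."""
    key = base64.b32decode(secret_b32.replace(" ", "").upper())
    counter = struct.pack(">Q", int(unix_time) // STEP)
    digest = hmac.new(key, counter, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F                      # dynamic truncation (RFC 4226)
    value = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** DIGITS).zfill(DIGITS)

def verify(secret_b32: str, submitted: str, server_time: float, window: int = 1) -> bool:
    """Hypothetical server check: accept codes within +/- `window` steps of server time."""
    if len(submitted) != DIGITS or not submitted.isdigit():
        return False
    ok = False
    for drift in range(-window, window + 1):
        expected = totp(secret_b32, server_time + drift * STEP)
        ok |= hmac.compare_digest(expected, submitted)   # constant-time comparison
    return ok

def demo() -> dict:
    server_now = 1_111_111_109                      # fixed clock so results repeat
    good = totp(SECRET, server_now)                 # device clock correct
    slow = totp(SECRET, server_now - 40)            # device 40 s behind: previous window
    wrong = totp(SECRET, server_now - 3600)         # device clock one hour off
    return {
        "correct_clock": verify(SECRET, good, server_now),
        "small_drift": verify(SECRET, slow, server_now),
        "hour_off": verify(SECRET, wrong, server_now),
    }

if __name__ == "__main__":
    print(demo())
```

Both sides compute the code from the shared key and their own clock, so a device whose clock is far from the server's produces codes the server never expects.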
Using MFA
  1. Navigate to the BGL login page. Input your username and password and select Sign In.

  2. You will be asked to input a security code found in the authenticator app or received via SMS text. Input the six-digit verification code (ensure there are no spaces).

  3. (Optional) If you want to identify your computer as trusted, select the remember this device for 30 days check box. This only applies when using the same computer with the same browser.
  4. Select Submit.
Disable MFA
  1. Sign into Simple Fund 360 and turn off MFA by navigating to the Profile Management screen.

  2. Select Disable for the active authentication method that was set up.

  3. If you disable MFA but then decide to re-enable, you will need to set it up again.
My phone was lost or stolen. How do I disable MFA?

If your phone was lost or stolen, we strongly recommend that you change your BGL 360 password. This will help prevent others from accessing your BGL Account from your phone.

  1. From the BGL 360 login page, input your username and password and select Sign In.
  2. From the Enter Security Code page, select Lost my device or click here to access the Disable my MFA page.

  3. Input your email address, mobile phone number, and the on-screen captcha code. Select DISABLE MY MFA.

  4. You will receive an email. Select the link contained within the email. This will direct you to a message on the login page confirming the MFA has been disabled on your account.
  5. You can now log in to Simple Fund 360 without MFA. 

  • How do I get a security code via email? I do not use a mobile phone.
  • Hi Richard, unfortunately, receiving security codes via email is not a supported method. An alternative option would be to Set up MFA using an Authentication App. Authy is a 2FA App that can be installed on your PC and used across multiple devices.

  • Can I set up the MFA on two devices, i.e. iPad and phone, so I can use whichever is convenient?
  • Hey Bruce, if the 2FA App that you choose to use supports multiple devices then yes.

  • Hi, any plan to support email authentication soon, coz no business mobile phone is provided at work? MYOB also has two-step authentication but they support using emails.
  • Hi Arthas, at this stage, no. This is due to security reasons. If someone can gain access to your email account, they would then be able to reset your password and gain your MFA codes directly.
  • Hi Anthony, is it possible to link multiple accounts to one mobile number?

    I reckon if someone can gain access to my email account I am pretty certain they have much better things to do with that privilege than trying to get an MFA code...
  • Hi Arthas,

    Whilst it is not recommended, we do allow multiple accounts to be linked to one phone number.
  • How do you set up and use WinAuth with Multi Factor Authentication?
  • For WinAuth, we have added an article

  • Ha! We even have to enter our phone number for "recovery purposes". Why couldn't our e-mail be used for "recovery purposes" if we don't have our phone on us that has the app?!

    Let me guess, in a few weeks I'll start getting phone calls from random insurance companies. No, I'm sure BGL promises that won't happen.

    I knew this was coming having had to deal with MYOB and Xero but this is the worst one by a mile. Thankfully I only have one super fund job left this year

  • In the name of security, you love security don't you? We all want to feel secure. Don't you want to feel secure?

    Now, hand over your personal information.

  • Hi Davide,

    We ask you to enter your phone number so if you change or lose your MFA device you can reset it yourself (i.e. Self-service). We do not send text messages for this purpose nor do we share any of your details with others.
  • And that's better than using e-mail for recovery how?

  • The screen asks you to input your email address and mobile phone number. If both pieces of information are correct you will receive an email. (If we asked for email only anyone could trigger the process).

    You then click the link contained within the email. This will direct you to a message on the login page confirming the MFA has been disabled on your account.

  • "Anyone" who then also has access to my e-mail account.....

    Nothing you say changes the fact that no other accounting software has forced me to give my phone number to them.

    Only BGL.

  • I have tried to implement the WinAuth a dozen times over the last couple of days and Simple Fund rejects the code every time even though I have reset set-up again and created an account four separate times. Neither the version which matches the link instructions nor the Win 7 version works. Each time it says Invalid Token. I am fed up with rubbish. I just want to get on with doing accounting. If someone breaks into our premises the last thing they will want to steal is accounting data.
  • Hi David,
    I will get a member of our Support Team to help you out. Usually, the time setting on your device is the most common cause.

  • Our concern is that, within a production environment, we would like the integration task to run unattended. There is a risk that the refresh token is invalidated (or purged), which then requires us to get a new authorisation code. Getting the auth code requires browser interaction from the user, and in some cases, them to login again using the user credentials. And now just to make it more difficult we need to use one of our staff members' mobile numbers?
    Is there a way you can support a Machine-to-Machine (M2M) authentication flow? No humans involved?
  • Hi,
    I am OLD (82)
    I do not have a mobile phone and will never get one.
    I do not understand "Apps" etc. and have no intention to learn all this tech. crap.
    What options do I have to access my super 360 account ?????
  • David Muir,
    I was against this at first and did not want to have to go chasing my mobile every time I frequently logged on to SF360. Now that I have implemented it, it is not so bad.
    1. You can tick a box so you only have to enter the code once per month.
    2. You can download a free program WinAuth to generate the code on your computer. No need to use a mobile.
    3. Only trap is that WinAuth puts a space between the first and second three digits. When entering the code into SF360 ignore the space.

  • I have changed my phone and have installed authenticator app on my new phone.

    My phone number has transferred (same number on new phone) .. and now I would like to "establish" this new phone/authenticator with BGL.

    What is the procedure? Do I need to disable the existing set up via BGL website ... and then re-establish the new phone/app?

    Thanks ...

  • Hi Julie,

    Yes, you would need to Disable MFA and set up the MFA process again.
  • Thank you Jeevan!

  • The tickbox to "remember this device" has no effect. Same computer, same browser. I wanted to disable MFA, but in my profile it says MFA SMS is "inactive". I tried to reset it, but the Next button simply sits there spinning.
    Hate the MFA. Every day, multiple times, can't disable it, and will not remember device.
  • Went into profile on left-hand side and it allowed me to reset it. Now 30 day box is working.
