Multi-Factor Authentication (MFA)


What can I do now?

You can start to get your business ready for MFA now by ensuring everyone in your practice is using a unique login and not sharing passwords. Shared logins will not be supported by the required implementation of MFA. There is no limitation on the number of users that can be invited to Simple Fund 360. To invite additional users, click here.

Overview


Multi-Factor Authentication (MFA), sometimes known as Two Factor Authentication, 2FA, 2SA or TFA, is a security enhancement for user accounts. Traditionally, users have relied on, and are accustomed to, authentication systems that require them to provide a unique identifier, such as their email address, and a correct password to gain access to a system.

Multi-Factor authentication is an extra layer of security in which users will be prompted for their password (the first factor—what they know), and for a security code (the second factor—what they have), making it more difficult for unauthorised people to access your data.

What options are supported for MFA in Simple Fund 360?

The MFA security code can be received using either of the following:

  • Authentication app e.g. Google Authenticator
  • SMS Text Message 

 

Method Description
Authentication App
  • This multi-factor authentication method uses a time-limited one-time PIN provided via a mobile app as a second factor.
  • These apps rely on the creation of a key that’s unique to your device, which is then stored by the app. Then, the app automatically generates login codes for your BGL Account that will allow you to log into your account.
  • The phone does not need to be connected to a network or internet for the app to generate a code. 

SMS Text Message

  • This multi-factor authentication method uses a time-limited one-time PIN provided via an SMS message to a device as a second factor.
  • The phone needs to be connected to a network or internet to receive the code. 

The use of an authentication app is the recommended method. The U.S. National Institute of Standards and Technology (NIST) has revised its multi-factor authentication security guidelines to discourage SMS-based MFA.
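How an authentication app can produce codes with no network connection, and why a wrong phone clock makes those codes fail, shown as an added example that is not BGL's code. It assumes the standard TOTP algorithm (RFC 6238: HMAC-SHA1, 30-second steps) that apps such as Google Authenticator implement; the key is the public RFC test secret, and the one-slot drift window is an assumption, not a documented Simple Fund 360 setting.

```python
import base64
import hashlib
import hmac
import struct

STEP = 30    # seconds each code is valid for (RFC 6238 default, assumed here)
DIGITS = 6   # the page describes six-digit codes

# Constructed sample key: the RFC 4226/6238 test secret, base32-encoded the
# way a setup QR code carries it. Not a real BGL value.
SAMPLE_SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def totp(secret_b32: str, unix_time: int) -> str:
    """Code the app shows at unix_time, computed offline from key + clock."""
    padded = secret_b32.upper() + "=" * (-len(secret_b32) % 8)
    key = base64.b32decode(padded)
    counter = struct.pack(">Q", unix_time // STEP)       # 30-second time slot
    mac = hmac.new(key, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                               # dynamic truncation
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** DIGITS).zfill(DIGITS)


def verify(secret_b32: str, code: str, server_time: int, window: int = 1) -> bool:
    """Server-side check that tolerates +/- `window` time slots of clock drift."""
    slot = server_time // STEP
    for drift in range(-window, window + 1):
        if slot + drift < 0:
            continue                                      # no slots before t=0
        expected = totp(secret_b32, (slot + drift) * STEP)
        if hmac.compare_digest(expected, code):           # constant-time compare
            return True
    return False


if __name__ == "__main__":
    phone_code = totp(SAMPLE_SECRET, 59)                  # phone clock reads t=59
    print("code on phone:", phone_code)
    print("server in sync:", verify(SAMPLE_SECRET, phone_code, 59))
    print("server 30 s ahead:", verify(SAMPLE_SECRET, phone_code, 89))
    print("server 61 s ahead:", verify(SAMPLE_SECRET, phone_code, 120))
```

The last case is the failure a user sees when the phone's clock is wrong: the code is valid for the phone's idea of the time but falls outside the slots the server accepts.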

Set up MFA with Authentication App
  1. Download and install an authentication app.

    Device Authentication App
    Phone
    Computer

     

  2. Sign into Simple Fund 360 and turn on MFA in your user profile. Navigate to the Profile Management screen (select the person icon in the top right-hand corner).

  3. Under the Authentication App option, select Set Up. Simple Fund 360 will display a QR code on the screen.

  4. Open your phone and select your new authenticator app. Within the app, select the Add + icon.

  5. Scan the QR code generated by Simple Fund 360 using your phone, or enter the on-screen code into the authenticator app. This will add BGL as an option and present a verification code.

  6. In Simple Fund 360, input the verification code generated in the authentication app and select Next.

  7. Input your mobile phone number. Note: If you have not set up the SMS Text option for MFA, your mobile number will only be used for account recovery purposes.

  8. Select Finish to complete the MFA set up. 
Set up MFA with SMS
  1. Sign into Simple Fund 360 and turn on MFA in your user profile. Navigate to the Profile Management screen (select the person icon in the top right-hand corner).

  2. Under the SMS Text Message option, select Set Up. Simple Fund 360 will display a QR code on the screen.

  3. Input your mobile number and select Next.

  4. A six-digit verification code will be sent to the mobile device. Input the code in the MFA configuration page and select Finish.

  5. Select Finish to complete the setup.

FAQs
  1. Can I enforce MFA for all users? 

    MFA is not currently enforceable for all users. BGL is planning on adding this option for all users in the future.

    The Australian Tax Office (ATO) has also introduced a new operational framework for all software which interacts with the ATO. This new framework mandates that Simple Fund 360 users who have access to Australian Taxpayer Information that is not their own must use multi-factor authentication when they log in. This means that BGL will need to mandate Multi-Factor Authentication for all users at some stage during 2019.
  2. Can MFA be set up using both methods?

    Yes. Both methods can be set up, and you can set a default MFA method in your user profile.
  3. Does MFA affect the Reset Password option?

    Yes. The reset password process will involve an authentication code sent to a mobile via SMS, or email where no valid mobile number exists for the user.
    1. Head to the BGL 360 login page and select Forgot your password.

    2. You will be directed to the Forgot your password? screen. Enter your Email before clicking the Request Verification Code button.



    3. A 'Reset Password' verification code will be sent to you via SMS if a verified phone number exists. If no verified phone number exists, the code will be sent to your email.
    4. Select RESET MY PASSWORD. Enter the code received and then enter your new password and select CHANGE MY PASSWORD to activate the new password.

      Passwords in BGL now have the following minimum requirements:

      • Minimum 10 characters
      • Contain at least one lowercase letter (a-z)
      • Contain at least one uppercase letter (A-Z)
      • Contain at least one number (0-9)

      You are restricted from re-using one of your last 3 passwords.

  4. I didn't receive an SMS notification via text. What could cause this?

    If you chose to receive codes by text message (SMS), make sure your service plan and mobile device support text message delivery.

    Delivery speed and availability may vary by location and service provider. Also, make sure you’ve got adequate mobile coverage when you’re trying to receive your codes.

  5. The verification codes generated by my authenticator app are not working?
    Ensure that your mobile's time zone settings are correct.
  6. Can I remove computers and other devices from my trusted list?
    Please contact BGL on 1300 654 401 for further assistance.
  7. What if my workplace does not allow access to mobile phones?

    You could consider using a hardware-based authentication solution such as Microcosm, Protectimus, or YubiKey.
  8. As an administrator, can I disable MFA for a user?
    No. MFA is controlled by the individual user.
Sign-in using MFA
  1. Navigate to the BGL login page. Input your username and password and select Sign In.

  2. You will be asked to input a security code found in the authenticator app or received via SMS text. Input the six-digit verification code.

  3. (Optional) If you want to identify your computer as trusted, select the remember this device for 30 days check box. This only applies when using the same computer with the same browser.
  4. Select Submit.
Disable MFA
  1. Sign into Simple Fund 360 and turn off MFA by navigating to the Profile Management screen.

  2. For the authentication method that is currently active, select Disable.


      
  3. If you disable MFA but then decide to re-enable, you will need to set it up again.
My Phone was lost or stolen. How do I disable MFA?

If your phone was lost or stolen, we strongly recommend that you change your BGL 360 password. This will help prevent others from accessing your BGL Account from your phone.

  1. From the BGL 360 login page, input your username and password and select Sign In.
  2. From the Enter Security Code page, select Lost my device or click here to access the Disable my MFA page.

  3. Input your email address, mobile phone number, and the on-screen captcha code. Select DISABLE MY MFA.

  4. You will receive an email. Select the link contained within the email. This will direct you to a message on the login page confirming the MFA has been disabled on your account.
  5. You can now log in to Simple Fund 360 without MFA. 

Comments

8 comments
  • How do I get a security code via email? I do not use a mobile phone.

  • Hi Richard, unfortunately, receiving security codes via email is not a supported method. An alternative option would be to Set up MFA using an Authentication App. Authy is a 2FA App that can be installed on your PC and used across multiple devices.

  • Can I set up the MFA on two devices, i.e. iPad and phone, so I can use whichever is convenient?

  • Hey Bruce, if the 2FA App that you choose to use supports multiple devices then yes.

  • Hi, any plan to support email authentication soon, because no business mobile phone is provided at work? MYOB also has two-step authentication, but they support using emails.

  • Hi Arthas, at this stage, no. This is due to security reasons. If someone can gain access to your email account, they would then be able to reset your password and gain your MFA codes directly.

  • Hi Anthony, is it possible to link multiple accounts to one mobile number?

    I reckon if someone can gain access to my email account, I am pretty certain they have much better things to do with that privilege than trying to get an MFA code...

  • Hi Arthas,

    Whilst it is not recommended, we do allow multiple accounts to be linked to one phone number.
