

Is MFA currently mandatory in Simple Fund 360?

MFA is not currently mandatory for user accounts.

The Australian Tax Office (ATO) has also introduced a new operational framework for all software that interacts with the ATO. This framework mandates that Simple Fund 360 users who have access to Australian Taxpayer Information that is not their own must use multi-factor authentication when they log in. This means that BGL will need to mandate Multi-Factor Authentication for all users at some stage during 2019.

Overview


Multi-Factor Authentication (MFA), sometimes known as Two Factor Authentication, 2FA, 2SA or TFA, is a security enhancement for user accounts. Traditionally, users have relied on authentication systems that require them to provide a unique identifier, such as their email address, and a correct password to gain access to a system.

Multi-Factor authentication is an extra layer of security in which users will be prompted for their password (the first factor—what they know), and for a security code (the second factor—what they have), making it more difficult for unauthorised people to access your data. 


What options are supported for MFA in Simple Fund 360?

The MFA security code can be received using an:

  • Authentication app e.g. Google Authenticator
  • SMS Text Message

The use of an authentication app is the recommended method. The U.S. National Institute of Standards and Technology (NIST) has revised its multi-factor authentication security guidelines to discourage SMS-based MFA and encourage the use of more robust MFA alternatives.


Enable MFA


Complete the following steps to enable MFA:

  1. Navigate to your Profile Manager;
  2. Select and set up the preferred MFA method (authenticator app or SMS text message).

Set up MFA with Authentication App


  1. Download and install an authentication app.

    Device    Authentication App
    Phone
    Computer



  2. Sign into Simple Fund 360 and turn on MFA in your user profile. Navigate to the Profile Management screen (select the person icon in the top right-hand corner).



  3. Under the Authentication App option, select Set Up. Simple Fund 360 will display a QR code on the screen.  



  4. Open your phone and select your new authenticator app. Within the app, select the Add + icon.



  5. Scan the QR code generated by Simple Fund 360 using your phone, or enter the on-screen code into the authenticator app. This will add BGL as an option and present a verification code. 



  6. In Simple Fund 360, input the verification code generated in the authentication app and select Next.  



  7. Input your mobile phone number. Note: If you have not set up the SMS Text option for MFA, your mobile number will only be used for account recovery purposes. 



  8. Select Finish to complete the MFA set up. 

Set up MFA with SMS


  1. Sign into Simple Fund 360 and turn on MFA in your user profile. Navigate to the Profile Management screen (select the person icon in the top right-hand corner).



  2. Under the SMS Text Message option, select Set Up. Simple Fund 360 will display a QR code on the screen.  



  3. Input your mobile number and select Next.



  4. A six-digit verification code will be sent to the mobile device. Input the code in the MFA configuration page and select Finish.



  5. Select Finish to complete the setup.

FAQs


  1. Can I enforce MFA for all users? 

    MFA is not currently enforceable for all users. BGL is planning on adding this option for all users in the future. 

    The Australian Tax Office (ATO) has also introduced a new operational framework for all software that interacts with the ATO. This framework mandates that Simple Fund 360 users who have access to Australian Taxpayer Information that is not their own must use multi-factor authentication when they log in. This means that BGL will need to mandate Multi-Factor Authentication for all users at some stage during 2019.

      
  2. Can MFA be set up using both methods?

    Yes. Both methods can be set up, and you can set a default MFA method in your user profile.


  3. Does MFA affect the Reset Password option?

    Yes. The reset password process will involve an authentication code sent to a mobile via SMS, or email where no valid mobile number exists for the user. 
     
    1. Head to the BGL 360 login page and select Forgot your password.


    2. You will be directed to the Forgot your password? screen. Enter your email, then click the Request Verification Code button.



    3. A 'Reset Password' verification code will be sent to you via SMS if a verified phone number exists. If no verified phone number exists, the code will be sent to your email. 

    4. Select RESET MY PASSWORD. Enter the code received and then enter your new password and select CHANGE MY PASSWORD to activate the new password.

      Passwords in BGL now have the following minimum requirements:

      • Minimum 10 characters
      • Contain at least one lowercase letter (a-z)
      • Contain at least one uppercase letter (A-Z)
      • Contain at least one number (0-9)

      You are restricted from re-using one of your last 3 passwords.


  4. I didn't receive an SMS notification via text. What could cause this?

    If you chose to receive codes by text message (SMS), make sure your service plan and mobile device support text message delivery.

    Delivery speed and availability may vary by location and service provider. Also, make sure you’ve got adequate mobile coverage when you’re trying to receive your codes.



  5. The verification codes generated by my authenticator app are not working?

    Ensure that your mobile's time zone settings are correct. 


  6. Can I remove computers and other devices from my trusted list?

    Please contact BGL on 1300 654 401 for further assistance. 


  7. What if my workplace does not allow access to mobile phones?

    You could consider using a hardware-based authentication solution such as YubiKey or Protectimus.



  8. As an administrator, can I disable MFA for a user?

    No. MFA is controlled by the individual user.
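
FAQ 5 above points at the phone's time settings because authenticator-app codes are derived from the current time. The sketch below is an added example, not BGL's code: it assumes the app produces standard RFC 6238 TOTP codes (HMAC-SHA1, 30-second step), as Google Authenticator does, and a server that accepts one step either side of its own clock. The secret, the window size and the helper `clock_offset_steps` are assumptions for illustration.

```python
import base64
import hashlib
import hmac
import struct

STEP = 30    # seconds per code (RFC 6238 default; assumed here)
DIGITS = 6   # the page describes six-digit verification codes

def hotp(key: bytes, counter: int) -> str:
    """RFC 4226 one-time code for a given counter value."""
    digest = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F  # dynamic truncation
    value = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** DIGITS).zfill(DIGITS)

def totp(secret_b32: str, unix_time: float) -> str:
    """RFC 6238: the counter is the number of 30-second steps since the epoch."""
    key = base64.b32decode(secret_b32, casefold=True)
    return hotp(key, int(unix_time) // STEP)

def clock_offset_steps(secret_b32, code, server_time, search=120):
    """Steps the code is ahead (+) or behind (-) the server clock, or None."""
    key = base64.b32decode(secret_b32, casefold=True)
    now = int(server_time) // STEP
    for distance in range(search + 1):
        for step in (now + distance, now - distance):
            if step >= 0 and hmac.compare_digest(hotp(key, step), code):
                return step - now
    return None

def verify(secret_b32: str, code: str, server_time: float, window: int = 1) -> bool:
    """Server-side check: accept the current step and `window` steps either side."""
    return clock_offset_steps(secret_b32, code, server_time, window) is not None

# Constructed sample: the published RFC 6238 test secret, not a real account secret.
SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"

if __name__ == "__main__":
    server_now = 59
    for phone_now in (59, 89, 119):  # phone clock correct, 30 s fast, 60 s fast
        code = totp(SECRET, phone_now)
        print(phone_now, code, verify(SECRET, code, server_now),
              clock_offset_steps(SECRET, code, server_now))
```

A phone whose clock is one step off still passes; at two steps the code is rejected even though it is a genuine code for that secret.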

Sign-in using MFA


  1. Navigate to the BGL login page. Input your username and password and select Sign In.



  2. You will be asked to input a security code found in the authenticator app or received via SMS text. 



  3. Input the six-digit verification code and select Submit.

Disable MFA


  1. Sign into Simple Fund 360 and turn off MFA by navigating to the Profile Management screen.



  2. Select Disable for the active authentication method that was set up.


      
  3. If you disable MFA but then decide to re-enable, you will need to set it up again.

My phone was lost or stolen. How do I disable MFA?


If your phone was lost or stolen, we strongly recommend that you change your BGL 360 password. This will help prevent others from accessing your BGL Account from your phone.

  1. From the BGL 360 login page, input your username and password and select Sign In.

  2. From the Enter Security Code page, select Lost my device or click here to access the Disable my MFA page. 



  3. Input your email address, mobile phone number, and the on-screen captcha code. Select DISABLE MY MFA. 



  4. You will receive an email. Select the link contained within the email. This will direct you to a confirmation page displaying a message on the login page. 

  5. You can now log in to Simple Fund 360 without MFA.