Multi-Factor Authentication (MFA)

Morningstar has upgraded its security protocols to include compulsory Multi-Factor Authentication (MFA) to improve data protection and create a more secure digital environment for our users.

With the increasing sophistication and incidence of cyber threats, MFA adds an extra layer of security by requiring you to provide two or more verification factors to access your accounts.

This significantly reduces the risk of unauthorised access, safeguarding sensitive information against potential breaches.

The additional integration of single sign-on (SSO) across Morningstar’s suite of products allows you to access your multiple Morningstar applications with a single set of credentials.

These upgrades demonstrate Morningstar’s commitment to providing robust security measures while ensuring user convenience and efficiency.

You may also choose to use an authenticator app instead, in this case, please select I'd rather use an authenticator app.

You can choose to enroll by using a Mobile Phone or an Authentication App. Please follow the below instructions based on your preference:

• Mobile Phone Setup Instructions Recommended

• Authenticator Setup Instructions Recommended if travelling overseas

Select the country from the country code drop-down, omitting the initial zero when entering your mobile number.

An SMS message will be sent to your registered mobile device with a one-time code. Enter the code and select Continue to confirm your identity.

When entering the code sent to your mobile device, selecting Remember this browser, will prevent the system from prompting you for the MFA code for 60 days. Please note this step is optional.

It is not possible to disable Multi-Factor Authentication. Selecting "Remember this browser" is the only way to bypass the system, and only for the device you are on at the time of selecting the option. Logging in on another device will recommence the MFA prompts.

Once the mobile phone enrollment is complete, you will be provided with a single-use recovery code for future logins, in case there is an issue with SMS delivery.

Please save this code in a place where you can access it without your registered device, for example: taking a screenshot and emailing it to yourself. Recovery code cannot be retrieved again if it is not saved.

You will be unable to proceed until you have selected the I saved this code for future use tickbox, as the Continue button will be greyed out.

This code will allow you to sign in once, in case you lose your phone, and support is unavailable. Once the code has been used a new one will be generated, however, the original code will expire.

The enrolment stage is now complete. You can now sign in to Morningstar Investor.

MFA registration is a single-time event unless the mobile phone number associated with your account changes. If you need the MFA reset for any reason please contact Morningstar Investor Support. Only the Account Owner has the authority to request an MFA reset.

For this option, you will first need to download a Google or Microsoft Authenticator app from your phone's app marketplace.

Authentication Apps

• Android Google Microsoft

• iPhone Google Microsoft

Select I'd rather use an authenticator app from the Morningstar Investor MFA setup page after logging in with your username and password.

You will navigate to a page with a QR code to be scanned by your chosen Authentication app.

From the Authentication app on your phone select the Add / + / Scan QR code button and proceed to scan the code

A connection will be established, and the authenticator will generate a new code every minute. You may name your connection, or it will be named automatically.

Enter the code into the Code field on the Morningstar Investor page, then select Continue.

When entering the code from your authenticator app, selecting "Remember this browser", will prevent the system from prompting you for the MFA code for 30 days.

If you click on any article link from your email inbox, then website will not ask for MFA if you have selected "Remember this browser".

Note

Only Google or Microsoft Authentication apps can be used with your Morningstar Investor MFA Login.

The authenticator generates a new code every minute, you will have to enter the newest generated code before the timeout, otherwise, you will receive an error.

If you decide you would prefer to instead register with a mobile, please select I'd rather use an SMS.

Recovery Code—Authenticator

Once the Authenticator enrollment is complete, you will be provided with a single-use recovery code for future logins, in case there is an issue with SMS delivery.

Please save this code in a place where you can access it without your registered device, for example—taking a screenshot and emailing it to yourself.

You will be unable to proceed until you have selected the I saved this code for future use tickbox as the Continue button will be greyed out.

The enrolment stage is now complete. You can now sign in to Morningstar Investor with your authentication App.

MFA registration is a single-time event unless the mobile phone number associated with your account changes or you wish to change the MFA Type to SMS.

Please contact Morningstar Investor Support to change this MFA type to Mobile Phone or if you have any issues not covered by the troubleshooting instructions.

Lost/Damaged Phone

If you lose or damage the phone associated with your Morningstar Investor account, you can use the Recovery Code saved when enrolling in Multi-Factor Authentication.

It is also recommended that you reset your MFA as soon as you can by contacting Morningstar Investor Support:

Recovery Code Malfunction

Occasionally, the Recovery Code from your registration will expire or malfunction. If this occurs you will need to reset the MFA by contacting Morningstar Investor Support:

Verification Code via Authenticator App Invalid

• If the code you enter from your authentication app is invalid, please make sure that the timeout has not expired when you are entering the code. These apps typically have a 1-minute timer before the code changes again.

• If the verification code from your Authenticator app becomes invalid despite entering the code within the time window, it may be due to synchronization issues between the app and the server. To resolve this, reset the MFA and opt for mobile number verification

Travelling Overseas and Need Codes to Log in to Morningstar Investor

If you are travelling overseas and need to receive codes to log in to Morningstar Investor, please consider the following best practices.

• Remember This Browser: When logging in, tick the checkbox that says Remember this browser on the device that will be travelling with you. This will eliminate the need to complete MFA for 60 Days.

• Use the Authenticator App: Opt to use an Authenticator app for verification codes, which can work without needing a mobile network connection.

• Keep a Recovery Code: Ensure you have a recovery code saved securely. This code can be used to log in if you cannot receive verification codes.

Oops something went wrong error

You will see this error if your computer has cached a previous login or instance of Morningstar Investor on your computer. Please follow the Cache Clearing Instructions to resolve this.

Selected 'Remember This Browser' but still being prompted for MFA

• Remember this browser is only valid for 60 days on the browser that you have selected this option, changing devices or browsers will trigger the MFA prompt.

• Clearing the Cache will also remove the selection and you will need to reselect this option when entering the MFA details.