Hi, I agree with your effort and shall do the same. Can you make it easy for us all with some text we can copy/paste?
As for MYOB, they have done a very poor implementation of this requirement. There are logins that shouldn't have access to payroll etc. These logins should NOT be locked out after inactivity.
Hi perkyone, here you go. I got ChatGPT to turn my email into a template, so it's taken out most of the personal remarks. Change anything you want or don't agree with. Everything said is only from my perspective. The 24-hour MFA hasn't really affected me, but I can see that it has affected others.
Cheers
***
Subject: Inquiry: ATO Guidance on DSP Security Requirements
INTRO
I hope this message finds you well.
I’m reaching out regarding recent guidance from the ATO on security requirements for Digital Service Providers (DSPs)—Xero, MYOB, Sage, and similar platforms.
While I prefer not to include a direct link here for security reasons, a quick search of the topic should lead to the relevant ATO page.
DSP SECURITY REQUIREMENTS
The ATO’s new security measures represent significant progress, and most of the updates make perfect sense.
For example, while multi-factor authentication (MFA) after a 24-hour period adds a small inconvenience, the additional security it provides justifies the extra time required each day.
That said, it’s worth noting that this feature has caused issues for some users, as highlighted on online community forums.
However, one particular requirement is proving especially challenging for many professionals. Under the "Further Guidance on Requirements" section, there’s a stipulation that:
- Inactive session time-out occurs after a maximum of 30 minutes (15 minutes is preferred). This is a screen lock process where full MFA is not required to unlock.
ISSUE
For small business owners working with a single business file, this isn’t likely to pose much of an issue.
However, for those managing multiple sites and/or files—such as accountants, bookkeepers, or finance professionals—it can cause significant disruptions.
At the end of the month, for instance, it’s common to have multiple windows open for a single file to cross-reference reports while processing end-of-month journals.
When these windows lock after 15 minutes of inactivity, it can be extremely frustrating and disrupt workflow, especially when trying to stay focused and productive.
While the importance of safeguarding sensitive information is fully understood, it’s worth exploring potential exceptions or alternative measures, such as:
- Exemptions for accountants (both in practice and in-house), bookkeepers, and registered payroll officers.
- An allowance for a single dedicated IP address to bypass this specific requirement (e.g., for a secure desktop computer in an office).
CLOSE
This may not be the most pressing issue globally, but addressing it could make a significant difference for professionals in this space.
The challenges are evident in discussions across various software community forums, where users have shared their experiences and frustrations.
Thank you for your time and consideration.
Kind regards,
[Your Name]
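The two controls the template refers to (a full MFA challenge once every 24 hours, and an inactive-session screen lock after 15 minutes that is cleared with a password alone) can be confusing because they are two separate timers with different unlock paths. The following is an added example, not code from MYOB, Xero, Sage or the ATO, showing how a session model can keep the two apart. The 15-minute and 24-hour values are taken from the post above; the PBKDF2 password check, the injected clock and the function names are assumptions made for this example.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass
from enum import Enum

IDLE_LIMIT = 15 * 60         # preferred inactivity value quoted in the email: 15 minutes
MFA_INTERVAL = 24 * 60 * 60  # full MFA once per 24 hours


class State(Enum):
    ACTIVE = "active"
    LOCKED = "locked"     # idle screen lock: cleared with the password only, no MFA
    EXPIRED = "expired"   # MFA interval elapsed: password *and* MFA required


def hash_password(password: str, salt: bytes) -> bytes:
    # PBKDF2 stand-in for whatever a real product uses (assumption for this example)
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


@dataclass
class Session:
    user: str
    salt: bytes
    password_hash: bytes
    mfa_verified_at: float   # injected clock value (seconds) of the last full MFA
    last_activity: float
    state: State = State.ACTIVE


def start_session(user: str, password: str, mfa_ok: bool, now: float) -> Session:
    """Login always requires MFA; 'now' is an injected clock so nothing has to sleep."""
    if not mfa_ok:
        raise PermissionError("MFA required at login")
    salt = os.urandom(16)
    return Session(user, salt, hash_password(password, salt), now, now)


def evaluate(session: Session, now: float) -> State:
    """Apply both timers. Expiry takes precedence over the screen lock, and a
    locked session stays locked until someone unlocks it."""
    if now - session.mfa_verified_at >= MFA_INTERVAL:
        session.state = State.EXPIRED
    elif session.state == State.ACTIVE and now - session.last_activity >= IDLE_LIMIT:
        session.state = State.LOCKED
    return session.state


def touch(session: Session, now: float) -> bool:
    """Record user activity from any window of this session. Returns False when the
    session is locked or expired so the caller knows to prompt the user."""
    if evaluate(session, now) != State.ACTIVE:
        return False
    session.last_activity = now
    return True


def _password_ok(session: Session, password: str) -> bool:
    return hmac.compare_digest(hash_password(password, session.salt), session.password_hash)


def unlock(session: Session, password: str, now: float) -> bool:
    """Clear the idle screen lock with the password alone; MFA is not re-requested."""
    if evaluate(session, now) != State.LOCKED or not _password_ok(session, password):
        return False
    session.state = State.ACTIVE
    session.last_activity = now
    return True


def reauthenticate(session: Session, password: str, mfa_ok: bool, now: float) -> bool:
    """An expired session needs password and MFA; success restarts the 24-hour clock."""
    if evaluate(session, now) != State.EXPIRED or not mfa_ok or not _password_ok(session, password):
        return False
    session.state = State.ACTIVE
    session.mfa_verified_at = now
    session.last_activity = now
    return True


if __name__ == "__main__":
    s = start_session("bookkeeper", "correct horse", mfa_ok=True, now=0.0)
    touch(s, 600)                                   # activity at 10 minutes keeps it active
    print(evaluate(s, 1500))                        # locked: 15 idle minutes since 600
    print(unlock(s, "correct horse", 1500))         # True, password only
    print(evaluate(s, 25 * 3600))                   # expired: 24 h since MFA at login
    print(unlock(s, "correct horse", 25 * 3600))    # False, lock path is not enough now
    print(reauthenticate(s, "correct horse", True, 25 * 3600))  # True
```

Because `touch` is scoped to the session rather than to a single window, activity in any of several open windows for the same file resets the idle timer for all of them, which addresses the multi-window frustration described in the email without weakening either control. A product that keeps a separate idle timer per browser tab would lock tabs the user is still cross-referencing, which is the behaviour the forum complaints describe.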