Enhanced security measures are live - 27/11/24 (Update 19/12/24)

MikeG1
Admin
4 months ago

Hi everyone,

Update 19/12/24 - Are you still there?

Hello Community members and followers of this security updates thread! It's been a few days since we last spoke.

There is a great update coming through already for the inactivity timeout changes in the browser, and it's releasing today, 19/12/24.

Users in the browser will now be provided with a warning message 5 minutes prior to the inactivity timeout.
This will show at the top of the window with "Are you still there?" and provides a clickable option to confirm "I'm still here".

 

Update 05/12/24: Session Inactivity Lock for AccountRight Desktop App
 
We've consulted with the ATO and have been able to agree that AccountRight Desktop can be excluded from the 30 minute inactivity lock requirement. We can confirm this feature has now been removed from the desktop app.

While the inactivity lock is no longer in place on the AccountRight desktop app, we strongly encourage everyone to implement sensible security measures on your individual devices. This includes setting up automatic timeouts and using password-protected logins for added protection. 

The 30-minute inactivity lock will remain in place for MYOB Business and MYOB AccountRight in the browser, in line with ATO requirements.

 

Previous update to this post (27/11/24)
The changes for inactivity went live today on the 27th November. 
Specifically for AccountRight, many customers encountered unexpected crashing/freezing of the software after entering their password to sign in again. Work in progress would also be lost due to the crash.

I want to assure everyone that this is not the expected behaviour associated with the inactivity timeout. You can expect the screen to blur and a message to pop up. Click Sign in again as [user], enter your password, and you will be back to continue where you were (no loss of work in progress).

As a result of the crashing, we have temporarily disabled the inactivity timeout for AccountRight. You will need to close and re-open AccountRight for this change to take effect.

Thank you for the feedback, examples and information provided on these issues today. We are continuing to investigate before it is enabled again.


I’m updating this post (2:30pm AU 21/11/24), as there have been a lot of comments and engagement on the change.
With over 100 comments on the post, we are starting to see the same questions being asked and answers being missed, so I hope to summarise the change and key questions/feedback here.

The change/s and timeline

  • September 30th: MYOB implemented 2FA being required at least once every 24 hours
    • Some initial feedback came through that the 2FA prompt caused customers to lose work in progress
    • MYOB has implemented a fix based on feedback, and 2FA is now prompted on the first login each day to avoid loss of work
  • November 27th: you'll be asked to sign back in after 20-30 minutes of inactivity (announced November 19th)
    • This announcement on inactivity is driving a significant amount of feedback and discussion that I will summarise below

What’s changing:

From Wednesday 27 November 2024, you’ll be asked to sign back in after 20–30 minutes of inactivity. After this time, your screen will become locked and blurred. To continue working, you'll need to sign back in with your username and password. This applies to the following MYOB software: MYOB Business, MYOB AccountRight and AccountRight browser (online files only), MYOB Connected Ledger, MYOB Business Payroll Only and MYOB Practice. 


Browser:


Desktop:

 

What do you need to do?

When you’re presented with the "Are you still there?" message, we recommend that you click Sign in using [existing email] to return to work in progress.
Note: 2FA is not required as part of signing in again, and your email will automatically be pre-filled.

Will I lose my work when the screen is greyed out?


If you sign back into your account using your existing email, you won’t lose any work in progress and can continue where you left off. However, if you choose to sign in to a different account, your work will not be saved. 

If you click Back or Reload, or if you don’t sign back in after 12 hours, you'll also lose work in progress.

How does the inactivity screen work between Browser and Desktop?


When you are logged into both the Browser and Desktop at the same time, each session will operate independently. This means that if you are inactive in the Desktop version, you can remain active in the Browser version. The inactivity timeouts for these sessions are separate from one another.   

When signing back in after inactivity, do I have to enter my email, password and do 2FA?


No, your email will be automatically pre-filled when signing back in using your existing email to both the desktop and browser software. Users will be required to enter their password only. 2FA is still a 24-hour requirement and not required for signing back in after an inactivity timeout.
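
The session behaviour described in the answers above, modelled as a small state function (an added example, not MYOB's code). The timings come from this post; the function and field names, the use of 30 minutes from the 20 to 30 minute range, and counting the 12 hours from the moment the lock appears are assumptions.

```javascript
const MIN = 60 * 1000;
const HOUR = 60 * MIN;

// Timings are taken from the post; the structure and names are hypothetical.
const POLICY = {
  browser: { lockAfter: 30 * MIN, warnBefore: 5 * MIN, resumeWindow: 12 * HOUR },
  desktop: { lockAfter: null }, // AccountRight desktop: lock removed (update 05/12/24)
  twoFactorMaxAge: 24 * HOUR,   // 2FA at least once every 24 hours
};

// Factors for a fresh sign-in: 2FA only when the last one is 24 hours old or more.
function freshLoginFactors(last2faAt, now) {
  return now - last2faAt >= POLICY.twoFactorMaxAge ? ['password', '2fa'] : ['password'];
}

// Evaluate one session. Browser and desktop sessions are evaluated separately
// because each keeps its own inactivity clock.
function evaluateSession(session, now) {
  const p = POLICY[session.client];
  const idle = now - session.lastActivityAt;
  if (p.lockAfter === null || idle < p.lockAfter - p.warnBefore) {
    return { state: 'active', factors: [], workKept: true };
  }
  if (idle < p.lockAfter) {
    // "Are you still there?" banner; confirming resets the clock (see touch()).
    return { state: 'warning', factors: [], workKept: true };
  }
  if (idle < p.lockAfter + p.resumeWindow) {
    // Locked and blurred: the same user re-enters the password only, no 2FA.
    return { state: 'locked', factors: ['password'], workKept: true };
  }
  // Not resumed within 12 hours: work in progress is gone, fresh sign-in needed.
  return { state: 'expired', factors: freshLoginFactors(session.last2faAt, now), workKept: false };
}

// "I'm still here" (or any user activity) resets the inactivity clock.
function touch(session, now) {
  return { ...session, lastActivityAt: now };
}
```
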

Can I opt out of the new inactivity or 24-hour 2FA security measures?


No. As these are mandatory compliance changes in line with industry best practice, they cannot be disabled.

Why am I being asked to login or do 2FA multiple times a day?


Based on scenarios described in the forum and a known issue that MYOB is currently working to resolve, this could be for one of the following reasons.

  • Closing AccountRight using the ‘x’ is currently causing 2FA to be prompted when re-opening the software, even if it is less than 24 hours. This was recently discovered as a bug/regression with the last AccountRight 2024.10 release and the team are releasing a fix for this asap. This has been resolved.
  • Opening multiple instances of AccountRight. This seems to be something multiple customers are doing when they have multiple files they work on. Instead of switching between files (no login would be required), they open them all concurrently, and each instance of AccountRight that is opened will require a login.

Is this an MYOB decision or required by the ATO? And subsequently, why do New Zealand customers need to adhere to ATO requirements?

  • Yes, both the 24 hour 2FA and the inactivity timeout changes are mandated requirements from the ATO. This requirement seeks to minimise the opportunity for unauthorised users to access Taxation, Accounting, Payroll, Business Registry or Superannuation related information. Read more on the ATO website here if interested
  • New Zealand customers, although not bound by the same requirements set by the ATO, will share the same security measures as our Australian customers so that MYOB is providing best practice security to all customers.

 

MYOB has also published help articles that explain the changes and can be found below

  • For Australian customers here
  • For New Zealand customers here

 

 

Updated 5 days ago
Version 10.0