Blog Post

MYOB Announcements

Enhanced security measures are live - 27/11/24 (Update 19/12/24)

MikeG1
Admin
5 months ago

Hi everyone,

Update 19/12/24 - Are you still there?

Hello Community members and followers of this security updates thread! It's been a few days since we last spoke.

There is a great update already coming through for the inactivity timeout changes in the browser, and it's releasing today, 19/12/24.

Users in the browser will now be provided with a warning message 5 minutes prior to the inactivity timeout.
This will show at the top of the window with "Are you still there?" and provides a clickable option to confirm "I'm still here" - example image below


Update 05/12/24: Session Inactivity Lock for AccountRight Desktop App
We've consulted with the ATO and have been able to agree that AccountRight Desktop can be excluded from the 30 minute inactivity lock requirement. We can confirm this feature has now been removed from the desktop app.

While the inactivity lock is no longer in place on the AccountRight desktop app, we strongly encourage everyone to implement sensible security measures on your individual devices. This includes setting up automatic timeouts and using password-protected logins for added protection. 

The 30-minute inactivity lock will remain in place for MYOB Business and MYOB AccountRight in the browser, in line with ATO requirements.


Previous update to this post (27/11/24)
The changes for inactivity went live today on the 27th November. 
Specifically for AccountRight, many customers encountered unexpected crashing/freezing of the software after entering their password to sign in again. Work in progress would also be lost due to the crash.

I want to assure everyone that this is not the expected behaviour associated with the inactivity timeout. You can expect the screen to blur and a message to pop up. Click "Sign in again as [user]", enter your password and you will be back to continue where you were (no loss of work in progress).

As a result of the crashing, we have temporarily disabled the inactivity timeout for AccountRight; you will need to close and re-open AccountRight for this change to take effect.

Thank you for the feedback, examples and information provided on these issues today. We are continuing to investigate before it is enabled again.


I’m updating this post (2:30pm AU 21/11/24), as there have been a lot of comments and engagement in the change.
With over 100 comments on the post, we are starting to get the same questions being asked, and answers being missed so I hope to summarise the change and key questions/feedback here.

The change/s and timeline

  • September 30th > MYOB implemented 2FA being required at least once every 24 hours
    • Some initial feedback came through that the 2FA prompt caused customers to lose work in progress
    • MYOB has implemented a fix based on feedback and 2FA is prompted on the first login each day to avoid loss of work
  • November 27th > you'll be asked to sign back in after 20-30 minutes of inactivity (announced November 19th)
    • This announcement on inactivity is driving a significant amount of feedback and discussion that I will summarise below

What’s changing:

From Wednesday 27 November 2024, you’ll be asked to sign back in after 20–30 minutes of inactivity. After this time, your screen will become locked and blurred. To continue working, you'll need to sign back in with your username and password. This applies to the following MYOB software: MYOB Business, MYOB AccountRight and AccountRight browser (online files only), MYOB Connected Ledger, MYOB Business Payroll Only and MYOB Practice. 


Browser:


Desktop:


What do you need to do?

When you’re presented with the Are you still there? message we recommend that you click Sign in using [existing email] to return to work in progress.
Note* 2FA is not required as part of signing in again and your email will automatically be pre-filled

Will I lose my work when the screen is greyed out?


If you sign back into your account using your existing email, you won’t lose any work in progress and can continue where you left off. However, if you choose to sign in to a different account, your work will not be saved. 

If you click Back or Reload, or if you don’t sign back in after 12 hours, you'll also lose work in progress.

How does the inactivity screen work between Browser and Desktop?


When you are logged into both the Browser and Desktop at the same time, each session will operate independently. This means that if you are inactive in the Desktop version, you can remain active in the Browser version. The inactivity timeouts for these sessions are separate from one another.   

When signing back in after inactivity, do I have to enter my email, password and do 2FA?


No, your email will be automatically pre-filled when signing back in using your existing email to both the desktop and browser software. Users will be required to enter their password only. 2FA is still a 24-hour requirement and not required for signing back in after an inactivity timeout.

Can I opt out of the new inactivity or 24-hour 2FA security measures?


No, as these are mandatory compliance changes in line with industry best practice, they cannot be disabled.

Why am I being asked to login or do 2FA multiple times a day?


Based on scenarios described in the forum and a known issue that MYOB is currently working to resolve, this could be for one of the following reasons.

  • Closing AccountRight using the ‘x’ is currently causing 2FA to be prompted when re-opening the software even if it is less than 24 hours. This was recently discovered as a bug/regression with the last AccountRight 2024.10 release and the team are releasing a fix to this asap. This has been resolved*
  • Opening multiple instances of AccountRight. This seems to be something multiple customers are doing when they have multiple files they work on. Instead of switching between files (no login would be required), they are all opened concurrently, and each instance of AccountRight that is opened will require a login.

Is this an MYOB decision or required by the ATO? And subsequently, why do New Zealand customers need to adhere to ATO requirements?

  • Yes, both the 24 hour 2FA and the inactivity timeout changes are mandated requirements from the ATO. This requirement seeks to minimise the opportunity for unauthorised users to access Taxation, Accounting, Payroll, Business Registry or Superannuation related information. Read more on the ATO website here if interested
  • New Zealand customers, although not bound by the same requirements set by the ATO, will share the same security measures as our Australian customers so that MYOB is providing best practice security to all customers.
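The inactivity lock, the "Are you still there?" warning and the 24-hour 2FA window described in this post, modelled together as one session policy. This is an added example, not MYOB's code: the thresholds are the ones quoted above, and measuring the 12-hour discard from the moment the lock engages is an assumption the post does not state.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Thresholds quoted in the announcement. The 12-hour discard is counted here
# from the moment the lock engages (assumption; the post does not say).
LOCK_AFTER = timedelta(minutes=30)
WARN_BEFORE = timedelta(minutes=5)
TWO_FA_VALID = timedelta(hours=24)
DISCARD_AFTER = timedelta(hours=12)


@dataclass
class Session:
    email: str                 # account the session was opened with
    last_activity: datetime    # last keyboard/mouse activity seen
    last_2fa: datetime         # last successful 2FA challenge

    def state(self, now: datetime) -> str:
        idle = now - self.last_activity
        if idle >= LOCK_AFTER + DISCARD_AFTER:
            return "expired"     # lock never cleared; work in progress discarded
        if idle >= LOCK_AFTER:
            return "locked"      # screen blurred, password required to continue
        if idle >= LOCK_AFTER - WARN_BEFORE:
            return "warning"     # "Are you still there?" banner is showing
        return "active"

    def touch(self, now: datetime) -> bool:
        """Record activity (e.g. clicking "I'm still here"); a locked session cannot be kept alive this way."""
        if self.state(now) in ("active", "warning"):
            self.last_activity = now
            return True
        return False

    def sign_back_in(self, now: datetime, email: str) -> dict:
        """Decide what unlocking needs (assuming the password checks out) and whether work survives."""
        if email != self.email:
            # Different account: a fresh sign-in whose 2FA history is not this session's.
            return {"needs_2fa": None, "work_kept": False}
        work_kept = self.state(now) != "expired"
        # 2FA is a rolling 24-hour requirement, independent of the inactivity lock.
        needs_2fa = (now - self.last_2fa) >= TWO_FA_VALID
        if work_kept:
            self.last_activity = now
        return {"needs_2fa": needs_2fa, "work_kept": work_kept}
```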


MYOB has also published help articles that explain the changes and can be found below

  • For Australian customers here
  • For New Zealand customers here

  • The MYOB Login has always been bad, but now it's even worse.

    As others mentioned, it should be up to the users to decide the level of security when logging in.

    This is the only program where we have to manually type in the login details every day on the same exact computers, costing the business a minimum of 3-5 minutes a day, which is 20-25 minutes per week, of unpaid labour. Login should be automatic, just like with most other programs. 

    Even for online banking it's far easier and quicker to login daily. 

    • MikeG1
      Admin

      Hi IntertradePete, if you're experiencing any slowness with authenticating, I expect this might be due to having email set up.
      Authenticator app is the fastest method, where codes refresh every 30 seconds; SMS would be the next best thing, and then email can certainly experience slowness.
      We find certain email providers can take longer than others and there's always the chance the email goes to junk etc.

      MickyH75, in Australia, the 24-hour authentication is being requested by the ATO and if they have not already, then Xero will also be doing this along with all others.
      Price wise, MYOB can provide you more for less at nearly every level of software. It's always a good idea to see what's available, but I'm sure you'll find you have a good thing with MYOB.

      • 🤣😡SMS is great when you are in AUSTRALIA, but not great when you are working remotely around the world on your business. Emails are often slow to receive too. This is a huge inconvenience and time waster, when small businesses are already doing things so tough right now!

    • MickyH75
      Experienced User

      With the price increases last year and now this my boss's query the other day about switching to Xero has me thinking I might have to set some time aside to investigate.

      • H-TS
        Trusted User

        Xero does have several nice features that aren't available in MYOB and we review it regularly. I would recommend testing thoroughly for everything you need to do in every file you have. Last time I checked there were still a few features we use every day in MYOB that aren't available in Xero (eg recurring sales templates that can be used for any customer). As enticing as Xero is, and as frustrating as MYOB is, it's still the one for us, for now. 

  • H-TS
    Trusted User

    I set up a secondary backup 2fa option as recommended but now that one seems to have become the default. How do I change back to having the other option as default, or will the default always be the last method used. The only options are enable or remove. I don't want to have to select to 'try a different method' every day. Any chance you'll bring back the 'remember my email address' option at least now that we have to do this extra step every time? It's hard to imagine how prefilling an email address is a security risk. 
    I had to do 2fa to get into the file this morning, then again to enter myaccount to try and change the default, and now again, to try again to set up the authenticator option that wouldn't work yesterday. It's really overkill.

  • Good morning MickyH75,

    MYOB is doing what we can to provide security improvements that prevent unauthorised access to our customers' software.
    We are also ensuring that we are meeting all of the ATO's compliance requirements and continue to apply best practice security processes to all of our software.

    We are making this change easier for our customers by introducing the ability to have multiple methods of 2FA, and I recommend that you head to myaccount.myob.com to set up a secondary 2FA method as soon as possible.

    2FA has always existed with our software and we don't provide the ability for customers to choose how this operates so that all of our customers are secure and meeting regulatory compliance standards.

    The short version of this change is that previously, you had the option to 'trust this device' for 30 days, but from the 30th, this will no longer be available and 2FA will be required at least once every 24 hours.  

    • perkyone
      Experienced Cover User

      Why are you avoiding the multiple questions asking that the last-used email address be remembered on the desktop version?

      This changed about a year ago and drives us mad having to type in the email address each time.

      We use MYOB as a point of sale on 6 different computers. Now we will be having to waste several minutes multiple times a day with customers standing in front of us. You can be assured that we will let our customers know that MYOB is to blame for the slow service.

      • MikeG1
        Admin

        Good morning perkyone, I have good news. Specifically for the inactivity timeout, the email for the user will be prefilled when signing back in.
        Apologies that I previously said this was only for browser; it is for desktop only.
        Your team will only need to enter their password.

    • Can you link the "regulatory compliance standards" that require 2FA and "the ATO's compliance requirements"?

      I suspect this is just waffle from MYOB to stop people looking further.

      I certainly do not have any compunction to comply with the Australian Tax Office compliance in NZ and I find it hard to believe that they have legislated a requirement for MYOB to make sign on so laborious.


      • MikeG1
        Admin

        Hi CatFH,
        Here is the guideline from the ATO for all DSPs (Digital Service Providers).

        I definitely understand that as an NZ customer, it may be frustrating to be held to an Australian regulation, but we see security as essential for all of our customers, regardless of the country you are in.

    • MickyH75
      Experienced User

      Hi MikeG1, I could understand if this was rolled out just for the browser version, but to make it for the desktop version as well seems over the top. We use SAP B1 for one of the companies in the group and it doesn't even use 2FA.

      • MikeG1
        Admin

        Hi MickyH75, there are a couple of extra points I can clarify here.
        Thanks for your questions, I will update our main post about this change as well.

        2 key messages/updates:

        • 2FA is prompted on login to your account, and not for each file.
          So changing between your 21 files after you have signed in will not prompt for any further 2FA verification.
        • This is only for online files.
          The comms does mention AccountRight Desktop, but we neglected to be specific that this is only for online files; if you are using a local, offline, desktop file in AccountRight you may not be prompted for 2FA.
  • MickyH75
    Experienced User

    It should be up to an organisation to set its own policies on security, not you as the software provider. Please change it so that I as the company administrator can choose what level I want for my companies (we have 21 separate files).

    • Thank You Micky... I couldn't have said this better.... The 2FA & 30min Time Outs, assume that users only complete one Role.... as Office Manager for a small business I'm forever up & down from my computer & the last thing I need is to constantly have to re-enter into MYOB.... This is over kill & security that not all users requested when we signed up:(

    • Exactly

      My workflow is different to other businesses and as of today I have had to re-sign in three times - within the space of a little over two hours.


      I hate this - it is a massive intrusion and disruption to my workflow - that it is mandated by ATO is a further uninvited, unmandated and unwanted intrusion into the rights of business owners to conduct their businesses within the current legal framework.  There was no consultation on this.


      This has made my life much more finicky and provided no further level of security in my one-person office - it's frankly ridiculous.

    • dogtraproad102
      Contributing User

      Completely agree. Apparently as from 27th November 2024 users will be AUTOMATICALLY signed out of their account after 20-30 minutes of inactivity.

      I am a work at home consultant, so nobody else has access to my computer. There are no other "Team Members" to access my computer.

      Why should I have to re-log back in if it takes me longer than 20 minutes to walk to the kitchen to make my lunch?