Hi everyone, I’m updating this post (2:30pm AU 21/11/24), as there have been a lot of comments and engagement in the change. With over 100 comments on the post, we are starting to get the same q...
Updated 4 days ago
Version 4.0
Blog Post
Good morning MickyH75 ,
MYOB is doing what we can to provide security improvements that prevent unauthorised access to our customers software.
We are also ensuring that we are meeting all of the ATO's compliance requirements and continue to apply best practice security process to all of our software.
We are making this change easier for our customers by introducing the ability to have multiple methods of 2FA, and I recommend that you head to myaccount.myob.com to set up a secondary 2FA method as soon as possible.
2FA has always existed with our software and we don't provide the ability for customers to choose how this operates so that all of our customers are secure and meeting regulatory compliance standards.
The short version of this change is that previously, you had the option to 'trust this device' for 30 days, but from the 30th, this will no longer be available and 2FA will be required at least once every 24 hours.
Can you link the "regulatory compliance standards" that require 2FA and the "the ATO's compliance requirements".
I suspect this is just waffle from MYOB to stop people looking further.
I certainly do not have any compunction to comply with the Australian Tax Office compliance in NZ and I find it hard to believe that they have legislated a requirement for MYOB to make sign on so laborious.
Hi CatFH
Here is the guideline from the ATO for all DSPs (Digital Service Providers)I definitely understand that as an NZ customer, it may be frustrating to be held to an Australian regulation, but we see security as essential for all of our customers, regardless of the country you are in.
I would argue that this part of the requirements is more applicable to MYOB
For those that wish to read the whole list of requirements I found them here:
https://softwaredevelopers.ato.gov.au/RequirementsforDSPs
Understand you see security as essential for your customers, so it is great that you offer it for those that wish to go to that level.
Unfortunately - it should in no way be your place - or even the ATOs actually - to mandate for us what level of security / risk our businesses are willing to live with.
And there we have it, mandatory security for access to SPECIFIC information. So MYOB could easily create a regular user in the already existing security structure within MYOB that DOES NOT have access to the secure information, and that user will not be locked out every 30 mins and MYOB will still be compliant. There, I did your job for you and made all your customers happy again.
