MYOB Announcements
Enhanced security measures are live - Update 20/11 *Edit 21/11/24

MikeG1
Admin
3 months ago

Hi everyone,

I’m updating this post (2:30pm AU 21/11/24), as there have been a lot of comments and engagement on the change.
With over 100 comments on the post, we are starting to get the same questions being asked, and answers being missed, so I hope to summarise the change and key questions/feedback here.

The change/s and timeline

  • September 30th > MYOB implemented 2FA being required at least once every 24 hours
    • Some initial feedback came through that the 2FA prompt caused customers to lose work in progress
    • MYOB has implemented a fix based on feedback and 2FA is prompted on the first login each day to avoid loss of work
  • November 27th > MYOB will be implementing a sign-out based on 20-30 minutes of inactivity (announced November 19th)
    • This announcement on inactivity is driving a significant amount of feedback and discussion that I will summarise below

What’s changing:

From Wednesday 27 November 2024, users will be automatically signed out after 20-30 minutes of inactivity in MYOB products including: MYOB Business, MYOB AccountRight and AccountRight browser (online files only), MYOB Connected Ledger, MYOB Business Payroll Only and MYOB Practice.
After this time, the screen will become locked and blurred. To continue working, users will need to sign back in with their username and password. 

[Screenshots: Browser and Desktop]

What do you need to do?

When you’re presented with the "Are you still there?" message, we recommend that you click "Sign in using [existing email]" to return to work in progress.
Note: 2FA is not required as part of signing in again and your email will automatically be pre-filled.

Will I lose my work when I’m signed out?


If you sign back into your account using your existing email, you won’t lose any work in progress and can continue where you left off. However, if you choose to sign in to a different account, your work will not be saved. 

If you click Back or Reload, or if you don’t sign back in after 12 hours, you'll also lose work in progress.

How does the inactivity sign-out work between Browser and Desktop?


When you are logged into both the Browser and Desktop at the same time, each session will operate independently. This means that if you are inactive in the Desktop version, you can remain active in the Browser version. The inactivity timeouts for these sessions are separate from one another.   

When signing back in after inactivity, do I have to enter my email, password and do 2FA?


No, your email will be automatically pre-filled when signing back in using your existing email to both the desktop and browser software. Users will be required to enter their password only. 2FA is still a 24-hour requirement and not required for signing back in after an inactivity timeout.

Can I opt out of the new inactivity or 24-hour 2FA security measures?


No, as these are mandatory compliance changes in line with industry best practice, they cannot be disabled.

Why am I being asked to login or do 2FA multiple times a day?


Based on scenarios described in the forum + a known issue that MYOB is currently working to resolve, this could be for one of the following reasons.

  • Closing AccountRight using the ‘x’ is currently causing 2FA to be prompted when re-opening the software even if it is less than 24 hours. This was recently discovered as a bug/regression with the last AccountRight 2024.10 release and the team are releasing a fix to this asap.
  • Opening multiple instances of AccountRight. This seems to be something multiple customers are doing when they have multiple files they work on. Instead of switching between files (no login would be required), they are all opened concurrently and each instance of AccountRight that is opened will require a login.

Is this an MYOB decision or required by the ATO? And subsequently, why do New Zealand customers need to adhere to ATO requirements?

  • Yes, both the 24 hour 2FA and the inactivity timeout changes are mandated requirements from the ATO. This requirement seeks to minimise the opportunity for unauthorised users to access Taxation, Accounting, Payroll, Business Registry or Superannuation related information. Read more on the ATO website here if interested
  • New Zealand customers, although not bound by the same requirements set by the ATO, will share the same security measures as our Australian customers so that MYOB is providing best practice security to all customers.

 

MYOB has also published help articles that explain the changes and can be found below

  • For Australian customers here
  • For New Zealand customers here

 

 

Updated 15 hours ago
Version 4.0
  • Good morning MickyH75,

    MYOB is doing what we can to provide security improvements that prevent unauthorised access to our customers' software.
    We are also ensuring that we are meeting all of the ATO's compliance requirements and continue to apply best practice security process to all of our software.

    We are making this change easier for our customers by introducing the ability to have multiple methods of 2FA, and I recommend that you head to myaccount.myob.com to set up a secondary 2FA method as soon as possible.

    2FA has always existed with our software and we don't provide the ability for customers to choose how this operates so that all of our customers are secure and meeting regulatory compliance standards.

    The short version of this change is that previously, you had the option to 'trust this device' for 30 days, but from the 30th, this will no longer be available and 2FA will be required at least once every 24 hours.  

    • Can you link the "regulatory compliance standards" that require 2FA and "the ATO's compliance requirements"?

      I suspect this is just waffle from MYOB to stop people looking further.

      I certainly do not have any compunction to comply with the Australian Tax Office compliance in NZ and I find it hard to believe that they have legislated a requirement for MYOB to make sign on so laborious.

       

      • MikeG1
        Admin

        Hi CatFH 
        Here is the guideline from the ATO for all DSPs (Digital Service Providers)

        I definitely understand that as an NZ customer, it may be frustrating to be held to an Australian regulation, but we see security as essential for all of our customers, regardless of the country you are in.

    • MickyH75
      Experienced User

      Hi MikeG1  I could understand if this was rolled out just for the browser version but to make it for the desktop version as well seems over the top. We use SAP B1 for one of the companies in the group and it doesn't even use 2FA.

      • MikeG1
        Admin

        Hi MickyH75 , there are a couple of extra points I can clarify here.
        Thanks for your questions, I will update our main post about this change as well.

        2 key messages/updates:

        • 2FA is prompted on login to your account, and not for each file
          So changing between your 21 files after you have signed in, will not prompt for any further 2FA verification
        • This is only for online files
          The comms does mention AccountRight Desktop, but we neglected to be specific that this is only for online. If you are using a local, offline, desktop file in AccountRight you may not be prompted for 2FA
    • perkyone
      Experienced Cover User

      Why are you avoiding the multiple questions asking that the last used email address is remembered on the desktop version?

      This changed about a year ago and drives us mad having to type in the email address each time.

      We use MYOB as a point of sale on 6 different computers.  Now we will be having to waste several minutes multiple times a day with customers standing in front of us.  You can be assured that we will let our customers know that MYOB is to blame for the slow service.

      • MikeG1
        Admin

        Good morning perkyone, I have good news. Specifically for the inactivity timeout, the email for the user will be prefilled when signing back in.
        Apologies that I previously said this was only for browser, it is for desktop only.
        Your team will only need to enter their password.

  • H-TS
    Trusted User

    Can we remove a level of security from the pay super process now that this is in place? If I make a super payment first thing after logging in, it feels like an endless repeat of typing my email address and password interspersed with an authentication here and there, and then still have to wait for a text message code to be sent and entered...

    • MikeG1
      Admin

      Hi H-TS, I have had a quick chat with one of the business analysts in super to check on this for you. They said that it may be possible for the extra level to disappear in future. But because signing in to super is actually logging into a different system (but kept within our software) it's currently necessary.

  • We haven't been able to get into MYOB AccountRight on our network computer since today's updates to the server computer, network computer and file. Something is not quite right with the upgrade. Both the server and network PC were previously running fine and correctly updated, and the file is updated. Please can you help ASAP so we can keep working. Have added attachments/screenshots

     

    • MikeG1
      Admin

      Hi Carlav, you might need to contact your IT. This would happen when the versions of your software don't match between your business' server and the computer you're using.

      • I am the IT and the 2 versions are the same - see screenshots above from the 2 computers. Please advise next steps and MYOB support number. I can't seem to get a real person through chat, it just directs me to more help pages on how to use the product. Given we can't work, a phone number would probably be helpful. Thanks for your help

  • Looks like this might be an Australia ATO request, but NZ IRD have not pushed for it - so can you set it for NZ customers to have the option to opt in or out or set the time before inactivity log out kicks in?

    • AmandaCL
      MYOB Moderator

      Hey LAP-BP 

      This idea has been mentioned a few times on our Ideas Exchange however it's unlikely that we'll explore an opt-in, opt-out option as this is a mandatory change. Feel free to reach out if you have any more questions. 

       

  • As it stands I am having to 2FA every time I log in, regardless of whether it's 24hrs or not. For example, I shut down my PC around 11am as some electrical works were being carried out in the building. I restarted at around 1pm and had to 2FA again. I'm using the desktop app, not going in via Chrome/Firefox etc. 

    • Jo15
      Experienced Cover User

      Hi Gnickrapon

      This has happened to me several times today.  Also from 27/11/2024 this shutdown will occur if your MYOB is left unused for 20 to 30 minutes.

       

      I use a desktop as well.  This has not been thought out from MYOB

       

    • MikeG1
      Admin

      Hi Gnickrapon, that sounds like the known bug that recently came about with the 2024.10 release for AccountRight. The good news is that we have released a patch to fix this today and repeated 2FA should not occur for you anymore.