Blog Post

MYOB Announcements
5 MIN READ

Enhanced security measures are live - 27/11/24 (Update 19/12/24)

MikeG1's avatar
MikeG1
Admin
4 months ago

Hi everyone,

Update 19/12/24 - Are you still there?

Hello Community members and followers of this security updates thread! Its been a few days since we last spoke.

There is a great update coming through already for the inactivity timeout changes in the browser. AND its releasing Today the 19/12/24.

Users in the browser will now be provided with a warning message 5 minutes prior to the inactivity timeout.
This will show at the top of the window with "Are you still there?" and provides a clickable option to confirm "I'm still here" - example image below

 

Update 05/12/24: Session Inactivity Lock for AccountRight Desktop App
 
We've consulted with the ATO and have been able to agree that AccountRight Desktop can be excluded from the 30 minute inactivity lock requirement. We can confirm this feature has now been removed from the desktop app.

While the inactivity lock is no longer in place on the AccountRight desktop app, we strongly encourage everyone to implement sensible security measures on your individual devices. This includes setting up automatic timeouts and using password-protected logins for added protection. 

The 30-minute inactivity lock will remain in place for MYOB Business and MYOB AccountRight in the browser, in line with ATO requirements.

 

Previous update to this post (27/11/24)
The changes for inactivity went live today on the 27th November. 
Specifically for AccountRight, many customers encountered unexpected crashing/freezing of the software after entering their password to sign in again. Work in progress would also be lost due to the crash.

I want to assure everyone that this is not the expected behaviour associated with the inactivity timeout. You can expect the screen to blur and a message pop up. Click sign in again as [user]. Enter your password and you will be back to continue where you were (no loss to work in progress)

As a result of the crashing, we have temporarily disabled the inactivity timeout for AccountRight, you will need to close and re-open AccountRight for this change to take effect.

Thank you for the feedback, examples and information provided on these issues today. We are continuing to investigate before it is enabled again.


I’m updating this post (2:30pm AU 21/11/24), as there have been a lot of comments and engagement in the change.
With over 100 comments on the post, we are starting to get the same questions being asked, and answers being missed so I hope to summarise the change and key questions/feedback here.

The change/s and timeline

  • September 30th > MYOB implemented 2FA being required at least once every 24 hours
    • Some initial feedback came through about the 2FA prompt caused customers to lose work in progress
    • MYOB has implemented a fix based on feedback and 2FA is prompted on the first login each day to avoid loss of work
  • November 27th > you'll be asked to sign back in after 20-30 minutes of inactivity (announced November 19th)
    • This announcement on inactivity is driving a significant amount of feedback and discussion that I will summarise below

What’s changing:

From Wednesday 27 November 2024, you’ll be asked to sign back in after 20–30 minutes of inactivity. After this time, your screen will become locked and blurred. To continue working, you'll need to sign back in with your username and password. This applies to the following MYOB software: MYOB Business, MYOB AccountRight and AccountRight browser (online files only), MYOB Connected Ledger, MYOB Business Payroll Only and MYOB Practice. 


Browser:


Desktop:

 

What do you need to do?

When you’re presented with the Are you still there? message we recommend that you click Sign in using [existing email] to return to work in progress.
Note* 2FA is not required as part of signing in again and your email will automatically be pre-filled

Will I lose my work when the screen is greyed out?


If you sign back into your account using your existing email, you won’t lose any work in progress and can continue where you left off. However, if you choose to sign in to a different account, your work will not be saved. 

If you click Back or Reload, or if you don’t sign back in after 12 hours, you'll also lose work in progress.

How does the inactivity screen work between Browser and Desktop?


When you are logged into both the Browser and Desktop at the same time, each session will operate independently. This means that if you are inactive in the Desktop version, you can remain active in the Browser version. The inactivity timeouts for these sessions are separate from one another.   

When signing back in after inactivity, do I have to enter my email, password and do 2FA?


No, your email will be automatically pre-filled when signing back in using your existing email to both the desktop and browser software. Users will be required to enter their password only. 2FA is still a 24-hour requirement and not required for signing back in after an inactivity timeout.

Can I opt out of the new inactivity or 24-hour 2FA security measures?


No, as these are mandatory compliance changes in line with industry best practice, they cannot be disabled

Why am I being asked to login or do 2FA multiple times a day?


Based on scenarios described in the forum + a known issue that MYOB is currently working to resolve, this could be for one of the following reasons.

  • Closing AccountRight using the ‘x’ is currently causing 2FA to be prompted when re-opening the software even if it is less than 24 hours. This was recently discovered as a bug/regression with the last AccountRight 2024.10 release and the team are releasing a fix to this asap. This has been resolved*
  • Opening multiple instances of AccountRight. This seems to something multiple customers are doing when they have multiple files they work on. Instead of switching between files (no login would be required) they are all opened concurrently and each instance of AccountRight that is opened will require a login

Is this an MYOB decision or required by the ATO? And subsequently, why do New Zealand customers need to adhere to ATO requirements?

  • Yes, both the 24 hour 2FA and the inactivity timeout changes are mandated requirements from the ATO. This requirement seeks to minimise the opportunity for unauthorised users to access Taxation, Accounting, Payroll, Business Registry or Superannuation related information. Read more on the ATO website here if interested
  • New Zealand customers, although not bound by the same requirements set by the ATO, will share the same security measures as our Australian customers so that MYOB is providing best practice security to all customers.

 

MYOB has also published help articles that explain the changes and can be found below

  • For Australian customers here
  • For New Zealand customers here

 

 

Updated 4 days ago
Version 10.0
announcements
Tips
  • MickyH75's avatar
    MickyH75
    Experienced User
    4 months ago

     It should be up to an organisation to set its own policies on security not you as the software provider. Please change it so that I as the company administrator can choose what level I want for my companies (we have 21 separate files).

    • Flowtek15's avatar
      Flowtek15
      Contributing User
      2 months ago

      absolutely,  myob. stop this login. As for security, we have a password, and we have to type the email address, that's enough for us. 

      this is not working for us, so i will be considering moving to another service for sure.

      • MikeG1's avatar
        MikeG1
        Admin
        2 months ago

        Hi Flowtek15 - please see my previous response here
        This is an ATO requirement so all services in Australia will need to meet the 24 hour 2FA standard. It was not a decision made by MYOB to do this, but a case of ensuring our software and our customers are compliant. Thanks

    • dogtraproad102's avatar
      dogtraproad102
      Contributing User
      2 months ago

      Completely agree. Apparently as from 27th November 2024 users will be AUTOMATICALLY signed out of their account after 20-30 minutes of inactivity.

      I am a work at home consultant, so nobody else has access to my computer. There are no other "Team Members" to access my computer.

      Why should I have to re-log back in if it takes me longer than 20 minutes to walk to the kitchen to make my lunch.

  • IntertradePete's avatar
    IntertradePete
    3 months ago

    The MYOB Login has always been bad, but now it's even worse.

    As others mentioned, it should be up to the users to decide the level of security when logging in.

    This is the only program where we have to manually type in the login details every day on the same exact computers, costing the business a minimum of 3-5 minutes a day, which is 20-25 minutes per week, of unpaid labour. Login should be automatic, just like with most other programs. 

    Even for online banking it's far easier and quicker to login daily. 

    • MickyH75's avatar
      MickyH75
      Experienced User
      3 months ago

      With the price increases last year and now this my boss's query the other day about switching to Xero has me thinking I might have to set some time aside to investigate.

      • H-TS's avatar
        H-TS
        Trusted User
        3 months ago

        Xero does have several nice features that aren't available in MYOB and we review it regularly. I would recommend testing thoroughly for everything you need to do in every file you have. Last time I checked there were still a few features we use every day in MYOB that aren't available in Xero (eg recurring sales templates that can be used for any customer). As enticing as Xero is, and as frustrating as MYOB is, it's still the one for us, for now. 

    • MikeG1's avatar
      MikeG1
      Admin
      3 months ago

      Hi IntertradePete , if you're experiencing any slowness with authenticating, I expect this might be due to having email set up.
      Authenticator app is the fastest method where codes refresh 30 seconds, SMS would be the next best thing and then email can certainly experience slowness.
      We find certain email providers can take longer than others and theres always the chance the email goes to junk etc.

      MickyH75 , in Australia, the 24 authentication is being requested by the ATO and if they have not already, then Xero will also be doing this along with all others.
      Price wise, MYOB can provide you more for less at nearly every level of software. It's always a good idea to see whats available, but im sure you'll find you have a good thing with MYOB. 

      • IntertradePete's avatar
        IntertradePete
        3 months ago

        Hi MikeG1. I was referring to the simplicity of the Login, not the speed of the internet or email system. Imagine, we have 10 windows open on the computer and we always need to jump back to the emails to copy over the authentication code. Even if it's a requirement by ATO, at least the login email address should have an option to be saved for Login, so we don't have to type it in manually every morning on every computer. 

  • PowerMaxTom's avatar
    PowerMaxTom
    Contributing User
    2 months ago

    MikeG1Is the 20-30 mins inactivity sign out an ATO thing as well? Daily 2FA is a good idea, but whoever decided the 20-30 mins of inactivity sign out should reconsider their employment.

    Do I need to berate the ATO or MYOB to make sure this doesn't happen?

    • MikeG1's avatar
      MikeG1
      Admin
      2 months ago

      Hi PowerMaxTom , sorry I missed your comment. Yes this is also an ATO requirement
      The link to these requirements is included in the help article here

      • PowerMaxTom's avatar
        PowerMaxTom
        Contributing User
        2 months ago

        Urgh, Thanks Mike. Is there anything that could be done to link tabs or windows (we use account right) so that activity is logged per computer rather than per window? The biggest frustration with this is that we use multiple windows, and we are frequently using the secondary window/s but not necessarily every 20 minutes. It would still be frustrating, but less so...

  • MickyH75's avatar
    MickyH75
    Experienced User
    2 months ago

    Try this link for feedback to the ATO

     

    https://softwaredevelopers.ato.gov.au/contact-us

     

    I've sent the following email to the Standard Business Reporting enquiries email address.

     

    Hi

     

    I am contacting you as a frustrated business owner regarding the onerous requirements being implemented around access to programs such as MYOB. On top of mandatory multi factor authentication they have now told all users that periods of greater than 30 minutes of inactivity will result in screen locks and users having to input their password to unlock. MYOB have pointed disgruntled users to the following links as being the requirements forced on them as an SaaS provider.

     

    https://softwaredevelopers.ato.gov.au/RequirementsforDSPs

     

    https://softwaredevelopers.ato.gov.au/operational_framework/further-guidance-requirements

     

    What authority does the ATO have to mandate the security procedures that my business decides to implement? The only interaction that we have with the ATO through MYOB is the periodic payroll reporting and that should be the limit of any access restrictions the ATO should be able to require. I imagine there are quite a number of businesses who use MYOB who don’t even have that level of interaction.

     

    How do business owners and users of commercially available software object to this unacceptable intrusion into our business by the ATO?

     

    Regards

    Michael

    • RuthCO's avatar
      RuthCO
      Experienced User
      2 months ago

      Brilliant Michael ..... let's all send the ATO our feedback ... bombard them with our voices until they listen.... I am sick of this nanny state legislating us to the grave..... 

    • Thorns001's avatar
      Thorns001
      31 days ago

      Hi. The ATO have not mandated this change for end-users. The requirement is for software developers only. MYOB have clearly taken the cheapest option and implemented it for everyone. I am also certain that the ATO haven't only just released this requirement and MYOB would have been aware of it for some time. The fact is, it will cost MYOB more to implement an 'opt-out' solution so if we do get it, expect to pay more. 

      • Jo15's avatar
        Jo15
        Experienced Cover User
        31 days ago

        This is fine if you are using one Myob file at a time.  We are multi company with retail stores that have standalone trading myobs.  We do transaction matching all day and have intercompany purchasing.  I can have on several myobs open on one screen at a time.  This is no help to multi company users.

        Also, I have now had to turn our trade myobs at the retail stores into payroll active since last week to enable me to add a salesperson to the employee card file to be entered in the salesperson section in sales.  I have a payroll system which is a myob file which is stand alone.  Now to add a salesperson to a trading only file they have to be onboarded.  It makes me laugh when you have software companies making these changes and have probably not used any of the software at the cold face level! I am really going to source by next financial year a more friendly to the user software! Myob! since everything is the cloud has lost sight of their customer.

  • BelaC's avatar
    BelaC
    Cover User
    2 months ago

    Everyone is going away from the core problem, which is that we are again forced to use an unstable online system rather than the old computer based system that has worked with or without internet. We were able to invoice, there was no downtime unless our computer crashed. Didn't have to waste time with logging in, and with other so called "security measures" that are protecting us so well lately... But for that MYOB can not charge a monthly subscription fee. Well, as for myself I'd much rather use the old system than this online version. Every update creates a new problem, and rather than making life easier it seems MYOB hires people to create more and more time wasting measures such as locking us out after 20-30 minutes of inactivity. How stupid! We work, print and invoice as a job is done, or purchase when we have the time to do it. With this fantastic new idea from someone who is sitting in an office looking for ways of securing his/her employment you will achieve to create even more frustration with MYOB. We should be offered a not online option with our own security measures. 

  • MickyH75's avatar
    MickyH75
    Experienced User
    2 months ago

    I've posted on the ATO Community page asking how we object to these requirements. If enough people start questioning it maybe we can get some traction and have the requirements rolled back.

  • Wiffco's avatar
    Wiffco
    Cover User
    2 months ago

    Hi Mike, please explain the ATO requirement? You haven't just been told by the ATO, "hey MYOB, we want ppl kicked out of your software every 30 mins if they don't use it, make it happen". There is way more to it than that. I'm willing to bet that ATO want to make sure that privacy is not breached. This means no unauthorised access to bank account information, payroll info, employee cards with TFN's etc. So rather than handball the disaster to your long suffering clients, why don't you make the lockout's apply to admin users etc who have access to the actual data that the ATO is trying to protect? We are not dumb you know, almost every user on here is a seasoned 5yr+ user of MYOB. You already have a security structure in place within MYOB and we do actually know how to use it. (Yes there are some lazy ones who are just admin everything, but they can change.) If it needs a few tweaks, so be it. But a user in the shop who needs to look up parts availability in Inventory and has no access to this higher level info should not be locked out after 30 mins.

    • Jo15's avatar
      Jo15
      Experienced Cover User
      25 days ago

      I have been trying to make this point with Myob for 2 days! Obviously!  they are trying to cut out anyone with more than one Myob file on users!  We spend $1,593.00 per month with Myob! I am researching other software companies since they don't need us Multi Company Groups! clients

  • perkyone's avatar
    perkyone
    Experienced Cover User
    27 days ago

    This whole discussion is becoming bogged down with so many unhappy MYOB users chiming in. Clicking the "show more" link is now too slow. I'm lost in a sea of unhappy people finding very little helpful replies from MYOB people. It seems to me that MYOB's response to the ATO requirement is not nuanced at all. We are ALL incredibly inconvenienced.  The inactivity requirement should ONLY be needed when in direct contact with ATO servers.  Not for frontline staff that are dealing with customers etc.  MYOB, please just do some quality work rather than this sloppy sledgehammer approach and spending your resources on damage control for the mess you have created.

  • CatFH's avatar
    CatFH
    3 months ago

    Why does MYOB have more security measures than online banking?

     

    If someone had the ability to hack into my user profile online, will they be intent on altering my general ledger or GST return?

     

    Or do you think they will break into the office overnight? Bypass the alarm and physical door locks, crack my computer password and sign in to MYOB. If they've got that far, the 2FA will be emailed to the same computer and they will easily have the same access to MYOB as I do!   

     

     

     

     

    • BinChicken's avatar
      BinChicken
      2 months ago

      Oooh, and while they are there they could bring my reconciliations up to date....yass!

  • David2ayo's avatar
    David2ayo
    Cover User
    2 months ago

    I don't really mind 2FA every 24 hours, but after 30 minutes that is a disaster! I use the inventory function while working on jobs, and being a single operator I don't have an office worker to keep the thing active. I DO NOT want to re-open MYOB every time I need to check whether I have a component for a repair, or look for alternatives. If you want to lock up Payroll, not such a problem, but to re-open for every sale (it takes about an hour to 2 hours for most repairs) or for stock check that is stupidity.

    David

    • AmandaCL's avatar
      AmandaCL
      MYOB Moderator
      2 months ago

      Hey David2ayo 

      You will only be required to sign in again after 20-30 minutes of inactivity, not every 30 minutes. If youe screen is greyed out due to inactivity, your password will be required to access your file again, not 2FA. More information can be found on this page!

      • RuthCO's avatar
        RuthCO
        Experienced User
        2 months ago

        2FA should be renamed 3FA because logging in each day is a 3 step process ..... 1. username, 2. password and 3. authentication .... After every 30 minutes of inactivity (by the way the ATO "would prefer" every 15 minutes! so that will be on the horizon!!)  one has to follow a 2FA 1. username - fully type in the username (typically email address) because there is no "auto prediction" available .... and then 2. password... I have just had 2 major databases (one a Government database [we have an account with this database and have to sign in], the other financial) open on my desktop with no activity for 45 minutes with NO ACTIVITY (I put a timer on to be sure) and low and behold was NOT logged off 🤷‍♀️🤷‍♀️🤷‍♀️ can someone explain that please?