Blog Post
A few points...
- SMS is not secure; SIM swapping attacks have been a thing for ages, and because of this SMS is considered a weak form of 2FA.
- Given the above, why are you REQUIRING all MYOB users to weaken their security by forcing SMS on all accounts?
- What about those who don't have a mobile phone? What you're saying is you are forcing those who don't have one to shell out at least $200+ for the phone and a monthly payment just so we can continue using your software?
MFA is a great thing, but your upcoming implementation is horrible. Why are you doing this?
- IFMsolutions (5 months ago), Contributing Cover User
Totally agree... we have many users using MYOB and it is not feasible to have this security measure against one mobile number. Definitely time to go to ZERO
- AmandaMYOB (6 months ago), MYOB Moderator
Hey timkirk112
Your original authentication method won't be impacted. For many, SMS will serve as an additional 2FA method, as most users will already have set up their authenticator app or email as their main authentication method.
We introduced SMS two-factor authentication as an additional method to ensure data security and to help make it easier for users to access their file if they're unable to access their original method.
- timkirk112 (6 months ago), Contributing User
Hey AmandaMYOB,
Having SMS as a secondary method for those who need it I can understand and appreciate, even if it isn't best practice.
My problem is with the below statement by MYOB:
Having SMS as a 2FA method will be mandatory for all customers who use MYOB Business and Connected Ledger software*.
While the below link isn't official NIST guidance, it gives a good explanation on why SMS is a poor form of 2FA:
https://twohandstech.com/why-nist-recommends-otp-apps-over-sms-texting-for-2fa-in-the-wake-of-data-breaches/
By enforcing SMS 2FA on your customers that already have email / authenticator apps (TOTP Auth) set up, you actively weaken the security of those accounts, as per my above concerns.
Unfortunately your above reply doesn't address my point about those who either don't have a mobile phone, or those who are unwilling to give MYOB their personal phone number (not everyone has a work phone / wants to tie their personal hardware to work).
As for a suggestion, if MYOB could allow / enable SAML SSO or FIDO2 keys as a 2FA option, that would go a long way to increasing the security of your platform and bypass the issue of those who don't want to give their phone number to MYOB.
- AmandaMYOB (6 months ago), MYOB Moderator
Hey timkirk112
For users who rely only on email, SMS is an additional layer of security. Paired with the authentication app (TOTP), this gives users the flexibility to recover their account should they lose access to their primary device before being able to transfer their TOTP instance to their new device.
We do appreciate your feedback on options for our team in the future. We're continuing to balance customer data security with user friendly access to MYOB software and due to the changing nature of the online security landscape, we'll continue working towards the best option for our customers.