A few points...
- SMS is not secure; SIM swapping attacks have been a thing for ages. Because of this, SMS is considered a weak form of 2FA.
- Given the above, why are you REQUIRING all MYOB users to weaken their security by forcing SMS on all accounts?
- What about those who don't have a mobile phone? What you're saying is you are forcing those who don't have one to shell out at least $200+ for the phone and a monthly payment just so we can continue using your software?
MFA is a great thing, but your upcoming implementation is horrible. Why are you doing this?
Hey timkirk112,
Your original authentication method won't be impacted. For many, SMS will serve as an additional 2FA method, as most users will already have set up their authenticator app or email as their main authentication method.
We introduced SMS two-factor authentication as an additional method to ensure data security and to help make it easier for users to access their file if they're unable to access their original method.
- timkirk112, 6 months ago, Contributing User
Hey AmandaMYOB,
Having SMS as a secondary method for those who need it I can understand and appreciate, even if it isn't best practice.
My problem is with the below statement by MYOB:
Having SMS as a 2FA method will be mandatory for all customers who use MYOB Business and Connected Ledger software*.
While the below link isn't official NIST guidance, it gives a good explanation on why SMS is a poor form of 2FA:
https://twohandstech.com/why-nist-recommends-otp-apps-over-sms-texting-for-2fa-in-the-wake-of-data-breaches/
By enforcing SMS 2FA on your customers that already have email / authenticator apps (TOTP Auth) set up, you actively weaken the security of those accounts, as per my above concerns.
Unfortunately your above reply doesn't address my point about those who either don't have a mobile phone, or those who are unwilling to give MYOB their personal phone number (not everyone has a work phone / wants to tie their personal hardware to work).
As for a suggestion, if MYOB could allow / enable SAML SSO or FIDO2 keys as a 2FA option, that would go a long way to increasing the security of your platform and bypass the issue of those who don't want to give their phone number to MYOB.
- AmandaMYOB, 6 months ago, MYOB Moderator
Hey timkirk112,
For users who rely only on email, SMS is an additional layer of security. Paired with the authentication app (TOTP), this gives users the flexibility to recover their account should they lose access to their primary device before being able to transfer their TOTP instance to their new device.
We do appreciate your feedback on options for our team in the future. We're continuing to balance customer data security with user friendly access to MYOB software and due to the changing nature of the online security landscape, we'll continue working towards the best option for our customers.
- timkirk112, 6 months ago, Contributing User
Hey AmandaMYOB,
There are a few points from my earlier message that don’t seem to have been addressed:
- Impact on accounts already using stronger methods – My concern is that enforcing SMS setup for customers who already use TOTP or email 2FA introduces well-known weaknesses (SIM swapping, number recycling, unencrypted transmission, carrier insider threats). These risks don’t exist with authenticator apps. This is why many security standards recommend avoiding SMS as a factor any more.
- Customers without a mobile phone or unwilling to provide one – My earlier question remains: how will these customers authenticate or recover accounts without being required to give a phone number? This is both a usability and privacy issue.
- Reference material – I provided a link explaining why SMS is considered weaker 2FA. It would be helpful to know whether MYOB agrees or disagrees with that reasoning, or whether the decision is being made with those risks acknowledged but accepted.
By enforcing SMS for customers who already use stronger authentication methods, MYOB is not improving security — it is actively weakening the authentication process and lowering the overall security posture of those accounts.
Could you please address the above points directly so customers can better understand MYOB’s position?