Blog Post
Adding my voice to this - totally agree about SMS being a VERY insecure method.
However, does MYOB in its lovely urban office consider that not everyone even has access to mobile phone signal, or that mobile phone signal is not exactly reliable the further from urban centres you go?
Reasons why mobile signal is not sufficiently reliable include:
It does not go everywhere. Extreme rural areas or areas with challenging geography (hills!) impact signal reception. Actually, this one doesn't even have to be rural or remote - there are plenty of places in metropolitan industrial areas where mobile phone signal isn't reliable, although for those, it's generally a matter of walking a few metres. Not so much for us outside the metro area - I have to drive to the top of a nearby hill to get SMS at a couple of workplaces.
Mobile phone towers have AT BEST a battery life of 6 hours. Multi-day power outages are becoming almost commonplace only a couple of hours from Melbourne. We survive with generators and Starlink, because we can be without power AND mobile phone signal for days. At the moment, that's okay because I can get online to work - but I can't get an SMS code in some places, even to do banking. Paying even wages on time has only been possible because a bank signatory was in Melbourne - what if that client had no extra signatory? Many small businesses are sole operators or partnerships without someone geographically distant not experiencing the same natural disaster.
In holiday areas in particular, but generally speaking out here where there is no service overlap between towers, peak periods can result in badly disrupted mobile availability. Telstra can and does adjust the power output from the towers during peak periods, which can have peculiar local results. It is not unusual to have no or very poor reception during those peak holiday periods if you are just outside the tourist area. SMS can take a lot longer to arrive, if they arrive at all, which results in the requesting application timing out. Then the application can lock you out for making repeated unsuccessful requests...
So even though I consider mandating SMS as a 2FA method is lowering security rather than enhancing it, it's the physical aspect of no/unreliable mobile signal that is a hard barrier for some clients. Once upon a time, you could work offline and restore the file once power and connectivity were back, but that was lost a long time ago.
Hi shortred, although it is being mandated as an option, it is not being mandated as the only option for our customers.
We would absolutely want and encourage our customers to have 2x 2FA methods available with SMS being mandated as 1 of these.
So if you already have 2FA enabled via email, then you would be adding SMS as a secondary/back up method.
Based on this, those who might work in areas with no reception will still be able to access their accounts via their existing/second method.
Hope this helps to understand the update better - Mike