
MYOB Announcements

Secure your account with SMS two-factor authentication (2FA)

Mike_MYOB
Community Manager
6 months ago

Hi everyone, 

We’re introducing an important security update to your MYOB login.

Data security is our top priority. To add an additional layer of security and help protect your account, we will soon require SMS to be set up as one of your 2FA methods.

Having SMS as a 2FA method will be mandatory for all customers who use MYOB Business and Connected Ledger software*.
We are communicating this change to our customers in smaller groups. The first group will receive an email and an in-product message on the 18th of August and will then have 30 days to set up SMS as a 2FA method.
*Remaining customers on other software will be included soon, but can still take these steps to set up SMS 2FA now.

What do I need to do?

For a smooth login experience, please ensure you have an up-to-date mobile number on your account and have SMS selected as an authentication method. 

You don’t need to wait for the email and in-product message; you can set this up now.

Follow the instructions below.

How to enable SMS two-factor authentication 

  • Log into My Account at https://myaccount.myob.com
  • Click your username in the top-right corner and choose Account security.
  • Under Authentication, click the Add (>) button next to SMS and follow the instructions.

Customers in Australia can find more detailed instructions here.
Customers in New Zealand can find more detailed instructions here.

Want more info? Here are some frequently asked questions.

  • How does SMS 2FA work?

    Enabling SMS 2FA lets us send a one-time code to your mobile phone via text message when you log in. This extra step helps keep your account secure by confirming it is really you signing in, even if someone else knows your password.

  • Already have SMS 2FA? 

    We recommend setting up an additional method, such as an authenticator app. That way, if you lose access to your main 2FA method, you can still log in without needing to contact MYOB.

Learn more about logging in and two-factor authentication. 
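To make the FAQ answer above concrete, here is an added Python sketch of the server-side lifecycle it describes. This is illustration only, not MYOB's code and not a description of MYOB's actual implementation: a one-time code is generated, handed to a pluggable SMS sender, stored only as a session-bound hash, and accepted once within a short validity window with a cap on wrong guesses. The five-minute window, the five-attempt limit, the session ids and the phone number are all assumed or constructed values.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass

CODE_DIGITS = 6
CODE_TTL_SECONDS = 300   # assumed validity window; not MYOB's actual setting
MAX_ATTEMPTS = 5         # assumed number of guesses allowed per issued code


@dataclass
class PendingCode:
    code_hash: str
    expires_at: float
    attempts: int = 0


class SmsOtpService:
    """Hypothetical server-side one-time-code service (illustration only)."""

    def __init__(self, send_sms, clock=time.time):
        self._send_sms = send_sms   # callable(phone, message); injected so no SMS gateway is needed
        self._clock = clock         # injected so expiry can be exercised deterministically
        self._pending = {}          # login session id -> PendingCode (plaintext code is never stored)

    @staticmethod
    def _hash(session_id, code):
        # Bind the code to the login session so a code issued for one login cannot be replayed in another.
        return hashlib.sha256(f"{session_id}:{code}".encode()).hexdigest()

    def issue(self, session_id, phone_number):
        # secrets.randbelow gives an unpredictable code; zero-pad to a fixed width.
        code = f"{secrets.randbelow(10 ** CODE_DIGITS):0{CODE_DIGITS}d}"
        self._pending[session_id] = PendingCode(
            code_hash=self._hash(session_id, code),
            expires_at=self._clock() + CODE_TTL_SECONDS,
        )
        self._send_sms(phone_number,
                       f"Your login code is {code}. It expires in {CODE_TTL_SECONDS // 60} minutes.")

    def verify(self, session_id, submitted):
        pending = self._pending.get(session_id)
        if pending is None:
            return "no_code"                     # nothing issued, or code already consumed
        if self._clock() > pending.expires_at:
            del self._pending[session_id]
            return "expired"
        pending.attempts += 1
        if pending.attempts > MAX_ATTEMPTS:
            del self._pending[session_id]        # too many guesses: discard, user must request a new code
            return "locked"
        if hmac.compare_digest(pending.code_hash, self._hash(session_id, submitted)):
            del self._pending[session_id]        # single use: consume on success
            return "ok"
        return "wrong"


def _code_from_sms(message):
    """Extract the code from the constructed SMS text above (demo helper)."""
    return message.split("code is ")[1][:CODE_DIGITS]


def _other_code(code):
    """Return a code that is guaranteed to differ from the issued one."""
    return "000000" if code != "000000" else "111111"


def demo():
    """Walk the lifecycle with a captured SMS outbox and a controllable clock; returns outcomes."""
    outbox = []
    now = [1_700_000_000.0]                      # constructed epoch timestamp
    svc = SmsOtpService(send_sms=lambda phone, msg: outbox.append((phone, msg)),
                        clock=lambda: now[0])
    phone = "+61400000000"                       # constructed sample number
    results = {}

    svc.issue("login-1", phone)
    code = _code_from_sms(outbox[-1][1])
    results["wrong_code"] = svc.verify("login-1", _other_code(code))
    results["right_code"] = svc.verify("login-1", code)
    results["replay"] = svc.verify("login-1", code)   # consumed codes are rejected

    svc.issue("login-2", phone)
    code = _code_from_sms(outbox[-1][1])
    now[0] += CODE_TTL_SECONDS + 1                # advance past expiry
    results["expired"] = svc.verify("login-2", code)

    svc.issue("login-3", phone)
    code = _code_from_sms(outbox[-1][1])
    for _ in range(MAX_ATTEMPTS):
        results["last_allowed_guess"] = svc.verify("login-3", _other_code(code))
    results["correct_after_lockout"] = svc.verify("login-3", code)

    results["sms_sent"] = len(outbox)
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The three properties worth noticing are that the plaintext code exists only in the text message, that a code is tied to one login session and one successful use, and that the guess cap is applied before the comparison, so a correct code submitted after the limit is still refused and the user has to request a fresh one.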

What happens if you don’t set up SMS 2FA by the due date?

To keep your account secure, we strongly encourage you to set up SMS two-factor authentication (2FA) now. It should only take a couple of minutes.

If it’s not set up before the due date for your cohort, your account will be locked and you won’t be able to access your files until SMS 2FA has been enabled.

Published 6 months ago
Version 1.0

91 Comments

  •
    timkirk112
    Contributing User

    A few points...

    1. SMS is not secure. SIM swapping attacks have been a thing for ages; because of this, SMS is considered a weak form of 2FA.
    2. Given the above, why are you REQUIRING all MYOB users to weaken their security by forcing SMS on all accounts?
    3. What about those who don't have a mobile phone? What you're saying is you are forcing those who don't have one to shell out at least $200+ for the phone and a monthly payment just so we can continue using your software?

    MFA is a great thing, but your upcoming implementation is horrible. Why are you doing this?

    •
      IFMsolutions
      Contributing Cover User

      Totally agree... we have many users using MYOB and it is not feasible to have this security measure against one mobile number. Definitely time to go to ZERO.

    •
      AmandaMYOB
      MYOB Moderator

      Hey timkirk112,

      Your original authentication method won't be impacted. For many, SMS will serve as an additional 2FA method, as most users will already have set up their authenticator app or email as their main authentication method.

      We introduced SMS two-factor authentication as an additional method to ensure data security and to help make it easier for users to access their file if they're unable to access their original method.

      •
        timkirk112
        Contributing User

        Hey AmandaMYOB,

        Having SMS as a secondary method for those who need it I can understand and appreciate, even if it isn't best practice.

        My problem is with the below statement by MYOB:

        Having SMS as a 2FA method will be mandatory for all customers who use MYOB Business and Connected Ledger software*.

        While the below link isn't official NIST guidance, it gives a good explanation on why SMS is a poor form of 2FA:
        https://twohandstech.com/why-nist-recommends-otp-apps-over-sms-texting-for-2fa-in-the-wake-of-data-breaches/

        By enforcing SMS 2FA on your customers that already have email / authenticator apps (TOTP Auth) set up, you actively weaken the security of those accounts, as per my above concerns.

        Unfortunately your above reply doesn't address my point about those who either don't have a mobile phone, or those who are unwilling to give MYOB their personal phone number (not everyone has a work phone / wants to tie their personal hardware to work).

        As for a suggestion: if MYOB could allow / enable SAML SSO or FIDO2 keys as a 2FA option, that would go a long way to increasing the security of your platform and bypass the issue of those who don't want to give their phone number to MYOB.

  •
    SarasKrishnan
    Contributing Cover User

    Will we still be able to use email to receive the code if we don’t want to use SMS?

    •
      AmandaMYOB
      MYOB Moderator

      Hey SarasKrishnan,

      You'll be able to continue using email as an authentication method if you've set it up previously. For most, SMS would be a secondary method, as most users would already be using email or the authenticator app as an existing authentication method. Check out this page for more information on the different methods available.

      •
        SarasKrishnan
        Contributing Cover User

        Thanks for your response, Amanda. One further question: will the email option be available as a choice for new users, going forward?

        I have several organisations as clients where phones are personal to staff and the company prefers official email as the preferred means of getting the 2FA code instead of through an authenticator app or SMS.