Secure your account with SMS two-factor authentication (2FA)

Hi Mike,

I need some urgent help.  I am the administrator of our account and login in with SMS code, all other users (employees) login with code to the work email, however, as of today, they are not receiving the code to their email????  I am away atm, however, I can login - remotely - with no issues.   Please help, as I now have employees unable to login to MYOB, and hence no work.

Adding my voice to this - totally agree about SMS being a VERY insecure method.

However does MYOB in its lovely urban office consider that not everyone even has access to mobile phone signal, or that mobile phone signal is not exactly reliable the further from urban centres you go?

Reasons why mobile signal is not sufficiently reliable include:

It does not go everywhere. Extreme rural areas or areas with challenging geography (hills!) impact signal reception. Actually, this one doesn't even have to be rural or remote - there are plenty of places in metropolitan industrial areas where mobile phone signal isn't reliable, although for those, it's generally a matter of walking a few metres. Not so much for us outside the metro area - I have to drive to the top of a nearby hill to get SMS at a couple of workplaces.

Mobile phone towers have AT BEST a battery life of 6 hours. Multi-day power outages are becoming almost commonplace only a couple of hours from Melbourne. We survive with generators and Starlink, because we can be without power AND mobile phone signal for days. At the moment, that's okay because I can get online to work - but I can't get an SMS code in some places, even to do banking. Paying even wages on time has only been possible because a bank signatory was in Melbourne - what if that client had no extra signatory? Many small businesses are sole operators or partnerships without someone geographically distant not experiencing the same natural disaster. 

In holiday areas in particular but generally speaking out here where this is no service overlap between towers, peak periods can result in badly disrupted mobile availability. Telstra can and does adjust the power output from the towers during peak periods, which can have peculiar local results. it is not unusual to have no or very poor reception during those peak holiday periods if you are just outside the tourist area. SMS can take a lot long to arrive if they arrive at all, which results in the requesting application timing out. Then the application can lock you out for making repeated unsuccessful requests...

So even though I consider mandating SMS as a 2FA method is lowering security rather than enhancing it, it's the physical aspect of no/unreliable mobile signal that is a hard barrier for some clients. Once upon a time, you could work offline and restore the file once power and connectivity was back, but that was lost a long time ago.

MYOB now requires SMS two-factor authentication for extra account security. Make sure your mobile number is up to date and set SMS as a 2FA method in your account.

SMS 2FA sends a one-time code to your phone when logging in to confirm it’s you. You can also set up an Authenticator app as a backup. Accounts not using SMS 2FA by the due date will be locked until it is enabled.

I am online trying to verify our "business" .... and want to know why you need our cashflow estimates? I don't want to provide these so now will be stuck being unable to email invoices.

Can we opt out, or at least disable the SMS 2FA feature for our accounts? It is step backwards in terms of industry accepted security practices, especially with authenticator-based 2FA already set up.

At the moment, it seems that MYOB is adamant to force a weakened security threat into all accounts there were, otherwise, well secured.

SMS 2FA is a backward step and old technology. My business is managed on the run from various overseas locations, in each of which I have local sim number. Why cant there be an option for email 2FA or a phone based app that generates a one time code? I will now need to use a colleague's Australian phone number and contact him from overseas every time I want to use my MYOB. Disappointing.

Does this only impact users of the web based platform or does it also impact those of us who still use the desktop version?

Does it validate the mobile number that is entered? Asking for a friend :)

Is the system smart enough to know that the one mobile number is used on more than one user account?

Oh, good grief.
Because MYOB logs you out after 20 minutes of inactivity, we already log in repeatedly throughout the day and (once the daily MYOB tasks are done) it's when a customer is talking on the phone and while they're talking we're ascertaining address, previous work completed, previous invoice amounts, and information regarding on-site H&S issues; or if we're working on a complex task we're logging back in repeatedly .... and now we have to complete authentication as well which is never as quick as you need it to be. Just so frustrating. 

Xero also has 2FA but their inactivity time is 60 minutes. Much more sensible and customer-centric than MYOB's 20 minutes. Could MYOB consider extending timeout threshold to 60 minutes? Has anyone at MYOB ever run their own business??

Security is super-important, but so is being sensible. Have one solid step in place (like 2FA for online banking), not multiple enforcements from various angles to address the same issue. 2FA doesn't need to overlay a ridiculously short timeout threshold. More is not better. It feels like MYOB has lost touch with business owners, and makes me concerned at what 'brilliant' idea is coming next. 

We run MYOB offline, is this two-factor authentication still required?

If so, can each user enter in their own number? 

Once again. MYOB is making it mandatory - but then give out placating advice saying it isn't  mandatory - once again making support stupidly difficult