Hi Verdant ,
It is of course your decision to continue having the team share a login, but I want to confirm that it is MYOBs and the ATOs guidelines that there are no shared logins.
Regarding the method, you can continue to use email 2FA as this is already set up. We highly recommend having a secondary method (SMS is great) so that you have a back up option available.
If for example, you were unable to access your emails or you couldnt receive the 2FA email, you would then have the secondary option of using SMS.
This is also especially helpful for accessing My Account where you can manage your 2FA preferences without needing to contact MYOB.
As you said, you currently do email 2FA on a 30 day cycle.
The notification you have received is more around the frequency of 2FA.
Instead of every 30 days, this will now be at least once per day (every 24 hours)
Is email always going to be an option for 2FA for new staff accounts going forward? Or, will we need to require staff to have a phone for work use when employing new people?
Hi bigmac , with a high rate of change in the cyber security environment, we cannot confirm that email will always be an option going forward.
Email is currently available but it's not recommended as it is less secure than SMS or Authenticator Apps (both of which do require a phone).
Using a phone isn't ideal at all. I don't see how SMS is any more secure than an email. Someone could steal your phone, and a notification pops up on your screen with a code. Accessing email on a PC requires firstly to be able to login to the PC and then a further log in to emails.
Having requirements for staff to use their own personal phone for such things is not fair to them. We'd have to compensate staff or buy a shop phone just to get into MYOB. Yet another cost to small business. After 18 years of using MYOB this might be deal breaker for us.
Hi Verdant , 18 years is no small feat!
Congratulations of this milestone for your business and your partnership with MYOB, thank you.
To try and add more, the SMS and authenticator app for security is best practice globally.
Many businesses don't have logins on their PCs & Laptops (or individual logins for that matter).
PCs and Laptops are easily and typically shared just as much as emails are.
However it would be incredibly rare to find a phone that does not have a pin, thumbprint or facial recognition lock to access.
It is also a common occurrence to need to use a personal phone for 2FA.
When using SMS, there is little to no overlap between work and personal as they would simply be receiving a text with a number that they need to enter into the software (I do this myself for all of our MYOB software).
I'm sorry to hear that this change could become a deal breaker for you. If you have any more questions about the change, let me know here or via a direct message
