Update -Improved Security- 2FA changes
We have recently taken measures to deliver new security functionality to provide contextual and adaptive multi-factor authentication (MFA) controls. As a result, MFA now takes into consideration a ra...
Forum Discussion
So, after the backup we need to re-open the file and then log out via the services menu? There is NO option to log out once the backup is complete.
Great that you are in talks with the developers but, it has been 5 months. What does MYOB consider an acceptable time frame for a response to be?
Hi JillL1,
Thank you for your response.
The scenario where the application closes after a backup, creating additional steps to reopen and logout, is definitely not ideal. There are multiple possible solutions that can be considered for both simplifying the logout process and this scenario with backups. Our developers are definitely looking into this, but we are unable to provide an ETA on when a solution will be released. Release notes are regularly published on our support pages, but we will absolutely post an update on this thread when more information is available.
Feel free to reach out if there's anything else I can assist you with.
Cheers,
Princess
At the very real risk of wasting my time and effort -
Could you direct me to where in the release notes it talks about the 2FA - or warns users about the lack of security please? As a user the communication from MYOB has been dismal on this. The advice from MYOB has been conflicting and unclear, it is no wonder that the developers are no closer to a solution when MYOB don't appear to have any grip on how big a security concern this is for users. In a world where logging into any site has become more and more secure to have an accounting package with such a gaping hole in it's security is simply unbelievable. Are you serious about fixing this or do we need to take our loyalty elsewhere? Are you waiting for a media storm on a widespread MYOB breach of security?
How exactly do we take this complaint further up the chain? I've tried your complaints process and that is the same "we hope this addresses your concerns in full" or "please feel free to reach out if anything else I can help with". We, the users, those who make MYOB viable ARE BEGGING for help on this issue. This is the security of our accounting records and MYOB are not prioritising the solution - WHY??
As per your Customer Resolutions advice - 2FA is an ATO requirement. Can you please demonstrate how you are compliant with that? If MYOB are unwilling to give users a timely resolution, should we be lodging a complaint with the ATO?
Princess_RHow are the developers going with this? They seem to have time to fluff about and change to more "user friendly" wording but is there any priority at all for these security concerns? It is 7 months since this was raised, 3 months since you advised developers were "definitely looking into this", 2 months since I had an emailed reply from Tiff Codoceo that "I understand the instructions Mike has provided has security concerns and there is no security measures fully in place". You all seem to agree there is a problem - could someone fix it. Please!
But the subscription goes up 1st April .....
I understand costs have to increase but at the same time when service levels decrease it does not sit right.
This 2FA has been an ongoing Iissue and MYOB do not seem to comprehend the truly concerning impact to security the changes they have made.
You state in response above that:
"our recommendation for now is to ensure that all users log out of the software when they are finished."
So to clarify "logging out of the system" requires you to select the menu option Services>sign out of accountright live.
ANY other way of exiting the file such as:
- File>close
- Selecting "X"
- If the system crashes/freezes automatically shuts down
does not require the user to re-enter a password. The MYOB system actually allows you to relaunch the program and it will automatically open the data file under the previous users login.
I cant tell you how dangerous this is and how UNSECURE this protocol is.
Let me give you an example:
We have a staff member of leave at the moment, so we have two staff members using a specific PC who each have different logins and security profiles. If one staff member simply closes the file (as we have always done) by either selecting "X" or File>Close. Anyone who has access to the PC can simply lauch the program and open the MYOB data file WITHOUT REQUIRING A PASSWORD.
We have also had an instance where the wrong email address was entered and returned an error message. The user closed the program and the data file opened WITHOUT REQUIRING A PASSWORD.
I know for a fact that Qbooks/Intuit and XERO both require 2FA EVERYTIME you close the file by ANY METHOD either X or File Close. It will also time you out of the file requriing a password to re-enter.
Please explain how MYOB believe that introducing a distinct and seperate process for exiting a data file and removing the necessity for a password authentication when a file is closed is in any way accceptable security for confidiential Accounting data?
Hi Princess,
There is still no ability to force a user to require 2FA on every login to MYOB Essentials through a browser (as in, the live file, not a backup).
Even if you explicitly log out, you don't always need 2FA to log back in.
After Jill suggested it, I emailed all of the different help desk emails I could find for MYOB and have received no response.
The attitude towards what a number of your users are describing as a serious security concern is unsettling.
How long are we expected to wait for you to close this bug, noting that all we want to do is revert back to how it was?
It very interesting that MYOB still do not know when this problem will be resolved. Also, of interest how many users are affected.
It's pretty obvious the software development is outsourced and Myob staff are unqualified to resolve issues as they arise! They are raking in our money every month and not providing any meaningful service. My bookkeeper has greater problems with Myob. I fear QBO and Xero are probably no better...
Hi Jill,
The mention of release notes is a way to stay informed of any future changes we make to our software, including security. As no changes have been made on this yet, there is nothing to share to you.
The security rules around when you will be prompted to enter your email and password, as well as when you will be prompted for 2FA are not the same for all customers depending on how they access their software, what location they access their software, how often they access their software, whether they have multiple staff using a single PC or not (and wether they each have a unique sign on to the PC).
In most cases, the presumed 'gap' in security would come from persons having unprotected access to a PC, rather than to the MYOB software itself. As such, if this is the case, then our recommendation for now is to ensure that all users log out of the software when they are finished.
Logging out of the software will ensure that when it is next opened, the email and password will be requested from the next user.
As Princess has mentioned, we are definitely developing updates to our security based on feedback from our customers but we are unable to provide an ETA on when this will change will be released at the moment.
I have also asked Tiff to get back in touch with you for anything further.
Regards, MikeI'm almost speechless...
Just to clarify. EVERY other programme we use that requires 2FA, requires it without variation. No exceptions. No work arounds. No awkward, non-standard way of logging out. No need to instigate levels of security OUTSIDE of the program just to get some basic security happening. Most, if not all, automatically log you out after a short period of inactivity. They just work as they are intended to. This one does not.
