We have recently taken measures to deliver new security functionality to provide contextual and adaptive multi-factor authentication (MFA) controls. As a result, MFA now takes into consideration a range of factors including user’s location, device & behaviour patterns to determine the level of authentication required. By analysing contextual information like time of day and user location, our MFA can identify if additional authentication measures are necessary. This approach aims to reduce user effort, whilst maintaining a high level of security. However, we have reviewed concerns raised by our customers. What we’ve heard: I want to be prompted for a login more frequently (7 days is not sufficient, unless I have the option to select this frequency) I want to understand MFA and login requirements. I want to understand my role in securing sensitive information. What we’re doing: Reverting login frequency to 12 hours. Users will be prompted to login after 12 hours, as they were previously. Users can select "Trust this device for 30 days", however may be prompted more frequently if additional authentication is required. We recommend users log out at the end of every session, via the product menu. What you need to do: We will provide further updates on these changes for all customer via our channels and MYOB Community Forum.

I'd like to be very clear here, the changes MYOB have made has compromised security!!! When users now exit out of MYOB via the options of either closing the program window using the X or selecting File>Exit, they can now open the program without ANY requirement to log in using a password. MYOB will immediately lauch the program without any password OR 2FA authentication!!!!! Previously when you closed the program, you would have to login using a password. Why did MYOB change this and how can you possibly purport that this improves security? The situation now, is that anyone who has access to my computer could simply open the program and have access to MYOB WITHOUT having to actually login in using a password. I'm sorry, but I fail to see how this is an Improved Security measure. Are you aware that other programs such as Xero & Quickbooks, require you to login with a password and Xero requires 2FA everytime you login. Both these programs will also time you out of the program after a period of time, also requiring you to use a password and 2FA to log back in to the program. If the MYOB program is exited in any way, as a matter of security it should require you to login using a password. No system should allow you to open the program without any authentication or password at all.

I am not being asked to log on at all. There is zero security.

I'm sorry, how are you actually "improving security"?!?! Removing the requirement to enter a password when logging in has totally removed all security for this program. At least when we previously selected "trust this device for 30 days", we still had to enter a password to login to the program and select the client files we wanted to work in. Now, all I have to do is click on the MYOB icon on my desktop and I can access any file I want, with no password or any other kind of 2FA required to access the files. This is highly unsecure!! If the security on my computer was to be breached, anyone would have direct access to all of my client files. And who is going to be liable for that??? MYOB??? Is my cyber security going to cover any claim for this??? And I notice that the new update released yesterday/today has not fixed this issue! MYOB - you need to get this issue sorted out ASAP, unless you are happy to lose clients in droves because that's what is going to happen. We are already looking at moving clients out because you can't provide a secure environment for our client's important data. And if you don't just lose clients, you will more than likely end up getting sued when someone's client's data is breached due to your lack of security.

It would be nice to have some security. I can still just click on MYOB on my desktop and I am in. It's been far too long and writing about how important and good you are about security and then not fixing this issue that has been going on for over a week and a half is riduculous.

Update -Improved Security- 2FA changes

78 Replies

Maddocks
Cover User
11 months ago
I am not being asked to log on at all. There is zero security.
- PriyaSelvaraj
  MYOB Moderator
  11 months ago
  Hi Maddocks melbdesk
  
  Thanks for your post! I would suggest doing a hard logout, as this would prompt you to log in.
  
  If you still experience issues after trying the hard log out, feel free to send a private message with email details & serial number and I will look into this further.
  
  Thanks
  
  Priya Selvaraj
  - DamienGM
    Experienced Cover User
    11 months ago
    Hi PriyaSelvaraj
    Can we please get a time frame of when the changes listed in the opening post will be implemented, esp 12 hours max login time? I've not manually logged out of my account (both on Desktop and Web) as I want to see when I will be kicked out automatically.
    Regards
    Damien
- CHutchinson
  Experienced Cover User
  11 months ago
  
  That is exactly what the problem is,,,,,,,,,,,,,,,,,,,,,,theere is no security logging in at all now
becdbc
11 months ago
I'm sorry, how are you actually "improving security"?!?! Removing the requirement to enter a password when logging in has totally removed all security for this program. At least when we previously selected "trust this device for 30 days", we still had to enter a password to login to the program and select the client files we wanted to work in. Now, all I have to do is click on the MYOB icon on my desktop and I can access any file I want, with no password or any other kind of 2FA required to access the files. This is highly unsecure!! If the security on my computer was to be breached, anyone would have direct access to all of my client files. And who is going to be liable for that??? MYOB??? Is my cyber security going to cover any claim for this???

And I notice that the new update released yesterday/today has not fixed this issue!

MYOB - you need to get this issue sorted out ASAP, unless you are happy to lose clients in droves because that's what is going to happen. We are already looking at moving clients out because you can't provide a secure environment for our client's important data. And if you don't just lose clients, you will more than likely end up getting sued when someone's client's data is breached due to your lack of security.
ERStewart
Contributing User
11 months ago
I need to be able to log into more than one Myob account simultaneously.

The changes Myob has made to logging in are not "Improved Security", in fact, it's the complete opposite not to mention the accessibility issues. I have users of varying IT abilities, some of whom are elderly and have difficulty with adding a new online file every time they need to change the company file they're working on, this means I must actively supervise each login change.
melbdesk
Experienced Cover User
11 months ago
It would be nice to have some security. I can still just click on MYOB on my desktop and I am in. It's been far too long and writing about how important and good you are about security and then not fixing this issue that has been going on for over a week and a half is riduculous.

Forum Discussion

Update -Improved Security- 2FA changes

78 Replies

Related content

Security Breaches

No security in Myob today

Session Security Audit report

Suggestion for improvement

Emails -Security check: MYOB business settings have changed

Please improve lookup of previous supplier invoices

Security Bond held

Change owner