We have recently taken measures to deliver new security functionality to provide contextual and adaptive multi-factor authentication (MFA) controls. As a result, MFA now takes into consideration a range of factors including user’s location, device & behaviour patterns to determine the level of authentication required. By analysing contextual information like time of day and user location, our MFA can identify if additional authentication measures are necessary. This approach aims to reduce user effort, whilst maintaining a high level of security. However, we have reviewed concerns raised by our customers. What we’ve heard: I want to be prompted for a login more frequently (7 days is not sufficient, unless I have the option to select this frequency) I want to understand MFA and login requirements. I want to understand my role in securing sensitive information. What we’re doing: Reverting login frequency to 12 hours. Users will be prompted to login after 12 hours, as they were previously. Users can select "Trust this device for 30 days", however may be prompted more frequently if additional authentication is required. We recommend users log out at the end of every session, via the product menu. What you need to do: We will provide further updates on these changes for all customer via our channels and MYOB Community Forum.

I'd like to be very clear here, the changes MYOB have made has compromised security!!! When users now exit out of MYOB via the options of either closing the program window using the X or selecting File>Exit, they can now open the program without ANY requirement to log in using a password. MYOB will immediately lauch the program without any password OR 2FA authentication!!!!! Previously when you closed the program, you would have to login using a password. Why did MYOB change this and how can you possibly purport that this improves security? The situation now, is that anyone who has access to my computer could simply open the program and have access to MYOB WITHOUT having to actually login in using a password. I'm sorry, but I fail to see how this is an Improved Security measure. Are you aware that other programs such as Xero & Quickbooks, require you to login with a password and Xero requires 2FA everytime you login. Both these programs will also time you out of the program after a period of time, also requiring you to use a password and 2FA to log back in to the program. If the MYOB program is exited in any way, as a matter of security it should require you to login using a password. No system should allow you to open the program without any authentication or password at all.

I am not being asked to log on at all. There is zero security.

I'm sorry, how are you actually "improving security"?!?! Removing the requirement to enter a password when logging in has totally removed all security for this program. At least when we previously selected "trust this device for 30 days", we still had to enter a password to login to the program and select the client files we wanted to work in. Now, all I have to do is click on the MYOB icon on my desktop and I can access any file I want, with no password or any other kind of 2FA required to access the files. This is highly unsecure!! If the security on my computer was to be breached, anyone would have direct access to all of my client files. And who is going to be liable for that??? MYOB??? Is my cyber security going to cover any claim for this??? And I notice that the new update released yesterday/today has not fixed this issue! MYOB - you need to get this issue sorted out ASAP, unless you are happy to lose clients in droves because that's what is going to happen. We are already looking at moving clients out because you can't provide a secure environment for our client's important data. And if you don't just lose clients, you will more than likely end up getting sued when someone's client's data is breached due to your lack of security.

It would be nice to have some security. I can still just click on MYOB on my desktop and I am in. It's been far too long and writing about how important and good you are about security and then not fixing this issue that has been going on for over a week and a half is riduculous.

Update -Improved Security- 2FA changes

78 Replies

echokim
Experienced Cover User
10 months ago
Trust this device for 30 days has disappeared.
I am having to sign in and password EVERY DAY ???
D-C
Contributing Cover User
10 months ago
update we need use 2FA each time we open the file
D-C
Contributing Cover User
3 months ago
yes we need more fixing on this important security issue, please put in the option to sign in every time the software opens, reguardless of how it was closed
myobuser20
Contributing User
2 months ago
I had a(nother) call from MYOB where the assistant called and tried to solve the issue by Teamviewer today.

The assistant tried basically exactly the same thing as the previous however-many-times someone has called to try to resolve the issue, but to no avail.

There was then a suggestion that they could change the browser settings on one of my PCs so that that PC asked for the 2FA when logging in.
I noted that this isn't fixing the security issue, it is just going to give me the perception the issue is fixed when I use that one PC (but not my other PCs). That is even riskier as it gives me a false sense of security that the system is secure when it is, in fact, not. The biggest risk is that I use a new computer thinking the system is secure, but that new computer is not tinkered with accordingly, and the security breach propagates to yet another computer.
It is very concerning to wonder how many computers out there have this security issue on them that people don't know about.

It seemed as if the person who called me today had not spoken to any of the previous people who called me, so followed the same checking process, and arrived at the same outcome which was "just want longer for us to fix it". No time frame can be given for how long that might take.

I am losing faith that MYOB are taking the security of their system seriously. There has been a gaping security hole in their platform, which keeps extremely sensitive data in it, for nine months, and the phone call I get entirely lacks progress with no new ideas, suggesting there has been no meaningful internal communication over the issue.

Has anyone else had any progress whatsoever on these security issues?
It is not clear to me if I am the only one having this issue. It certainly feels like it, given it seems to be new information when I tell them the issues - as in, each time I have to explain the details of what is happening.

Unfortunately, I think it is time to investigate what it looks like moving to a new provider. I will be looking at pricing, how hard it is to move, and whether the move can be done in a secure manner whilst moving to a more secure provider.

PS To be clear, the technician who called me today was lovely, knowledgeable, made good suggestions with good ideas, and had a great temperament, so I don't blame them and they have done no wrong. But something out of their control is happening at the organisation, which means their technicians are starting fresh each time they call, and no updates to the software/system are made. It is a recipe for repetition without progress, which is not acceptable for security holes.
- H-TS
  Trusted User
  2 months ago
  Hi, you're not alone. I've just tested mine, and it looks like I can jump straight back in after closing if I'm within that 12 hour window of having last signed in. I don't notice because I'm in there all day and don't share my laptop but I can certainly understand it's a huge concern.
  I can confirm I'm also experiencing similar frustration with another feature that I've reported isn't working correctly. They keep telling me it's fixed but it's not, but I can't get anyone to confirm if they've been able to replicate it at their end or not. There was a time agreed for someone to call and do a teamviewer session but they didn't call. Have just received another email this morning trying to organise another teamviewer session... Not holding my breath.

Forum Discussion

Update -Improved Security- 2FA changes

78 Replies

Related content

Security Breaches

No security in Myob today

Suggestion for improvement

Session Security Audit report

Emails -Security check: MYOB business settings have changed

Please improve lookup of previous supplier invoices

Security Bond held

Change owner