Forum Discussion

PriyaSelvaraj's avatar
PriyaSelvaraj
MYOB Staff
2 years ago

Update -Improved Security- 2FA changes

We have recently taken measures to deliver new security functionality to provide contextual and adaptive multi-factor authentication (MFA) controls. As a result, MFA now takes into consideration a range of factors including user’s location, device & behaviour patterns to determine the level of authentication required.

By analysing contextual information like time of day and user location, our MFA can identify if additional authentication measures are necessary. This approach aims to reduce user effort, whilst maintaining a high level of security.

However, we have reviewed concerns raised by our customers.

What we’ve heard:

  • I want to be prompted for a login more frequently (7 days is not sufficient, unless I have the option to select this frequency)
  • I want to understand MFA and login requirements.
  • I want to understand my role in securing sensitive information.

What we’re doing:

  • Reverting login frequency to 12 hours. Users will be prompted to login after 12 hours, as they were previously.
  • Users can select "Trust this device for 30 days", however may be prompted more frequently if additional authentication is required.
  • We recommend users log out at the end of every session, via the product menu.

What you need to do:

We will provide further updates on these changes for all customer via our channels and MYOB Community Forum.

  • echokim's avatar
    echokim
    Experienced Cover User

    Trust this device for 30 days has disappeared.

    I am having to sign in and password EVERY DAY ???

  • D-C's avatar
    D-C
    Contributing Cover User

    update we need use 2FA each time we open the file 

  • D-C's avatar
    D-C
    Contributing Cover User

    yes we need more fixing on this important security issue, please put in the option to sign in every time the software opens, reguardless of how it was closed 

  • myobuser20's avatar
    myobuser20
    Contributing User

    I had a(nother) call from MYOB where the assistant called and tried to solve the issue by Teamviewer today.


    The assistant tried basically exactly the same thing as the previous however-many-times someone has called to try to resolve the issue, but to no avail.

     

    There was then a suggestion that they could change the browser settings on one of my PCs so that that PC asked for the 2FA when logging in.

    I noted that this isn't fixing the security issue, it is just going to give me the perception the issue is fixed when I use that one PC (but not my other PCs). That is even riskier as it gives me a false sense of security that the system is secure when it is, in fact, not. The biggest risk is that I use a new computer thinking the system is secure, but that new computer is not tinkered with accordingly, and the security breach propagates to yet another computer.

    It is very concerning to wonder how many computers out there have this security issue on them that people don't know about.

     

    It seemed as if the person who called me today had not spoken to any of the previous people who called me, so followed the same checking process, and arrived at the same outcome which was "just want longer for us to fix it". No time frame can be given for how long that might take.

     

    I am losing faith that MYOB are taking the security of their system seriously. There has been a gaping security hole in their platform, which keeps extremely sensitive data in it, for nine months, and the phone call I get entirely lacks progress with no new ideas, suggesting there has been no meaningful internal communication over the issue.

     

    Has anyone else had any progress whatsoever on these security issues?

    It is not clear to me if I am the only one having this issue. It certainly feels like it, given it seems to be new information when I tell them the issues - as in, each time I have to explain the details of what is happening.

    Unfortunately, I think it is time to investigate what it looks like moving to a new provider. I will be looking at pricing, how hard it is to move, and whether the move can be done in a secure manner whilst moving to a more secure provider.

    PS To be clear, the technician who called me today was lovely, knowledgeable, made good suggestions with good ideas, and had a great temperament, so I don't blame them and they have done no wrong. But something out of their control is happening at the organisation, which means their technicians are starting fresh each time they call, and no updates to the software/system are made. It is a recipe for repetition without progress, which is not acceptable for security holes.

    • H-TS's avatar
      H-TS
      Trusted User

      Hi, you're not alone. I've just tested mine, and it looks like I can jump straight back in after closing if I'm within that 12 hour window of having last signed in.  I don't notice because I'm in there all day and don't share my laptop but I can certainly understand it's a huge concern.
      I can confirm I'm also experiencing similar frustration with another feature that I've reported isn't working correctly. They keep telling me it's fixed but it's not, but I can't get anyone to confirm if they've been able to replicate it at their end or not. There was a time agreed for someone to call and do a teamviewer session but they didn't call. Have just received another email this morning trying to organise another teamviewer session... Not holding my breath.