Forum Discussion

PriyaSelvaraj
MYOB Staff
2 years ago

Update - Improved Security - 2FA changes

We have recently taken measures to deliver new security functionality to provide contextual and adaptive multi-factor authentication (MFA) controls. As a result, MFA now takes into consideration a range of factors including user’s location, device & behaviour patterns to determine the level of authentication required.

By analysing contextual information like time of day and user location, our MFA can identify if additional authentication measures are necessary. This approach aims to reduce user effort, whilst maintaining a high level of security.

However, we have reviewed concerns raised by our customers.

What we’ve heard:

  • I want to be prompted for a login more frequently (7 days is not sufficient, unless I have the option to select this frequency)
  • I want to understand MFA and login requirements.
  • I want to understand my role in securing sensitive information.

What we’re doing:

  • Reverting login frequency to 12 hours. Users will be prompted to login after 12 hours, as they were previously.
  • Users can select "Trust this device for 30 days", however may be prompted more frequently if additional authentication is required.
  • We recommend users log out at the end of every session, via the product menu.

What you need to do:

We will provide further updates on these changes for all customers via our channels and the MYOB Community Forum.
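A constructed model of the step-up policy the post describes (password re-prompt after 12 hours, "Trust this device" for 30 days, and contextual signals such as location, device and time of day forcing a second factor regardless of trust). This is an added example, not MYOB's code; the LoginContext fields, the risk signals and the mfa_every_login flag (the "2FA on every login" option that replies in this thread ask for) are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Optional, Set

SESSION_MAX = timedelta(hours=12)  # password re-prompt interval stated in the post
TRUST_MAX = timedelta(days=30)     # "Trust this device for 30 days"
NOW = datetime(2024, 6, 3, 9, 30, tzinfo=timezone.utc)  # constructed reference time

@dataclass
class LoginContext:
    now: datetime
    session_started: Optional[datetime]    # None = no live session (e.g. user logged out)
    device_trusted_at: Optional[datetime]  # None = "Trust this device" was never selected
    known_location: bool                   # geolocation matches the user's usual locations
    known_device: bool                     # device fingerprint seen before for this user
    usual_hours: bool                      # time of day matches the user's normal pattern
    mfa_every_login: bool = False          # hypothetical tenant setting requested in this thread

def risk_signals(ctx: LoginContext) -> List[str]:
    """Contextual factors that raise the assurance level required for this request."""
    signals = []
    if not ctx.known_location:
        signals.append("new_location")
    if not ctx.known_device:
        signals.append("new_device")
    if not ctx.usual_hours:
        signals.append("unusual_time")
    return signals

def required_factors(ctx: LoginContext) -> Set[str]:
    """Factors the user must present now: a subset of {'password', 'mfa'}."""
    needed = set()
    session_live = ctx.session_started is not None and ctx.now - ctx.session_started <= SESSION_MAX
    trust_live = ctx.device_trusted_at is not None and ctx.now - ctx.device_trusted_at <= TRUST_MAX
    risky = bool(risk_signals(ctx))
    if not session_live:
        needed.add("password")
        # Only a still-trusted, low-risk device skips the second factor; anything else steps up.
        if ctx.mfa_every_login or not trust_live or risky:
            needed.add("mfa")
    elif risky:
        needed.add("mfa")  # anomaly mid-session: step up now rather than at the 12-hour expiry
    return needed

def make_context(hours_since_login, days_since_trust, known_location=True, known_device=True,
                 usual_hours=True, mfa_every_login=False) -> LoginContext:
    """Build a context relative to NOW; None means no session / no trusted device."""
    started = None if hours_since_login is None else NOW - timedelta(hours=hours_since_login)
    trusted = None if days_since_trust is None else NOW - timedelta(days=days_since_trust)
    return LoginContext(NOW, started, trusted, known_location, known_device, usual_hours, mfa_every_login)
```

With mfa_every_login left False, a logout followed by a login from a still-trusted, low-risk device asks for the password only, which is the behaviour several replies below describe; setting the flag makes every fresh login require both factors.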

78 Replies

  • Princess_R
    MYOB Moderator
    1 year ago

    Hi JillL1,

    Thank you for your response.

    The scenario where the application closes after a backup, creating additional steps to reopen and logout, is definitely not ideal. There are multiple possible solutions that can be considered for both simplifying the logout process and this scenario with backups. Our developers are definitely looking into this, but we are unable to provide an ETA on when a solution will be released. Release notes are regularly published on our support pages, but we will absolutely post an update on this thread when more information is available.

    Feel free to reach out if there's anything else I can assist you with.

    Cheers,

    Princess

  • myobuser20
    Contributing User
    1 year ago

    Hi Princess,

    There is still no ability to force a user to require 2FA on every login to MYOB Essentials through a browser (as in, the live file, not a backup).

    Even if you explicitly log out, you don't always need 2FA to log back in.

    After Jill suggested it, I emailed all of the different help desk emails I could find for MYOB and have received no response.

    The attitude towards what a number of your users are describing as a serious security concern is unsettling.

    How long are we expected to wait for you to close this bug, noting that all we want to do is revert back to how it was?

  • MichaelN
    Experienced Cover User
    1 year ago

    It is very interesting that MYOB still do not know when this problem will be resolved. Also of interest is how many users are affected.

  • Antoon
    Experienced User
    1 year ago

    It's pretty obvious the software development is outsourced and Myob staff are unqualified to resolve issues as they arise! They are raking in our money every month and not providing any meaningful service. My bookkeeper has greater problems with Myob. I fear QBO and Xero are probably no better...

  • Mike_MYOB
    Community Manager
    1 year ago

    Hi Jill,

    The mention of release notes is a way to stay informed of any future changes we make to our software, including security. As no changes have been made on this yet, there is nothing to share to you.

    The security rules around when you will be prompted to enter your email and password, as well as when you will be prompted for 2FA, are not the same for all customers, depending on how they access their software, what location they access their software from, how often they access their software, and whether they have multiple staff using a single PC or not (and whether they each have a unique sign-on to the PC).

    In most cases, the presumed 'gap' in security would come from persons having unprotected access to a PC, rather than to the MYOB software itself. As such, if this is the case, then our recommendation for now is to ensure that all users log out of the software when they are finished.

    Logging out of the software will ensure that when it is next opened, the email and password will be requested from the next user.

    As Princess has mentioned, we are definitely developing updates to our security based on feedback from our customers, but we are unable to provide an ETA on when this change will be released at the moment.

    I have also asked Tiff to get back in touch with you for anything further.

    Regards, Mike

  • JillL1
    Experienced User
    1 year ago

    Mike_MYOB Princess_R 

    I'm almost speechless...

    Just to clarify. EVERY other programme we use that requires 2FA requires it without variation. No exceptions. No workarounds. No awkward, non-standard way of logging out. No need to instigate levels of security OUTSIDE of the program just to get some basic security happening. Most, if not all, automatically log you out after a short period of inactivity. They just work as they are intended to. This one does not.

  • D-C
    Contributing Cover User
    1 year ago

    Yes, we need more fixing on this important security issue. Please put in the option to sign in every time the software opens, regardless of how it was closed.

  • myobuser20
    Contributing User
    1 year ago

    I had a(nother) call from MYOB where the assistant called and tried to solve the issue by Teamviewer today.
    The assistant tried basically exactly the same thing as the previous however-many-times someone has called to try to resolve the issue, but to no avail.

    There was then a suggestion that they could change the browser settings on one of my PCs so that that PC asked for the 2FA when logging in.

    I noted that this isn't fixing the security issue, it is just going to give me the perception the issue is fixed when I use that one PC (but not my other PCs). That is even riskier as it gives me a false sense of security that the system is secure when it is, in fact, not. The biggest risk is that I use a new computer thinking the system is secure, but that new computer is not tinkered with accordingly, and the security breach propagates to yet another computer.

    It is very concerning to wonder how many computers out there have this security issue on them that people don't know about.

    It seemed as if the person who called me today had not spoken to any of the previous people who called me, so followed the same checking process, and arrived at the same outcome, which was "just wait longer for us to fix it". No time frame can be given for how long that might take.

    I am losing faith that MYOB are taking the security of their system seriously. There has been a gaping security hole in their platform, which keeps extremely sensitive data in it, for nine months, and the phone call I get entirely lacks progress with no new ideas, suggesting there has been no meaningful internal communication over the issue.

    Has anyone else had any progress whatsoever on these security issues?

    It is not clear to me if I am the only one having this issue. It certainly feels like it, given it seems to be new information when I tell them the issues - as in, each time I have to explain the details of what is happening.

    Unfortunately, I think it is time to investigate what it looks like moving to a new provider. I will be looking at pricing, how hard it is to move, and whether the move can be done in a secure manner whilst moving to a more secure provider.

    PS To be clear, the technician who called me today was lovely, knowledgeable, made good suggestions with good ideas, and had a great temperament, so I don't blame them and they have done no wrong. But something out of their control is happening at the organisation, which means their technicians are starting fresh each time they call, and no updates to the software/system are made. It is a recipe for repetition without progress, which is not acceptable for security holes.