Enhanced security measures are live - 27/11/24 (Update 19/12/24)
Hi everyone,

Update 19/12/24 - Are you still there?

Hello Community members and followers of this security updates thread! It's been a few days since we last spoke. There is a great update coming through already for the inactivity timeout changes in the browser. AND it's releasing today, the 19/12/24.

Users in the browser will now be provided with a warning message 5 minutes prior to the inactivity timeout. This will show at the top of the window with "Are you still there?" and provides a clickable option to confirm "I'm still here" (example image below).

Update 05/12/24: Session Inactivity Lock for AccountRight Desktop App

We've consulted with the ATO and have been able to agree that AccountRight Desktop can be excluded from the 30 minute inactivity lock requirement. We can confirm this feature has now been removed from the desktop app.

While the inactivity lock is no longer in place on the AccountRight desktop app, we strongly encourage everyone to implement sensible security measures on your individual devices. This includes setting up automatic timeouts and using password-protected logins for added protection.

The 30-minute inactivity lock will remain in place for MYOB Business and MYOB AccountRight in the browser, in line with ATO requirements.

Previous update to this post (27/11/24)

The changes for inactivity went live today on the 27th November. Specifically for AccountRight, many customers encountered unexpected crashing/freezing of the software after entering their password to sign in again. Work in progress would also be lost due to the crash.

I want to assure everyone that this is not the expected behaviour associated with the inactivity timeout.

- You can expect the screen to blur and a message to pop up.
- Click sign in again as [user].
- Enter your password and you will be back to continue where you were (no loss to work in progress).

As a result of the crashing, we have temporarily disabled the inactivity timeout for AccountRight. You will need to close and re-open AccountRight for this change to take effect.

Thank you for the feedback, examples and information provided on these issues today. We are continuing to investigate before it is enabled again.

I'm updating this post (2:30pm AU 21/11/24), as there have been a lot of comments and engagement in the change. With over 100 comments on the post, we are starting to get the same questions being asked, and answers being missed, so I hope to summarise the change and key questions/feedback here.

The change/s and timeline

- September 30th > MYOB implemented 2FA being required at least once every 24 hours
  - Some initial feedback came through about the 2FA prompt causing customers to lose work in progress
  - MYOB has implemented a fix based on feedback and 2FA is prompted on the first login each day to avoid loss of work
- November 27th > you'll be asked to sign back in after 20-30 minutes of inactivity (announced November 19th)
  - This announcement on inactivity is driving a significant amount of feedback and discussion that I will summarise below

What's changing:

From Wednesday 27 November 2024, you'll be asked to sign back in after 20–30 minutes of inactivity. After this time, your screen will become locked and blurred. To continue working, you'll need to sign back in with your username and password.

This applies to the following MYOB software: MYOB Business, MYOB AccountRight and AccountRight browser (online files only), MYOB Connected Ledger, MYOB Business Payroll Only and MYOB Practice.

[Screenshots: Browser, Desktop]

What do you need to do?

When you're presented with the "Are you still there?" message, we recommend that you click "Sign in using [existing email]" to return to work in progress.

Note: 2FA is not required as part of signing in again, and your email will automatically be pre-filled.

Will I lose my work when the screen is greyed out?

If you sign back into your account using your existing email, you won't lose any work in progress and can continue where you left off. However, if you choose to sign in to a different account, your work will not be saved. If you click Back or Reload, or if you don't sign back in after 12 hours, you'll also lose work in progress.

How does the inactivity screen work between Browser and Desktop?

When you are logged into both the Browser and Desktop at the same time, each session will operate independently. This means that if you are inactive in the Desktop version, you can remain active in the Browser version. The inactivity timeouts for these sessions are separate from one another.

When signing back in after inactivity, do I have to enter my email, password and do 2FA?

No, your email will be automatically pre-filled when signing back in using your existing email to both the desktop and browser software. Users will be required to enter their password only. 2FA is still a 24-hour requirement and not required for signing back in after an inactivity timeout.

Can I opt out of the new inactivity or 24-hour 2FA security measures?

No, as these are mandatory compliance changes in line with industry best practice, they cannot be disabled.

Why am I being asked to login or do 2FA multiple times a day?

Based on scenarios described in the forum + a known issue that MYOB is currently working to resolve, this could be for one of the following reasons.

- Closing AccountRight using the 'x' is currently causing 2FA to be prompted when re-opening the software even if it is less than 24 hours. This was recently discovered as a bug/regression with the last AccountRight 2024.10 release and the team are releasing a fix to this asap. This has been resolved*
- Opening multiple instances of AccountRight. This seems to be something multiple customers are doing when they have multiple files they work on. Instead of switching between files (no login would be required), they are all opened concurrently and each instance of AccountRight that is opened will require a login.

Is this an MYOB decision or required by the ATO? And subsequently, why do New Zealand customers need to adhere to ATO requirements?

Yes, both the 24 hour 2FA and the inactivity timeout changes are mandated requirements from the ATO. This requirement seeks to minimise the opportunity for unauthorised users to access Taxation, Accounting, Payroll, Business Registry or Superannuation related information. Read more on the ATO website here if interested.

New Zealand customers, although not bound by the same requirements set by the ATO, will share the same security measures as our Australian customers so that MYOB is providing best practice security to all customers.

MYOB has also published help articles that explain the changes and can be found below:

- For Australian customers here
- For New Zealand customers here

Improvements to updating employee pay details
Hi all, we've recently released a message in AccountRight and MYOB Business to prompt you to either keep an employee's current Standard Pay hours or revert them to the default hours per pay frequency when the pay rate or frequency is changed in the Payroll Details > Wages tab.

This is for Australia only and will keep customers aware of how changes in wages affect Standard Pay and give greater control when updating hourly employees.

You can find out more for browser at point 6 here: https://www.myob.com/au/support/myob-business/payroll/changing-an-employees-salary-or-hourly-rate?productview=Browser

and desktop at point 8 here: https://www.myob.com/au/support/myob-business/payroll/changing-an-employees-salary-or-hourly-rate?productview=Desktop