Exec Summary
- MYOB Advanced is enforcing mandatory MFA for all users to enhance online security and comply with ATO Digital Service Provider regulations.
- This rollout will happen in phases during Q2 & Q3:
- Upgrading all sites to version 2023.1.xxx (mandatory). The majority of sites are already scheduled for upgrade.
- User transition to MFA with support and deadlines.
- Changes are also being made to the MFA solution:
- Reauthentication is required every 24 hours (down from 30 days).
- User session lock after 30 minutes of inactivity (down from 4 hours).
- A change management program will keep customers and partners informed.
Benefits:
- Improved online security for MYOB Advanced users and their data.
- Compliance with ATO Digital Service Provider framework.
Action Required:
- All sites must upgrade to version 2023.1.xxx.
- All users who aren’t using MFA will need to transition.
Details
The importance of online security and protecting our digital services is paramount, especially due to the nature of the information and data that is managed through the MYOB Advanced solution. A key part to security is multi-factor authentication.
In support of our commitment to helping our customers remain secure online and aligning to the requirements of the ATO Digital Service Providers framework, over the next quarter we will be rolling out changes to MYOB Advanced to enforce MFA for all users on the platform.
There are several required steps to achieve this:
- All sites need to be upgraded to the 2023.1.xxx release
- All users that are not using MFA need to transition to MFA
- The site will be updated making MFA mandatory
Associated to this, there are also some changes being made to the MFA authentication solution to support best practice security including:
- A change to the time required for MFA authentication which will be set to 24 hours
- A 30min inactive user lock will be applied, currently this is set to 4 hours
Additional details on each of the above:
Site upgrades to 2023.1.xx
A required authentication change was made to the 2023.1 release and all sites will need to be upgraded to this version. Due to the ATO requirements, we will be treating this upgrade as a mandatory compliance upgrade as such we will not be permitting opt-outs or reschedules for sites that are scheduled to be upgraded. Several sites are not scheduled to be upgraded to the 2023.1 release, as such we will be reaching out to make a plan to get them into an upgrade window before end of July.
User transition to MFA
We have a mix of how MFA has been adopted within sites, however, we the objective is to drive a full adoption of MFA for all users through all sites. To achieve this we will segment customers into cohorts and and support them with collateral outlining what needs to happen and how to transition. Each cohort will be given time to make the change, but a due date will be applied. On this due date the site will be updated to enforce mandatory MFA for all users.
Change to 24 hour reauthentication
Currently users have the option to “remember me” for 30days and within this period they will not be prompted to reauthenticate via MFA unless the adaptive MFA identifies a change in their user behaviour (i.e. logging in from a different network). This 30 days will be reduced to 24 hours essentially requiring a user to reauthenticate via MFA on a daily basis.
30min inactive user lock
Currently, if a user is inactive in their session for a period of more than 4 hours, the system will lock and require the user to reauthenticate when they come back. Security best practice recommends this timeout period to be a maximum of 30mins and as such we will be dropping the timeout to the 30 minute mark for sites.
To support all these changes we will be working through a change management program of how to roll this out to ensure that customers and partners are aware of the schedule for the changes, what is required and why we are doing it. Further details on this program of work will be provided in the upcoming weeks.
