What’s coming?

MYOB are introducing enhanced password security standards in line with ATO Digital Service Provider regulations.

This rollout will happen in two phases:

PHASE ONE

With the release of 2023.1, enhanced password security standards are being introduced.

What does this mean for you?

If you DO NOT currently use secure authentication (purple button), your password will need to meet the complexity requirements in order to log in: at least 14 characters long, containing at least one upper-case letter (A to Z), one lower-case letter (a to z), and one number (0 to 9) or symbol (e.g., !#$%^).

For more information about better password security go to: https://enterprise-support.myob.com/adv/better-password-security-standards

Note: These changes only affect you if you sign in with a username and password (Green Button), not if you use secure authentication (Purple Button). Momentum, however, recommends that everyone update their Advanced password (Green Button), as some areas, such as Employee Self Service, use the Advanced login.
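As an added illustration (not MYOB's or Momentum's code), the following Python checker applies the four requirements above and reports which ones a password fails, so an administrator can see exactly why a password is rejected. It assumes, since the page does not spell it out, that ASCII punctuation is what counts as a "symbol"; the function names and sample passwords are constructed.

```python
import string

# Policy as stated on this page: at least 14 characters, at least one upper-case
# letter (A-Z), one lower-case letter (a-z), and one number (0-9) OR symbol.
MIN_LENGTH = 14
SYMBOLS = set(string.punctuation)  # assumption: ASCII punctuation counts as "symbol"

def check_password(password: str) -> list[str]:
    """Return the policy rules the password fails; an empty list means compliant."""
    failures = []
    if len(password) < MIN_LENGTH:
        failures.append(f"shorter than {MIN_LENGTH} characters")
    # Check A-Z / a-z explicitly rather than str.isupper(), which also accepts
    # accented letters that the policy text does not mention.
    if not any(c in string.ascii_uppercase for c in password):
        failures.append("no upper-case letter")
    if not any(c in string.ascii_lowercase for c in password):
        failures.append("no lower-case letter")
    # The fourth rule is satisfied by EITHER a digit OR a symbol; both are not required.
    if not any(c in string.digits or c in SYMBOLS for c in password):
        failures.append("no number or symbol")
    return failures

def is_compliant(password: str) -> bool:
    return not check_password(password)

if __name__ == "__main__":
    # Constructed sample passwords; none of these are real credentials.
    for pw in ["Sunflower2024Garden", "sunflowergarden!", "Sunflower!",
               "SUNFLOWERGARDEN", "Sunflower Garden Time"]:
        print(f"{pw!r}: {'ok' if is_compliant(pw) else ', '.join(check_password(pw))}")
```

Note that a long passphrase made only of words and spaces ("Sunflower Garden Time") fails the stated policy, because a space is neither a number nor a symbol.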

What’s next?

Phase TWO (Due Oct 2024 – March 2025):

To further meet ATO Digital Service Provider regulations, all users who are not using MFA will need to transition to MFA. (Momentum will be here to assist with transitioning all users on your site to MFA.)

Your site will be updated to make MFA mandatory. MYOB will segment customers into cohorts to roll out mandatory MFA. Each cohort will be given time to make the changes before an assigned due date. On this due date your site will be updated to enforce mandatory MFA for all users.

There will also be some additional changes to MFA authentication to support best practice, including:

  • Change from 30-day to 24-hour reauthentication: Currently users have the option to “remember me” for 30 days, and within this period they will not be prompted to reauthenticate. This 30-day period will be reduced to 24 hours, which means a user must reauthenticate via MFA on a daily basis.
  • 30-minute inactive user lock: Currently, if a user is inactive in their session for more than 4 hours, the system will lock and require the user to reauthenticate when they come back. In line with security best practice, this timeout period will now drop to 30 minutes.
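The two timers above, as an added Python example that is not MYOB's code: it models the old (30 days / 4 hours) and new (24 hours / 30 minutes) settings and replays constructed activity patterns to count how often a user would be re-prompted, which makes the extra login friction of the new policy concrete. The function names, the workloads and the assumption that a successful reauthentication restarts the MFA clock are my own.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass(frozen=True)
class SessionPolicy:
    reauth_interval: timedelta  # how long a "remember me" MFA result stays valid
    idle_timeout: timedelta     # inactivity after which the session locks

# Before/after values as described on this page (constructed objects, not MYOB code).
OLD_POLICY = SessionPolicy(timedelta(days=30), timedelta(hours=4))
NEW_POLICY = SessionPolicy(timedelta(hours=24), timedelta(minutes=30))

def reauth_reason(policy, last_mfa, last_activity, now):
    """Return None if the request may proceed, otherwise why a re-prompt is needed."""
    # MFA age is checked first: an active user is still re-prompted once their
    # last MFA result is older than the reauthentication interval.
    if last_mfa is None or now - last_mfa >= policy.reauth_interval:
        return "mfa_expired"
    if now - last_activity >= policy.idle_timeout:
        return "idle_locked"
    return None

def count_prompts(policy, requests):
    """Replay sorted request timestamps and count how often the user is re-prompted."""
    prompts, last_mfa, last_activity = 0, None, None
    for t in requests:
        if reauth_reason(policy, last_mfa, last_activity, t):
            prompts += 1
            last_mfa = t  # assumption: a successful reauthentication restarts the MFA clock
        last_activity = t
    return prompts

def every(start, step, count):
    """Constructed workload: `count` requests, `step` apart, starting at `start`."""
    return [start + step * i for i in range(count)]

def office_week(start_day, days=3):
    """Constructed workload: 9-12 and 13-17 workdays with a request every 20 minutes."""
    reqs = []
    for d in range(days):
        day = start_day + timedelta(days=d)
        reqs += every(day.replace(hour=9), timedelta(minutes=20), 9)    # 09:00 .. 11:40
        reqs += every(day.replace(hour=13), timedelta(minutes=20), 12)  # 13:00 .. 16:40
    return reqs

if __name__ == "__main__":
    start = datetime(2024, 10, 7)  # constructed date
    office, polling = office_week(start), every(start, timedelta(minutes=10), 432)
    print("office user:", count_prompts(OLD_POLICY, office), "->", count_prompts(NEW_POLICY, office))
    print("10-min poller:", count_prompts(OLD_POLICY, polling), "->", count_prompts(NEW_POLICY, polling))
```

For the office user the lunch break and the overnight gap both exceed 30 minutes, so prompts go from one per day to two per day; for a client that never goes idle, only the 24-hour limit adds prompts.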

How to Set Up Secure Authentication

Remember, existing MFA users aren’t impacted by these changes, so why not set up MFA on your account now?

View the handy guide and watch the video below to learn how to set up and use MFA.

Two Factor Authentication (2FA) Changes from 1 October 2024

Regulatory compliance, combined with our obligations to our customers as a cloud platform provider, has meant MYOB have made some changes to how our Secure Authentication service works.

Users will be prompted at least once every 24 hours

We have shortened the maximum time between 2FA prompts to 24 hours. Previously we only prompted for 2FA if the assigned risk factor had become too high and we could no longer be certain that the person logging in was the same user.

What does this mean?

Users who previously only had to enter their email when using the purple login will now have to enter an authentication code at least once a day. This is much more secure for users, but does mean more login friction.

Full enforcement is on the way

To stay compliant with our security obligations, we are pushing towards secure authentication eventually being active for all users. We have not yet taken the mandatory enforcement steps, though we have made customers aware of the deadlines.

These changes affect both NZ & Australia

While the changes are required for ATO compliance, they also reflect industry best practice for cloud applications (2FA should be used for any sensitive data). As such we are implementing these changes platform wide, though Australian cohorts will be the initial users forced to change.

Login Options for Users

Native Login (Green Button)

This option is available for users whose sites haven’t activated Enforce Secure Authentication.

Native logins will work until either someone uses Secure Authentication for the first time in a company, or Secure Authentication Enforcement is turned on sitewide.

If Enforce Secure Authentication is on, users should not use the green button.

Native users are always required for some features

The following always require a Native Login to function:

  • Outlook plugin
  • API users
  • OData
  • Device Hub
  • Report Designer

Native logins will occasionally force password changes

Based on password expiry and password complexity policies, logging in with the green (native) button will prompt for password changes.

Password changes to Native Logins do not affect MYOB ID

If a user uses the green button to log in and is prompted to change their password, this doesn’t change their MYOB ID password. Customers are generally unaware that these are different.

Password changes to Native logins do not propagate to all tenants

When an end user changes their password, this only affects the tenant they are currently logging into. Their credentials will then no longer match across tenants, and they will lose access to the other tenants unless they change the password there as well.

Secure Authentication (Purple Button)

This option is mandatory for sites that have activated Enforce Secure Authentication.

This uses MYOB’s central identity service (backed by Auth0) to prompt users for a Username, password, and a 2FA prompt at least once every 24 hours.

Secure Authentication requires a MYOB ID

This is the same central account used for all direct MYOB services, such as the community forum.

Secure Auth will force a 2FA check at least once per 24 hours

Since 1 October 2024, MYOB ID forces a 2FA check once per day.

While App Authenticator is the most secure option, email or SMS also work

Users with less technical skill may find it easier to sign up for SMS- or email-based 2FA than for App Authenticator. Consider recommending these options if users are struggling.

Users may find it easier to set their MYOB ID & Native Logins to the same password

Please be aware that if one password is changed, the other will remain the same. Users will, however, often keep these as the same password.

SSO (Microsoft Azure Entra / Microsoft Azure Active Directory) is available for customers who want to manage their own security settings around 2FA.

For any company that uses Azure Active Directory already, this is a reliable option. It frees users from any confusion around MYOB ID, especially as SSO sites can fully stop issuing Native User accounts to their users if desired.

MYOB ID is still required for Australian Payroll admins to use the PaySuper service, and in older releases may be required for Bank Feed applications.

More information:

Customers can run their own SSO using Microsoft

This option is native from 2023.1.1 onwards. When a customer has this set up, their primary support point will likely be their IT person.

This offers customers control of their 2FA experience (including 2FA method resets).

This removes the need to contact MYOB support if an authenticator is lost.

AD group assignment of roles can be tricky

If there are issues with Active Directory groups assigning roles to users correctly, there is an option to override role assignment. There appear to be issues that may impact multi-tenant environments.

If needed, MYOB ID can be reached using in-product login buttons

If the user must use MYOB ID for a service, there will be a login button available onscreen.

Troubleshooting Steps

What to do – Options

If something doesn’t work, read the error message.

Users often try to SIGN UP when they already have an account. If so, look for a LOG IN button on screen.

The email address on the user profile must match the email address of the MYOB ID.

Clearing the association can be done by Partner and Admin users.

However, this should only be done if the user has the wrong email address linked to their MYOB ID, or has changed the email address of their MYOB ID.

In general, clearing the association will just force the user to sign up again, leading to a 2FA loop and requiring use of the green button.

Password resets can be done by the user directly during log in.

If no email is received, they may need to SIGN UP instead.

If an account is locked, they either need to wait out the timer or contact MYOB Support to have a password reset generated.

If someone is being asked for an app authenticator and cannot use the recovery code feature, the partner will need to contact MYOB.

MYOB can reset the authentication method so the user can choose again.

SMS and Email options are available for users who struggle with App Authenticator.

Users are often very confused between Native Login accounts and secure authentication (purple) accounts.

If unsure, have them log in directly at: https://myaccount.myob.com/account/security/

Full Instructions for users experiencing issues

Slow down! Read the error messages!

  • The screens do describe the errors that are happening. Users will fail to read them.
  • “The email address and/or password used for authentication are invalid”
  • The above message means EITHER the password is wrong OR the username doesn’t exist.
  • If “Forgotten your Password?” doesn’t send an email, it will almost certainly mean they don’t have an account.

Try the MyAccount page at: https://myaccount.myob.com/account/security/
Try logging in with your email address.

If they have problems with the password not working, read the message shown on screen. If it mentions that the password is invalid, they should use the Reset Password option on screen. This will email them a one-time link to change their password.

Remember, there are two systems in use here.

  • Green “Native Login” password for Acumatica
  • Purple “Secure Authentication” password for myaccount.myob.com

Because of this, if they change their password in one service, it will no longer match the other.

Signing up for an account can be done either during the association process, or as follows:

  • Go to the community forum: https://community.myob.com/
  • Click “Register” at the top right of the screen
  • After the Login prompt, there will be an option for “Don’t have an account? Sign Up”

Users with configured 2FA will be asked to put in a code.

New Users, or users whose 2FA method has been reset will be asked to choose an authenticator method.

“App Authenticator” is the most secure method and is recommended for power users, as it doesn’t involve waiting for messages with auth codes.

SMS & Email are both available as options and may be more appropriate for some users.

Step 4.1: You can handle your own 2FA resets if you set up a second authenticator method.

Go to: https://myaccount.myob.com/account/security/

There will be an option on screen letting you review your existing 2FA methods and add an additional method.

If this works, your account was already ‘associated’ with your Acumatica login.

If this returns you to the login screen with a message that your account wasn’t found, you’ll need to try Step 6.

Please remember, this can be a different password than the one used for the purple button/MyAccount screen you just set up.

  • If users are struggling, it might be easiest to reset their password in Acumatica to make sure they can log in.
  • (While for security reasons all passwords should be unique, some users find it simpler to set the Purple & Green passwords to the same thing.)

This should be the last time you ever need to use the green button. Any future times you go to log in just press the Purple button.

Additional Resources / Support

Users may also benefit from the 2FA for Acumatica home:

Have some questions?

Momentum Support Ninjas are here to support you through these changes. Please save this page for the latest updates. In the meantime, if you have any questions, please contact Momentum Support by email at support@momentumss.com.au or by phone on (07) 5479 1877.