Enforcing 2FA for your users after your 2024.2 upgrade
2FA will soon be mandatory for payroll administrators. We've made managing authentication easier, so get your team signed up now to avoid any disruption.
The ATO has introduced new security requirements for software that manages ATO-related data. To meet these requirements, we're turning on mandatory 2FA using for all payroll administrators on your site 30 days after your site is upgraded to 2024.2.
To use 2FA, your users will need to sign up for an MYOB ID account, and start using the purple button to sign in.
While we'll be making 2FA mandatory for these users, get them on 2FA as soon as you can to avoid any interruptions on a pay day.
Not on 2024.2?
If you're upgrading to 2024.2 before DATE, sit tight for now — we'll remind you again your upgrade. If you'll still be on an older version, see our instructions for LINK or LINK.
With 2024.2 we've made some big improvements to user security management, so turning on 2FA will only take a few minutes. There are three steps:
- Make sure your user account has the External Identity Manager role.
- Send out 2FA invitation emails to help your users sign up for an MYOB ID account.
- Make 2FA mandatory for selected users by turning on Forbid Login with Password.
Checking your user access
In 2024.2 we added the External Identity Management form (MYSM2065) to make it easy to manage user security in bulk.
Anyone can see themselves on the new form, but to view and manage other users you need the External Identity Manager role. To add a role, see User Access: To Modify Access for a User Account.
Only add this role to system administrators, as it gives users a lot of control over access to your system.
Sending 2FA invitation emails
To make it easy for your users to sign up for an MYOB ID account you can send them 2FA emails in bulk, with a sign-up link and instructions.
You can send the emails before or after making 2FA mandatory, and resend them as needed.
- Open the External Identity Management form (MYSM2065).
- Select the checkboxes next to your payroll administrators.
- Click Associate External Identity.
  The Associate Users window opens, defaulting to MYOB ID.
- Click OK to send the emails to the selected users.
For help with the sign-up process, see LINK.
Making 2FA mandatory
You can enforce 2FA in bulk by assigning Forbid Login with Password to selected users. This is applied on a per-user, per-tenant basis, so if you have multiple tenants you will need to go through this process for each one.
Once Forbid Login with Password is turned on, those users will only be able to sign in using 2FA. If they haven't set up 2FA they'll be prompted the next time they go to sign in.
- Open the External Identity Management form (MYSM2065).
- Select the checkboxes next to your payroll administrators.
  If you want to enforce 2FA for all your users, select the checkbox in the header row.
- Click Forbid Login with Password.
- In the Update Users window, select the Forbid Login with Password checkbox and click OK.
Consider making 2FA mandatory for all users
2FA significantly strengthens your site's security, helping protect company, employee and customer information. While it's only mandatory for payroll administrators, consider enforcing it for all your users.