The next deadline under the STP (Single Touch Payroll) regime is the mandatory use of two-factor authentication.
Rather than relying on knowledge of a password to determine that a user is who they claim to be, two-factor authentication (2FA) also uses something they have (such as a smartcard) or something physical about them (eg, a fingerprint).
It's one of the Australian Signals Directorate's 'Essential Eight' security strategies.
The ATO published the latest edition of its Operational Framework for Digital Service Providers this month, and it mandates the use of multifactor authentication by cloud-based accounting systems.
An earlier version of the Operational Framework said "For products and services where users potentially have access to large volumes of taxpayer or superannuation related information (e.g. payroll) DSPs must implement multifactor credentials by 30 June 2018 and mandate their use by 30 September 2018.
"For all other products and services hosted by the DSP, DSPs must implement multifactor credentials by 30 September 2018 and mandate their use by 31 December 2018."
Xero has announced that its "Australian Payroll Administrators and Subscribers will be required to have 2SA [two-step authentication] on their Xero accounts by 11 September 2018."
The supported authentication apps are Google Authenticator (for Android, iOS and BlackBerry devices), Windows Authenticator (for Windows Phones) and WinAuth (for Windows computers).
Managing director Trent Innes said "At Xero, we have always taken security and privacy seriously. 2SA is similar to a deadbolt on your door; it adds another layer of security for all online practices, helping business avoid fraudulent activity.
"We fully support the ATO's requirement for 2SA on software that interacts with their tax system. It is the right thing to do to help protect client data.
"We are laser-focused on protecting our customers' sensitive data. Our customers are at the heart of everything we do and we'll do everything in our power to keep them safe online."
Similarly, all users of MYOB's payroll products will be required to use 2FA from the end of September.
"We're committed to security at MYOB and support the widespread rollout of 2FA," said MYOB general manager of products David Weickhardt.
"This is just one of the advanced security and monitoring systems we have in place to protect our users. By making 2FA mandatory we are protecting all users rather than just those that choose to turn it on. This is a massive step forward in security. It's an effective way to protect data, and a critical step in running a business responsibly."
The authentication apps supported by MYOB are Google Authenticator (for Android and iOS), Microsoft Authenticator (for Windows), and Authy (for Android and iOS, plus any device running the Chrome browser). MYOB's implementation of 2FA also supports authentication via email, but the use of a mobile app is recommended.
Curiously, even Google says that Google Authenticator provides two-step authentication (2SA) rather than 2FA. The reason is that you're actually signing in with two things that you know - your password and the authentication code. An attacker doesn't need physical possession of the phone or tablet running the Authenticator app if the device has been infected with malware that can transmit the code to a remote site.
If that seems far-fetched, there have been plenty of banking Trojans designed to capture users' internet banking usernames and passwords. The only real difference is that verification codes (one-time passwords) have to be used very quickly. Significantly, Google requires its staff to use a physical authentication key, not its own Authenticator app.
An ATO spokesperson told Business IT that "Multi-factor authentication (MFA) is one of the core requirements that has been mandated for software products or services hosted by DSPs; this may include Software as a Service, Gateways and Sending Service Provider models. The ATO's definition of MFA is that provided by ASD's Australian Cyber Security Centre."
The ASD says mobile authentication apps are an acceptable form of authentication, but points out that not all methods are equally effective.
The disadvantages of authentication apps are that "use of devices for web browsing or reading emails may mean that the device running the mobile app may no longer be secure" and "many devices are not secure and a device can be compromised by motivated and competent adversaries, particularly when travelling overseas."
ASD's recommendation is that devices used in this way should be hardened by implementing the Essential Eight (which are aimed more at computers than mobile devices) and by applying any specific hardening advice provided by vendors.
The Directorate also recommends the expiry time of the authentication code should be set to the lowest practical value (to give an attacker as little time as possible to do something with it), and users should be instructed to report the theft or loss of the device - even if it is personally owned - as soon as practical.
ASD also points out that "multi-factor authentication is most effective when one of the authentication factors is physically separate from the device from which the user is accessing the system or resource."
Regardless of any technical niceties, the bottom line is that users of the payroll features of cloud accounting systems (and cloud payroll systems, for that matter) will shortly have to get used to more rigorous sign-in requirements.