IMPORTANT INFO - Multi Factor Authentication for Reckon Accounts Hosted 🔒

Rav

Hi everyone

We wanted to give you a heads up on upcoming changes on Multi-Factor Authentication (MFA) with Reckon Accounts Hosted.

Ensuring the security of your data is a top priority for us at Reckon.

In line with this commitment and the regulations set by the Australian Taxation Office (ATO), we are implementing mandatory multi-factor authentication (MFA) for Reckon Accounts Hosted starting from May 2024.

Multi-factor authentication is essential for strengthening your data's protection. By combining your password with a second authentication source, such as a mobile device, MFA ensures that only authorised access is granted and protects your account from cyber security threats.

From May 2024, you'll be presented an MFA prompt after logging in to Reckon Accounts Hosted once in a 24 hour period, adding an extra layer of protection to your account.

To ensure a smooth transition, we're encouraging our Hosted users to set up MFA now 🙂

After logging in to Reckon Accounts Hosted, click Login Security Settings (MFA) under the Useful Links heading on the Welcome screen. For detailed instructions, please check out our MFA guide here - MFA (Multi-Factor Authentication) in Reckon Accounts Hosted

We really appreciate your understanding and thank you for your co-operation in this. If you have any questions or concerns, please feel free to leave a reply below.

Danuta

Can I use the Reckon Portal Authenticator setup on my computer?

If not, how do I setup a MFA without a mobile phone?

Bruce

@Danuta very easy to set up with MFA. Took me about 2 minutes to set up.

Follow the "useful link" to the right of Launch button when you first log in.

Danuta

Without using a mobile phone?

Rav

Hi @Danuta

Our first recommendation is to use a phone-based authenticator app however yes you could use an authenticator browser extension on Google Chrome for your MFA instead if that's what you prefer.

You will need to setup the authenticator browser extension and then follow the prompts in whichever respective extension you choose to copy the QR code during setup of MFA. While this is not specific to Reckon Accounts Hosted, you'll find the general walkthrough of how it works HERE.

Danuta

Excellent ... worked perfectly.

Thank you.

ShelleyG

I have several part time employees using the same license, on different days and possibly in different locations.

How can a MFA work with this situation?

Rav

Hi @ShelleyG

Multi-Factor Authentication is enabled on the specific Hosted login itself so if you have multiple individuals requiring access, best practice is that they have their own licence which will also mean they will have their own individual MFA on the login. How many users do you have sharing the same licence?

Its not something we endorse or recommend, so if you're sharing a login once MFA comes into effect next year (or if you enable it now) it will require the individual who receives the MFA code to provide it to the user attempting to login before it expires.

ShelleyG

Hi Rav

Currently I have 4 people who have access to that license. They all have their own User logins and permissions.

Can we talk outside the public forum?

Rav

Sure @ShelleyG, feel free to send me a private message 🙂

ShelleyG

I have sent you a private message

Painters

Hi Rav

How is MFA going to work when 2 people (husband and wife), need to use it at different times and we have different phone numbers? We have 2 companies.

Our BAS agent also logs in every quarter and our accountant when necessary.

RFreestun

This is a problem for my boss and me also. Rather than using mobile authenticators only, can the 2FA code be sent to an e-mail address? As used elsewhere, allowing an authenticator, SMS, or e-mail address would be helpful, as we do not all have the same circumstances.

Rav

@Painters

If you're both using the same PC then a potential option could be to use an authenticator extension on your browser as opposed to the SMS or authenticator app on a mobile phone method.

You will need to setup the authenticator browser extension and then follow the prompts in whichever respective extension you choose to copy the QR code during setup of MFA in Hosted. While these instructions are not specific to Reckon Accounts Hosted, you'll find the general walkthrough of how it works HERE.

@RFreestun

MFA to an email address is not an option unfortunately. The current options for MFA are via an authenticator app on mobile/internet browser eg. Google Chrome or SMS delivered to a nominated mobile number.

Painters

Hi Rav. We use different PC's. What other options are there please?

Rav

@Painters The current MFA sources are via an authenticator app on mobile/internet browser eg. Google Chrome or SMS delivered to a nominated mobile number. As mentioned previously above, its not something we endorse or recommend, so if you're sharing a single login once MFA comes into effect next year (or if you enable it now) it will require the individual who receives the MFA code to provide it to the user attempting to login before it expires so you'll need to establish a process around that.

The other option is to obtain an additional licence for that second user. Each licence allows concurrent access to Hosted and it will also have its own dedicated MFA so there won't be any need for sharing.

Painters

How much is the additional license please?

Rav

There are monthly and annual options ( info HERE) but its best to have a chat with our Customer Service team on specific pricing - 1800 732 566

Painters

I don't need a separate license and would definitely not pay double the monthly amount. Can you have 2 separate logins on the same license? I understand you might have to pay a bit more for that. My BAS agent has a separate log in to my accounts.

Kris_Williams

Your accountant possibly logs in to your file because you have shared it with him and he has his own Reckon login.

I too am not happy about this latest change. I know of many people who share 1 license but use at different times

Acctd4

@Painters Unfortunately, Hosted pricing is per licence. You can have as many Users as you like within the Company File itself on a single licence, but cost is per-platform-access.

Note: The MFA requirement is due to the ATO’s new regulations being introduced for online security, which Reckon - along with all other online/cloud software providers - are required to implement.

It’s problematic for those sharing a licence, but just to be clear, it’s not purely a Reckon thing 😬

Wendy_7689800

Definitely can't assume everyone has a company-supplied mobile phone.

It's difficult enough now with the authentication to use STP - but at least that's only once a week that I need to get the code off the person with the phone.

Can I ask why you won't do MFA to an email address? I assume it's not an ATO restriction, as MYOB appears to have that functionality?

Can I ask how the Google authenticator option will work if I use different computers - are you saying I need to put the extension (or app) on all of them - even if they are not "mine" ? That doesn't sound workable.

Painters

Yes why can't MFA go to an email address?

Rav

@Wendy_7689800 @Painters Take this with a pinch of salt but I was told many, many moons ago that email was not a permitted method for MFA as part of the ATO's STP framework for all software providers. I can't confirm the veracity of that though.

However as I've mentioned above, there are a few MFA methods available for Hosted users to utilise; SMS, authenticator app on mobile or authenticator extension on browser - MFA (Multi-Factor Authentication) in Reckon Accounts Hosted

Wendy_7689800

@Rav

Many people don't have company-provided mobile phones, and I don't feel it's appropriate to use a personal mobile (if they have one that they use at work).

Further, the browser extensions sound as if they would need to be applied to every computer the person uses.

Starting to sound like we're going backwards to the old desktop software days.

Painters

@Rav So if I'm using Reckon on my computer, the MFA will go to the app I download to my phone and if my husband is using his computer the same will apply, so we can still use the program without one person having to send a code to the other? Is there a particular MFA app you recommend?

Rav

I'm going to disagree with you there @Wendy_7689800. This is a very large step forward in enhancing the security of Reckon Accounts Hosted and ensuring your data is safe along with helping to protect against cyber security threats. MFA on Hosted has been one of the more frequent requests that we've fielded from users over the years and as mentioned above, this upcoming change is in line with regulations set by the Australian Taxation Office (ATO).

Your Reckon Accounts Hosted login, like other online accounts you have, isn't designed to be shared across multiple individuals. It dilutes any realistic account security and isn't best practice. Ideally, each individual user should have their own licence to Hosted. Each licence allows concurrent access to your file(s) in Hosted ie. its own login, and it will also have its own dedicated MFA for that specific user.

Yes I can certainly understand and appreciate that this upcoming change might feel like an inconvenience at the outset however I'm sure you can agree that your data security is of paramount importance to not only yourself, but also us as well.

Wendy_7689800

Just to clarify @Rav I'm the only user of our system, this is not the issue for us. Rather, it's necessary to use on different computers, when working from different locations.

I don't have a company-provided mobile phone.

I'm not sure why email security would be considered insufficient, and I can't find anything in the ATO guidelines that disallows email.

Kris_Williams

I’m struggling with this change as well Wendy but just so you know it doesn’t have to be a company phone. All that’s involved is receiving a text with a code

Wendy_7689800

Thanks, and I understand that @Kris_Williams, I don't use my personal phone for work activities though. Just a policy I have, helps avoid having to undo a lot of stuff, but also, I shouldn't need to use my personal equipment for business purposes.

Also, we shouldn't be building this type of equipment/phone number requirement into cloud software. To me it defeats the purpose. It also means that (if I use my personal phone), if I'm not at work unexpectedly, there's an unnecessary hurdle in the way of someone needing to pick things up in my absence.

I will have to explore the browser options, and see if I'm able to get admin rights to set it up on the different computers I need to use. Again, defeats the purpose of cloud computing.

Acctd4

@Wendy_7689800 I do understand your frustration but to reiterate, this isn't specifically down to Reckon; it's government requirement & the obligation for providers to ensure protection of customer online data against fraud/hackers.

The intention is that personal devices ARE to be used, to further enhance a user's unique access 😬

The use of your phone involves purely just receiving a 6-digit code via SMS, nothing else. It ensures that if someone else tries to access your data, not only will they be unable to do so, you'll also be alerted by receiving that SMS code.

Eric Murphy

Just been reading some of the comments here and it's pretty apparent that most have completely missed the whole point of MFA and what's its for.

To be honest, this should have been on Hosted a very long time ago but better late than never I suppose.

Odd to see the above commentary that this shouldn't be built into cloud software. Every single service provider worth their salt should be providing some form of secondary factor authentication and you'll find that most already have including Google, Facebook, your internet banking.. the list goes on.

If your login is compromised at some point in the future you'll be very glad that you have it then. Unfortunately I speak from experience on that where hackers previously attempted to access my email and internet banking accounts but couldn't get any further due to the 2FA.

Acctd4

Absolutely agree @Eric Murphy

Unfortunately, these are the times we live in & whilst I agree it's annoying, it's also necessary - Users would be furious (with Reckon!) for not ensuring their data is protected in the event of a security breach/hack 🙄

Xero actually had this happen a few years ago where their users were hacked & their financial data exposed. Reckon has always taking security very seriously & - even without MFA - they have exceptional encryption in place, evident by the fact that this has never happened to Reckon users 😊

Painters

Definitely agree that it needs to happen but trying to work out the best way to do it. Not willing to pay double to get another license.

If I use a MFA App, and I'm using Reckon on my computer, will the MFA go to the app I download to my phone and if my husband is using his computer will the same apply, so we can still use the program without one person having to send a code to the other?

Also what MFA App do people recommend please?

Rav

@Painters Your MFA code will come through to the one source that you choose. If you setup MFA using the authenticator app on your phone then that's where the MFA codes will go. If you're sharing a single login and your husband tries to login on a separate PC he will be required to input the MFA code from your app (once in a 24 hour period).

In terms of recommendations on authenticator apps, check out the article linked in the opening post. We've got links for both iPhone & Android, and I'd suggest using something like the Google Authenticator or Microsoft Authenticator apps, they're really use to use.

Sarah_10102182

Hi Rav. We are a small business with one licence which is accessed by three users at three different locations. Even though I have read through the comments posted above I would appreciate some guidance as to how we can comply with the new ATO regulations and enable MFA without having to purchase additional licences.

Kris_Williams

Only one phone can be used to receive MFA codes, so the only way is for the other 2 users to receive the code from the main user when required

FiRob

How often does RECKON require MFA upon login?

I have successful registered for MFA and using the authenticator APP. I have noticed when using google chrome upon login does not ask for MFA, however, using Microsoft Edge MFA code was requested. I'm not sure if this was just coincidental with accidentally using a different browser or does MFA verification not register using google chrome? I would have expected for MFA authentication be required every login/once per day and not every 30 days as I believe I read somewhere, otherwise MFA does not seem to be protecting our accounts very well I would assume. Thank you in advance for your responses, Michelle

Rav

@FiRob Hi Michelle,

From May 2024, you'll be MFA challenged once in a 24 hour period on each device/browser you attempt to login to Reckon Accounts Hosted. So if you've logged into Google Chrome (and therefore successfully passed MFA) then you wont be asked for MFA again for the next 24 hours on the same browser.

Since Edge is a different browser you'll be asked for MFA upon login there (same as above) and then you won't be asked again for another 24 hours.

Those changes are coming in May as outlined in the opening post however currently, MFA appears once in a 30 day period per device/browser you login on to Hosted.

So if you already passed MFA for Hosted on Chrome within 30 days, you won't be asked again until that 30 day period is up.

Jenny_9381306

Hi Rav, I see there is an option to "revoke" MFA...can we simply set it up, then switch it off if we don't want to use MFA on our licence at all ?

Paul Mason

will this MFA work then on multiple PC's, I travel around the country & sometimes overseas and access Reckon Hosted online almost every day using diffet computers I have in different locations