IMPORTANT INFO - Multi Factor Authentication for Reckon Accounts Hosted 🔒

Rav
Rav Administrator, Reckon Staff Posts: 16,515 Reckon Community Manager Community Manager

Hi everyone

We wanted to give you a heads up on upcoming changes on Multi-Factor Authentication (MFA) with Reckon Accounts Hosted.

Ensuring the security of your data is a top priority for us at Reckon.

In line with this commitment and the regulations set by the Australian Taxation Office (ATO), we are implementing mandatory multi-factor authentication (MFA) for Reckon Accounts Hosted starting from May 2024.

Multi-factor authentication is essential for strengthening your data's protection. By combining your password with a second authentication source, such as a mobile device, MFA ensures that only authorised access is granted and protects your account from cyber security threats.

From May 2024, you'll be presented an MFA prompt after logging in to Reckon Accounts Hosted once in a 24 hour period, adding an extra layer of protection to your account.

To ensure a smooth transition, we're encouraging our Hosted users to set up MFA now 🙂

After logging in to Reckon Accounts Hosted, click Login Security Settings (MFA) under the Useful Links heading on the Welcome screen. For detailed instructions, please check out our MFA guide here - MFA (Multi-Factor Authentication) in Reckon Accounts Hosted

If you have questions around MFA for Reckon Accounts Hosted check out our Frequently Asked Questions (FAQ) here - Frequently Asked Questions - MFA for Reckon Accounts Hosted ℹ️🔒

We really appreciate your understanding and thank you for your co-operation in this. If you have any questions or concerns, please feel free to leave a reply below.

«134

Comments

  • Danuta
    Danuta Member Posts: 3 Novice Member Novice Member

    Can I use the Reckon Portal Authenticator setup on my computer?

    If not, how do I setup a MFA without a mobile phone?

  • Bruce
    Bruce Member Posts: 442 Professional Partner Professional Partner

    @Danuta very easy to set up with MFA. Took me about 2 minutes to set up.

    Follow the "useful link" to the right of Launch button when you first log in.

  • Danuta
    Danuta Member Posts: 3 Novice Member Novice Member

    Without using a mobile phone?

  • Rav
    Rav Administrator, Reckon Staff Posts: 16,515 Reckon Community Manager Community Manager
    edited December 2023

    Hi @Danuta

    Our first recommendation is to use a phone-based authenticator app however yes you could use an authenticator browser extension on Google Chrome for your MFA instead if that's what you prefer.

    You will need to setup the authenticator browser extension and then follow the prompts in whichever respective extension you choose to copy the QR code during setup of MFA. While this is not specific to Reckon Accounts Hosted, you'll find the general walkthrough of how it works HERE.

  • Danuta
    Danuta Member Posts: 3 Novice Member Novice Member

    Excellent ... worked perfectly.

    Thank you.

  • ShelleyG
    ShelleyG Member Posts: 27 Reckoner Reckoner

    I have several part time employees using the same license, on different days and possibly in different locations.

    How can a MFA work with this situation?

  • Rav
    Rav Administrator, Reckon Staff Posts: 16,515 Reckon Community Manager Community Manager

    Hi @ShelleyG

    Multi-Factor Authentication is enabled on the specific Hosted login itself so if you have multiple individuals requiring access, best practice is that they have their own licence which will also mean they will have their own individual MFA on the login. How many users do you have sharing the same licence?

    Its not something we endorse or recommend, so if you're sharing a login once MFA comes into effect next year (or if you enable it now) it will require the individual who receives the MFA code to provide it to the user attempting to login before it expires.

  • ShelleyG
    ShelleyG Member Posts: 27 Reckoner Reckoner

    Hi Rav

    Currently I have 4 people who have access to that license. They all have their own User logins and permissions.

    Can we talk outside the public forum?

  • Rav
    Rav Administrator, Reckon Staff Posts: 16,515 Reckon Community Manager Community Manager

    Sure @ShelleyG, feel free to send me a private message 🙂

  • ShelleyG
    ShelleyG Member Posts: 27 Reckoner Reckoner

    I have sent you a private message

  • RFreestun
    RFreestun Member Posts: 1 Novice Member Novice Member
    edited December 2023

    This is a problem for my boss and me also. Rather than using mobile authenticators only, can the 2FA code be sent to an e-mail address? As used elsewhere, allowing an authenticator, SMS, or e-mail address would be helpful, as we do not all have the same circumstances.

  • Rav
    Rav Administrator, Reckon Staff Posts: 16,515 Reckon Community Manager Community Manager

    @Painters

    If you're both using the same PC then a potential option could be to use an authenticator extension on your browser as opposed to the SMS or authenticator app on a mobile phone method.

    You will need to setup the authenticator browser extension and then follow the prompts in whichever respective extension you choose to copy the QR code during setup of MFA in Hosted. While these instructions are not specific to Reckon Accounts Hosted, you'll find the general walkthrough of how it works HERE.


    @RFreestun

    MFA to an email address is not an option unfortunately. The current options for MFA are via an authenticator app on mobile/internet browser eg. Google Chrome or SMS delivered to a nominated mobile number.

  • Painters
    Painters Member Posts: 10 Reckoner Reckoner

    Hi Rav. We use different PC's. What other options are there please?

  • Rav
    Rav Administrator, Reckon Staff Posts: 16,515 Reckon Community Manager Community Manager
    edited January 2

    @Painters The current MFA sources are via an authenticator app on mobile/internet browser eg. Google Chrome or SMS delivered to a nominated mobile number. As mentioned previously above, its not something we endorse or recommend, so if you're sharing a single login once MFA comes into effect next year (or if you enable it now) it will require the individual who receives the MFA code to provide it to the user attempting to login before it expires so you'll need to establish a process around that.


    The other option is to obtain an additional licence for that second user. Each licence allows concurrent access to Hosted and it will also have its own dedicated MFA so there won't be any need for sharing.

  • Painters
    Painters Member Posts: 10 Reckoner Reckoner

    How much is the additional license please?

  • Rav
    Rav Administrator, Reckon Staff Posts: 16,515 Reckon Community Manager Community Manager
    edited January 2

    There are monthly and annual options ( info HERE) but its best to have a chat with our Customer Service team on specific pricing - 1800 732 566

  • Painters
    Painters Member Posts: 10 Reckoner Reckoner

    I don't need a separate license and would definitely not pay double the monthly amount. Can you have 2 separate logins on the same license? I understand you might have to pay a bit more for that. My BAS agent has a separate log in to my accounts.

  • Kris_Williams
    Kris_Williams Member Posts: 3,675 Reckon Accounts Hosted Elite Expert Reckon Accounts Hosted Expert

    Your accountant possibly logs in to your file because you have shared it with him and he has his own Reckon login.

    I too am not happy about this latest change. I know of many people who share 1 license but use at different times

  • Acctd4
    Acctd4 Accredited Partner Posts: 3,790 Reckon Accounts Hosted Elite Expert Reckon Accounts Hosted Expert

    @Painters Unfortunately, Hosted pricing is per licence. You can have as many Users as you like within the Company File itself on a single licence, but cost is per-platform-access.

    Note: The MFA requirement is due to the ATO’s new regulations being introduced for online security, which Reckon - along with all other online/cloud software providers - are required to implement.

    It’s problematic for those sharing a licence, but just to be clear, it’s not purely a Reckon thing 😬

    Shaz Hughes Dip(Fin) ACQ NSW, MICB

    *** Reckon Accredited Partner (AP) Bookkeeper - specialising EXCLUSIVELY in Reckon Accounts / Hosted ! ***

    * Regd BAS Agent (No: 92314 015)* ICB-Certified Bookkeeper* Snr Seasonal Tax Consultant since 2003 *

    Accounted 4 Bookkeeping Services

    Ballajura, WA

    shaz@accounted4.com.au

    https://accounted4.com.au

    (NB: Please give my post a Like or mark as Accepted Answer if I have been able to resolve your query as this helps others when seeking solutions!)
  • Wendy_7689800
    Wendy_7689800 Member Posts: 59 Reckoner Reckoner
    edited January 3

    Definitely can't assume everyone has a company-supplied mobile phone.

    It's difficult enough now with the authentication to use STP - but at least that's only once a week that I need to get the code off the person with the phone.

    Can I ask why you won't do MFA to an email address? I assume it's not an ATO restriction, as MYOB appears to have that functionality?

    Can I ask how the Google authenticator option will work if I use different computers - are you saying I need to put the extension (or app) on all of them - even if they are not "mine" ? That doesn't sound workable.

  • Painters
    Painters Member Posts: 10 Reckoner Reckoner

    Yes why can't MFA go to an email address?

  • Rav
    Rav Administrator, Reckon Staff Posts: 16,515 Reckon Community Manager Community Manager

    @Wendy_7689800 @Painters Take this with a pinch of salt but I was told many, many moons ago that email was not a permitted method for MFA as part of the ATO's STP framework for all software providers. I can't confirm the veracity of that though.

    However as I've mentioned above, there are a few MFA methods available for Hosted users to utilise; SMS, authenticator app on mobile or authenticator extension on browser - MFA (Multi-Factor Authentication) in Reckon Accounts Hosted

  • Wendy_7689800
    Wendy_7689800 Member Posts: 59 Reckoner Reckoner

    @Rav

    Many people don't have company-provided mobile phones, and I don't feel it's appropriate to use a personal mobile (if they have one that they use at work).

    Further, the browser extensions sound as if they would need to be applied to every computer the person uses.

    Starting to sound like we're going backwards to the old desktop software days.

  • Painters
    Painters Member Posts: 10 Reckoner Reckoner

    @Rav So if I'm using Reckon on my computer, the MFA will go to the app I download to my phone and if my husband is using his computer the same will apply, so we can still use the program without one person having to send a code to the other? Is there a particular MFA app you recommend?

  • Rav
    Rav Administrator, Reckon Staff Posts: 16,515 Reckon Community Manager Community Manager

    I'm going to disagree with you there @Wendy_7689800. This is a very large step forward in enhancing the security of Reckon Accounts Hosted and ensuring your data is safe along with helping to protect against cyber security threats. MFA on Hosted has been one of the more frequent requests that we've fielded from users over the years and as mentioned above, this upcoming change is in line with regulations set by the Australian Taxation Office (ATO).


    Your Reckon Accounts Hosted login, like other online accounts you have, isn't designed to be shared across multiple individuals. It dilutes any realistic account security and isn't best practice. Ideally, each individual user should have their own licence to Hosted. Each licence allows concurrent access to your file(s) in Hosted ie. its own login, and it will also have its own dedicated MFA for that specific user.

    Yes I can certainly understand and appreciate that this upcoming change might feel like an inconvenience at the outset however I'm sure you can agree that your data security is of paramount importance to not only yourself, but also us as well.

  • Wendy_7689800
    Wendy_7689800 Member Posts: 59 Reckoner Reckoner

    Just to clarify @Rav I'm the only user of our system, this is not the issue for us. Rather, it's necessary to use on different computers, when working from different locations.

    I don't have a company-provided mobile phone.

    I'm not sure why email security would be considered insufficient, and I can't find anything in the ATO guidelines that disallows email.

  • Kris_Williams
    Kris_Williams Member Posts: 3,675 Reckon Accounts Hosted Elite Expert Reckon Accounts Hosted Expert

    I’m struggling with this change as well Wendy but just so you know it doesn’t have to be a company phone. All that’s involved is receiving a text with a code

  • Wendy_7689800
    Wendy_7689800 Member Posts: 59 Reckoner Reckoner

    Thanks, and I understand that @Kris_Williams, I don't use my personal phone for work activities though. Just a policy I have, helps avoid having to undo a lot of stuff, but also, I shouldn't need to use my personal equipment for business purposes.

    Also, we shouldn't be building this type of equipment/phone number requirement into cloud software. To me it defeats the purpose. It also means that (if I use my personal phone), if I'm not at work unexpectedly, there's an unnecessary hurdle in the way of someone needing to pick things up in my absence.

    I will have to explore the browser options, and see if I'm able to get admin rights to set it up on the different computers I need to use. Again, defeats the purpose of cloud computing.

  • Acctd4
    Acctd4 Accredited Partner Posts: 3,790 Reckon Accounts Hosted Elite Expert Reckon Accounts Hosted Expert

    @Wendy_7689800 I do understand your frustration but to reiterate, this isn't specifically down to Reckon; it's government requirement & the obligation for providers to ensure protection of customer online data against fraud/hackers.

    The intention is that personal devices ARE to be used, to further enhance a user's unique access 😬

    The use of your phone involves purely just receiving a 6-digit code via SMS, nothing else. It ensures that if someone else tries to access your data, not only will they be unable to do so, you'll also be alerted by receiving that SMS code.

    Shaz Hughes Dip(Fin) ACQ NSW, MICB

    *** Reckon Accredited Partner (AP) Bookkeeper - specialising EXCLUSIVELY in Reckon Accounts / Hosted ! ***

    * Regd BAS Agent (No: 92314 015)* ICB-Certified Bookkeeper* Snr Seasonal Tax Consultant since 2003 *

    Accounted 4 Bookkeeping Services

    Ballajura, WA

    shaz@accounted4.com.au

    https://accounted4.com.au

    (NB: Please give my post a Like or mark as Accepted Answer if I have been able to resolve your query as this helps others when seeking solutions!)
  • Acctd4
    Acctd4 Accredited Partner Posts: 3,790 Reckon Accounts Hosted Elite Expert Reckon Accounts Hosted Expert

    Absolutely agree @Eric Murphy

    Unfortunately, these are the times we live in & whilst I agree it's annoying, it's also necessary - Users would be furious (with Reckon!) for not ensuring their data is protected in the event of a security breach/hack 🙄

    Xero actually had this happen a few years ago where their users were hacked & their financial data exposed. Reckon has always taking security very seriously & - even without MFA - they have exceptional encryption in place, evident by the fact that this has never happened to Reckon users 😊

    Shaz Hughes Dip(Fin) ACQ NSW, MICB

    *** Reckon Accredited Partner (AP) Bookkeeper - specialising EXCLUSIVELY in Reckon Accounts / Hosted ! ***

    * Regd BAS Agent (No: 92314 015)* ICB-Certified Bookkeeper* Snr Seasonal Tax Consultant since 2003 *

    Accounted 4 Bookkeeping Services

    Ballajura, WA

    shaz@accounted4.com.au

    https://accounted4.com.au

    (NB: Please give my post a Like or mark as Accepted Answer if I have been able to resolve your query as this helps others when seeking solutions!)
  • Painters
    Painters Member Posts: 10 Reckoner Reckoner

    Definitely agree that it needs to happen but trying to work out the best way to do it. Not willing to pay double to get another license.

    If I use a MFA App, and I'm using Reckon on my computer, will the MFA go to the app I download to my phone and if my husband is using his computer will the same apply, so we can still use the program without one person having to send a code to the other?

    Also what MFA App do people recommend please?

  • Rav
    Rav Administrator, Reckon Staff Posts: 16,515 Reckon Community Manager Community Manager

    @Painters Your MFA code will come through to the one source that you choose. If you setup MFA using the authenticator app on your phone then that's where the MFA codes will go. If you're sharing a single login and your husband tries to login on a separate PC he will be required to input the MFA code from your app (once in a 24 hour period).


    In terms of recommendations on authenticator apps, check out the article linked in the opening post. We've got links for both iPhone & Android, and I'd suggest using something like the Google Authenticator or Microsoft Authenticator apps, they're really use to use.

  • Sarah_10102182
    Sarah_10102182 Member Posts: 8 Reckoner Reckoner

    Hi Rav. We are a small business with one licence which is accessed by three users at three different locations. Even though I have read through the comments posted above I would appreciate some guidance as to how we can comply with the new ATO regulations and enable MFA without having to purchase additional licences.

  • Kris_Williams
    Kris_Williams Member Posts: 3,675 Reckon Accounts Hosted Elite Expert Reckon Accounts Hosted Expert

    Only one phone can be used to receive MFA codes, so the only way is for the other 2 users to receive the code from the main user when required

  • FiRob
    FiRob Member Posts: 3 Novice Member Novice Member

    How often does RECKON require MFA upon login?

    I have successful registered for MFA and using the authenticator APP. I have noticed when using google chrome upon login does not ask for MFA, however, using Microsoft Edge MFA code was requested. I'm not sure if this was just coincidental with accidentally using a different browser or does MFA verification not register using google chrome? I would have expected for MFA authentication be required every login/once per day and not every 30 days as I believe I read somewhere, otherwise MFA does not seem to be protecting our accounts very well I would assume. Thank you in advance for your responses, Michelle

  • Rav
    Rav Administrator, Reckon Staff Posts: 16,515 Reckon Community Manager Community Manager
    edited February 14

    @FiRob Hi Michelle,

    From May 2024, you'll be MFA challenged once in a 24 hour period on each device/browser you attempt to login to Reckon Accounts Hosted. So if you've logged into Google Chrome (and therefore successfully passed MFA) then you wont be asked for MFA again for the next 24 hours on the same browser.

    Since Edge is a different browser you'll be asked for MFA upon login there (same as above) and then you won't be asked again for another 24 hours.

    Those changes are coming in May as outlined in the opening post however currently, MFA appears once in a 30 day period per device/browser you login on to Hosted.

    So if you already passed MFA for Hosted on Chrome within 30 days, you won't be asked again until that 30 day period is up.

  • Jenny_9381306
    Jenny_9381306 Member Posts: 35 Reckoner Reckoner

    Hi Rav, I see there is an option to "revoke" MFA...can we simply set it up, then switch it off if we don't want to use MFA on our licence at all ?

  • Paul Mason
    Paul Mason Member Posts: 63 Reckoner Reckoner
    edited February 14

    will this MFA work then on multiple PC's, I travel around the country & sometimes overseas and access Reckon Hosted online almost every day using diffet computers I have in different locations

This discussion has been closed.