Two-Factor Authentication Deadline Closing In For The AU’s STP

The AU recently rolled out its new mandatory payroll software for businesses, Single Touch Payroll, and has now set a deadline for businesses using the system to adopt mandatory two-factor authentication, which requires a second factor alongside the password to identify the user.

It’s part of the Australian Signals Directorate’s ‘Essential Eight’, a list of key security strategies for corporate cybersecurity.

The Australian Tax Office published the latest iteration of the Operational Framework for Digital Service Providers early in September, which makes multifactor authentication a necessity for cloud-based accounting systems. An earlier version of the Framework stated that any products and services where users could acquire access to large volumes of taxpayer or superannuation-related data have to implement multifactor credentials by the end of June 2018, and that they must be in use before the end of September 2018.

The authentication apps the ATO will support for the STP payroll software include Google Authenticator for Android, iOS and Blackberry, and WinAuth and Windows Authenticator for Windows computers.

Trent Innes, Managing Director for Xero, the company behind the STP, says that the company has always considered security and privacy important, and that 2SA is similar to an extra lock on the door: it introduces an additional layer of security for online practices, which helps businesses avoid fraudulent activity and security issues.

He says that the company supports the ATO’s requirement for 2SA on software that interacts with tax data, as it’s the right thing to do.

An ATO spokesperson says that multi-factor authentication (MFA) is one of the big requirements that they have mandated for software products and services, which they’ve defined as per the guidelines set by the Australian Cyber Security Centre.

The ASD states that mobile authentication apps are acceptable for authentication, but says that not all methods are equally effective: using a device for web browsing or email means that the device might be a security issue, as many devices aren’t always secure and can be compromised by criminals, particularly when travelling overseas.

The ASD says that multi-factor authentication is most useful when one of the factors is physically separate from the device that the user is using to get into the system or resource.