Date posted: 29/01/2020

Passwords are not enough: the case for multi-factor authentication

More accountants are protecting data using multi-factor authentication, a trend organisations and experts are keen to encourage.

In Brief

  • In Australia, two-factor authentication (2FA) is already mandatory for popular cloud accounting software such as MYOB, Xero and QuickBooks Online.
  • The Australian Cyber Security Centre (ACSC) lists multi-factor authentication (MFA) as one of its “essential eight” security strategies.
  • Experts warn there is more work to do to make MFA technology and processes more robust across the accounting industry.

Consumers long ago became accustomed to using two-factor authentication at ATMs (automatic teller machines), needing both a plastic card from the wallet and a PIN (personal identification number) to access cash in their bank accounts.

And most people are now used to their bank (and other big corporations they deal with) asking them to put in a unique numerical code sent via SMS or email, in addition to their password, to verify their identity.

So it makes sense that clients will soon get used to being asked to use two-factor authentication (2FA) or multi-factor authentication (MFA) tools when they interact with their accountant.

Most Australian accountants were forced to take a first step into MFA in 2018, when the Australian Taxation Office (ATO) required at least two factors of authentication for all cloud-connected software “where users potentially have access to large volumes of taxpayer or superannuation-related information”.

This encompassed popular accounting programs such as MYOB, Xero and QuickBooks Online, as well as SMSF software from vendors such as BGL and Class. So that single mandated step has put accountants ahead of most other service providers in protecting client data.

New Zealand’s tax agency, Inland Revenue, has not made MFA compulsory for accounting packages yet, but those calling on it to do so include CERT NZ, the New Zealand cybersecurity authority, and popular accounting software vendor MYOB.

But even in the Australian context, where 2FA is mandatory on most accounting software, cybersecurity experts warn there is more work to do to make MFA technology and processes more robust across the accounting industry.

There has been a long list of well-publicised data breaches over recent years – some involving hundreds of millions of accounts – making it clear that passwords alone may not protect your clients’ data. And if you or any of your staff happen to use the same or a similar password for multiple services, as surveys show most people do, all those services will be vulnerable to attack.

Communications group Verizon’s 2019 Data Breach Investigations Report found that 29% of cyber breaches involved using stolen credentials. The business repercussions can be severe. Attackers with a list of usernames and passwords can attempt to extract ransoms from any users they can compromise, threatening to delete data if their demands aren’t met.

If your own lack of security gives such a person access to your clients and suppliers, you had better hope your business is complying with the language in your professional indemnity policy.

The Australian Cyber Security Centre (ACSC) lists MFA as one of its “essential eight” security strategies, up there with backing up your data and keeping operating systems up to date with any patches within 48 hours of them being released.

What’s better than sending a code by SMS or email?

Sending a code by SMS or email certainly provides better security than passwords alone, and the ATO’s 2018 cloud software rules accept these methods for implementing MFA.

But organisations looking to build up security can do better. In the US, the National Institute of Standards and Technology has not recommended relying on codes sent by SMS or email since 2017, because of the risk that such codes may be interrupted or intercepted.

In Australia, the ACSC rates authentication codes shared by SMS or email as suitable only for the first of its three levels of security, while New Zealand’s CERT NZ says SMS methods are “considered deprecated”.

Most software that implements MFA, including the MFA in popular accounting packages, will work not just with SMS and email but also with a dedicated authentication application. Experts regard this as a far more secure form of MFA.

When you use an authentication app on your phone, tablet or PC, you can choose to have your software send a code to that app which you then enter into the software to authenticate yourself. The apps most often recommended in independent tests are Twilio’s Authy and Google’s Authenticator, both of which are free.

Another form of MFA is widely regarded as the most secure form of all: hardware keys. These keys look like small USB thumb drives and can be carried on a keyring. You simply insert one into a PC when you start work, and it authenticates many programs almost invisibly.

Unfortunately for accounting practice owners, hardware keys don’t currently work with any popular accounting programs. They can, however, be used with other software programs usually found within accounting practices. For many users, hardware keys will also be the most usable form of MFA.

Yubico sells its well-regarded YubiKey, and Google is expected to offer its rival Titan security keys in Australasia and East Asia soon. At US$25 to US$50 each, these keys are more expensive than systems based on SMS, email or apps.

The drawbacks of multi-factor authentication

MFA, however, has trade-offs of its own. As usability and security expert Stuart Schechter points out, when you prevent attackers from using just a password to access accounts without a second factor, you prevent your own business from doing it, too.

So MFA systems require users to plan carefully for accidents. Most sites and programs allow you to register third factors or recovery codes you can use if, for instance, a user loses their phone with its SMS or authenticator app. Key-based systems need a back-up key for each user. “Study what you will need to do if you lose your second factor,” Schechter warns.
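As an added example, not from the article or any product it mentions, the block below shows the recovery-code fallback described above from the service's side. At enrolment the service hands the user a short list of random one-time codes to print or store offline; it keeps only a hash of each code, so a stolen database does not reveal them, and each code is invalidated the moment it is used. Losing the phone then costs the user one recovery code rather than the account. The alphabet, code layout, class and function names are this example's own assumptions.

```python
"""
Added example: generating, storing and redeeming single-use recovery codes.
Only hashes are stored; each code works exactly once. Names and layout are
assumptions of this example, not any vendor's implementation.
"""
import hashlib
import hmac
import secrets
from typing import Dict, List

# No 0/o/1/l/i so a printed code cannot be misread when typed back in.
ALPHABET = "abcdefghjkmnpqrstuvwxyz23456789"


def _normalise(code: str) -> str:
    """Let users type codes in any case, with or without the dashes."""
    return code.lower().replace("-", "").strip()


def _hash_code(code: str) -> str:
    # Each code carries roughly 50 bits of entropy (10 symbols from a 31-symbol
    # alphabet), so brute-forcing hashes offline is impractical and a plain
    # SHA-256 is sufficient; a password-style slow hash is not needed.
    return hashlib.sha256(_normalise(code).encode("ascii")).hexdigest()


def generate_recovery_codes(count: int = 10, groups: int = 2, group_len: int = 5) -> List[str]:
    """Produce codes such as 'x7k2p-m9q4r' from the OS CSPRNG."""
    codes = []
    for _ in range(count):
        parts = ["".join(secrets.choice(ALPHABET) for _ in range(group_len))
                 for _ in range(groups)]
        codes.append("-".join(parts))
    return codes


class RecoveryCodeStore:
    """Per-user store holding only hashes; each hash is single-use."""

    def __init__(self, codes: List[str]):
        # True = still unused. The plaintext codes are never retained here.
        self._unused: Dict[str, bool] = {_hash_code(c): True for c in codes}

    def remaining(self) -> int:
        return sum(1 for unused in self._unused.values() if unused)

    def redeem(self, submitted: str) -> bool:
        """Return True and burn the code if it is valid and unused."""
        digest = _hash_code(submitted)
        match = None
        # Walk every stored hash with a constant-time compare rather than an
        # early-exit lookup, so response timing reveals nothing about matches.
        for stored in self._unused:
            if hmac.compare_digest(stored, digest):
                match = stored
        if match is None or not self._unused[match]:
            return False
        self._unused[match] = False  # single use: invalidate immediately
        return True


if __name__ == "__main__":
    issued = generate_recovery_codes()
    print("Give these to the user once, then discard:", *issued, sep="\n  ")
    store = RecoveryCodeStore(issued)
    print("First use accepted:", store.redeem(issued[0]))
    print("Second use of same code accepted:", store.redeem(issued[0]))
    print("Codes remaining:", store.remaining())
```

A practical policy to pair with this: warn the user when only a few codes remain, and regenerate the whole set (invalidating the old one) whenever the second factor itself is re-enrolled.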

The most expensive aspect of all in any MFA initiative is likely to be education. Darren Booth, national head of security and privacy risk services at RSM Australia, provides security audits and advice for RSM clients across Australia. He says that to gain full acceptance of MFA technologies, businesses need to understand their staff’s needs and concerns. They also need to make clear the threats MFA is designed to fight.

The use of MFA in banking apps and its availability in Office 365 are also helping to increase awareness. But Booth acknowledges “there’s still a perception that it is going to get in the way of doing your work.” To demonstrate the risks, he says, organisations may want to arrange a mock attack against their systems.


A future without passwords?

One technique goes even further in easing the burden of passwords – the passwordless login.

This turns the authentication app or hardware key into the only factor you need. The pioneer here has been Microsoft, which announced in late 2018 that technology built into Windows 10 would let users access online services with just a hardware key, authenticator app, fingerprint or face recognition.

These systems return us to single-factor authentication. But because they use hardware of some kind and don’t pass all your authentication details to the online service, you’re far less vulnerable to online intruders. In most circumstances, someone will need to steal your physical device to gain access to your online accounts.

Yubico’s latest YubiKey 5 not only supports passwordless login, it also allows users to set a four-digit PIN for their YubiKey – essentially the same MFA system you use with your bank card to withdraw money from an ATM.

Booth doubts passwords will disappear altogether, but he does see a future where online services are guarded by automated analysis of online behaviour. But until then, MFA looks like a safe bet for accountants wanting to take the next step in protecting client data.

Know the user experience

Security specialists stress that IT administrators in an organisation should be the first to adopt MFA for their cloud accounts. Since they use most of the business’s apps, their own MFA experiences will help them understand the issues that MFA will present for the company more generally.

IT administrators hold “the keys to the kingdom” at most organisations through powerful administrative accounts that can provide deep access to a wide span of IT systems, says Booth. But he notes that many have not implemented MFA for these administrative accounts. Indeed, many are yet to create an administrative account separate from their ordinary user account.

Booth recommends firm leaders make it clear to their IT staff that system security is a priority and that their administrative accounts should be secured – even though that may be an uncomfortable conversation.


3 questions to ask when setting up MFA

1. What forms of authentication do your main programs and sites support? Check out the list at twofactorauth.org.

2. Have your IT staff started using authentication with your most important apps?

3. Is your organisation able to plan for accidents that may require back-up or recovery codes?


Some popular MFA tech providers

12 authentication app providers

1. Twilio Authy

2. Google Authenticator (Android or Apple iOS)

3. Microsoft Authenticator

4. CA Strong Authentication

5. Okta Verify

6. Defender

7. RSA Authentication Manager and RSA SecurID

8. SecureAuth IdP

9. Symantec VIP

10. OneSpan Authentication Server and Digipass

11. LastPass Authenticator

4 hardware key providers

1. Yubico Authenticator

2. Google Titan security key

3. Thetis security key

4. Kensington VeriMark Fingerprint security key