Two-factor authentication (2FA) provides an additional layer of security and makes it harder for attackers to gain access to your account. It is designed to ensure that you are the only person who can access your account, even if someone else knows your password.
2FA settings for each business are configured via Payroll Settings > Manage Users > Manage Two-Factor Authentication (tab).
ATO requirements for 2FA
The ATO has provided the following requirements for any end user accessing a product or service that provides any of the following functionality:
- Business and tax accounting services, for example, activity statements and income tax returns;
- Payroll and employer services, for example, Single Touch Payroll reporting;
- Superannuation services, for example, Fund member rollover and reporting.
With regards to any end user that can access taxation or superannuation related information of other entities or individuals (for example, tax agents, employers), 2FA is compulsory.
With regards to any end user that only has access to their own information and does not have access to taxation or superannuation related information of other entities or individuals (for example, employees accessing their employee portal), 2FA is optional but recommended.
NB. Important dates relating to 2FA requirements:
13 May 2021: Mandatory for new users requiring 2FA, to have 2 methods of authentication configured, with email being one of those mandatory methods.
8 March 2022: Same rules as above, but for existing users. Any existing user that has 2FA enabled but only 1 method of authentication configured will be required to set up the second method of authentication, with email being mandatory.
2FA is mandatory for the following users when logging into the payroll platform:
- Full access users;
- Restricted users with access to one or more reports;
- Restricted users with report packs permission (this is different to a report pack recipient and explained further below); and
- Restricted users with STP Pay Event Approver permission.
As a result, the above users are required to enable 2FA and verify their details by following these instructions. Users will be unable to log into the payroll platform until 2FA has been enabled.
These mandatory 2FA requirements cannot be removed at a business or brand level. If you access the payroll platform from within an external third-party platform (e.g. QuickBooks or an HR platform), you will not be asked to verify your details via 2FA to reach the payroll functionality; the 2FA controls of that external system are relied on instead, so make sure they are switched on there. If, however, you log into the payroll platform directly using the URL “xxx.yourpayroll.com.au”, you will be required to complete the 2FA process and verify your details.
Report pack recipients
When setting up a report pack, users must also include the email address of the person(s) who will receive the report pack, i.e. the recipient. Users can require that recipient(s) log into the payroll platform in order to download the report pack. If this setting is ticked, the recipients are given restricted access with report pack permissions and will then be required to set up 2FA. If the setting is not ticked, the recipients are not given access to the platform at all; they are merely sent a link that enables them to download the report packs, so these recipients will not be required to set up 2FA.
Optional 2FA for other users
An additional (optional) setting is available that, when selected, requires the following user types to also enable 2FA:
- employees (when accessing the employee portal); and
- all other restricted users that have location or employee group access to permissions such as rostering, timesheets, leave, expenses, etc.
This optional 2FA setting can be enforced at either a business level or a brand level.
- If enforced at a brand level, all businesses under that brand must follow 2FA protocol. There is no ability to revoke this requirement at the business level.
- If enforced at a business level by a full access user, only a full access user of that business will be able to then override the 2FA requirement.
To clarify, if this optional setting is enabled, it will not affect employees or managers logging into WorkZone or Clock Me In. This means that users will not be required to undergo the 2FA process when accessing these apps.
2FA enforced at a brand level
This section is only relevant to users that are brand managers or partners. A brand manager or partner can enforce 2FA for a brand by following these instructions:
- Access the relevant brand's settings via the Partner Dashboard, then click the 'brand' icon on the left side panel to open the Brand Management page;
- Click on the relevant brand name;
- Click on the "Security" menu option (left hand side);
- Click on the "Manage Two-Factor Authentication" tab;
- Click on the "Require two-factor authentication for managers / employees" checkbox.
- Click on 'Save'.
Users will know that 2FA has been enforced for their business at a brand level when the following message is displayed:
2FA enforced at a business level
You can access the business' 2FA settings by navigating to Payroll Settings > Manage Users > Manage Two-Factor Authentication (tab). If the setting has not already been activated at the brand level, the setting will be displayed as follows:
Click on the checkbox and then click on ‘Save’. You can always choose to switch off this additional 2FA requirement by unticking the checkbox and clicking on ‘Save’.
Additional 2FA options
Where 2FA is enforced for a business, you will notice two additional 2FA options that can be enforced when creating super batches via our Beam integration and/or when lodging STP events with the ATO.
N.B. If you are processing super via a different clearing house or manually, selecting the "Require a two-factor challenge before submitting a super batch" option will not enforce 2FA. This option is only applicable where Beam has been activated for the business.
You can choose to enforce 2FA for either one or both of the additional options. Remember to click 'Save' when making any changes to those settings.
Enabling 2FA for a user
If 2FA is enabled, full access users will need to verify their settings. Detailed instructions on verifying an email address, mobile phone or Google Authenticator can be found here.
2FA frequently asked questions
Do I need to enable all options (email / mobile / Google Authenticator)?
No. However, you need to enable at least two 2FA methods, and email must be one of them.
I've confirmed my email/mobile but I still cannot access my business.
Please be sure to click the 'Enable' button in the bottom right to ensure that 2FA is switched on for your account:
Is 2FA mandatory for ALL users in the system?
Currently, it is only mandatory for full access/reporting users, as per the detailed explanation above. Businesses may opt to require 2FA for managers/employees as well; this is configured in the "Manage Two-Factor Authentication" tab under the "Manage Users" section in "Payroll Settings". Otherwise, 2FA remains an option that employees/managers can switch on for themselves.
What are the benefits of Google Authenticator?
The main benefit is for users who travel internationally and change SIM cards, or who have poor mobile network coverage and do not receive SMS messages. Google Authenticator generates the confirmation code on the device itself, as a time-based one-time password computed from a secret shared at enrolment and the current time, so there is no waiting for an SMS or email. Because the code never travels over the phone network, it is also not exposed to SIM-swap or SMS interception, which is why it is the preferred second method alongside email.
Alternative apps such as Authy, which implement the same time-based one-time password standard, are also compatible with the system.
How can I see who has switched on 2FA?
Depending on the type of user, you can view the status as follows:
Users with business level access:
The 'Manage Users' page under "Payroll Settings" will show a [2FA] badge next to each user that has 2FA enabled. This information will also be shown in the Excel export.
Brand access users:
- Brand settings > Security page (shows users that have individual business access to businesses within the brand);
- Brand settings > User Access page (shows users with access to the brand).
Partner access users:
- Partner settings > Users page.
Employees:
Once an employee logs into the employee portal, they can click the 'My Account' link in the top right-hand corner and then navigate to the Two-Factor Authentication page to see and manage their own 2FA status.
How often am I required to enter my 2FA code when I log in?
When the user enters their 2FA verification code, there is an option to 'Don't ask me again for 30 days'. If this is ticked, the user will not be required to enter a 2FA code for 30 days. Otherwise, the user will be required to enter the code each time they log in.
Help! I am being asked to enter my 2FA code more frequently than every 30 days
We use a cookie on your machine to record that the device is trusted and has passed 2FA. The cookie belongs to one browser profile, so if you clear your cookies (or, more generally, your browsing history) for any reason, or log in from a different browser, device or private/incognito window, you can expect to be asked to complete 2FA again at the next login. That is one explanation.
Another scenario is where one of these cookies becomes invalid or stuck. If you keep being asked for a code, it can help to clear your cookies/browser data (use the browser's function to clear all browsing history); you will then need to complete 2FA once more.
If clearing your cookies does not work, and assuming you are using Chrome, you can remove just the trusted-device cookie:
- Click on the padlock next to the URL; the site information menu will appear.
- Click on 'Cookies' to see the list of Allowed Cookies.
- Scroll down until you can see both yourpayroll.com.au and the URL of the branded domain. In the example below these are yourpayroll.com.au/ and test1.yourpayroll.com.au/Admin/User.
- Expand the branded domain (e.g. test1.yourpayroll.com.au/Admin/User) and then 'Cookies'.
- Remove the cookie called ".AspNet.TwoFactorRememberBrowser" (click on it, then click the Remove button below). Your next login will prompt for 2FA and set a fresh cookie.
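The following added example (not the platform's code; the real ASP.NET cookie is an encrypted Data Protection payload whose layout is not described on this page) models what the ".AspNet.TwoFactorRememberBrowser" cookie has to do: carry a server-signed, time-limited statement that this browser passed 2FA for a given user. It shows why a cleared, expired, malformed ("stuck") or tampered cookie all lead back to the 2FA prompt. The 30-day lifetime matches the 'Don't ask me again for 30 days' option; the token format, the `needs_2fa_challenge` function and the server key are assumptions of this example.

```python
"""Illustrative 'remember this browser for 30 days' cookie (added example).

Assumptions: the cookie value is base64(payload) + "." + base64(HMAC-SHA256(payload)),
where payload is a small JSON document with the user id and an expiry. This is a
hypothetical format, not the ASP.NET one the platform actually uses.
"""
import base64
import hashlib
import hmac
import json

REMEMBER_DAYS = 30
COOKIE_NAME = ".AspNet.TwoFactorRememberBrowser"  # name as shown in Chrome; format here is hypothetical

# Constructed server-side signing key; a real deployment keeps this in a key store.
SERVER_KEY = b"constructed-example-key-do-not-reuse"


def _sign(payload: bytes) -> str:
    """Signature over the exact bytes stored in the cookie."""
    mac = hmac.new(SERVER_KEY, payload, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(mac).decode()


def issue_remember_cookie(user_id: str, now: int) -> str:
    """Called once the user has passed 2FA and ticked 'Don't ask me again for 30 days'."""
    claims = {"uid": user_id, "iat": now, "exp": now + REMEMBER_DAYS * 86400}
    payload = json.dumps(claims, separators=(",", ":"), sort_keys=True).encode()
    return base64.urlsafe_b64encode(payload).decode() + "." + _sign(payload)


def needs_2fa_challenge(cookie_value, user_id: str, now: int) -> bool:
    """Decide at login whether to prompt for a 2FA code.

    Every failure path returns True (prompt again) rather than raising, because a
    bad cookie must never be treated as a pass."""
    if not cookie_value:
        return True  # no cookie: cleared browsing data, new browser, incognito window
    try:
        payload_b64, sig = cookie_value.split(".", 1)
        payload = base64.urlsafe_b64decode(payload_b64)
    except ValueError:  # covers binascii.Error (bad base64) and a missing "."
        return True  # malformed / "stuck" cookie
    if not hmac.compare_digest(_sign(payload), sig):
        return True  # tampered with, or signed under a different key
    try:
        claims = json.loads(payload)
    except ValueError:
        return True
    if claims.get("uid") != user_id:
        return True  # cookie belongs to a different account
    if now >= int(claims.get("exp", 0)):
        return True  # the 30 days are up
    return False


def tampered(cookie_value: str) -> str:
    """Flip the last character of a cookie to simulate corruption or tampering."""
    last = "A" if cookie_value[-1] != "A" else "B"
    return cookie_value[:-1] + last


if __name__ == "__main__":
    issued_at = 1_700_000_000  # constructed timestamp
    c = issue_remember_cookie("alice", issued_at)
    print(COOKIE_NAME, "=", c)
    print("day 10, same browser ->", needs_2fa_challenge(c, "alice", issued_at + 10 * 86400))
    print("day 31 ->", needs_2fa_challenge(c, "alice", issued_at + 31 * 86400))
    print("cookie cleared ->", needs_2fa_challenge(None, "alice", issued_at + 86400))
```

Deleting the cookie in Chrome, as the steps above describe, is the `None` case: the next login challenges for a code and, if the box is ticked again, issues a fresh cookie with a new 30-day expiry.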
If you have any questions or feedback, contact us via email@example.com.