Two-factor authentication (2FA) provides an additional layer of security and makes it harder for attackers to gain access to your account. It is designed to ensure that you are the only person who can access your account, even if someone else knows your password.

2FA settings for each business are configured via Payroll Settings > Manage Users > Manage Two-Factor Authentication (tab).

ATO requirements for 2FA

The ATO has provided the following requirements for any end user accessing a product or service that provides any of the following functionality:

  • Business and tax accounting services, for example, activity statements and income tax returns;
  • Payroll and employer services, for example, Single Touch Payroll reporting;
  • Superannuation services, for example, Fund member rollover and reporting.

With regards to any end user that can access taxation or superannuation related information of other entities or individuals (for example, tax agents, employers), 2FA is compulsory.

With regards to any end user that only has access to their own information and does not have access to taxation or superannuation related information of other entities or individuals (for example, employees accessing their employee portal), 2FA is optional but recommended.

NB. Important dates relating to 2FA requirements:

13 May 2021: Mandatory for new users who require 2FA to have two methods of authentication configured, with email being one of those mandatory methods.

8 March 2022: The same rule applies to existing users. Any existing user who has 2FA enabled but only one method of authentication configured will be required to set up a second method of authentication, with email being mandatory.

Mandatory 2FA

2FA is mandatory for the following users when logging into the payroll platform:

  • Full access users;
  • Restricted users with access to one or more reports;
  • Restricted users with report packs permission (this is different to a report pack recipient and explained further below); and
  • Restricted users with STP Pay Event Approver permission.

As a result, the above users are required to enable 2FA and verify their details. Users will not be able to log into the payroll platform until 2FA has been enabled.

Accessing your User Account Details and Two-Factor Authentication

If you or your employees need to manage your account user name or email address, you can do this by accessing your 'My account' settings. This option is accessed by clicking your name in the top right hand corner:

To enable 2FA you will need to confirm your email address, in addition to your mobile phone and/or Google Authenticator, as follows:

Confirming email address

The email address entered in this field is the email address used for your account. If you need to change this, you must do so from the "Email Address" field at the top of the screen. When you click on "Confirm Email Address" you will be sent a confirmation request via email. Clicking on the link contained in the email will act as confirmation of your email address.

Adding mobile phone

We do not auto-populate mobile numbers for security reasons. As such, users will always need to enter their number in this section. The number format required is the country code plus the number (e.g. +61xxxxxx). Once you enter your mobile phone number, click on "Send Confirmation Code". You will be sent a code via SMS; enter this code in the field specified and then click on "Confirm".

Once either or both of the above settings are confirmed, you will notice that the "Enable Two-Factor Authentication" button is activated and can be clicked on. When you do click on the button the following popup will appear:

Please note: SMS codes for Australian businesses can only be sent to AU numbers. For international users please set up Email and Google Authenticator as the two authentication methods.

Optional 2FA for other users

An additional (optional) setting is available that, when selected, requires the following user types to also enable 2FA:

  • employees (when accessing the employee portal); and
  • all other restricted users that have location or employee group access to permissions such as rostering, timesheets, leave, expenses, etc.

This optional 2FA setting can be enforced at either a business level or a brand level.

  • If enforced at a brand level, all businesses under that brand must follow the 2FA requirement. There is no ability to revoke this requirement at the business level.
  • If enforced at a business level by a full access user, only a full access user of that business will be able to then override the 2FA requirement.

To clarify, if this optional setting is enabled, it will not affect employees or managers logging into WorkZone or Clock Me In. This means that users will not be required to undergo the 2FA process when accessing these apps.
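The rules above (the mandatory-2FA user list, the 13 May 2021 and 8 March 2022 two-method dates, the AU-only SMS restriction and the optional setting for employees and other restricted users) combine into a single login-time check. The following is an added example written for this article, not code from the payroll platform; the permission names, the `User` fields and the sample phone numbers are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Set, Tuple

# Permissions that make 2FA mandatory (the "Mandatory 2FA" list on this page).
MANDATORY = {"full_access", "report_access", "report_packs", "stp_pay_event_approver"}
NEW_USER_RULE = date(2021, 5, 13)      # new users: two methods, email mandatory
EXISTING_USER_RULE = date(2022, 3, 8)  # the same rule extended to existing users

@dataclass
class User:
    permissions: Set[str]
    created: date
    email_confirmed: bool = False
    mobile: Optional[str] = None  # country code plus number, e.g. "+61..." (constructed)
    mobile_confirmed: bool = False
    authenticator_enrolled: bool = False

def requires_2fa(user: User, optional_2fa_enforced: bool = False) -> bool:
    # Employees and other restricted users need 2FA only when the optional setting is on.
    return bool(user.permissions & MANDATORY) or optional_2fa_enforced

def sms_usable(mobile: Optional[str], business_country: str = "AU") -> bool:
    # Numbers must carry the country code; Australian businesses can only send to AU numbers.
    if not mobile or not mobile.startswith("+"):
        return False
    return mobile.startswith("+61") if business_country == "AU" else True

def verified_methods(user: User, business_country: str = "AU") -> List[str]:
    checks = [("email", user.email_confirmed),
              ("sms", user.mobile_confirmed and sms_usable(user.mobile, business_country)),
              ("authenticator", user.authenticator_enrolled)]
    return [name for name, ok in checks if ok]

def login_check(user: User, today: date, optional_2fa_enforced: bool = False,
                business_country: str = "AU") -> Tuple[bool, str]:
    # Returns (allowed, reason) for a login attempt on `today`.
    if not requires_2fa(user, optional_2fa_enforced):
        return True, "2fa-not-required"
    methods = verified_methods(user, business_country)
    if not methods:
        return False, "2fa-not-enabled"
    rule_date = NEW_USER_RULE if user.created >= NEW_USER_RULE else EXISTING_USER_RULE
    if today >= rule_date and "email" not in methods:
        return False, "email-method-required"
    if today >= rule_date and len(methods) < 2:
        return False, "second-method-required"
    return True, "ok"
```

A confirmed non-AU mobile on an Australian business is deliberately not counted as a method, so such a user is steered to email plus an authenticator as the article recommends.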