Description
The ATO has changed the Multi-Factor Authentication requirements for users who can access sensitive payee information (Mandatory MFA Users). Currently, where an Agency has assigned a policy that allows ‘Remember Me’ for 30 days, users who access sensitive payee information must use MFA, but they can choose to have their MFA credentials stored for 30 days.
The ATO has mandated that these users must not have their credentials stored for a period greater than 24 hours.
To support this requirement, we have changed the behaviour of the ‘Remember Me’ function where an Agency has configured Remember Me for ‘30 Days’ in Password Policy > Multi Factor Authentication (MFA) Global Settings.
On login, the ‘Remember Me’ prompt will still display and allow the user to tick ‘30 days’; however, for these users the credentials will only be stored for a period of 24 hours.
A Tool Tip has been added to the Multi-Factor Authentication pop-up where the ‘Remember Me: 30 Days’ item displays, advising users that if they access sensitive Australian payee information they will only be remembered for 24 hours.
Benefits
This change ensures that FastTrack360 complies with ATO requirements for the protection of sensitive payee information.
Configuration
No new configuration is required. However, where you have applied the Password Policy Remember Me setting of ‘30 Days’ and you have a large number of users who access Australian payee sensitive information, we strongly recommend that you change this setting to the ‘Daily to midnight’ option, so that the prompt matches the period for which those users are actually remembered.
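The following is an added illustration, not FastTrack360 code, of the effective Remember Me lifetime described in the Description and Configuration sections above: the 24-hour cap for Mandatory MFA Users is applied regardless of what the prompt offers, and the ‘Daily to midnight’ setting never exceeds that cap. The function and setting names are assumptions made for this example.

```python
from datetime import datetime, timedelta

# Assumed model of the behaviour described in the release note; the cap
# applies only to users who can access sensitive payee information.
SENSITIVE_PAYEE_CAP = timedelta(hours=24)


def remember_me_expiry(login_at: datetime, policy: str, mandatory_mfa_user: bool) -> datetime:
    """Return when stored MFA credentials expire for a user who ticked Remember Me.

    policy is the Agency's setting under Password Policy > MFA Global Settings,
    either '30 Days' or 'Daily to midnight' (names as used on the page).
    """
    if policy == "30 Days":
        expiry = login_at + timedelta(days=30)
    elif policy == "Daily to midnight":
        # Expire at the first midnight after login, whatever the login time.
        expiry = (login_at + timedelta(days=1)).replace(
            hour=0, minute=0, second=0, microsecond=0
        )
    else:
        raise ValueError(f"unknown Remember Me policy: {policy!r}")

    # Mandatory MFA Users are capped at 24 hours even when the prompt said 30 days.
    if mandatory_mfa_user:
        expiry = min(expiry, login_at + SENSITIVE_PAYEE_CAP)
    return expiry


def mfa_required(login_at: datetime, now: datetime, policy: str, mandatory_mfa_user: bool) -> bool:
    """True if a previously remembered user must complete MFA again at time `now`."""
    return now >= remember_me_expiry(login_at, policy, mandatory_mfa_user)


if __name__ == "__main__":
    # Constructed sample: a login at 10:30 on a weekday.
    login = datetime(2024, 1, 15, 10, 30)
    for policy in ("30 Days", "Daily to midnight"):
        for sensitive in (True, False):
            print(policy, "sensitive" if sensitive else "other",
                  remember_me_expiry(login, policy, sensitive))
```

The output shows why the page recommends ‘Daily to midnight’: for sensitive-payee users the two settings behave almost identically, but only the second one tells users the truth in the prompt.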