What is Multi-Factor Authentication (MFA)
Multi-factor authentication (MFA) is an authentication method that requires the user to provide two or more verification factors to gain access to an online application.
The username and password are the first factor; once MFA is enabled on APS cloud applications, the user must also complete a second factor, either an SMS code or a code from a cloud authenticator app, before they can log in.
Why enable MFA?
Enabling Multi-Factor Authentication (MFA) adds an extra layer of security to verify user identities, addressing the weaknesses of traditional passwords. MFA helps protect against identity theft, weak employee passwords, and supports compliance with government security expectations.
Although MFA is currently optional because APS cloud applications are not yet directly connected to government systems (such as the ATO/IRD), it will become mandatory as APS+ introduces features that integrate with these systems. Enabling MFA now helps prepare practices for this future requirement.
Once enabled on an APS cloud tenant, MFA applies to all APS cloud applications, including Cloud Timesheets and APS+ apps. Practices using only Cloud Timesheets must enable Contacts+ to manage MFA through User Management+. User Management+ is required to control who can reset MFA for users.
Setting up MFA
Step 1 - MFA Activation
The practice needs to request activation. The APS team will check you meet the prerequisites and advise if any additional work is required before MFA can be enabled.
Once enabled, the activation of MFA is immediate. The next time a user needs to log in to any APS cloud application, they will be prompted with the following:
Sign in to the APS application as normal, and press Continue.
Select one of the two options for additional authentication:
Step 2 - Setup MFA using authentication app
Many authenticator apps are available to download and use for this process; which app is used may be a firm preference. The most common applications are Microsoft Authenticator and Google Authenticator.
Users can scan the QR code with the app or enter the code provided manually. The app will then display a 6-digit code for the user to enter, after which they press Continue.
Step 3 - Setup MFA using SMS
The countries supported for SMS are:
Australia
New Zealand
United Kingdom
Validation will be done on the phone number entered to ensure it meets these requirements. 📌Note: for the country value, the Other option is not supported and you will be asked to select another country or use an authenticator app instead.
Select your country.
Enter your phone number (spaces accepted) and press Continue.
You will receive a 6-digit security code via an SMS message on your phone.
Enter the 6-digit security code, then click Verify to open the application.
📌Note: If the code expires you can select Resend.
Step 4 - Create a recovery pin
You will be prompted to create a Recovery PIN.
The Recovery PIN can be used so the user can access their account in the event they lose access to the device and cannot receive multi-factor authentication codes.
MFA has now been enabled for the user.
MFA Frequently asked questions
Q: As a user, if I change my phone number, can I reset my MFA myself?
Yes. See the steps below.
Q: What happens if a user forgets their recovery PIN?
In this instance, the user will be prompted to contact us. Our advice will be to ask the practice's System Administrator to log in to User Management+ and reset the user's MFA status once they have verified the user is who they say they are.
The relevant person in the practice with User Management+ access will then be able to complete the task from here: http://users.aps.reckon.com.
Select the user and a drawer will open on the right-hand side of the screen with that user's information.
Select the […] option at the top right-hand side and select Reset MFA, which will then prompt the user to set up MFA again.
Q: What happens if nobody in our practice has access to User Management+?
In this instance please create a case online, and our APS support team members will run through some identification and security checks to confirm the user is who they say they are and grant access to User Management where needed and/or reset the user as required.
Q: As a user of multiple APS cloud applications, why do I have to sign into each app and complete MFA for each application?
Presently the applications are independent. Further work is being completed around single sign-on (SSO), which will be available to implement at a later date.
Q: How long does a sign-in to an application last?
This will vary between applications – generally speaking, this will be 24hrs before login is requested again.
This will change in the future as APS+ applications grow: once a direct connection with ATO applications (and potentially IRD applications) is made in future APS+ releases, 15 minutes of inactivity in an application may require a user to sign in again, as per the ATO Guidelines.
More information specifically regarding the ATO requirements can be found here: https://softwaredevelopers.ato.gov.au/operational_framework
Q: Do our machine-to-machine users set up for integration purposes (e.g. Connectworks, ATOmate, FuseSign, BGL, etc.) need to be enabled for MFA?
Currently no; authentication for machine-to-machine users does not require MFA setup.
