ATO Requirements for Software Companies – 2FA/MFA

March 19, 2018

If a Digital Service Provider (DSP) – best understood to be a software company – provides a software product or service that reads, modifies, or routes any tax or superannuation related information, then that DSP is in scope of the ATO Operational Framework. This includes DSPs that use an intermediary (such as a gateway or sending service provider (SSP)) to interact with the ATO. This update is only about the 2FA (two-factor) or MFA (multi-factor) authentication requirements. For the purpose of this document we will use the term “2FA”.


ATO Requirements

  1. If the product or service is hosted by the DSP (cloud, browser based, DSP hosted, accessible from any device type): 2FA is mandatory.

  2. If the product is hosted by the business (desktop, on premise, own server): 2FA is optional according to the ATO requirements.


Impact on the DSPs


Software that has the mandatory requirement must implement and mandate a 2FA solution for all users with access to tax or super related information.


The proposed implementation dates for DSPs to have 2FA available, and then to mandate its use, are:

  • For tax practitioners' products: available by 31st March, 2018 and mandated use by 30th June, 2018.

  • For products with access to large volumes of tax and super data: available by 30th June, 2018 and mandated use by 30th September, 2018.

  • All other mandated products: available by 30th September, 2018 and mandated use by 31st December, 2018.


Alternatively, DSPs must provide assurances that sufficient controls are in place to mitigate the risk.


Moving into the future, the government will develop the Trusted Digital Identity Framework (TDIF), which may alter (hopefully improve) the software and user experience as it replaces the Cloud Authentication & Authorisation solution (CAA) that is based around AUSkey, Access Manager and the Unique Software ID.


Impact on You


The burden is on the software companies to deliver this solution to us. If your software is unable to implement 2FA (or obtain an extension from the ATO), you may lose the ability to lodge tax and super information, or retrieve information back from the ATO through that software. MYOB, Xero, and Intuit QBO all have 2FA solutions available.





© 2018 Insightful Bookkeeping
