This help guide discusses Two-Factor Authentication (2FA) in Tanda, including why Tanda enforces mandatory two-factor authentication in certain circumstances and how to manage your 2FA settings.
For information on enabling Two-Factor Authentication for individual users, see our help guide on Managing Account Two-Factor Authentication (2FA).
What Is Two-Factor Authentication?
Two-factor authentication, sometimes known as multi-factor authentication (MFA), is an online security practice where users must provide two forms (or 'factors') of authentication to log into an account or access specific data.
Typically, these two factors are their password and a code from an authenticator app, such as Google Authenticator or Microsoft Authenticator. To log in with 2FA enabled, enter your username and password. You will then be prompted to enter a six-digit code, which you can retrieve from your authenticator app.
Two-factor authentication makes it far more difficult for cybercriminals to breach your account or access sensitive data. Not only do they need your password, but they also need a second factor to verify the login. As a result, two-factor authentication is generally considered an online security best practice.
Why Do I Have To Enable Two-Factor Authentication In Tanda?
Tanda is a Digital Service Provider (DSP) regulated by the ATO's Operational Security Framework. This framework also regulates the majority of our payroll integration partners, including Xero.
The DSP Operational Security Framework aims to "protect taxation, accounting, payroll, business registry, and superannuation-related data and the integrity of the Taxation, Business Registry, and Superannuation systems that support the Australian community."
Accordingly, DSPs are expected to self-assess against the ATO's Security Standards for Add-On Marketplaces (SSAM) guidelines. With regard to two-factor authentication, these guidelines state:
"Ensure that strong customer authentication is enabled (minimum two-step authentication) or single sign-on with DSP credentials (minimum two-step authentication)."
Therefore, to comply with these security standards, Tanda must enforce Two-Factor Authentication for all accounts with active Xero integrations. We also follow these standards for Tanda Payroll customers.
Managing Two-Factor Authentication in Tanda
Even in circumstances where Two-Factor Authentication isn't mandatory, the ATO's Operational Security Framework still advises:
"To strengthen your authentication, we recommend implementing multi-factor authentication (MFA) as best practice."
We agree and strongly advise all users to enable two-factor authentication on their accounts.
Enforcing Mandatory 2FA
With this in mind, we also offer the option to enforce mandatory two-factor authentication for all users who can see anyone else's data in Tanda (i.e. anyone with Manager or Admin-level user permissions).
This will not apply to users with employee-level permissions. For details on enabling two-factor authentication for employees and individual users, please see our help guide.
To enable this setting, navigate to Settings > General Settings > Show Advanced Settings. Then, tick Enforce Multi-Factor Authentication and select Update Settings. You need admin-level permissions to enable this setting.
Please note that this setting is currently only available on Tanda desktop. It does not apply to the mobile app.