
ATO MFA Mandate for Tax Agents — What Every Melbourne Accountant Must Do

📅 March 15, 2026 ⏱ 5 min read

The Australian Taxation Office has mandated multi-factor authentication for all access to Online Services for Agents. This is not optional — it is a requirement for all registered tax agents. If you have not yet set up MFA on your portal access, you are not only at serious security risk but potentially in breach of your Tax Practitioners Board obligations.

What Is MFA and Why Does the ATO Require It?

Multi-factor authentication adds a second layer of security beyond your password. When you log in, you are required to verify your identity using a second factor — typically a code sent to your mobile or generated by an authenticator app. Even if a criminal steals your password, they cannot access your portal without also having your phone. The ATO mandated this because tax agent portal access has become one of the most targeted attack vectors for cybercriminals — access to a tax agent portal allows fraudulent returns to be lodged and refunds redirected at scale.

How to Set Up MFA on Your ATO Portal

Log in to your existing ATO account, navigate to security settings, and follow the prompts to add an authenticator app or set up SMS verification. The ATO recommends using an authenticator app rather than SMS, as SMS can be compromised by SIM-swapping attacks where a criminal convinces your mobile carrier to transfer your phone number to a SIM they control.

Which Authenticator App Should You Use?

Microsoft Authenticator and Google Authenticator are both excellent choices and free to download. Both work with ATO systems. Microsoft Authenticator has the additional benefit of cloud backup, which makes it easier to recover if you lose or change your phone. Download the app from the official App Store or Google Play before beginning your MFA setup.

TPB Obligations and Cybersecurity

Under the Tax Practitioners Board Code of Professional Conduct, registered tax agents have obligations to maintain appropriate security for client data. Failing to implement MFA when the ATO requires it could be considered a breach of your TPB obligations and result in disciplinary action. Beyond the MFA requirement, the TPB expects agents to maintain broader cybersecurity practices — secure storage of client data, appropriate access controls, and procedures for managing security incidents. The TPB has begun taking action against practitioners who suffered breaches where basic security controls were demonstrably absent.

Beyond the ATO Portal — MFA Everywhere

MFA on your ATO portal is the regulatory minimum, but it is not a complete security solution. Your accounting software — MYOB, Xero, Reckon — should also have MFA enabled. Your business email is arguably more important than any other system, because it is the gateway through which attackers compromise everything else. If a criminal gains access to your email, they can reset passwords to every other account linked to that address. Enable MFA on your email first, then your ATO portal, then your accounting software, then everything else.

What If You Have Multiple Staff?

Every staff member who accesses the ATO portal must have MFA enabled on their own credentials — not shared credentials. Shared logins violate ATO terms and make it impossible to track who made specific changes if a fraudulent return is lodged. Each user should have individual ATO credentials with MFA enabled on their personal device.

MFA on your ATO portal is a minimum baseline, not a complete security solution. Contact IntrusionX for a free security assessment specific to your practice — we work with Melbourne accounting and tax practices to implement the full set of controls the TPB and ATO expect, and to protect your clients' data and your professional reputation.
