Idea suggested by Mike Ellis 10 months ago

Multifactor authentication is a definite must for clearbooks. It seems very unusual that this (now quite old) security technology is available on nearly every type of online account (even the non-sensitive/non-critical ones), yet it is not available on my accounts package. Seems like a very big security gap. IMO it should be your #1 dev priority. All the functionality in the world doesn't help if your account isn't appropriately secured.

I completely agree with the need for MFA (and other security improvements to the access management capabilities) to be taken more seriously and some urgent development focus applied. The system also has no controls to manage secure passwords (i.e. forcing complex passwords to be used) and does not force users to change their passwords from time to time. It does not protect users from logging in with IP addresses in different countries (or the same user from different IP addresses at the same time). These are basic security controls needed by any financial or data protection auditor and could be obvious causes of data breaches in my opinion.

On a slightly different topic, the terms and conditions of ClearBooks state that I as the 'Subscriber' must 'invite' other users to access my system by me assigning roles and permissions to them. This approach is not actually used in practice, as Clearbooks overrides this by directly providing my Accounting provider (a ClearBooks reseller) with administrative access to my copy of ClearBooks with no notification to me. I currently have 6 users on my system that I did not create or assign roles to, which under GDPR could be considered as a data breach, as I (as the Controller) am not in control of who has access to my data at any time.

ClearBooks staff also have access to all of the data in my copy of the system to provide me with technical support, and so ClearBooks therefore needs to have in place suitable legal safeguards for the protection of personal data (e.g. a Data Processing Agreement, or some equivalent). This direct access to the personal data by ClearBooks is not sufficiently covered in the standard terms currently. The Privacy Policy only relates to the safeguarding of the personal data of 'Subscribers' (and invited users), not any suppliers or customers I might add to the system.

As a result of all of the above, I do not currently add any customer or supplier personal data into Clearbooks (no names, email addresses or phone numbers) as it does not meet my minimum needs from a GDPR perspective. I feel that ClearBooks is not considering itself as operating as a 'Processor' under GDPR and not currently taking a holistic view of the 'technical and organisational measures' of the entire customer proposition.

I think MFA would be a great first step forward and I would happily offer to help to review or guide any developments (technical or legal) in this area.
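The access controls the post above asks for (a password complexity policy, and detection of one user logging in from several IP addresses or countries at once) are straightforward to check against a login audit trail. The script below is an added illustration written for this thread; it is not code from Clear Books or from any poster. It assumes a simple constructed log format of `timestamp user ip country` (the country code is taken as already resolved in the log, which is an assumption) and a hypothetical rule set; the thresholds and field layout are made up for the example.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample login audit lines: "<ISO timestamp> <user> <source IP> <country code>".
# These lines are invented for the example; the layout is an assumption, not Clear Books' format.
SAMPLE_LOGINS = """
2024-03-01T09:00:00 alice 203.0.113.10 GB
2024-03-01T09:10:00 alice 198.51.100.7 US
2024-03-01T09:00:00 bob 192.0.2.5 GB
2024-03-01T14:00:00 bob 192.0.2.5 GB
2024-03-01T08:00:00 carol 203.0.113.44 GB
2024-03-01T11:00:00 carol 198.51.100.9 DE
""".strip().splitlines()


@dataclass(frozen=True)
class Login:
    when: datetime
    user: str
    ip: str
    country: str


def parse_login(line: str) -> Login:
    """Parse one audit line of the constructed format into a Login record."""
    ts, user, ip, country = line.split()
    return Login(datetime.fromisoformat(ts), user, ip, country)


def _by_user(events):
    """Group events per user, each group sorted by time, so we can compare consecutive logins."""
    groups = defaultdict(list)
    for ev in events:
        groups[ev.user].append(ev)
    for evs in groups.values():
        evs.sort(key=lambda e: e.when)
    return groups


def find_concurrent_logins(events, window=timedelta(minutes=30)):
    """Flag a user who logs in from two different IP addresses within `window` of each other."""
    hits = []
    for user, evs in _by_user(events).items():
        for prev, cur in zip(evs, evs[1:]):
            if prev.ip != cur.ip and cur.when - prev.when <= window:
                hits.append((user, prev.ip, cur.ip))
    return hits


def find_country_changes(events):
    """Flag a user whose consecutive logins originate from different countries."""
    hits = []
    for user, evs in _by_user(events).items():
        for prev, cur in zip(evs, evs[1:]):
            if prev.country != cur.country:
                hits.append((user, prev.country, cur.country))
    return hits


# Hypothetical complexity policy: every rule must pass for a password to be accepted.
PASSWORD_RULES = {
    "length": lambda pw: len(pw) >= 12,
    "upper": lambda pw: any(c.isupper() for c in pw),
    "lower": lambda pw: any(c.islower() for c in pw),
    "digit": lambda pw: any(c.isdigit() for c in pw),
    "symbol": lambda pw: any(not c.isalnum() for c in pw),
}


def check_password_policy(password: str):
    """Return the names of the rules the password fails (an empty list means it is accepted)."""
    return [name for name, ok in PASSWORD_RULES.items() if not ok(password)]


if __name__ == "__main__":
    events = [parse_login(line) for line in SAMPLE_LOGINS]
    for hit in find_concurrent_logins(events):
        print("concurrent sessions from different IPs:", hit)
    for hit in find_country_changes(events):
        print("country change between logins:", hit)
    for pw in ("Password1", "Tr0ub4dor&3-horse"):
        print(pw, "->", check_password_policy(pw) or "ok")
```

On the constructed sample, `alice` trips both checks (two IPs ten minutes apart, and a GB-to-US change), `carol` only the country check (three hours apart), and `bob` neither. In a real deployment the country check would sit behind an IP geolocation lookup and both alerts would normally prompt a step-up such as MFA rather than an outright block, since travel and VPN use produce legitimate hits.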

I agree, this whole area is weaker than it should be in CB. A similar thing happened to me when appointing an accountant. It turns out that they had been added as admin and the account owner. I was subsequently unable to remove their access when I changed accountants last year. I don't think it is too strong a position to take to say they effectively gave my account to someone else. I was at risk of having to go through a process where I had to send in ID to prove who I was. Now, I understand that process and it is reasonable for them to ask that, but it shouldn't have happened in the first place. As it happened, the accountant wrote to them and asked to have herself removed.

These sections in the Access Conditions Terms do not seem to be entirely accurate...

2.2 the Subscriber determines who is an Invited User and what level of user role access to the relevant organisation and Service that Invited User has;

2.3 the Subscriber is responsible for all Invited Users’ use of the Service;

2.4 the Subscriber controls each Invited User’s level of access to the relevant organisation and Service at all times and can revoke or change an Invited User’s access, or level of access, at any time and for any reason, in which case that person or entity will cease to be an Invited User or shall have that different level of access, as the case may be;

2.5 if there is any dispute between a Subscriber and an Invited User regarding access to any organisation or Service, the Subscriber shall decide what access or level of access to the relevant Data or Service that Invited User shall have, if any.

PS I use onepassword as a PW manager to ensure strong PWs, but CB should beef up the PW policy as well.

I would like to add my voice to this request. Given the confidential nature of the information held on this system, an MFA option should be provided by default, and as soon as possible, especially as online applications are increasingly coming under attack from criminal elements.

I'd like to hear an opinion from one of the mods actually.

I'd really like to hear from someone at CB ref this

