Authentication Standards
To protect sensitive superannuation data and meet ATO security expectations, all software partners must implement the following authentication and session standards. These are non-negotiable and apply to all new software partner integrations.
Shared logins are blocked
Users must have individual logins. Shared credentials aren’t allowed and should be blocked. Each user should be identifiable and auditable.
Session time-out after inactivity
Sessions must auto-lock after a maximum of 30 minutes idle time. This lockout can be a screen lock — no need for full MFA to resume activity.
‘Remember me’ lasts no longer than 24 hours
If your app includes a "remember me" or persistent login feature, it must expire within 24 hours.
Brute-force protection kicks in after 5 failed attempts
After five unsuccessful login attempts, your system must trigger a lockout event. The exact lockout method is up to you — we just require that it happens.
Tokens must be short-lived and device-bound
Any temporary login token or credential must:
- Be tied to a single user and device
- Expire immediately after use or within 24 hours (whichever comes first)
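The five rules above, implemented together in one added example (this is not code from the ATO or from any software partner): an in-memory `AuthService` that gives every user an individual, audited identity, screen-locks a session after 30 idle minutes, caps a "remember me" session at 24 hours, raises a lockout event on the fifth failed login, and issues single-use tokens bound to one user and one device with a 24-hour ceiling. The class and method names, the in-memory stores, the sample user and device identifiers, and the explicit `now` timestamps (passed in so behaviour is deterministic) are all assumptions of this example.

```python
# Added example, not the ATO's or any partner's code: in-memory enforcement
# of the authentication and session rules. Time is passed in explicitly so
# the checks are deterministic; storage and identifiers are placeholders.
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Optional

IDLE_TIMEOUT = 30 * 60          # screen-lock after 30 minutes of inactivity
REMEMBER_ME_MAX = 24 * 60 * 60  # "remember me" expires within 24 hours
TOKEN_MAX_AGE = 24 * 60 * 60    # temporary tokens expire within 24 hours
MAX_FAILED_ATTEMPTS = 5         # lockout event on the fifth failed attempt


@dataclass
class User:
    salt: bytes
    password_hash: bytes
    failed_attempts: int = 0
    locked: bool = False


@dataclass
class Session:
    user_id: str                 # one session belongs to exactly one user
    device_id: str
    last_activity: float
    expires_at: Optional[float]  # set only for "remember me" sessions
    screen_locked: bool = False


@dataclass
class Token:
    user_id: str
    device_id: str
    expires_at: float
    used: bool = False


def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class AuthService:
    def __init__(self) -> None:
        self.users: dict[str, User] = {}
        self.tokens: dict[str, Token] = {}   # keyed by SHA-256 of the raw token
        self.audit: list[tuple[float, str, str]] = []  # (time, user_id, event)

    def register(self, user_id: str, password: str) -> None:
        salt = secrets.token_bytes(16)
        self.users[user_id] = User(salt, _hash_password(password, salt))

    def _password_ok(self, user: User, password: str) -> bool:
        return hmac.compare_digest(_hash_password(password, user.salt), user.password_hash)

    def login(self, user_id: str, password: str, device_id: str,
              now: float, remember_me: bool = False):
        """Return (status, session); status is 'ok', 'bad_credentials' or 'locked'."""
        user = self.users.get(user_id)
        if user is None:
            return "bad_credentials", None
        if user.locked:
            self.audit.append((now, user_id, "login_rejected_locked"))
            return "locked", None
        if not self._password_ok(user, password):
            user.failed_attempts += 1
            self.audit.append((now, user_id, "login_failed"))
            if user.failed_attempts >= MAX_FAILED_ATTEMPTS:
                user.locked = True            # the required lockout event
                self.audit.append((now, user_id, "account_locked"))
                return "locked", None
            return "bad_credentials", None
        user.failed_attempts = 0
        self.audit.append((now, user_id, "login_ok"))
        expires = now + REMEMBER_ME_MAX if remember_me else None
        return "ok", Session(user_id, device_id, now, expires)

    def check_session(self, session: Session, now: float) -> str:
        """'active', 'screen_locked' (idle > 30 min) or 'expired' (remember-me past 24 h)."""
        if session.expires_at is not None and now >= session.expires_at:
            return "expired"
        if session.screen_locked or now - session.last_activity > IDLE_TIMEOUT:
            session.screen_locked = True
            return "screen_locked"
        session.last_activity = now
        return "active"

    def resume_after_screen_lock(self, session: Session, password: str, now: float) -> bool:
        # Resuming needs only the user's password, not a full MFA round.
        if self.check_session(session, now) == "expired":
            return False
        if not self._password_ok(self.users[session.user_id], password):
            return False
        session.screen_locked, session.last_activity = False, now
        return True

    def issue_token(self, user_id: str, device_id: str, now: float) -> str:
        raw = secrets.token_urlsafe(32)
        key = hashlib.sha256(raw.encode()).hexdigest()
        self.tokens[key] = Token(user_id, device_id, now + TOKEN_MAX_AGE)
        return raw

    def redeem_token(self, raw: str, user_id: str, device_id: str, now: float) -> bool:
        tok = self.tokens.get(hashlib.sha256(raw.encode()).hexdigest())
        if tok is None or tok.used or now >= tok.expires_at:
            return False
        if tok.user_id != user_id or tok.device_id != device_id:
            return False   # bound to a single user and a single device
        tok.used = True    # single use: dead immediately after redemption
        return True
```

Because every login, failure and lockout is recorded against a single `user_id`, the `audit` list is the evidence trail the "identifiable and auditable" rule asks for; a deployment would persist it rather than keep it in memory.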