Multi-factor authentication

Multi-factor authentication (MFA) will be introduced in late June 2026 for users who log in via the website. It will not apply to B2G requests or managing secured party groups once you have logged in.

Getting started with MFA

MFA is being introduced on the PPSR for users logging in via the website.

It adds an extra step when signing in to the PPSR, helping prevent unauthorised access, reducing the risk of fraud or unauthorised changes, and providing stronger protection for users.

How to activate MFA

You must be an account administrator or have permission to manage the account. Only one user for the account needs to complete the following steps.

  1. Log in to your PPSR account
  2. Select Account customers > Manage account customer
  3. Select Edit in the Preferences section
  4. Tick the box next to Activate under Multi-factor authentication
  5. Select Save.

Optional: password expiry

The default password expiry time has increased from 90 to 365 days.

  1. If you want all the users in your account to have a password that expires in less than 365 days, set Password expiry period in the account preferences to a number of days lower than 365.

You can also amend the password expiry period on individual users to a period less than 365 days, or a number lower than you set on the account level. However, you will need to do this for each individual user in your account.

If you already had a lower expiry set at the account or user level, the lower expiry will be retained.

Once you activate MFA on the account:

  • You cannot deactivate it
  • All users on the account will need to use MFA when they next log in
  • You do not need to change any of the users or the groups
  • Any user logged in at the time will not be logged out. However, they will need to use MFA the next time they log in.

How to use MFA

When you log in, the PPSR will send a one-time passcode (OTP) to the email address recorded on your user profile.

  • The OTP will be 6 digits and is valid for 5 minutes.
  • When you enter a valid OTP, you will have your usual access to the PPSR.
  • If you enter an invalid or expired passcode several times, you will be suspended for a short period. Another user, including AFSA’s Service Centre, cannot assist with access while you are suspended.
  • If you don’t receive the OTP, you can resend a new one after one minute.
  • If you have resent the OTP three times, you will have the option to use another method.
  • If the PPSR has a known issue with emails, you will be able to use the other method without resending the OTP.
  • If you enter incorrect details on the alternative method, your user profile will automatically be locked.

Please note: If your password is expired or due to expire, you will be prompted for a new password after you have completed MFA.
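
A minimal server-side model of the passcode rules listed above, as an added example that is not part of the original page and is not the PPSR's implementation. The attempt limit, the suspension length and invalidating the old code on resend are assumptions, since the page does not state them; `OtpSession` and its method names are hypothetical.

```python
import hmac
import secrets

OTP_TTL = 300          # page: the OTP is valid for 5 minutes
RESEND_WAIT = 60       # page: a new OTP can be resent after one minute
MAX_RESENDS = 3        # page: after three resends another method is offered
MAX_BAD_ATTEMPTS = 5   # assumption: the page only says "several times"
SUSPEND_FOR = 900      # assumption: the page only says "a short period"


class OtpSession:
    """One login awaiting its emailed passcode (illustrative model only)."""

    def __init__(self, now):
        self.resends = 0
        self.bad_attempts = 0
        self.suspended_until = 0.0
        self._issue(now)

    def _issue(self, now):
        # 6 digits from a CSPRNG; leading zeros are kept.
        self.code = f"{secrets.randbelow(10**6):06d}"
        self.issued_at = now
        self.used = False

    def resend(self, now):
        if now < self.suspended_until:
            return "suspended"
        if self.resends >= MAX_RESENDS:
            return "offer_other_method"
        if now - self.issued_at < RESEND_WAIT:
            return "wait"
        self.resends += 1
        self._issue(now)   # assumption: the previous code stops working
        return "sent"

    def verify(self, submitted, now):
        if now < self.suspended_until:
            return "suspended"
        expired = now - self.issued_at > OTP_TTL
        # Constant-time comparison; a code that was already used never matches.
        match = not self.used and hmac.compare_digest(
            submitted.encode(), self.code.encode())
        if match and not expired:
            self.used = True
            return "ok"
        self.bad_attempts += 1   # invalid and expired entries both count
        if self.bad_attempts >= MAX_BAD_ATTEMPTS:
            self.bad_attempts = 0
            self.suspended_until = now + SUSPEND_FOR
        return "expired" if match else "invalid"
```

Timestamps are passed in as seconds so the rules can be exercised without waiting; a real service would take them from its own clock.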

When MFA is not needed

You only need to use MFA when you log in with your username and password on the PPSR. This means once you are logged in, you don’t need to use MFA when you:

  • connect via B2G
  • use a new user or password reset link

Once you have logged in to the PPSR, you will not need to use MFA again to complete further tasks. This includes the following transactions:

  • updating your own password or secret questions
  • managing your account
  • managing your secured party group
  • managing your registrations
  • requesting a report.

Access codes and tokens will still need to be used where required.

Account administrators: prepare your users for MFA

What you can do

Account administrators are encouraged to review their users prior to setting up MFA.

If someone is no longer with your organisation, now is a good time to deactivate or remove their access. Use the user management report to review users in your account and their registered email address. For information about running this report, see Getting PPSR reports.

Review shared credentials

  • Shared email address: If several users use the same email address, this can cause confusion with the OTP codes.

Each OTP email will include the username in the subject line and the first name in the email body to help identify the correct code.

To avoid confusion and potential access issues, each user should have their own unique username and individual email address when accessing the PPSR.

  • Shared usernames: The PPSR does not recommend the use of shared usernames. Multiple users entering incorrect one-time passcodes can cause the user to be suspended.

There is no limit to the number of users or account system administrators you can have attached to your account. It is recommended each user has their own username with individual names and email addresses recorded.
