Multi‑Factor Authentication (MFA) will be introduced to Personal Property Securities Register (PPSR) user accounts in late June 2026.
This change will enhance account security by adding an extra layer of protection for users and their registration information.
Once available, PPSR users are encouraged to set up MFA and begin using the updated sign‑in process.
What is MFA?
MFA introduces an additional verification step when logging into the PPSR via the web.
In addition to entering a password, users will be required to verify their identity using a one-time passcode (OTP) sent to the email address recorded on their user profile.
The OTP is a 6‑digit code and is valid for 5 minutes.
Once a valid OTP has been entered, users will have their usual access to the PPSR.
This additional step helps ensure only authorised users can access PPSR accounts, even if a password is compromised.
Why MFA is being introduced?
MFA is a widely used security measure across government and industry. Introducing MFA for the PPSR supports stronger protection for all users by reducing the risk of unauthorised access, fraud, or unintended changes to registrations.
This additional security is particularly important for users who manage high‑value or high‑volume registrations, where unauthorised access could have significant impacts.
Once enabled, MFA will be required each time a user logs in to their PPSR account.
MFA will be mandatory by the end of 2026 and will be automatically applied to any existing accounts which have not already opted in before this time.
MFA will also be automatically applied to any new accounts set up from June 2026.
Important information for account administrators
Prepare users
Account administrators must enable MFA to allow other users on the account to access it.
Administrators should also ensure that users attached to their account can log in successfully and have up‑to‑date contact details to support MFA.
The user management report can be used to review users and their registered email addresses, and to remove users who are no longer with the organisation.
Review shared credentials
Where possible, each user should have a unique email address. Using the same email for multiple users can cause confusion with one-time passcodes. Each OTP email includes the username and first name to help identify the correct code.
Shared usernames are not recommended. Multiple users entering incorrect one-time passcodes can suspend the user.
There is no limit to the number of users or account administrators on an account. Each user should have their own username, with their name and email address recorded.
How to set up MFA
Setting up MFA is straightforward and only takes a few minutes.
For step‑by‑step guidance, visit our Multi-factor authentication page.