FastTrack360 prioritises the privacy and security of your data. Each customer operates on an isolated database, ensuring no cross-environment access. Independent penetration testing is conducted on all new releases to maintain robust protection standards.
FastTrack360 also includes additional security features such as Multi-Factor Authentication (MFA), CAPTCHA, and configurable Password Policies to enhance system protection and support compliance requirements.
⚠️ Important: You need Administrator permissions to configure system security settings, including MFA, CAPTCHA, and Password Policy.
Multi-Factor Authentication (MFA)
Multi-Factor Authentication (MFA) provides an additional layer of security by confirming a user's identity using two or more authentication factors.
What Is MFA?
MFA verifies a user’s identity using a combination of the following factors:
Knowledge – Something the user knows (e.g., password, security question)
Possession – Something the user has (e.g., mobile device)
Inherence (Biometrics) – Something the user is (e.g., fingerprint, facial recognition)
FastTrack360 uses possession-based authentication through a user’s mobile device, in addition to standard username and password verification.
Why It’s Important
User credentials can be compromised through poor practices such as password sharing or reuse. MFA adds a second verification step, significantly reducing the likelihood of unauthorised access.
The Australian Taxation Office (ATO) requires cloud-based Digital Service Providers (DSPs) to use MFA when users access taxation or superannuation-related data.
How It Works
MFA can be configured as:
SMS-based Authentication (Default) – End users receive a one-time SMS code during login. This requires:
An active account with FastTrack Marketplace partner SMS Central
Correct configuration for user SMS delivery
Sufficient SMS credit
Time-based One-Time Password (TOTP) – Users configure an authenticator app such as Google Authenticator. TOTP setup is available via FastTrack Support.
Where It’s Mandated
The ATO mandates MFA for all Australian agency users accessing taxation or superannuation information. This is a default configuration in FastTrack360.
Recommended Configuration
Enable MFA for all users to enhance protection and meet compliance standards.
Impact on Users
Users must have access to their registered mobile phone when logging in. A verification code will be required after entering their username and password.
💡 Best Practices
Enable MFA across all user accounts.
Regularly audit MFA configurations to ensure all users are compliant with organisational and regulatory requirements.
CAPTCHA
CAPTCHA helps protect your system from automated attacks by verifying that a real person is interacting with the platform.
What Is CAPTCHA?
CAPTCHA (Completely Automated Public Turing test to tell Computers and Humans Apart) is an automated challenge designed to prevent bots from performing malicious actions.
Why It’s Important
Automated attacks can rapidly exploit system vulnerabilities. CAPTCHA limits exposure by ensuring that login and registration actions are performed by real users.
How It Works
FastTrack360 integrates Google’s reCAPTCHA, which appears on:
Login page.
Password reset page.
Questionnaire page.
Candidate registration page.
CAPTCHA challenges can range from a simple checkbox to image-based verification, depending on Google’s threat model and risk assessment.
Configuration Steps
Go to Maintenance and click Password Policy.
Then open Password Policy.
Adjust No of Login Attempts Before CAPTCHA to set when CAPTCHA appears.
Default: 2 consecutive failed login attempts per IP address.
Recommended Configuration
Set CAPTCHA to appear after two failed attempts to minimise automated locking attacks.
Impact on Users
Users may occasionally be prompted to verify they are not a robot, especially after multiple failed login attempts or when using a shared IP address.
💡 Best Practices
Maintain CAPTCHA at the default setting of two failed attempts.
Educate users on why CAPTCHA appears to reduce login confusion.
Password Policy
FastTrack360 allows you to define and enforce password requirements that align with your organisation’s security standards.
What Is Password Policy?
Password policies define requirements such as password strength, expiration, and account lockout thresholds.
To manage these settings, click Maintenance, then click Password Policy.
How It Works
FastTrack360 is designed with security as a top priority, following industry best-practice standards to protect both business-critical and personally sensitive data.
While the system gives you flexibility to configure your own security settings, we recommend the following best-practice guidelines for Password Policy and Multi-Factor Authentication (MFA).
🔐 Password Policy Settings
Minimum Number of Characters and Alphanumeric Requirement
To set up your password requirements:
Click on Maintenance, then select Password Policy.
After that, choose Password Policy, and locate the fields Min No of Characters and Force Password Alphanum.
We recommend:
A minimum of 8 characters for all passwords.
Using alphanumeric combinations for stronger security.
Encouraging users to create passphrases instead of single words.
💡 A passphrase combines three or more random words, ideally with numbers or symbols.
Example: towerpebble2cellarhappy – this would take 494 quadrillion years to guess, compared to just 16 hours for s4d87df@#.
Regional Recommendations
Australia: Minimum 13 characters (ACSC ISM Control 0421, Sept 2018).
United Kingdom: Use three random words (NCSC, Nov 2018).
United States: Minimum 8 characters (NIST, June 2017).
Enforce Password Reset
To enforce password resets:
Click on Maintenance.
Then select Password Policy.
After that, open Password Policy, and locate Enforce Password Reset.
We recommend enforcing password resets when:
A new user account is created, or
An administrator resets another user’s password.
This ensures each user sets a unique, private password.
Multi-Factor Authentication (MFA) Security Roles
To manage MFA requirements:
Click on Maintenance.
Then go to Password Policy.
After that, open MFA Security Roles.
We recommend enabling MFA for all users.
Australia: Mandatory for users accessing superannuation or tax data (ATO DSP Requirements).
Globally: Encouraged by ACSC (Australia), NCSC (UK), and NIST (US).
MFA – Remember This Device
To review this setting:
Click on Maintenance.
Then open Password Policy.
After that, select Multi-Factor Authentication (MFA) Global Settings, and find Remember this device.
Set the “Remember this device” duration to no more than 24 hours, as required by the Australian Taxation Office’s DSP standards.
Failed Login Attempts
To configure login attempt limits:
Click on Maintenance.
Then open Password Policy.
After that, choose Password Policy, and locate No of Login Attempt Before Locking.
We recommend:
A maximum of 5 failed login attempts before locking an account.
Showing CAPTCHA after 2 failed attempts to prevent automated attacks.
These settings follow ACSC ISM Control 1403 (Sept 2018).
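An added model of the thresholds described in the Password Policy Settings and Failed Login Attempts sections (this is not FastTrack360 code): per-IP failures trigger CAPTCHA after 2, per-account failures lock the account after 5, and a new password must satisfy Min No of Characters and Force Password Alphanum. That a successful login clears only the account counter, not the per-IP counter, is an assumption of this example.

```python
"""Login-threshold and password-policy model (added example, not FastTrack360 code).
Assumed defaults from the guide: CAPTCHA after 2 failures per IP, lock after 5 per
account, minimum 8 characters, letters and digits both required."""
from collections import defaultdict

CAPTCHA_AFTER = 2      # No of Login Attempts Before CAPTCHA (per IP)
LOCK_AFTER = 5         # No of Login Attempt Before Locking (per account)
MIN_CHARS = 8          # Min No of Characters
FORCE_ALPHANUM = True  # Force Password Alphanum


def password_meets_policy(pw: str, min_chars: int = MIN_CHARS,
                          alphanum: bool = FORCE_ALPHANUM) -> bool:
    """True when the password meets the length rule and, if enforced,
    contains at least one letter and one digit (passphrases pass easily)."""
    if len(pw) < min_chars:
        return False
    if alphanum and not (any(c.isalpha() for c in pw)
                         and any(c.isdigit() for c in pw)):
        return False
    return True


class LoginGuard:
    """Tracks failures per source IP (drives CAPTCHA) and per account (drives lockout)."""

    def __init__(self) -> None:
        self.ip_failures = defaultdict(int)
        self.account_failures = defaultdict(int)
        self.locked = set()

    def captcha_required(self, ip: str) -> bool:
        return self.ip_failures[ip] >= CAPTCHA_AFTER

    def is_locked(self, user: str) -> bool:
        return user in self.locked

    def attempt(self, user: str, ip: str, credentials_ok: bool) -> str:
        """Record one attempt; returns 'locked', 'success', 'captcha' or 'failed'."""
        if self.is_locked(user):
            return "locked"            # locked accounts reject even correct passwords
        if credentials_ok:
            self.account_failures[user] = 0   # assumption: success resets the account only
            return "success"
        self.ip_failures[ip] += 1
        self.account_failures[user] += 1
        if self.account_failures[user] >= LOCK_AFTER:
            self.locked.add(user)
            return "locked"
        return "captcha" if self.captcha_required(ip) else "failed"
```

On a shared IP address, one user's failures raise the CAPTCHA prompt for everyone behind it, which is the behaviour the Impact on Users note describes.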
Session Timeout
To configure session timeout:
Click on Maintenance.
Then open Password Policy.
After that, choose Password Policy, and set Activate Session Timeout and Session Timeout Duration.
We recommend:
A timeout of no more than 15 minutes of inactivity.
Encouraging users to log out when not using FastTrack360.
This aligns with ACSC ISM Control 0428 (Sept 2018).
Password Expiry
To configure expiry settings:
Click on Maintenance.
Then open Password Policy.
After that, choose Password Policy, and set Days Before Password Expiry.
Regional Recommendations
Australia: Require password change every 90 days (ACSC ISM Control 0423, Sept 2018).
United Kingdom: Do not enforce regular expiry (NCSC, Nov 2018).
Why It’s Important
Strong password policies prevent unauthorised access and help align your organisation with global security frameworks.
Recommended Configurations
Below are key recommendations based on best practice standards:
| Setting | Recommendation | Reference |
| --- | --- | --- |
| Min No of Characters | Minimum 8 characters; consider using passphrases with at least 3 random words | ACSC, NCSC, NIST |
| Enforce Password Reset | Require reset after account creation or password reset by an admin | Internal Policy |
| MFA Security Roles | Enforce MFA across all accounts with sensitive data access | ATO, ACSC |
| Remember This Device | Maximum 24 hours | ATO Requirements |
| No of Login Attempts Before Locking | 5 attempts | ACSC Security Control 1403 |
| Session Timeout | Maximum 15 minutes inactivity | ACSC Security Control 0428 |
| Days Before Password Expiry | 90 days (AU), none (UK/US unless compromised) | ACSC, NCSC, NIST |
Impact on Users
Depending on your configuration, users may need to change passwords periodically, use longer passphrases, or reauthenticate after idle time.
💡 Best Practices
Encourage use of passphrases instead of complex single-word passwords.
Regularly review password expiry settings in line with your region’s standards.
User Access Policy
FastTrack360 enables fine-grained control over who can access specific data and functionality through Roles and Data Groups.
What Is It?
User access policies define permissions for users to ensure that each individual only has access to what is necessary for their role.
Why It’s Important
Limiting access reduces the risk of data breaches and simplifies auditing in the event of a security incident.
How It Works
Go to Maintenance and click Security to review system roles.
Go to Maintenance and then Users to manage user-level access.
Apply data groups and roles based on job responsibilities.
Recommended Configuration
Restrict user access to only what’s required for their duties.
Conduct regular permission audits to ensure compliance.
Impact on Users
User experience will depend on their assigned roles and data groups. Access restrictions may limit visibility to only relevant areas of FastTrack360.
💡 Best Practices
Schedule quarterly permission audits.
Document all role-based access changes for audit readiness.
Disable accounts promptly when users leave the organisation.
🤔 FAQs
Q1: Can I disable MFA for specific users?
Answer: MFA is mandatory for users with taxation or superannuation access under ATO guidelines. It is strongly recommended for all users.
Q2: Why are users seeing CAPTCHA frequently?
Answer: CAPTCHA appears after failed login attempts or if Google’s risk model detects suspicious activity from a shared IP address.
Q3: How can I reset the Password Policy to default settings?
Answer: Go to Maintenance > Password Policy, and restore default configurations manually by referencing the recommended settings above.
Q4: How often should we audit user roles and access?
Answer: Conduct audits at least quarterly or whenever a major staff change occurs.
