
ImmiAccount Security Gets a Major Upgrade: Multi-Factor Authentication (MFA) Is Coming

dina045850
The Department of Home Affairs is stepping up digital security. From mid-June 2025, Multi-Factor Authentication (MFA) will become mandatory for all users of ImmiAccount, adding a critical layer of protection to safeguard your personal information and align with Australian Government cybersecurity standards.
If you’re using ImmiAccount — whether as an individual, business, or organisation — it’s time to get ready.
Why Multi-Factor Authentication?
MFA enhances account security by requiring two steps to verify your identity:
- Something you know – your password
- Something you have – a unique code from either an authenticator app or your email
This simple addition dramatically reduces the risk of unauthorised access — even if someone knows your password.
Implementation Timeline
- Mid-May 2025: Testing phase begins
Volunteers can trial MFA and provide feedback. To participate, email your ImmiAccount username to MFA.Project.Launch@homeaffairs.gov.au by 11 May 2025.
- Mid-June 2025: Full rollout begins
MFA becomes mandatory for all ImmiAccount users.
Authentication Options
You’ll be asked to choose one of two authentication methods:
✅ Option 1: Authenticator App (Recommended)
Use apps like Google Authenticator or Microsoft Authenticator to generate a rotating 6-digit code. This is the most secure method.
✅ Option 2: Email Token
Receive a 6-digit code via your registered email address. This is ideal for users without access to an authenticator app.
⏱ Validity: Authenticator app codes expire after 30 seconds. Email tokens are valid for 15 minutes.
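To show what the two validity windows above mean when a code is checked, here is an added example (not the Department's code, and not from the original post). It assumes the authenticator-app option uses standard TOTP (RFC 6238) with a 30-second step, and the `EmailTokens` store, its single-use rule and all names are hypothetical.

```python
import base64, hashlib, hmac, secrets, struct

TOTP_STEP = 30       # seconds: authenticator-app code lifetime stated on the page
EMAIL_TTL = 15 * 60  # seconds: email token lifetime stated on the page

# Constructed sample: the published RFC 6238 test key, not a real account secret.
DEMO_SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"

def totp(secret_b32, now, digits=6):
    """RFC 6238 code (HMAC-SHA1) for the 30-second step that contains `now`."""
    key = base64.b32decode(secret_b32)
    counter = struct.pack(">Q", int(now) // TOTP_STEP)
    mac = hmac.new(key, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation (RFC 4226)
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

def verify_totp(secret_b32, submitted, now):
    """Accept only the current step's code; compare in constant time."""
    expected = totp(secret_b32, now).encode()
    return hmac.compare_digest(expected, submitted.encode())

class EmailTokens:
    """Hypothetical server-side store: random 6-digit token, 15-minute expiry."""
    def __init__(self):
        self._issued = {}  # username -> (token, issued_at)

    def issue(self, user, now):
        token = f"{secrets.randbelow(10 ** 6):06d}"
        self._issued[user] = (token, now)
        return token  # a real service would email this instead of returning it

    def verify(self, user, submitted, now):
        # pop() makes the token single-use: one attempt, right or wrong, spends it
        token, issued_at = self._issued.pop(user, (None, 0))
        if token is None or now - issued_at > EMAIL_TTL:
            return False
        return hmac.compare_digest(token.encode(), submitted.encode())

if __name__ == "__main__":
    print("app code at t=59:", totp(DEMO_SECRET, 59))
    print("same code one second later:", verify_totp(DEMO_SECRET, "287082", 60))
    store = EmailTokens()
    t = store.issue("demo-user", now=0)
    print("email token at 15 min:", store.verify("demo-user", t, now=900))
```

The app code is derived on the device from a shared secret and goes stale within 30 seconds, while the email token is a random value whose safety depends on the mailbox for its full 15 minutes.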
Who’s Affected?
All individual and organisational ImmiAccount users will need to use MFA. This includes those accessing systems like VEVO for Organisations and LEGENDcom. MFA is required every time you log in or update account details.
Using Third-Party Software?
Automated tools that interact with ImmiAccount may be affected. The Department does not support third-party software, so be sure to liaise with your vendor to ensure compatibility.
Important for Organisations
Under the updated ImmiAccount Terms and Conditions, credential sharing is strictly prohibited. Organisations should:
- Assign at least one Organisation Account Administrator (OAA)
- Approve or remove user access
- Recover accounts when MFA or passwords are lost
- Manage inactive accounts
- Maintain compliance and protect sensitive data
Learn more about the OAA role at the Department’s website under Manage Your Organisation Accounts.
Support in 16 Languages
Once live, full support materials — including setup guides and FAQs — will be available under “Applying online in ImmiAccount” on the Department’s website. These resources will be provided in 16 languages to ensure accessibility for all users.
MFA is Already Standard Across Government Portals
If you’ve used MFA with your banking apps, government services, or even social media, you already know how it works. The same approach is being applied here — for your safety.
The Department of Education’s PRISMS portal enabled MFA in 2023, and from 28 June 2025, it will become mandatory for all PRISMS users as well — no exceptions.
FAQs
Q: What if I don’t have a smartphone?
A: Use the email token method instead.
Q: Will MFA change how APIs access VEVO?
A: No. VEVO B2B API access remains unchanged.
Q: Can I still change my username?
A: No, usernames are permanent. But you can update your email address.
Q: Are the session timeouts changing?
A: No. The 30-minute inactivity timeout and 4-hour hard limit remain.
✅ Next Steps
✔ Choose your preferred MFA method
✔ Prepare to set it up before mid-June
✔ Ensure your team or organisation is informed and compliant
✔ Volunteer for testing by 11 May 2025 if you’d like early access