
Getting your Australian practice ready for 2SA

Posted 2 weeks ago in Advisors by Paul Macpherson

It’s never been more important for your practice to prioritise online security and safety, and to ensure everyone in the organisation follows best-practice guidelines. This is no longer a ‘nice to have’; it is a basic necessity of running a business.

If there is one lesson in the recent high-profile data thefts from the likes of Sony, Microsoft and Yahoo, and in the steady stream of phishing scams, fake-invoice scams and account compromises, it is that businesses need to take practical steps to reduce the risk of being hacked. Typically, the businesses that were hacked had weak basic security, such as shared logins or common passwords.

Statistics from online security software vendor Norton show that cybercrime costs Australians more than $1.2 billion a year. More than 3.7 million people in Australia have been victims of online crime, and Norton says that the country ranks as the eighth most impacted in the world by ransomware. Australia’s national CERT has also reported that 7,283 cyber-security incidents affected major Australian businesses in the 2016-2017 financial year, with 284 of these incidents involving systems of national interest and critical infrastructure.

Adding an extra lock on the door

Keeping your clients’ and your own sensitive data secure is critical. However, it is difficult to ensure that every single member of your team follows appropriate security procedures (such as not sharing logins or using common passwords). To help your practice maintain these secure practices, Xero is extending the use of Xero login to Xero Practice Manager and Xero Tax.

Additionally, we’ll soon make two-step authentication (2SA) mandatory across our partner products (including Xero HQ) for all Australian practices, to comply with an Australian Taxation Office mandate.

Two-step authentication adds another layer of security for practices, and we encourage our accounting, bookkeeping and small business customers to use two-step or multi-factor authentication (2SA/MFA) wherever it is available. This is particularly important for your email account, because a compromised mailbox is usually what lets an attacker reset your passwords for other sites. Two-step authentication requires not only a username and password but also a unique one-time code generated on a second device, so a stolen password alone is not enough to get in. There are no guarantees in security, but Xero has never had an account compromise reported for a user with 2SA enabled.
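To make the mechanism concrete, here is an added example (not Xero’s code, and not taken from the page) of how the code on the second device is produced and checked. It assumes the authenticator-app code is an RFC 6238 TOTP, which is the scheme Google Authenticator-compatible apps implement; the 20-byte secret and the timestamps are the RFC’s published test vectors, not real credentials. The verifier shows the two checks a practitioner wants the server side to make: tolerate a little clock drift, and never accept the same code twice.

```python
"""
Minimal RFC 6238 TOTP (time-based one-time password) with a server-side verifier.
Assumption (not stated on the page): the "authenticator app" code used for 2SA is
an RFC 6238 TOTP, the scheme Google Authenticator-compatible apps implement.
"""
import base64
import hashlib
import hmac
import struct
import time

STEP_SECONDS = 30   # each code is valid for one 30-second time step
DIGITS = 6          # 6-digit codes, as authenticator apps display

# Constructed sample input: the 20-byte SHA-1 test secret from RFC 4226 / RFC 6238.
TEST_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, dynamically truncated."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F                        # low nibble of last byte picks a 4-byte window
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)     # keep leading zeros


def totp(secret: bytes, at=None, step: int = STEP_SECONDS) -> str:
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / step). This is what the app shows."""
    if at is None:
        at = int(time.time())
    return hotp(secret, int(at) // step)


def provisioning_secret(secret: bytes) -> str:
    """Base32 form of the shared secret, which is what the enrolment QR code carries."""
    return base64.b32encode(secret).decode("ascii")


class TotpVerifier:
    """
    Server-side check. Accepts the current step plus `window` steps either side to
    tolerate clock drift, compares in constant time, and refuses any code from a
    time step at or before the last accepted one (replay protection).
    """

    def __init__(self, secret: bytes, window: int = 1, step: int = STEP_SECONDS):
        self.secret = secret
        self.window = window
        self.step = step
        self.last_counter = -1   # highest counter value already used successfully

    def verify(self, code: str, at=None) -> bool:
        code = code.strip()
        if not (code.isascii() and code.isdigit()):   # reject garbage before comparing
            return False
        if at is None:
            at = int(time.time())
        now_counter = int(at) // self.step
        for delta in range(-self.window, self.window + 1):
            counter = now_counter + delta
            if counter <= self.last_counter:           # already used (or before enrolment): reject
                continue
            if hmac.compare_digest(hotp(self.secret, counter), code):
                self.last_counter = counter
                return True
        return False


if __name__ == "__main__":
    # RFC 6238 test vector: at T=59 the 8-digit SHA-1 code is 94287082, so 6 digits gives 287082.
    print("shared secret for QR code:", provisioning_secret(TEST_SECRET))
    print("code at T=59:", totp(TEST_SECRET, 59))
    v = TotpVerifier(TEST_SECRET)
    print("first use accepted:", v.verify(totp(TEST_SECRET, 59), 59))
    print("same code replayed:", v.verify(totp(TEST_SECRET, 59), 59))
```

The replay check matters in practice: a phished code is only useful to an attacker for the same 30-second step, and if the legitimate user has already logged in with it the server must refuse it outright rather than rely on the clock alone.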

ATO requirements

The Australian Taxation Office (ATO) is introducing a new operational framework for software developers and for accountants and bookkeepers who use software to interact with the ATO. This framework requires accountants and bookkeepers to use multi-factor authentication when they log in. This means every staff member of an Australian practice needs to have 2SA enabled in Xero by March 2018 to comply with the ATO Operational Framework. From March, if you don’t have 2SA, you won’t be able to access Xero Practice Manager, Xero Tax or Xero HQ.

To get your practice ready for this requirement, Xero will offer optional 2SA in Xero for accountants and bookkeepers from late January. You can start preparing now by ensuring everyone in your practice has a unique login and that nobody shares passwords.

We know there are some practices that use shared logins, which will not be supported once 2SA is required. We understand that this will require these practices to amend their subscriptions. If you need assistance to amend your subscription, please contact:

Xero takes security seriously, and it is important that we continuously implement world-class security standards and monitoring and detection services. Our customers hold sensitive and personal data on behalf of their clients, and keeping everyone’s data secure is a top priority. We therefore fully support the ATO’s requirement for 2SA on software that interacts with its tax system. It is the right thing to do to help protect client data.


Cassandra Scott
November 29, 2017 at 5.53 pm

Great initiative – looking forward to it.

Is there any way currently, via XeroHQ to see which staff have 2FA already in place? We can see it in Green Xero, but HQ would be great too.

Paul Macpherson (Xero) in reply to Cassandra Scott
November 30, 2017 at 4.02 pm

Hi Cassandra,

If you have the Administrator or Master Administrator role you can navigate to the Staff tab where you’ll see the list of all users invited into your practice. The users with 2SA enabled will have a small padlock displayed under their name, to the left of their role type. If you hover your mouse over the padlock you’ll see the message “Two-step authentication active”.

Paul Macpherson

Rory Byrne
December 7, 2017 at 7.02 pm

This is a big step forward on the security front.

I do have a question regarding offshore/outsourcing teams which, for additional security reasons, are unable to use their phones while working in the office.

How do they go through 2SA if the policy is that staff are unable to use their phones while working?

Interesting to see how Xero approaches this issue.

Paul Macpherson (Xero) in reply to Rory Byrne
December 8, 2017 at 10.04 am

Hi Rory,

Very good question.

It’s preferable to have the authenticator app on a separate device to the one you’re logging in on, but you can download the WinAuth app to use Google Authenticator on your Windows desktop.

Also worth noting is that our 2SA has a “Remember me for 30 days” option. If you select that option, you only need to enter the code from your authenticator app once every 30 days, so long as you are logging in to Xero from the same device. If you log in from multiple devices you can “Remember me for 30 days” on each of them, so you only need to enter the code once on each device every 30 days.

