Head of Security Xero
Large corporations get most of the publicity when it comes to cybercrime and hacking. But cyber criminals are also targeting small businesses. Security industry research shows that over 40% of cyber attacks last year targeted small businesses and this is increasing. That’s why Two-Step Authentication is an important security measure you need to take.
Businesses get subjected to a constant barrage of phishing scams and malicious software attempting to steal user account names and passwords. So it’s vital that businesses everywhere ensure they have strong security practices to keep their information secure. Security is an issue that everyone needs to take seriously.
Two-Step Authentication (2SA) is available to all Xero customers to provide an additional layer of security for your Xero user accounts. Using two-step authentication significantly reduces the risk of your Xero account becoming compromised if your password gets stolen by phishing or malware.
Many online services offer additional authentication. Whether it’s called Two-Factor Authentication (2FA), Multi-Factor Authentication (MFA), or Two-Step Verification (2SV), it all works in much the same way, and it significantly increases the security of your account. We strongly recommend using 2FA/MFA/2SV wherever it’s available. This is particularly important in protecting your email and any other account where you may have sensitive, personal or financial information.
How does Two-Step Authentication work?
When you have two-step authentication enabled, you need to provide two authentication “factors” to log in, plus your Xero username. The first factor is something you know: your password. The second factor is a unique six-digit code that’s generated by a separate app on your smartphone, such as the Google Authenticator app, Authy or other similar apps.
With two-step authentication enabled, only the Xero user with access to that trusted device will be able to log in. This makes it more difficult for unauthorised people to access your data.
If you don’t have your mobile device with you when you need to log in to Xero, you can answer the security questions that you set up when you enabled two-step authentication. We recommend that you only use the fallback questions when necessary. We would advise strongly against using them as a regular alternative to the authenticator app.
Watch the video below to see how to set up and use two-step authentication.
Trusted Device Recognition
In addition, Xero’s two-step authentication has trusted device recognition. You’ll be able to select “Remember me for 30 days” as an optional setting. If you select “Remember me for 30 days” you won’t need to perform the second authentication step on that device for 30 days.
Individual users have the option of enabling two-step authentication when they log in to Xero. From within the Users Settings page, a Subscriber, or a user with Manage Users access, can see which users of their organisation have enabled two-step authentication.
To find out more about two-step authentication, please review our Help Center.
Security is a constantly-evolving issue for the tech industry. We strongly encourage all Xero users – and technology users in general – to remain vigilant about the online solutions they use. If you have any questions about this area, please check our Security Page. For updates on any known phishing or other scams targeting our community, or for any recommendations on how to protect yourself from them, please check our Security Noticeboard.