
Introducing New Security Feature – Two-Step Authentication

Posted 4 years ago in Xero news by Paul Macpherson

Data security is an industry-wide issue and it is our number one priority. Phishing scams that attempt to steal account names and passwords are an ongoing issue for all online and financial services, so it’s vital that businesses everywhere who use these services ensure they have strong security practices and keep their information secure. Security is an issue that everyone needs to take seriously.

On the back of recent security updates, today we released Two-Step Authentication for all Xero customers, providing an additional layer of security for all Xero user accounts. Two-step authentication can help keep your Xero account from being compromised by phishing and malware.

Two-Step Authentication verifies the identity of a customer logging into the Xero dashboard by requiring them to use their existing password and a second, unique code randomly generated by the Google Authenticator app on their smartphone, each time they log in. Based on security best practice, Two-Step Authentication means only the Xero user with access to that trusted device will be able to log in, making it more difficult for unauthorised people to access their data.

How does Two-Step Authentication work?

When you have Two-Step Authentication enabled you need to use a second method to log in to Xero. In addition to your standard Xero username and password, you also have to enter a six-digit code provided by a separate app on your smartphone, Google Authenticator.

If you don’t have your mobile device available when you need to log in to Xero, you will be able to fall back to answering questions you set up when you enabled Two-Step Authentication in order to gain access to Xero. The fallback questions should only be used when necessary and not as a regular alternative to the authenticator app.

Watch the video below to see how to set up and use Two-step authentication.

In addition, Xero’s Two-step authentication will have trusted device recognition. You’ll be able to select “Remember me for 30 days” as an optional setting. If you select “Remember me for 30 days” you won’t need to perform the second authentication step on that device for 30 days.

For this initial release, individual users have the option of enabling Two-step authentication when they log in to Xero. From within the Users Settings page, a Subscriber, or a user with Manage Users access, can see which users of their organisation have enabled Two-Step Authentication. Depending on the uptake of the feature, and the feedback we receive, we may look into making this an organisation-level setting enforceable by the Subscriber.

To find out more about Two-Step Authentication, please review our Help Center.

Security is a constantly-evolving issue for the tech industry and we strongly encourage all Xero users – and technology users in general – to remain vigilant about the online solutions they use. If you have any questions about this area, please check our Security Page.

39 comments

David
December 7, 2015 at 9.29 am

I am a big fan of two step authentication but I just wondered how it will work in conjunction with third party API integrations that have exchanged my username and password for a token. Will that token expire after 30 days or will it survive?

Ronan Quirke
December 7, 2015 at 2.01 pm

@David – short answer, it will survive.

The background is as follows:

1. As a user authenticating a 3rd party application to access your Xero data, if you have enabled two step authentication, then these features will apply if you need to login in order to authenticate the application.

2. Once connected, 3rd party applications that are certified Xero add-on partners use the Xero partner API which has the following security features:
i) 30min access tokens that need to be refreshed for further access
ii) RSA request signing using a public/private keypair on all requests
iii) Xero supplied client SSL cert is required to communicate to our partner API

So the API itself has a separate but quite robust security model.

Hope that helps!

Sonia
December 9, 2015 at 11.11 am

If you’ve ticked ‘Remember me for 30 days’ on a device, and you lose that device, can you go in and ‘untrust’ or remove that device?

Paul Macpherson
January 27, 2016 at 10.11 am

@Sonia –

We don’t yet have the function available to ‘un-trust’ or remove a device that you’ve ticked ‘Remember me for 30 days’ on. Until we make that function available you’ll need to contact support@xero.com to remove the device for you.

Andrew Frazer
January 9, 2016 at 1.51 pm

Absolutely want to be able to enforce Organisation wide 2 factor. We already use it for lots of other things. Please turn it on immediately.

Paul Macpherson in reply to Andrew Frazer Xero
January 27, 2016 at 2.17 pm

@Andrew –

Allowing a Subscriber to enforce Two-Step Authentication for all users in their organisation is on our 2SA enhancement road map. But it’s not just a matter of turning it on as there is significant development required to enable this feature.

I recommend you join this conversation on Xero’s Community site for updates on this feature.

Bill
January 10, 2016 at 11.07 am

Will the iPhone app be updated to cater for it as well?

Ben
January 15, 2016 at 12.39 am

+1 for two-step support on mobile app

Matt
January 15, 2016 at 7.16 am

Same question as Bill. iPhone app login no longer works with 2 step authentication in place.

Would also like to see Touch ID implemented on iPhone app.

Shaun
January 19, 2016 at 7.32 pm

Love the 2 step authentication for Xero on web, but the mobile app needs to be updated. With 2 step authentication enabled on the web, the mobile app won’t allow login and thus is useless. Surely the mobile app can bypass the 2 step process if mobile user has enabled touch ID for login. Is Xero working on a solution?

Mira Krishnan
January 27, 2016 at 2.42 am

Just another chime in – Xero very kindly responded to the other concerns above, but the iPhone app issue really needs to be addressed. I’m really unsure what I should be doing right now – turning off two factor so I have a mobile app, or not using the mobile app so I have two factor.

Luke Gumbley in reply to Mira Krishnan
May 8, 2016 at 10.12 am

Hi everyone, rounding up all the mobile app questions here. Good news first: As of Wednesday (4th May), the Android app now supports 2SA. Full support for the iOS app is in the works, however there is one small ray of light in the meantime.

Shaun is correct in that if you have Touch ID set up (Matt, we do have it!) or even a PIN, you can still use the mobile app with 2SA turned on. The annoying part is that you have to turn 2SA off in order to set this up, and then back on again afterward. It gets more annoying if you ever cancel a Touch ID login, as this effectively removes Touch ID and requires your credentials again (so you hit the 2SA issue).

We’ve been working on a complete revamp of login for iOS. It’s still in progress, but there shouldn’t be too much longer to wait (anticipating a release in June). This will provide full 2SA support and resolve a host of other niggles we’ve been prevented from addressing up until now. I know this has been a source of intense frustration, and we’re very sorry it has taken so long.

Jon
June 5, 2016 at 1.27 am

2SA (two step) or 2FA (two factor) authentication is a must. In fact I am surprised it has taken Xero so long to implement. That said, the current option of using Google Authenticator isn’t perfect, but speaks to Xero’s increasing focus on its partnership with Google. There is always a trade-off between security and convenience.

I would like to see 2FA made machine specific and enforceable across the whole organisation, or at least across Admin class of user account. If made machine dependent then after the first 2FA login on the device, usability and convenience would not be compromised.

Paul Macpherson in reply to Jon Xero
June 8, 2016 at 9.02 am

@Jon –

Xero’s 2SA does provide the option for you to make it device dependent. Simply select the ‘Remember me for 30 days’ option and you will not be required to enter your 2SA authentication code on that device again for 30 days.

Allowing a Subscriber to enforce Two-Step Authentication for all users in their organisation is on our 2SA enhancement road map.

Jeremy Bevan in reply to Paul Macpherson
October 18, 2016 at 7.31 pm

I have 2SA set up on my iMac and MacBook. On the former Xero will remember me for 30 days, however this is not working on my MacBook, I have to enter an authentication code every time. This is a pain, is there some weird setting I can change to enable this?

Jeremy Bevan
October 18, 2016 at 7.34 pm

Further to my last post – this is only an issue with Safari, remembering for 30 days works fine with Firefox.

Paul Macpherson
October 20, 2016 at 8.16 am

@Jeremy –
Can you please raise a support request with our Customer Experience team (support@xero.com) and provide further details of the issue and the browser versions you are using.
Thanks.

Sanjeev Gupta
December 22, 2016 at 10.51 pm

Hi all,

Wonder if someone can help. Love 2FA but have just lost access to my authenticator following an update. Now cannot log into Xero.

Any way around this?

Regards
Sanj

Paul Macpherson in reply to Sanjeev Gupta Xero
December 23, 2016 at 8.52 am

@Sanj –

If your authenticator app is unavailable and you can’t generate the code, you can use your security questions and answers to log in. When you get to the window that asks you to ‘Enter your authentication code’, just click on the ‘I can’t use my authentication app’ link and answer the security questions.

If you need more information please refer to our 2SA Help pages – https://help.xero.com/nz/MyXero_Two-Step_About

Linda Mottram
January 20, 2017 at 11.54 am

Hi what happens if the app doesn’t remember your e-mail address and you can’t remember your secret questions is there any way I can reset it?

Paul Macpherson Xero
January 20, 2017 at 12.11 pm

@Linda –

If you can’t use your authentication code or answer your security questions to login to your Xero account with 2SA, you can contact Xero Customer Experience (support@xero.com) to have them disable 2SA for you.

If you need more information please refer to our 2SA Troubleshooting page – https://help.xero.com/nz/MyXero_Two-Step_Troubleshoot

Ray
April 22, 2017 at 7.38 am

Hi, any update in enforcing company wide 2SA?

Thanks

Anita
March 27, 2018 at 5.36 pm

The two step is not worth the time it took to write the app. I am a bookkeeper that works on lots of different clients books. I cannot and will not keep login with this app. If you get busy and Xero times out you have to go through the whole drama over and over and over again. Not to mention the endless waste of time with Apple app store problems. I will move my clients off Xero.

Paul Macpherson in reply to Anita Xero
March 29, 2018 at 9.39 am

Hi Anita,

Sorry to hear you’re having trouble with 2SA. But I can tell you that it’s a very effective control for preventing unauthorised access to your Xero account. That’s why the Australian Tax Office (ATO) has made it mandatory for all accountants and bookkeepers that use software, like Xero, to interact with the ATO’s online services. You can read more about that here – https://www.xero.com/blog/2017/11/getting-australian-practice-ready-2sa/

Are you using the “Remember me for 30 days” option? This will treat the device you use to login to Xero as a trusted device, meaning you only need to provide the authentication code once every 30 days if you use the same computer and browser. You can find out more about this option here – https://help.xero.com/nz/Xero_LogIn_TwoStepAuth

Regards,
Paul

mark fernie
September 27, 2018 at 7.51 pm

I agree Anita, Two step security is ridiculous. We are long term users of Xero and we are planning to dump it like you with this unwanted security feature.

Rose Goodwin
August 14, 2018 at 3.50 pm

Woke up today to see Xero requires 2SA. Happily set this up with my smart phone.

I have a client who does not have a smart phone, in fact she doesn’t even have a mobile phone. I realise this can be bypassed as she can answer security questions but how can she set it up with no phone, period! TIA.

Paul Macpherson in reply to Rose Goodwin Xero
August 15, 2018 at 9.27 am

Hi Rose,

We recommend having the authenticator app on a separate device to the one you use to login to Xero, but if that’s not possible there are a couple of options for installing the authenticator app on your desktop. Authy have a desktop authenticator app for Windows and MacOS devices, which you can download here. If you’re using Windows then you also have the option of using WinAuth, which you can find here.

Regards,
Paul

Glenn
August 15, 2018 at 12.31 pm

Absolute joke, all I keep getting is “invalid code”. After trying for god knows how long I finally got into my account but now I can’t get into the settings to set this ridiculous process up.
At this rate I’ll be cancelling my subscription and finding another way to do my bookkeeping.

BTW I should be out earning money so who should I send the Invoice to for the last hour and a half of wasting my time?

Paul Macpherson in reply to Glenn Xero
August 21, 2018 at 8.55 am

Hi Glenn,
These added security measures have been mandated by the Australian Tax Office (ATO) as part of its Operational Framework. Among its requirements, digital software providers such as Xero must implement mandatory 2SA across our entire platform before the end of the year.
You may be getting the “invalid code” error because the time on your authenticator device is out of step with Xero’s time. The authenticator app codes are time based so if there’s too much of a time difference the codes won’t match. This can happen if the time on your device is set manually.

Regards,
Paul

Andrew Elder in reply to Paul Macpherson
October 21, 2018 at 2.47 am

I am having the same problem – and I am logging in within the required time. Luckily I am on a free trial and will not proceed to paid accounts until I can get Xero to recognise Authy-generated codes.

Owen
August 16, 2018 at 4.41 pm

What if you do not have a smart phone? I know for some it is hard to believe but not everyone has a smart phone.

What if you need access to xero but do not have a work phone? I can’t see how some businesses would allow an app for company accounts on a private phone.

Regards

Owen

Paul Macpherson in reply to Owen Xero
August 17, 2018 at 9.43 am

Hi Owen,
It’s preferable to have the authenticator app on a separate device to the one you use to log into Xero. But if you don’t have a smartphone or tablet available, there are a couple of options for installing the authenticator app on your desktop. Authy have a desktop authenticator app for Windows and MacOS devices, which you can download here. If you’re using Windows then you also have the option of using WinAuth, which you can find here.
From a security perspective, there’s no reason why you shouldn’t install the authenticator app on a personal smartphone. The app doesn’t have an ongoing connection to your Xero account after you’ve scanned the QR code to set it up, and it doesn’t require any connection to generate the authentication code as it’s time based. The key consideration is that it’s your phone and only you have access to it to get the authentication code for your Xero account.
Regards,
Paul

Kevin Tan
August 27, 2018 at 12.39 pm

Love Xero but mobile app needs improving. Please fix the mobile app to use fingerprint scan or other biometric authentication. I cannot log in currently. Need better UX. Thanks.

Grant Fraser
September 4, 2018 at 11.51 am

Hi
Since I must set it up (and seemingly can only then disable it!)
Where is the simple SMS texting option for your 2FA please?
(You know, send me an SMS & I enter the code I see – easily proves I am who I am & as used by pretty much all the banks as it’s simple & accessible….)
Thanks in advance.

Paul Macpherson in reply to Grant Fraser Xero
September 10, 2018 at 4.34 pm

Hi Grant,

We do not provide authentication codes via text (SMS) as this method has known security vulnerabilities. Authentication codes sent via SMS are vulnerable to interception using methods such as phone number porting and SIM swaps.

Regards,
Paul

Karin
September 14, 2018 at 1.08 am

How does this work if 2-3 people in different states use the same Xero account & log in details. We are having to call the main user to get the code and within 30 seconds have it entered before trying again. Can more than one person be set up or is it best to use this ‘remember me for 30 days’ option? Thx

Erin Smith in reply to Karin Xero
September 17, 2018 at 1.42 pm

Hi Karin, 2SA isn’t designed to work for people sharing Xero account login details and passwords. This can present a security risk and is something we actively discourage. Everyone logging into Xero should do so with their own user account and a password known only to them, and have an authenticator app for their 2SA installed on their own device. You can invite as many users as you need into your Xero organisation at no additional cost.

Roy Kowarski
September 19, 2018 at 8.36 am

I tried to install Authenticator without any success.
All the articles tell you how it works
There is NO information or advice for if it doesnt work
Thus, not a good experience for me

Erin Smith in reply to Roy Kowarski Xero
September 19, 2018 at 1.22 pm

Hi Roy. Thanks for reaching out. If you have any issues installing the authenticator app, you can contact our team at support@xero.com. They will be on hand to walk you through the process.
