Data security is an industry-wide issue and it is our number one priority. Phishing scams that attempt to steal account names and passwords are an ongoing issue for all online and financial services, so it’s vital that businesses everywhere who use these services ensure they have strong security practices and keep their information secure. Security is an issue that everyone needs to take seriously.
On the back of recent security updates, today we released Two-Step Authentication for all Xero customers, providing an additional layer of security for all Xero user accounts. Two-Step Authentication can help keep your Xero account from being compromised by phishing and malware.
Two-Step Authentication verifies the identity of a customer logging into the Xero dashboard by requiring them to use their existing password and a second, unique code randomly generated by the Google Authenticator app on their smartphone, each time they log in. Based on security best practice, Two-Step Authentication means only the Xero user with access to that trusted device will be able to log in, making it more difficult for unauthorised people to access their data.
How does Two-Step Authentication work?
When you have Two-Step Authentication enabled, you need to use a second method to log in to Xero. In addition to your standard Xero username and password, you also have to enter a six-digit code provided by a separate app on your smartphone, Google Authenticator.
If you don’t have your mobile device available when you need to log in to Xero, you will be able to fall back to answering questions you set up when you enabled Two-Step Authentication in order to gain access to Xero. The fallback questions should only be used when necessary and not as a regular alternative to the authenticator app.
Watch the video below to see how to set up and use Two-Step Authentication.
In addition, Xero’s Two-Step Authentication will have trusted device recognition. You’ll be able to select “Remember me for 30 days” as an optional setting. If you select “Remember me for 30 days” you won’t need to perform the second authentication step on that device for 30 days.
For this initial release, individual users have the option of enabling Two-Step Authentication when they log in to Xero. From within the Users Settings page, a Subscriber, or a user with Manage Users access, can see which users of their organisation have enabled Two-Step Authentication. Depending on the uptake of the feature, and the feedback we receive, we may look into making this an organisation-level setting enforceable by the Subscriber.
To find out more about Two-Step Authentication, please review our Help Center.
Security is a constantly-evolving issue for the tech industry and we strongly encourage all Xero users – and technology users in general – to remain vigilant about the online solutions they use. If you have any questions about this area, please check our Security Page.