Data security is an industry-wide issue and it is our number one priority. Phishing scams that attempt to steal account names and passwords are an ongoing issue for all online and financial services, so it’s vital that businesses everywhere that use these services ensure they have strong security practices and keep their information secure. Security is an issue that everyone needs to take seriously.
On the back of recent security updates, today we released Two-Step Authentication for all Xero customers, providing an additional layer of security for all Xero user accounts. Two-step authentication can help keep your Xero account from being compromised by phishing and malware.
Two-Step Authentication verifies the identity of a customer logging into the Xero dashboard by requiring them to use their existing password and a second, unique code randomly generated by the Google Authenticator app on their smartphone, each time they log in. Based on security best practice, Two-Step Authentication means only the Xero user with access to that trusted device will be able to log in, making it more difficult for unauthorised people to access their data.
How does Two-Step Authentication work?
When you have Two-Step Authentication enabled you need to complete a second step to log in to Xero. In addition to your standard Xero username and password, you also have to enter a six-digit code generated by a separate app on your smartphone, Google Authenticator.
If you don’t have your mobile device available when you need to log in to Xero, you can fall back to answering the questions you set up when you enabled Two-Step Authentication in order to gain access to Xero. The fallback questions should only be used when necessary, not as a regular alternative to the authenticator app.
Watch the video below to see how to set up and use Two-Step Authentication.
In addition, Xero’s Two-Step Authentication includes trusted device recognition. You can select “Remember me for 30 days” as an optional setting. If you select “Remember me for 30 days” you won’t need to perform the second authentication step on that device for 30 days.
For this initial release, individual users have the option to enable Two-Step Authentication when they log in to Xero. From the Users Settings page, a Subscriber, or a user with Manage Users access, can see which users in their organisation have enabled Two-Step Authentication. Depending on the uptake of the feature, and the feedback we receive, we may look into making this an organisation-level setting enforceable by the Subscriber.
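The “Remember me for 30 days” option above is a trusted-device token: after a successful second step, the server hands the browser a signed, expiring record bound to that user and device, and skips the second step while the record is valid. The following is an added illustration of that design, written for this page; it is not Xero’s implementation, and the signing key, the JSON layout of the token and the revocation set are assumptions of the example. The revocation check shows one way to "untrust" a device that has been lost, which the product described here does not yet offer.

```python
import base64
import binascii
import hashlib
import hmac
import json

TRUST_TTL_SECONDS = 30 * 24 * 60 * 60  # "Remember me for 30 days"

# Server-side signing key. Constructed placeholder for this example only;
# a real deployment keeps this in a secrets store and rotates it.
SERVER_KEY = b"example-only-server-signing-key"


def _sign(payload: bytes) -> str:
    """HMAC-SHA256 over the raw payload so the client cannot alter the claims."""
    return hmac.new(SERVER_KEY, payload, hashlib.sha256).hexdigest()


def issue_device_token(user_id: str, device_id: str, now: int,
                       ttl: int = TRUST_TTL_SECONDS) -> str:
    """Issue a trusted-device token right after the second step succeeds.
    The token binds the user, the device and an absolute expiry time."""
    payload = json.dumps({"user": user_id, "device": device_id, "exp": now + ttl},
                         sort_keys=True, separators=(",", ":")).encode()
    body = base64.urlsafe_b64encode(payload).decode().rstrip("=")
    return f"{body}.{_sign(payload)}"


def verify_device_token(token: str, user_id: str, device_id: str, now: int,
                        revoked=frozenset()) -> bool:
    """Decide whether the second step may be skipped for this login.
    Returns False on a malformed token, bad signature, wrong user or device,
    expiry, or when the (user, device) pair has been revoked server-side."""
    try:
        body, sig = token.split(".", 1)
        payload = base64.urlsafe_b64decode(body + "=" * (-len(body) % 4))
    except (ValueError, binascii.Error):
        return False
    # Constant-time comparison of the signature before trusting any claim.
    if not hmac.compare_digest(_sign(payload), sig):
        return False
    claims = json.loads(payload)
    if claims.get("user") != user_id or claims.get("device") != device_id:
        return False
    if now >= claims.get("exp", 0):
        return False
    # Revocation list lets support (or the user) drop a lost device early.
    return (user_id, device_id) not in revoked


if __name__ == "__main__":
    issued_at = 1_000_000
    tok = issue_device_token("alice", "macbook-safari", issued_at)
    print(verify_device_token(tok, "alice", "macbook-safari", issued_at + 29 * 86400))  # True
    print(verify_device_token(tok, "alice", "macbook-safari", issued_at + 31 * 86400))  # False
```

Because the expiry lives inside the signed payload, the browser cannot stretch the 30 days, and because the device identifier is part of the claims, copying the token to another machine does not skip the second step there.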
To find out more about Two-Step Authentication, please review our Help Center.
Security is a constantly evolving issue for the tech industry and we strongly encourage all Xero users – and technology users in general – to remain vigilant about the online solutions they use. If you have any questions about this area, please check our Security Page.
I am a big fan of two step authentication but I just wondered how it will work in conjunction with third party API integrations that have exchanged my username and password for a token. Will that token expire after 30 days or will it survive?
@David – short answer, it will survive.
The background is as follows:
1. As a user authenticating a 3rd party application to access your Xero data, if you have enabled two step authentication, then these features will apply if you need to log in to authenticate the application.
2. Once connected, 3rd party applications that are certified Xero add-on partners use the Xero partner API which has the following security features:
i) 30-minute access tokens that need to be refreshed for further access
ii) RSA request signing using a public/private keypair on all requests
iii) Xero supplied client SSL cert is required to communicate to our partner API
So the API itself has a separate but quite robust security model.
Hope that helps!
If you’ve ticked ‘Remember me for 30 days’ on a device, and you lose that device, can you go in and ‘untrust’ or remove that device?
@Sonia –
We don’t yet have the function available to ‘un-trust’ or remove a device that you’ve ticked ‘Remember me for 30 days’ on. Until we make that function available you’ll need to contact support@xero.com to remove the device for you.
Absolutely want to be able to enforce organisation-wide 2-factor. We already use it for lots of other things. Please turn it on immediately.
@Andrew –
Allowing a Subscriber to enforce Two-Step Authentication for all users in their organisation is on our 2SA enhancement road map. But it’s not just a matter of turning it on as there is significant development required to enable this feature.
I recommend you join this conversation on Xero’s Community site for updates on this feature.
Will the iPhone app be updated to cater for it as well?
+1 for two-step support on mobile app
Same question as Bill. iPhone app login no longer works with 2 step authentication in place.
Would also like to see Touch ID implemented on iPhone app.
Love the 2 step authentication for Xero on web, but the mobile app needs to be updated. With 2 step authentication enabled on the web, the mobile app won’t allow login and thus is useless. Surely the mobile app can bypass the 2 step process if the mobile user has enabled Touch ID for login. Is Xero working on a solution?
Just another chime in – Xero very kindly responded to the other concerns above, but the iPhone app issue really needs to be addressed. I’m really unsure what I should be doing right now – turning off two factor so I have a mobile app, or not using the mobile app so I have two factor.
Hi everyone, rounding up all the mobile app questions here. Good news first: As of Wednesday (4th May), the Android app now supports 2SA. Full support for the iOS app is in the works, however there is one small ray of light in the meantime.
Shaun is correct in that if you have Touch ID set up (Matt, we do have it!) or even a PIN, you can still use the mobile app with 2SA turned on. The annoying part is that you have to turn 2SA off in order to set this up, and then back on again afterward. It gets more annoying if you ever cancel a Touch ID login, as this effectively removes Touch ID and requires your credentials again (so you hit the 2SA issue).
We’ve been working on a complete revamp of login for iOS. It’s still in progress, but there shouldn’t be too much longer to wait (anticipating a release in June). This will provide full 2SA support and resolve a host of other niggles we’ve been prevented from addressing up until now. I know this has been a source of intense frustration, and we’re very sorry it has taken so long.
2SA (two step) or 2FA (two factor) authentication is a must. In fact I am surprised it has taken Xero so long to implement. That said, the current option of using Google Authenticator isn’t perfect, but speaks to Xero’s increasing focus on its partnership with Google. There is always a trade-off between security and convenience.
I would like to see 2FA made machine specific and enforceable across the whole organisation, or at least across Admin class of user account. If made machine dependent then after the first 2FA login on the device, usability and convenience would not be compromised.
@Jon –
Xero’s 2SA does provide the option for you to make it device dependent. Simply select the ‘Remember me for 30 days’ option and you will not be required to enter your 2SA authentication code on that device again for 30 days.
Allowing a Subscriber to enforce Two-Step Authentication for all users in their organisation is on our 2SA enhancement road map.
I have 2SA set up on my iMac and MacBook. On the former Xero will remember me for 30 days, however this is not working on my MacBook, I have to enter an authentication code every time. This is a pain, is there some weird setting I can change to enable this?
Further to my last post – this is only an issue with Safari, remembering for 30 days works fine with Firefox.
@Jeremy –
Can you please raise a support request with our Customer Experience team (support@xero.com) and provide further details of the issue and the browser versions you are using.
Thanks.
Hi all,
Wonder if someone can help. Love 2FA but have just lost access to my authenticator following an update. Now cannot log into Xero.
Any way around this?
Regards
Sanj
@Sanj –
If your authenticator app is unavailable and you can’t generate the code, you can use your security questions and answers to log in. When you get to the window that asks you to ‘Enter your authentication code’, just click on the ‘I can’t use my authentication app’ link and answer the security questions.
If you need more information please refer to our 2SA Help pages – https://help.xero.com/nz/MyXero_Two-Step_About
Hi, what happens if the app doesn’t remember your e-mail address and you can’t remember your secret questions? Is there any way I can reset it?
@Linda –
If you can’t use your authentication code or answer your security questions to log in to your Xero account with 2SA, you can contact Xero Customer Experience (support@xero.com) to have them disable 2SA for you.
If you need more information please refer to our 2SA Troubleshooting page – https://help.xero.com/nz/MyXero_Two-Step_Troubleshoot
Hi, any update in enforcing company wide 2SA?
Thanks
The two step is not worth the time it took to write the app. I am a bookkeeper that works on lots of different clients’ books. I cannot and will not keep logging in with this app. If you get busy and Xero times out you have to go through the whole drama over and over and over again. Not to mention the endless waste of time with Apple app store problems. I will move my clients off Xero.
Hi Anita,
Sorry to hear you’re having trouble with 2SA. But I can tell you that it’s a very effective control for preventing unauthorised access to your Xero account. That’s why the Australian Tax Office (ATO) has made it mandatory for all accountants and bookkeepers that use software, like Xero, to interact with the ATO’s online services. You can read more about that here – https://www.xero.com/blog/2017/11/getting-australian-practice-ready-2sa/
Are you using the “Remember me for 30 days” option? This will treat the device you use to log in to Xero as a trusted device, meaning you only need to provide the authentication code once every 30 days if you use the same computer and browser. You can find out more about this option here – https://help.xero.com/nz/Xero_LogIn_TwoStepAuth
Regards,
Paul
I agree Anita, Two step security is ridiculous. We are long term users of Xero and we are planning to dump it like you with this unwanted security feature.
Woke up today to see Xero requires 2SA. Happily set this up with my smart phone.
I have a client who does not have a smart phone, in fact she doesn’t even have a mobile phone. I realise this can be bypassed as she can answer security questions but how can she set it up with no phone, period! TIA.
Hi Rose,
We recommend having the authenticator app on a separate device to the one you use to login to Xero, but if that’s not possible there are a couple of options for installing the authenticator app on your desktop. Authy have a desktop authenticator app for Windows and MacOS devices, which you can download here. If you’re using Windows then you also have the option of using WinAuth, which you can find here.
Regards,
Paul
Absolute joke, all I keep getting is “invalid code”. After trying for god knows how long I finally got into my account but now I can’t get into the settings to set this ridiculous process up.
At this rate I’ll be cancelling my subscription and finding another way to do my bookkeeping.
BTW I should be out earning money so who should I send the Invoice to for the last hour and a half of wasting my time?
Hi Glenn,
These added security measures have been mandated by the Australian Tax Office (ATO) as part of its Operational Framework. Among its requirements, digital software providers such as Xero must implement mandatory 2SA across our entire platform before the end of the year.
You may be getting the “invalid code” error because the time on your authenticator device is out of step with Xero’s time. The authenticator app codes are time based so if there’s too much of a time difference the codes won’t match. This can happen if the time on your device is set manually.
Regards,
Paul
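The six-digit codes described in the post, and the “invalid code” symptom Paul explains above, both come from the time-based one-time password scheme (RFC 6238 TOTP over RFC 4226 HOTP) that Google Authenticator and Authy implement: the app and the server each compute an HMAC of the current 30-second time step using a shared secret enrolled from the QR code, so no connection is needed but the two clocks must agree to within the server’s tolerance. The following is an added example written for this page, not Xero’s server code; the acceptance window of one step either side is a common choice and is an assumption here, and the secret is the published RFC test vector rather than anything from a real account.

```python
import base64
import hashlib
import hmac
import struct

# Parameters used by Google Authenticator-style TOTP: HMAC-SHA1, 30-second steps, 6 digits.
STEP_SECONDS = 30
DIGITS = 6

# Reference secret from the RFC 4226 / RFC 6238 test vectors (ASCII "12345678901234567890"),
# base32-encoded as an authenticator app receives it from the enrolment QR code.
RFC_TEST_SEED_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret_b32: str, at_time: int, step: int = STEP_SECONDS) -> str:
    """RFC 6238 TOTP: the HOTP counter is the number of whole time steps since the Unix epoch."""
    secret = base64.b32decode(secret_b32.upper())
    return hotp(secret, at_time // step)


def verify_totp(secret_b32: str, submitted: str, server_time: int,
                step: int = STEP_SECONDS, window: int = 1) -> bool:
    """Server-side check. Accepts the code for the current step and `window` steps either
    side, so a phone clock a few seconds out still works. A clock that is minutes out
    yields a code for a step outside the window, which the user sees as 'invalid code'."""
    secret = base64.b32decode(secret_b32.upper())
    current = server_time // step
    for counter in range(current - window, current + window + 1):
        if counter < 0:
            continue
        # Constant-time comparison so the check does not leak how many digits matched.
        if hmac.compare_digest(hotp(secret, counter), submitted):
            return True
    return False


def code_accepted_with_skew(secret_b32: str, device_time: int, server_time: int) -> bool:
    """Simulate a phone whose clock reads `device_time` submitting its current code
    to a server whose clock reads `server_time`."""
    return verify_totp(secret_b32, totp(secret_b32, device_time), server_time)


if __name__ == "__main__":
    print(totp(RFC_TEST_SEED_B32, 59))                                  # 287082 (RFC vector, 6 digits)
    print(code_accepted_with_skew(RFC_TEST_SEED_B32, 59, 59 + 20))      # True: 20 s of skew is tolerated
    print(code_accepted_with_skew(RFC_TEST_SEED_B32, 59, 59 + 5 * 60))  # False: 5 min of skew is rejected
```

Note that the device needs no network access to produce the code, only a correct clock, which is why the advice to let the phone set its time automatically fixes most “invalid code” reports. Widening `window` increases tolerance but also increases the number of codes an attacker could guess against, so servers keep it small and rate-limit attempts.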
I am having the same problem – and I am logging in within the required time. Luckily I am on a free trial and will not proceed to paid accounts until I can get Xero to recognise Authy-generated codes
What if you do not have a smart phone? I know for some it is hard to believe but not everyone has a smart phone.
What if you need access to xero but do not have a work phone? I can’t see how some businesses would allow an app for company accounts on a private phone.
Regards
Owen
Hi Owen,
It’s preferable to have the authenticator app on a separate device to the one you use to log into Xero. But if you don’t have a smartphone or tablet available, there are a couple of options for installing the authenticator app on your desktop. Authy have a desktop authenticator app for Windows and MacOS devices, which you can download here. If you’re using Windows then you also have the option of using WinAuth, which you can find here.
From a security perspective, there’s no reason why you shouldn’t install the authenticator app on a personal smartphone. The app doesn’t have an ongoing connection to your Xero account after you’ve scanned the QR code to set it up, and it doesn’t require any connection to generate the authentication code as it’s time based. The key consideration is that it’s your phone and only you have access to it to get the authentication code for your Xero account.
Regards,
Paul
Love Xero but mobile app needs improving. Please fix the mobile app to use fingerprint scan or other biometric authentication. I cannot log in currently. Need better UX. Thanks.
Hi
Since I must set it up (and seemingly can only then disable it!)
Where is the simple SMS texting option for your 2FA please?
(You know, send me an SMS & I enter the code I see – easily proves I am who I am & as used by pretty much all the banks as it’s simple & accessible….)
Thanks in advance.
Hi Grant,
We do not provide authentication codes via text (SMS) as this method has known security vulnerabilities. Authentication codes sent via SMS are vulnerable to interception using methods such as phone number porting and SIM swaps.
Regards,
Paul
How does this work if 2-3 people in different states use the same Xero account & log in details. We are having to call the main user to get the code and within 30 seconds have it entered before trying again. Can more than one person be set up or is it best to use this ‘remember me for 30 days’ option? Thx
Hi Karin, 2SA isn’t designed to work for people sharing Xero account login details and passwords. This can present a security risk and is something we actively discourage. Everyone logging into Xero should do so with their own user account and a password known only to them, and have an authenticator app for their 2SA installed on their own device. You can invite as many users as you need into your Xero organisation at no additional cost.
I tried to install Authenticator without any success.
All the articles tell you how it works
There is NO information or advice for if it doesn’t work
Thus, not a good experience for me
Hi Roy. Thanks for reaching out. If you have any issues installing the authenticator app, you can contact our team at support@xero.com. They will be on hand to walk you through the process.
My son owns the business but when I log into Xero I need to call him for the authorization code. I have the Google authorization app on my phone but the code doesn’t work for Xero when I try and log in…
How do I log into Xero and not have to call my son every time for the authorization code?
Hi Ian, can you please raise a case via this link -> http://support.xero.com, with as much information as possible. Our support team will pick this up & get in touch with you directly to help you out. Thanks, ^BA