
Getting your practice ready for 2SA

Posted 4 years ago in Advisors by Beeny Atherton

It has never been more important for your practice to prioritise online security and safety, and to ensure everyone in the organisation follows best practice guidelines. This is no longer a ‘nice to have’; it is a basic necessity of running a business.

If there is one lesson from the recent high-profile cases of data theft at the likes of Sony, Microsoft and Yahoo, and from the many phishing scams, invoice scams and account compromises, it is that businesses need to take practical steps to minimise the risk of being hacked. Typically the reasons businesses have been hacked come down to poor security practices, such as shared logins or common passwords.

Statistics from online security software vendor Norton show that cybercrime costs Australians more than $1.2 billion a year. More than 3.7 million people in Australia have been victims of online crime, and Norton says that the country ranks as the eighth most impacted in the world by ransomware. Australia’s national CERT has also reported that 7,283 cyber-security incidents affected major Australian businesses in the 2016-2017 financial year, with 284 of these incidents involving systems of national interest and critical infrastructure.

Adding an extra lock on the door

Keeping your clients’ and your own sensitive data secure is critical. However, it is difficult to ensure that every single member of your team is following appropriate security procedures (such as not sharing logins or common passwords). To help your practice maintain these secure practices, Xero is extending the use of Xero login to Xero Practice Manager and Xero Tax.

Additionally, we’ll soon make two-step authentication (2SA) mandatory across our partner products (including Xero HQ) for all Australian practices and accountants and bookkeepers with access to Australian Xero organisations (regardless of their location).


Two-step authentication adds another layer of security for practices, and we encourage our accounting, bookkeeping and small business customers to use two-step or multi-factor authentication (2SA/MFA) wherever it is available. This is particularly important for your email account, which is usually the route by which hackers reset your passwords for other sites. Two-step authentication requires a username and password plus a second, unique code generated on a second device, making it more difficult for unauthorised people to access your data. While there are no guarantees in security, Xero has never had an account compromise reported for a user with 2SA enabled.

ATO requirements

The Australian Tax Office (ATO) is introducing a new operational framework for software developers and for accountants and bookkeepers who use software to interact with the ATO. This new framework requires accountants and bookkeepers to use multi-factor authentication when they log in. This means any staff member working with Australian taxpayer information needs to have 2SA implemented in Xero by March 2018 to comply. From March, if you don’t have 2SA, you won’t be able to access Xero Practice Manager, Xero Tax or Xero HQ.

You can start to get your practice ready for 2SA now by ensuring everyone in your practice is using a unique login and not sharing passwords.

We know some practices use shared logins; these will not be supported once 2SA is required. We understand that this will require these practices to amend their subscriptions. If you need assistance to amend your subscription, please contact: support@xero.com.

Xero takes security seriously, and it is important that we continuously implement world-class security standards and monitoring and detection services. Our customers hold sensitive and personal data on behalf of their clients, and keeping everyone’s data secure is a top priority. Therefore we fully support the ATO’s requirement for 2SA on software that interacts with its tax system. It is the right thing to do to help protect client data.


Cassandra Scott
November 29, 2017 at 5.53 pm

Great initiative – looking forward to it.

Is there any way currently, via XeroHQ to see which staff have 2FA already in place? We can see it in Green Xero, but HQ would be great too.

Paul Macpherson in reply to Cassandra Scott
November 30, 2017 at 4.02 pm

Hi Cassandra,

If you have the Administrator or Master Administrator role you can navigate to the Staff tab where you’ll see the list of all users invited into your practice. The users with 2SA enabled will have a small padlock displayed under their name, to the left of their role type. If you hover your mouse over the padlock you’ll see the message “Two-step authentication active”.

Paul Macpherson

Rory Byrne
December 7, 2017 at 7.02 pm

This is a big step forward on the security front.

I do have a question regarding offshore/outsourcing teams which, for additional security reasons, are unable to use their phones while working in the office.

How do they go through 2SA if the policy is that staff are unable to use their phones while working?

Interesting to see how Xero approach this issue.

Paul Macpherson in reply to Rory Byrne
December 8, 2017 at 10.04 am

Hi Rory,

Very good question.

It’s preferable to have the authenticator app on a separate device to the one you’re logging in on, but you can download the WinAuth app to use Google Authenticator on your Windows desktop.

Also worth noting is that our 2SA has a “Remember me for 30 days” option. If you select that option, you only need to enter the code from your authenticator app once every 30 days, so long as you are logging in to Xero from the same device. If you log in from multiple devices you can “Remember me for 30 days” on each of them, so you only need to enter the code once on each device every 30 days.


December 15, 2017 at 6.06 pm

Is the ATO Operational Framework being implemented in March 2018 or is this just when Xero is making 2SA mandatory, if not, when is the ATO implementing this?

Paul Macpherson in reply to Ash
December 18, 2017 at 10.51 am

Hi Ash,

The ATO’s Operational Framework for Digital Service Providers requires Xero to implement 2SA by 31 March 2018.


January 16, 2018 at 3.30 pm

Are there plans to update administrator functionality to solve the current debacle that occurs when 2FA needs to be reset?
ie staff member upgrades phone/old phone breaks and loses access to old authenticator codes, or where staff member leaves the practice but still has direct invited clients attached to their login (ie on a firm email address).

We’ve had major dramas getting 2FA reset – longest took about a week for an admin which is ridiculous.

Paul Macpherson in reply to Liam
January 17, 2018 at 11.53 am

Hi Liam,

We have work progressing now to improve 2SA, to help address the issue of people not having access to their authenticator app and having forgotten the answers to their security questions. I appreciate that it does take time to get 2SA disabled on a user account, but we have to be sure that the person requesting the reset does in fact own the user account. We have to be sure that the request is not an attempt to gain unauthorised access to a Xero user’s account by socially engineering our support staff to disable 2SA.

If you have an ex staff member that still has direct access to clients using your firm’s email address, you can raise a case with our customer support team to remove their access.


Ari Oliver
January 16, 2018 at 3.37 pm

Really not fussed on using the Google Authenticator app…
We’re Microsoft based and have switched to 2SA on Office 365 and have the option to receive a text message which has made the transition much more bearable across our staff.

Paul Macpherson in reply to Ari Oliver
January 17, 2018 at 9.55 am

Hi Ari,

You don’t have to use the Google Authenticator app. It uses an industry standard TOTP algorithm so there are other apps that you can use instead, such as Authy or FreeOTP.


Meg Bosnjak
January 16, 2018 at 5.20 pm


For files that we are invited into as Advisors, will the 2SA apply – ie will the owner of the file have to initiate the set up and by the very nature of using our own login, we will also be prompted?

Meg Bosnjak

Paul Macpherson in reply to Meg Bosnjak
January 17, 2018 at 10.07 am

Hi Meg,

2SA is enabled at the user account level. Once enabled for your account, it’s active for all of your access to Xero services. The owner(s) of the Xero organisation(s) that you’re invited into will be able to see that you have 2SA enabled, but they don’t need to do anything to set it up and are unable to change it.

Remember to select the “Remember me for 30 days” option as this will make it easier to log in to Xero with 2SA enabled. You’ll only need to enter the code from your authenticator app once every 30 days, so long as you’re logging in to Xero from the same device.


Trish Mathisen
January 16, 2018 at 7.40 pm

Will it be possible for businesses who use applications such as “onelogin” or “PracticeProtect” to not require the 2FA when logging into Xero or XPM? These applications have already required the user to use 2FA to access all their apps. Will it be necessary to still add an authentication code to Xero and XPM when they are in the secured console?

Paul Macpherson in reply to Trish Mathisen
January 17, 2018 at 10.30 am

Hi Trish,

Xero doesn’t currently offer federated authentication so you will need to provide your 2SA code when logging into Xero or XPM.


Leighton Raphael in reply to Paul Macpherson
January 23, 2018 at 1.48 pm

Hi Paul, We recently subscribed to Practice Protect. Our staff have been able to get 2SA for Xero, but when going into XPM, they cannot get past the login page. Practice Protect are aware of it – apparently they have been flooded with enquiries as to what to do. I am currently waiting on a call back, but for now WE ARE STUCK. I really think Xero should give a solution on what we are required to do, as this is causing lots of bad vibes around our office.

Paul Macpherson in reply to Leighton Raphael
January 29, 2018 at 11.57 am

Hi Leighton,

Can you please raise a case with Xero support and provide the full details of the issue you’re experiencing so we can investigate.


Teresa Sheehan
January 17, 2018 at 12.30 pm

Good morning, I activated 2 step authentication just before Christmas after the online video course Xero ran. As instructed I downloaded the app Google Authenticator and changed my login process. It all worked fine... until I left for a trip to Japan for two weeks... this 2 step authenticator would not work and it kept saying the numbers I entered did not match... as a result I had automatic invoice reminders on and I was unable to match any payments on the dashboard, and clients who paid were sent reminders about invoices that had been paid. I am worried to do this again as it was very embarrassing and I had to spend time answering emails to clients asking why they were still getting reminders when the bill had been paid. Perhaps you can point me toward a step by step process to get this installed again, and perhaps provide another authenticator program that will recognize my codes whether I am here in Australia or travelling overseas.
Thank you

Paul Macpherson in reply to Teresa Sheehan
January 17, 2018 at 4.44 pm

Hi Teresa,

Sorry to hear that you experienced issues with 2SA.
It’s possible that this is due to a timing discrepancy as the algorithm that generates the 2SA code is time based – Time-based One Time Password (TOTP). Each authentication code is only valid for a set period of time. If you manually changed the time on your phone when you went to Japan, it’s possible that it was too far out of sync with Xero for the authentication codes to be valid. Changing your phone settings to use the system-provided time should fix this. Using a different authenticator app isn’t likely to help as they all use the same TOTP algorithm.
If your authentication codes don’t work you can log in to Xero using your security questions and answers.
If you’re still having trouble with 2SA, please raise a case with our customer support team.


January 17, 2018 at 5.41 pm

Hi Paul,

If we have invited employees to My Payroll would it be necessary for all of them to get 2SA?

Paul Macpherson in reply to Wendy
January 30, 2018 at 4.06 pm

Hi Wendy,

If your employees only have access to My Payroll, and are not staff within your Xero practice instance, they are not required to enable 2SA.

However, I always recommend that anyone logging into Xero should enable 2SA for their account to reduce the risk of account compromise.


Doriana Mangili
February 2, 2018 at 8.09 pm

What is the solution for workplaces where there is no mobile phone signal? I use Xero on my laptop and two desktop computers. I have mobile signal in most places, but in one workplace there is no mobile signal and we receive internet via satellite. Will we be able to use a desktop app and a phone app, depending on where we are working and which device we are using? Currently for banking we use a two step 2SA process utilising a toggle provided by the bank. Is that an option for xero in cases where there is no mobile phone service (much of regional and remote Australia)?

Paul Macpherson in reply to Doriana Mangili
February 7, 2018 at 9.11 am

Hi Doriana,

Once you have the authenticator app installed and set up on your mobile device, you don’t need a mobile connection for it to work. The authentication code produced by the app is time based, so there’s no reliance on a network connection to generate the code.


Steve Humphreys
February 25, 2018 at 5.01 pm

Do clients have to set up 2 step authentication, and if so what is the deadline for this?
Regards Steve

Paul Macpherson in reply to Steve Humphreys
February 28, 2018 at 2.59 pm

Hi Steve,

Any staff member of an Australian accounting or bookkeeping practice that logs into Xero Practice Manager, Xero Tax or Xero HQ will be required to use 2SA.
Clients of a practice who log in to the Xero Practice Manager customer portal will also be required to enable 2SA.


Colleen Stromei
March 6, 2018 at 2.39 pm

Is Xero planning to change the alternate method for 2SA so that responses to security questions are masked? I had instances where I’ve had to use the security questions in front of others and my responses are clearly visible to everyone.

Paul Macpherson in reply to Colleen Stromei
March 14, 2018 at 8.39 am

Hi Colleen,

We’re currently working on improvements to 2SA that will address this issue.


Carolyn Gasmier
April 4, 2018 at 4.22 pm

Hi Paul,

We are a small NFP organisation, with our Tax stuff handled by our accountants. Is 2SA mandatory for us as well? Or can we continue as we have?

Paul Macpherson in reply to Carolyn Gasmier
April 5, 2018 at 1.25 pm

Hi Carolyn,

2SA is mandatory for any staff member of an Australian accounting or bookkeeping practice that logs into Xero Practice Manager, Xero Tax or Xero HQ.
As an NFP I expect you’re using our Xero Business edition product, so you are not required to have 2SA enabled for your user account. That said, I highly recommend you do enable 2SA for your Xero account as it significantly reduces the risk of unauthorised access through phishing or malware. I also recommend using 2FA/MFA/2SV to better protect your email account, as your email address is typically used to reset passwords for other online services.


April 6, 2018 at 2.14 pm

Yep – doesn’t work. Xero claims the 6-digit code I entered is incorrect – maybe you could send someone out to have a look at my telephone screen and they can tell me which numbers are wrong. Am I supposed to be entering it backwards or reading it upside down or something?

Also, how about we set up our own security questions? Anyone who knows me would know the answer to many of the questions and most of the others I don’t even know the answer to. Those that are left nearly all have the same answer but apparently it’s forbidden to have the same answer – I’m a victim for living on the same road as my friend which is also the same road I lived on when I was 10 and which I also lived on when I was at high school (or something equally inane)

Paul Macpherson in reply to Brad
April 6, 2018 at 3.30 pm

Hi Brad,

It’s possible that this is due to a timing discrepancy as the algorithm that generates the 2SA code is time based – Time-based One Time Password (TOTP). Each authentication code is only valid for a set period of time. Is your phone using the system-provided time? If you’re still having trouble with 2SA, please raise a case with our customer support team.

If you use password manager software you can use this to generate and store answers to your security questions, and not have to remember them. So long as you always provide the same answer that you set the question up with, the answer doesn’t have to be true.
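
The clock-skew failure mode Paul describes in his replies to Teresa and Brad (and the offline generation he describes to Doriana), as an added example that is not Xero's code and not part of the original thread: a minimal RFC 6238 TOTP generator plus a verifier that tolerates one window of drift, showing that a few seconds of skew is harmless while a manually set phone clock an hour out produces codes the server can never match. The secret, the timestamps and the 30-second step are constructed or assumed values (30 s is the RFC 6238 default used by Google Authenticator; the page does not state Xero's own parameters).

```python
import base64
import hashlib
import hmac
import struct

STEP_SECONDS = 30  # assumed: RFC 6238 default step, as used by Google Authenticator
DIGITS = 6
# Constructed demo secret (Base32, the form an authenticator app reads from a QR code)
DEMO_SECRET_B32 = "JBSWY3DPEHPK3PXP"


def totp(secret_b32: str, unix_time: int) -> str:
    """RFC 6238 TOTP (HMAC-SHA1) for the 30 s window containing unix_time."""
    key = base64.b32decode(secret_b32, casefold=True)
    counter = unix_time // STEP_SECONDS  # HOTP counter = number of elapsed time steps
    digest = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F  # dynamic truncation, RFC 4226 section 5.3
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** DIGITS).zfill(DIGITS)


def verify(secret_b32: str, code: str, server_time: int, skew_windows: int = 1) -> bool:
    """Server-side check: accept the code for the current window or the
    neighbouring windows, so ordinary clock drift of a few seconds passes.
    A phone set an hour wrong is far outside this tolerance and is rejected."""
    if not (code.isdigit() and len(code) == DIGITS):
        return False
    for w in range(-skew_windows, skew_windows + 1):
        candidate = totp(secret_b32, server_time + w * STEP_SECONDS)
        if hmac.compare_digest(candidate, code):  # constant-time comparison
            return True
    return False


def skew_demo(secret_b32: str, server_time: int, phone_offset_seconds: int) -> bool:
    """Model a phone whose clock differs from the server by phone_offset_seconds.
    The phone needs no network to compute its code; only its clock matters."""
    phone_code = totp(secret_b32, server_time + phone_offset_seconds)
    return verify(secret_b32, phone_code, server_time)


if __name__ == "__main__":
    now = 1_514_764_800  # constructed server time: 2018-01-01T00:00:00Z
    print("phone in sync        :", skew_demo(DEMO_SECRET_B32, now, 0))
    print("phone 45 s fast      :", skew_demo(DEMO_SECRET_B32, now, 45))
    print("phone 1 hour fast    :", skew_demo(DEMO_SECRET_B32, now, 3600))
```

Switching the phone back to network-provided time removes the offset, which is why a different authenticator app would not have helped: every app computes the same function of the same clock.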


Catherine Kendray in reply to Paul Macpherson
August 14, 2018 at 7.01 pm

I agree with Brad regarding the questions. You say they don’t have to be true, but will we need to remember the answers in the future?
I understand security is the issue here but better questions would have made this process easier.

Paul Macpherson in reply to Catherine Kendray
August 15, 2018 at 8.43 am

Hi Catherine,

We realise that the security questions can be challenging so we’ve just added another recovery option for 2SA. You can now set up an alternative email address that you can use to get access to your Xero account if you don’t have access to your authenticator app or the answers to your security questions. You can find out how to set this up here.

