For many of us, the internet is not just an intrinsic part of our lives, it’s integral to how we do business. It enables businesses to connect to global markets and complete transactions in minutes.
As we take advantage of the opportunities the internet has to offer, online security becomes a priority. For Xero partners and customers, and anyone who operates online, this means being vigilant about keeping sensitive data and information secure from hackers and cybercriminals – just as you’d keep your home or your car safe by locking it.
Statistics from online security software vendor Norton show that 978 million people in 20 countries were affected by cybercrime in 2017. In New Zealand and Australia, one in four small businesses experienced a cyber attack or hacking attempt. It’s an unfortunate fact that the impact of cybercrime is a reality for all businesses. We continually remind all of our customers – small businesses, accountants and bookkeepers – to take precautions to keep their data safe from hackers.
As the head of security at Xero, I see security threats from cyber attacks and hacking almost daily. Our security teams identify patterns of malicious activity and take the appropriate steps to notify users and guide them through safeguarding their accounts. Protecting our platform against cyber attacks is a top priority, and we partner with leading security vendors to ensure our systems are as robust as possible.
However, a system is only as good as the weakest link in the chain. Security needs to be strong on all fronts and it’s important that our small businesses and advisors are committed to protecting themselves and their customers from attacks. As a business, it’s your responsibility to safeguard not only your own information but, more importantly, the sensitive data that your customers and employees have entrusted you with. By keeping informed about cybersecurity and instilling the importance of security practices throughout your business, together we can build a stronger, more secure online community.
Here are some simple, easy-to-implement steps that will help you better protect your information and that of your clients online.
Have strong, unique passwords
I cannot stress the importance of strong passwords enough. Over 80% of breaches occur due to stolen or weak passwords. Always use a strong, unique password for each site you log in to. While this may seem extreme, particularly in an age of multiple logins, different passwords will help prevent a compromise of one login becoming a compromise of many. You can use password manager software to help you use your multiple logins, and to generate strong passwords for you. Password manager software securely stores all of your usernames and passwords, on your desktop or in the cloud, so you just need to remember the password for your password manager. We also advise that you clearly communicate the importance of good password practices to your staff, in particular that sharing passwords and reusing personal passwords (eg, for social media sites) is not acceptable.
Use two-step authentication
2SA or two-step authentication equates to having that extra deadbolt on the door. 2SA works by having two layers of security: first you enter your existing password, then another verification code is generated by an app on your smart device. Having 2SA enabled for your Xero account significantly reduces the risk of account takeover, because stealing your password isn’t enough to get access.
Xero’s 2SA allows you to select a “Remember me for 30 days” checkbox when using a device you’ll repeatedly use to access Xero. With this option enabled, you only have to enter the authentication code from your app on that device once every 30 days.
We’re also making it easier to access Xero if you lose your smart device and don’t have the authentication code. You can specify an alternate email address when you set up 2SA to provide a fallback option if your authenticator app isn’t available. You’ll be able to recover access to your Xero account by having a single use authentication code sent to your alternate email address.
2SA (or 2FA, MFA or 2SV) is also important for your email account, which is generally how you reset the passwords for your online services. A compromised email account can also result in invoice fraud, with invoices sent and received by email being maliciously updated with fraudulent payment account details.
Visit Xero Central for more information about 2SA in Xero.
Update your software
Security threats are changing all the time and new software vulnerabilities are identified every day. Keeping your operating system and applications up to date is your first line of defence. Many attacks, such as last year’s Wannacry ransomware, exploit a known software vulnerability that could have been patched. Set your system preferences to update automatically and delete applications you don’t use.
Having up-to-date anti-malware (anti-virus software) is another simple but effective way to protect yourself. Anti-malware will scan your attachments and downloads as you use them and alert you to any malicious software detected. Make sure your anti-malware is updated regularly so it’s able to detect new viruses, trojans, ransomware, and the like.
Backup your local data
Xero, like most cloud services, ensures your data is backed up and available at all times. But most businesses and individuals have data stored locally on their devices too. It’s important that you also backup this data to make sure it remains available when you need it.
While computer hardware is pretty reliable these days, failures still happen. Then there are malicious acts such as theft and ransomware, and accidents and disasters that can prevent access to your data. You need to store copies of your backups at a different site from the source systems so a local disaster doesn’t destroy the backups along with the original data. Cloud backup services can address this need and make your data available from anywhere with an internet connection.
How often you backup your data will depend on its value and how frequently it changes. Norton’s 2017 SMB Cyber Security Survey found that more than a third of Australian business operators believed they wouldn’t last a week without access to their critical business data.
Security is of the utmost importance for Xero and like every other online business we have to be constantly vigilant about phishing attacks and account takeovers. We’re all responsible for using security procedures and continually investing in online security. As an online community we need to work together to make sure we’re all protecting one another and keeping our data safe from cyber criminals.
For more information visit Xero’s security page, get updates on the latest security issues on Xero’s security noticeboard or forward suspicious, Xero branded emails to phishing@xero.com.
Not enough room on my phone to add another app. With our bank when I do a transfer I get a code txt to me is this possible..
Hi Bronwyn,
We do not provide authentication codes via text (SMS) as this method has known security vulnerabilities.
Regards,
Paul
Why is Xero using a Google app for the 2SA? Does this reduce the security, because you are linking your Xero account to a google app?
Hi Lynette,
Using the Google Authenticator app does not link your Xero account to Google. The Google app uses an industry standard TOTP (Time-based One Time Password) algorithm so there are other apps that you can use instead if you prefer, such as Authy or FreeOTP.
Once the authenticator app is installed and set up on your mobile device, it doesn’t need a mobile or wireless connection to work. Because it’s time based, it doesn’t connect to anything to generate the code.
Regards,
Paul
I don’t see why we need to forced to use 2SA, it should be optional for individuals
Hi Simon,
The decision to make 2SA compulsory has made been for a few reasons, led both by Xero and the Australian Tax Office (ATO).
2SA has been available as an optional feature since 2015. We monitor security threats closely and know that as security capabilities modernise, so do the threats from cyber criminals and hackers. Security measures that once were optional naturally become standardised over time to help keep data secure.
When the ATO finalised its Operational Framework, it supported this approach – and required digital software providers such as Xero to implement mandatory 2SA before the end of the year. Australian Payroll Administrators and Subscribers will be required to have 2SA on their Xero accounts by 11 September 2018.
I hope that background provides some more clarity around the move to 2SA, and the extra security it offers your login.
Regards,
Paul
Any authentication app recommend?
Hi John,
Our 2SA Setup page on Xero Central refers to the Google Authenticator app, but you can also use Authy or FreeOTP.
It’s really up to you as to which app best meets your needs.
Regards,
Paul
I didn’t ask for this hassle and happy with the existing process.
Really wish it would be left how it is (or optional) but i am sure youll not accommodate subscribers like myself.
Hi Todd,
There are two reasons behind the enforcement of 2SA for our customers – firstly our security focus at Xero and, secondly, new mandates from the ATO.
Xero has offered two-step authentication as an optional feature since 2015. Meanwhile, as the business world operates online, cyber attackers and hackers only get more sophisticated. Modern security features such as this offer an important layer of protection for you.
In addition to this, the Australian Tax Office (ATO) finalised its Operational Framework in February 2018. Among its requirements, digital software providers such as Xero must implement mandatory 2SA across our entire platform before the end of the year. Australian Payroll Administrators and Subscribers will be required to have 2SA on their Xero accounts by 11 September 2018.
We are fully supportive of this key security measure becoming mandated, as it significantly reduces the risk of account takeover and unauthorised access to the sensitive financial and personal information our customers store in Xero.
I hope that helps answer your question.
Regards,
Paul
Tried to get google authenticator app, what does account mean and what does Key mean.
Does not want to accept
Hi David,
Have you had a look at our 2SA Setup help page in Xero Central?
Google Authenticator allows you to setup multiple accounts, so you can use the same app to generate codes for different services that support this type of authentication. You can name each account in the authenticator app so you know which code is for which login.
If you’re unable to scan the QR code when setting up 2SA for your Xero account, you can manually enter the Key displayed below the QR code to Google Authenticator.
Regards,
Paul
Hi, I don’t have a work smart phone to do this and the only email address I have for work is the one I am currently using, what do I need to do in this case.
thanks
Bonita
Hi Bonita,
It’s preferable to have the authenticator app on a separate device to the one you’re logging into Xero on, but you can download the WinAuth app to use Google Authenticator on your Windows desktop.
If you have a personal smart phone you could consider installing the authenticator app on that. The app doesn’t have an ongoing connection to your Xero account after you’ve scanned the QR code to set it up, and it doesn’t require any connection to generate the authentication code.
Regards,
Paul
what if i dont want to use a 2 step process?
Hi Jason,
While 2SA has been an optional feature since 2015, Australian Payroll Administrators and Subscribers will be required to have 2SA on their Xero accounts by 11 September 2018 in order to login.
This security measure is being mandated for a few reasons.
One is that Xero believes in best-practice security against modern-day threats. We know 2SA significantly reduces the risk of account takeover and unauthorised access to the sensitive financial and personal information our customers store in Xero.
Secondly, 2SA is being mandated as part of the ATO’s updated Operational Framework. Any digital software provider, like Xero, will need to implement 2SA across their entire platform by the end of the year. We fully support this decision, as we work to keep everyone as safe as can be.
Regards,
Paul
I have two other staff who require access to Xero using my login password. Can I set up the authentication on their module phones in addition to my phone?
Hi Ray,
2SA isn’t intended to be used in this way because we strongly recommend against sharing passwords for your login, for security reasons.
You can invite each staff member into your Xero organisation with their own email address. There’s no cost to adding additional users and this has the advantage of allowing you to see what actions were performed by each person in your Xero organisation.
Regards,
Paul
Mobile phones dont work here. Internet is by satellite and slow. We do not use Xero for payroll and do NOT want this extra hassle.
I tried to speak to one of the experts at your call centre. Their English was so poor they couldnt understand me and vice versa.
What do we do?
Hi Trish,
Xero does not have a call center, we provide support via email to support@xero.com and by raising a request within the application itself. I suspect you may have searched for a Xero telephone support number and found one of several sites saying they offer support for Xero, but which have no association with us. We posted a warning about the latest of these bogus phone support pages on our Security Noticeboard on July 17th.
You only need an Internet connection to download the authenticator app to your mobile phone and setup 2SA for your Xero account. Once 2SA is setup, the authenticator app doesn’t need an Internet connection to work because it’s time based.
Regards,
Paul
Hi Paul,
I have now read the above comments. You refer to an ATO mandate.
Could you tell me where to find this please so that I can read it.
Regards
Trish
Hi Trish,
You can find the ATO’s Operational Framework requirements for Digital Service Providers (e.g. Xero) here – https://softwaredevelopers.ato.gov.au/RequirementsforDSPs
Regards,
Paul
How does this affect the login I need to provide for my Accountant to access Xero for them to do my Tax Return?
Hi Eva,
Your accountant should be invited into your Xero organisation with their own user account (their email address). As an Australian accountant they’ll already have 2SA enabled on their Xero account.
Regards,
Paul
Cool, that makes sense – thanks.
You’re welcome Eva.
Happy to help.
Regards,
Paul
Hi, have lost all my top tabs when I login is there an issue with Xero
I also don’t have room on my phone for another app. do I have to have it?
Hi Monika,
Australian Payroll Administrators and Subscribers will be required to have 2SA enabled on their Xero accounts by 11 September 2018 in order to login.
Xero believes in best-practice security. 2SA significantly reduces the risk of account takeover and unauthorised access to the sensitive financial and personal information our customers store in Xero. 2SA has also been mandated by the Australian Tax Office as part of their Operational Framework.
Regards,
Paul
I was worried this was going to be a huge pain but something worth noting is that when you login and put your security 6 digit code in, you can then save that for 30 days. So you don’t have to do this EVERY time you login, only once a month per device. So it’s not so bad afterall !
Hi Eva,
That’s right. If you select the ‘Remember me for 30 days’ option when you login with 2SA, you won’t need to enter the code from your app for 30 days. So long as you’re using the same computer with the same browser.
If you login to Xero from multiple devices, you can select this option on each of them and only need to enter the code once on each device every 30 days.
Regards,
Paul
Therefore I am required to create a Google account in order to fulfill the 2SA login requirements
Hi Luke,
Using the Google Authenticator app does not require a Google account. The Google app uses an industry standard TOTP (Time-based One Time Password) algorithm to generate the authentication code used for Xero’s 2SA. There are other apps that you can use instead if you prefer, such as Authy or FreeOTP.
Once the authenticator app is installed and set up on your mobile device, it doesn’t need a mobile or wireless connection to work. Because it’s time based, it doesn’t connect to anything to generate the code.
Regards,
Paul
Hi Paul,
If you don’t have a mobile device what is the next solution for this wonderful initiative? When I download the WinAuth as per the Xero directions –
WinAuth for Windows computers (WinAuth website)?, then select Google as the authenticator type
Download the zip file and extract its contents. There is nothing to install and only one file that you can run immediately.
Double-click the WinAuth.exe file.
If you get an error about missing .NET, please make sure you have installed Microsoft’s .NET Framework file from above.
Click the Add button in the main WinAuth window
Choose the type of Authenticator you need. Just choose “Authenticator” if it is not for one of the games or websites listed.
For Authenticator, Google, Microsoft:
Enter a name, for example, the name of service / website / game
(From their website, type or copy/paste the “secret key” or “secret code” into the next field)
Where do we locate this secret key?
Hi Luke,
When you setup 2SA in your Xero account, a QR code is displayed for you to scan with your authenticator app. The secret key is displayed below the QR code so that you can enter this manually to your authenticator app if you’re not able to scan the QR code.
Regards,
Paul
I do not have a smart phone, what can I do?
Terry
Hi Terry,
It’s preferable to have the authenticator app on a separate device from a security perspective. But if you don’t have a smart phone or tablet that you can use, there are a couple of options for installing the authenticator app on your desktop. Authy have a desktop authenticator app for Windows and MacOS devices, which you can download here. If you’re using Windows then you also have the option of using WinAuth, which you can find here.
Regards,
Paul
Hi Paul
I also don’t have a work or personal smart phone that can cancel. I do have an alternative email address, but that would also be accessed on the same computer. Is this a problem? Would there be an issue with using another person’s smart phone within the office for this function?
Regards, Lynda
Hi Lynda,
Having the authenticator app on your smartphone is preferable from a security perspective. But as you don’t have one that you can use, there are a couple of options for installing the authenticator app on your desktop. Authy have a desktop authenticator app for Windows and MacOS devices, which you can download here. If you’re using Windows then you also have the option of using WinAuth, which you can find here.
I don’t recommend having your authentication code generated on another person’s phone, as then you no longer have control of that aspect of your Xero account login. Plus they might not always be around when you need to login to Xero.
Regards,
Paul
I don’t have ‘staff’, so no Payroll data at all. I never use my phone, only my desktop. Do I still have to comply with this. Like a lot of others, not overly happy with being forced into something like this. I use a very advanced password generator, that should be sufficient.
Hi Roz,
Australian Payroll Administrators and Subscribers will be required to have 2SA enabled on their Xero accounts by 11 September 2018 in order to login. This is mandated by the Australian Tax Office as part of their Operational Framework and supported by Xero as good security practice.
Using password manager software with a password generator is also good security practice, as it makes it easier to maintain strong, unique passwords for each online service. But 2SA adds another layer of security that significantly reduces the risk of account takeover and unauthorised access to the sensitive financial and personal information you store in Xero.
We also recommend that businesses use 2SA (or 2FA, MFA or 2SV) to protect their email accounts. Unauthorised access to your email account can be used to reset the passwords for online services, and we often see compromised email accounts used for invoice fraud.
Regards,
Paul
I tried to install without success and as usual with IT companies I can’t find a contact to resolve the matter !
Hi Noel. If you’re having any trouble setting up 2SA, you can check these Xero Central guides: https://central.xero.com/s/article/Set-up-or-disable-two-step-authentication-AU and https://central.xero.com/s/article/Log-in-to-Xero-using-two-step-authentication-AU#Web. which may help. If you’re still experiencing any issues, our support team is always on hand. Just drop a note to support@xero.com.
I don’t have a mobil phone, how can I access XERO
Hi David, from a security perspective, it’s preferable to have the authenticator app on a separate device to the one you login to Xero from. But if you don’t have a smartphone or tablet, there are a couple of options for installing the authenticator app on your desktop. One of the authenticator apps, Authy, has a desktop authenticator app for Windows and MacOS devices. If you’re using Windows, you also have the option of using WinAuth. Hope this helps.
This is a total pain! I don’t have any room on my phone for another compulsory app and don’t want to use an app on my phone for my accounting.
Forcing your paying customers to do this is ridiculous.
Come up with another solution to the security “problem ” that we don’t actually have!
Thanks for your note, Ross. While this mandatory use of 2SA on your account may seem frustrating, it is part of the ATO’s new Operational Framework, which means it applies to customers using digital service providers to interact with the ATO across Australia. You can read more here: https://www.ato.gov.au/general/online-services/online-security/
I am trying to set up 2SA in this police state and Authy desktop demands I add an Authenticator account such as gmail, facebook, dropbox. I don’t have any of these and what am I supposed to do now?
It also says “but you can add accounts by entering the code provided by the service in which you want to enable 2FA” What is 2FA? and as I can’t get past this point, what do you suggest?
Hi Jean,
2FA is 2-factor authentication, essentially the same as 2SA and what you need to set up.
When you click to add your first account in Authy, the screen lets you know that you can “add Authenticator accounts such as Gmail, Facebook, Dropbox and many more using Authy”. You don’t need to add accounts for services that you don’t use; Authy is just letting you know it supports extra security on these services.
When it comes to setting up 2SA with an authenticator app, you can find step-by-step instructions at Xero Central: https://central.xero.com/s/article/Set-up-or-disable-two-step-authentication#Setuptwostepauthentication.
We’ve also noted the initial Authy process setup for you here:
1) Start in your Xero account profile and click ‘Setup’ from the two-step authentication page. There you’ll see a unique number displayed below the QR code
2) On Authy, click “Enter Code given by the website” and enter the unique number shown in Xero
3) Click ‘Add Account’ to go to the next screen where you can input an account name and choose an icon. I suggest you call your account ‘Xero’ and use the generic blue icon
4) Click Save and you’ve completed the Authy setup
5) Back in Xero, enter the authentication code provided by the Authy app
6) Click Next for the following steps to setup 2SA for Xero