Why we’re securing your account with Multi-Factor Authentication

Posted 7 months ago in Advisors by Suzy Clarke

As more people around the world embrace digital technologies, the number of cyber attacks continues to increase. One of the most common types of cybercrime is phishing, designed to access your online accounts and steal your personal and business information.

At Xero, we are custodians of your data and we take that responsibility very seriously. We don’t just tick the boxes when it comes to security – we go above and beyond to make sure Xero is the most trusted platform for small businesses.

To make sure we continue to keep your Xero account secure, we’re making Multi-Factor Authentication (MFA) mandatory for all Xero customers globally in the year ahead.

A global change to protect your business

MFA is a login verification process that goes beyond typing in your username and password. It gives you access to your account using something you know (your username and password) and something you have (your mobile device or computer).

Think of it like putting an additional bolt on the door. It’s a small but important thing that significantly reduces the risk of unauthorised access to your account, because it’s much harder to steal something you know and something you have.

In fact, research shows that MFA can prevent up to 80% of data breaches. The beauty of using your phone as an authentication method is that it’s always with you, which means you can still access your Xero account anywhere, at any time.

Introducing the new Xero Verify app

To give you fast, easy and secure access to your Xero account using MFA, we’ve created our own authenticator app called Xero Verify. It’s built using the highest security standards and gives us confidence that your account access is in safe hands.

When MFA became mandatory in Australia, we saw a significant drop in account takeovers. We expect it won’t be long before other governments take Australia’s lead. So like everything we do in security at Xero, we’re staying ahead of the game and making it mandatory for all customers globally.

Xero Verify is now available free of charge in the Apple and Google app stores. It only takes a few minutes to set up and sends a push notification to your phone when you log in, so you can just tap and go. We know you’re busy, so we’ve made it beautifully fast and easy to use.

How we’ll help you prepare for MFA

While we encourage you to download Xero Verify and opt in to MFA when it’s available in your country, we’ll give you plenty of notice before it becomes mandatory. As always, our team is here to support you over the coming weeks and months, to make it as easy as possible for you to stay safe and secure. In the meantime, take a look at our frequently asked questions for all the details.

50 comments

Michael Hayes
March 31, 2021 at 10.26 am

Great software. Horrible support. Cryptic, slow and unhelpful. Takes several hours and basically useless.

Beeny Atherton in reply to Michael Hayes Xero
April 7, 2021 at 10.34 am

Hi Michael, so sorry you feel that way about our support. Do you have your case number to hand so I can take a look into this for you? Thanks!

Kay Mead
April 21, 2021 at 10.16 pm

I’m surprised to see the comment from Michael Hayes about support. We’ve raised many support cases over the years for a variety of clients and situations. Yes, support can take a few hours but I don’t see that as a problem, I don’t regard a same day response as slow. But cryptic and unhelpful? Never. Usually I get the answer I need in one go, sometimes I have to explain a bit more if I haven’t been clear enough or if I still can’t see how to put things right.

Peter Michell
April 27, 2021 at 6.20 am

Can’t access Xero to file my VAT return as I am on holiday, not in my office. The new MFA has locked me out – just like that whether I wanted it or not. Extremely bad form – whoever sprung this on just like that should be shot for bad management and bad customer relations.

Beeny Atherton in reply to Peter Michell Xero
April 27, 2021 at 1.09 pm

Hi Peter, I’m sorry to hear that you’re experiencing some trouble accessing Xero. If you need to set up MFA, you can find everything to help you get up and running here. If you have already set up MFA and are locked out, please contact us here providing your email address so we can get in touch with you. You can also find some troubleshooting tips here. Hope that helps.

E. M
May 24, 2021 at 11.37 pm

Completely agree Peter – this is absolutely abysmal form.

Despite the hype, I really have to question the supposed “increased security” around this…

I would bet that if the permissions granted to the app upon install were examined the true reasons for it being forced upon everyone would become clear.

Beeny Atherton in reply to E. M Xero
May 27, 2021 at 9.05 am

Hi, thanks so much for sharing your thoughts with us. We strongly believe that authenticator apps, such as Google Authenticator and Xero Verify, do provide increased security. Cyber attackers and hackers are getting more and more sophisticated and so modern security features like MFA offer an important layer of protection by requiring at least two different factors, something you know (your password) and something you have (mobile device) before allowing access to your account. This second layer of security is designed to prevent anyone but you from accessing your account even if an attacker knows your password.

James
June 9, 2021 at 11.28 am

Agree, it’s astonishing how thoughtless this was!! I have exactly zero interest in using MFA, I don’t have anything in my Xero that requires MFA. I don’t pay employees or pay my bills using Xero, so there is no financial information being stored in my account that anyone could ever use to hack someone else.

Contemplating finding another solution, only went with Xero because my accountant suggested it but had no idea they’d hold me hostage like this to use something I have no interest in using 🙁

Beeny Atherton in reply to James Xero
June 9, 2021 at 2.07 pm

Hi James, we’re sorry to hear that you feel MFA doesn’t add any value to you – however, we believe it does. You may not pay employees or bills using Xero but there will still be some very valuable information stored about you in Xero that could cause some trouble should it ever fall into the wrong hands. You do have the option to remember the device you’ve logged in with for 30 days saving you having to authenticate every time.

George
April 30, 2021 at 12.13 pm

MFA is great but it is frustrating that a whole new app needs to be downloaded for this type of thing. It might not seem like it but it is definitely a barrier for some users I work with. Building this into the existing app or using existing contact info would have made this easier and more seamless. Even better would be working with Apple authentication options for seamless biometric verification.

Beeny Atherton in reply to George Xero
May 6, 2021 at 3.21 pm

Hi George, you don’t need to download a new authenticator app – you can continue to use another authenticator such as Google Authenticator or another app of this nature. The benefit of using Xero Verify is that it allows you to receive a push notification to verify that it’s you – if you choose to use another authenticator app, you’ll need to type or copy the code they provide into Xero when you log in. Find out more here.

Mike Cave
May 5, 2021 at 2.25 pm

I had MFA set up already and now you have cleverly disabled that with this mandatory roll out. Classy.

Beeny Atherton in reply to Mike Cave Xero
May 6, 2021 at 3.16 pm

Hi Mike, if you already have MFA set up you shouldn’t need to re-authenticate. We’ve just created a more streamlined and simplified MFA flow for all new customers to help protect everyone’s data and the sensitive information held on Xero with the choice to use the Xero Verify app from the outset (however, you can choose to use another authenticator such as Google Authenticator or another app of this nature). If you need any further help, please refer to our help article here.

Olivia
May 11, 2021 at 9.37 am

Not sure if it’s just me but there is a very long delay in the push notification coming through from Xero Verify as in about 15min difference. I log in and unlike push notifications from other apps eg. Banking app. Nothing comes through, I log in using the code and then 15mins later my phone will ask me “Are you trying to log in” This has happened using different computers, browsers, wifi networks etc
I downloaded the Xero Verify app as I thought it would have been quicker and easier than opening up Google Authenticator to put in a code but appears not!

Beeny Atherton in reply to Olivia Xero
May 12, 2021 at 2.00 pm

Hi Olivia, thanks so much for sharing your experience with us – and sorry that the push notification via the Xero Verify app is taking so long to come through. I will share your experience with my team so we can investigate what may be happening here. If you continue to experience such lengthy delays, please can you raise a case with our Support Team. Thanks!

Beeny Atherton in reply to Olivia Xero
May 19, 2021 at 12.06 pm

Hi again, Olivia – I’m just checking in to see whether you are still experiencing delays with your push notification. I have spoken in depth with my team and there may be a number of reasons why the notification was delayed depending on the device you are using. In many cases, the delay may be being caused by some sort of power-saving settings on your phone. If you are still experiencing issues, we would be really grateful if you can help with our investigations by submitting a case with our Support Team providing the make and model of the device you are using. Thank you so much for your help!

Sharon
May 20, 2021 at 2.21 pm

This verify issue is not the greatest for someone that is on Xero 20 to 30 times a day. It is a pain. If you don’t use Xero constantly you are asked to put your password in again, and now you have to verify every time you need to reactivate Xero. Do we get an option to ask this verify to sleep for a week or a month and continue on with our password to get in? Xero was supposed to be very convenient and easy. It’s heading in the other direction.

Beeny Atherton in reply to Sharon Xero
May 20, 2021 at 3.11 pm

Hi Sharon, there is an option when you authenticate yourself to skip authentication for 30 days, which remembers the device you’ve logged in with. You’ll need to authenticate again at the end of the 30 days, or if you log in with a new device or browser.

Brian Russell
May 26, 2021 at 2.20 pm

Not cool, accounting is the least enjoyable part of the business and Xero ‘promises’ to make it simple. It doesn’t really. And now the 2 factor authentication requires a new iPhone (ours aren’t iOS 13). Not cool, not ‘low hassle’. To lock my Xero account with the new mandatory rules is getting in the way of us working today.

Now we have to spend valuable time searching the internet for solutions, buy a new iPhone or yet again ring the accountant to ask how to solve a Xero problem.

Guys and girls in Xero, we don’t work in an office with good internet and new iPhones. PLEASE get your product people to ask some real users before doing this stuff. This really hurts the business where there already aren’t enough hours in the day. This just isn’t how it’s meant to be done.

Beeny Atherton in reply to Brian Russell Xero
May 27, 2021 at 11.15 am

Hi Brian, I’m so sorry to hear that you’re experiencing some difficulties with MFA. If you are unable to use your mobile phone as a means to verify yourself, you can install an authenticator app on your desktop. Authy has a desktop authenticator app for Windows and MacOS devices. You can download Authy from here. If you’re using Windows, you can use WinAuth, which you can find here. You can also choose to use a backup email or set security questions if you would prefer to verify your identity another way. I appreciate that using your mobile phone may be more convenient so I have passed your feedback onto my team.

James Fryer
June 3, 2021 at 9.08 pm

I am OK with using MFA but I don’t want to install another app for it. MFA using SMS or email is quite secure, why not allow these options?

Beeny Atherton in reply to James Fryer Xero
June 9, 2021 at 1.41 pm

Hi James, you’re not required to install Xero Verify if you don’t wish to. If you already have another authenticator app installed, such as Google Authenticator, FreeOTP, or Authy, then you can continue to use that app – you’ll just need to type or copy the code they provide into Xero when you log in. Xero Verify is the only authentication app that allows push notifications to your Xero account. You can also specify a backup email address when you set up MFA – however, using an authentication app is less time consuming and easier.

Carolann
June 4, 2021 at 11.13 pm

I have loaded the Xero Verify app on my iPhone 11 and it is stuck; it has been doing it for hours. Not happy.

Beeny Atherton in reply to Carolann Xero
June 9, 2021 at 1.24 pm

Hi Carolann, I’m so sorry to hear that you’re having some trouble with the Xero Verify app. If you are still experiencing issues, please reach out to our support team here.

simon
June 11, 2021 at 5.29 am

I really want to Opt Out.
I don’t want another app. I don’t want another piece of software. I don’t want to have to use even more codes.
We don’t all have the latest hardware and software.
Just let me log in with my secure password, please.
Xero’s site says it will take 5 minutes, this has cost me at least an hour today, and I have to re-authenticate every single time I access the site.

Beeny Atherton in reply to simon Xero
June 14, 2021 at 10.30 am

Hi Simon, it is not mandatory to install Xero Verify if you already use another authenticator app, such as Google Authenticator, FreeOTP, or Authy, on your device to access other accounts (e.g. your bank) – you can continue to use that app to access Xero. With these apps, you’ll just need to type or copy the code they provide into Xero when you log in. Of course, we recommend Xero Verify because it’s the only authentication app that allows push notifications to your Xero account removing the need to type/paste in codes – however, it’s really up to you as to which app best suits your needs and the type of device you’re installing it on. There is also an option to pause reminders when you authenticate yourself, which remembers the device you’ve logged in with for 30 days after which you’ll need to authenticate again (or if you log in with a new device or browser), which can save you some time.

Jackie Sturgess
June 16, 2021 at 12.37 am

I can’t log my bookkeeper in if I am logged in. I have to log out, authenticate when she tries to log in and then relog in myself. This is worse than the 2 step verification I currently use on eBay and Amazon when she logs in. Why is there no facility to have more than one phone to verify?

Beeny Atherton in reply to Jackie Sturgess Xero
June 16, 2021 at 11.17 am

Hi Jackie, thanks for your comment. Can I please clarify the steps you and your bookkeeper are taking – are you both trying to log into Xero using the same credentials (username and password)? We strongly advise not to share your password with anyone, including your bookkeeper, to keep your account secure. With Xero, there are no limits on the number of users you can invite into an organisation or client file so we suggest inviting your bookkeeper instead of sharing your login credentials with them. You can find more information about adding a new user to your organisation here.

Sam
June 16, 2021 at 10.14 pm

This is absolute garbage. I don’t have *any* authenticator apps on my phone and don’t want any more apps on my phone (snooping on everything). I now can’t use the Xero app because I don’t have iOS13 and all this was suddenly thrown on to the account without warning. It’s a disgrace. I don’t need MFA on my account. Just want a nice simple and quick way to access the information. I guess my only option is to look for an alternative piece of software. No customer service phone numbers anywhere to be seen yet you’re making a fortune in subscriptions from customers.

Beeny Atherton in reply to Sam Xero
June 22, 2021 at 10.11 am

Hi Sam, you don’t need an authenticator app on your phone to access Xero if you do not wish to. An alternative option is to add a backup email address or set up a few security questions. The easiest option is to provide a back-up email address – simply add a secondary email address when setting up MFA (please make sure the email address is different to the one you use to log into Xero) then just select this option when you log in. Alternatively, you can set up security questions and select this option when you log in instead. You can find more information about MFA and setting up backup methods here.

kate sheehan
June 19, 2021 at 7.27 pm

I do not use apps on my phone and do not want to download any. Please could you let me know how I can access my account without it?

Beeny Atherton in reply to kate sheehan Xero
June 22, 2021 at 10.05 am

Hi Kate, that’s fine if you do not want to download an authentication app. Another option is to add a backup email address or set security questions. A backup email address is the easiest option. You simply enter a backup email address when you set up MFA – just make sure it’s different to the one you use to log in to Xero. Then whenever you log in to Xero, you just need to choose the option to enter your backup email address instead. If you’d rather set up security questions – you can provide answers to some security questions from a drop-down list then you can use this backup method whenever you log in to Xero. You can find more information here.

Jon taylor
June 21, 2021 at 7.23 pm

Another unwanted and complicated verify system. If one is needed, text it to a phone – if HMRC can manage that, so can Xero. Looking for alternatives.

Beeny Atherton in reply to Jon taylor Xero
June 22, 2021 at 8.52 am

Thanks for your comment, Jon – I have passed your feedback on to my team.

Andrew Park
June 22, 2021 at 3.47 am

(When adding backup email for MFA)
“There were problems sending the email. Please try again later”
(add backup security questions)
“There were some problems sending your security questions. Please try again”

Not impressed. As usual the only people this will inconvenience are the legitimate users of your software.

Beeny Atherton in reply to Andrew Park Xero
June 22, 2021 at 8.51 am

Hi Andrew, I’m so sorry that you experienced some difficulties adding your back-up email address and setting up security questions. We will look into this urgently to see what may be causing the issue. Thanks for raising it with us.

Chas Pepps
June 28, 2021 at 4.21 am

Please take MFA away and put Xero login back to how it used to work, or at least let the user decide whether MFA is a useable option for them. I can’t get the 30 day ‘leave me alone’ option to work so am having to get up and get my phone every login – 20/30 times a day. Please, please take it away.

Beeny Atherton in reply to Chas Pepps Xero
June 28, 2021 at 9.32 am

Hi Chas, I’m so sorry to hear that you’re having some trouble with MFA. When trying to set the 30-day ‘remember my device’ option, are you logging into the same device/browser each time? Has another user logged in on the same device/browser in between that time? Have you cleared your cookies & cache (or are cookies not enabled on your device) or are you using a private browser, or a different internet connection? If you answer “yes” to any of those questions then you will need to authenticate each time. If that’s not the case – would you mind raising a case with my Support Team so we can investigate what may be preventing you from setting the 30-day ‘snooze’ option. Thanks!

Andrew Mitchell
June 30, 2021 at 11.53 pm

I now can’t log in to a client’s records because he’s away on leave – I used to say that Xero was OK – not any more – are you being paid by Quickbooks?

Beeny Atherton in reply to Andrew Mitchell Xero
July 1, 2021 at 10.23 am

Hi Andrew, thanks for getting in touch. I just want to make sure I understand the issue you’re experiencing correctly. Are you trying to access your client’s records using their log in credentials or have they invited you into their organisation or client file but you’re unable to get in? Thanks!

Jim
July 1, 2021 at 11.39 pm

Please advise how I can log in to Xero with just the login password i.e. without any further MFA nor any authentication nor verification steps involved on a PERMANENT basis (I am aware of the skip 30 days option – not good enough for me). I am aware this may be less secure for my accounts but I am not concerned about it for now. Thanks.

Beeny Atherton in reply to Jim Xero
July 6, 2021 at 11.27 am

Hi Jim, thanks for your message. With the increase in security breaches and account compromises, we believe it’s incredibly important to step up security. As custodians of sensitive client data, keeping everyone’s data secure is a top priority for us. I appreciate that there are a couple of additional steps but the safety of your information is paramount – we don’t want it falling into the wrong hands and I’m sure you don’t either. You already know about the ‘remember me’ function, which is the only option to bypass the authentication steps for 30 days (unless you log in using a different device/browser).

julie pickett
July 17, 2021 at 11.02 pm

I’ve taken the day off today to try and catch up with my accounts but have now found I can’t even log in to Xero without signing up for this. There is no opt out option. I have a very old phone, one which does not support Xero Verify. So I cannot get on with any work today! I’ve selected the part that says ‘don’t have a smart phone’ and it doesn’t seem to offer me any solutions! I need to get on!

Beeny Atherton in reply to julie pickett Xero
July 19, 2021 at 9.13 am

Hi Julie, so sorry that you’re unable to set up Xero Verify on your phone. You can still set up MFA by installing an authenticator app on your desktop.
Authy has a desktop authenticator app for Windows and MacOS devices. You can download Authy here. If you’re using Windows, you can use WinAuth, which can be found here. You can find more information about setting up MFA without a smartphone or tablet on this Xero Central article. We also recommend adding a backup email or setting up security questions as a fallback option if your other authenticator app is not available for any reason. You can find instructions on how to set up a backup email here. Finally, there’s an option when you authenticate yourself, to pause reminders for 30 days which remembers the device you’ve logged in with removing the need to authenticate every time you log in during that time. At the end of the 30 days, you’ll need to authenticate again, or if you log in with a new device or browser. I hope that helps.

Evan
July 21, 2021 at 1.48 am

I would also like to voice my disdain for this choice, and to propose a solution. When I heard that MFA was becoming mandatory, I assumed it was to be either a text/email confirmation or the use of security questions. Making people download an additional app (even IF they opt not to use yours) just to use your service is excessive when less demanding measures can yield the same benefit. I’d recommend including an option that involves security questions or

Beeny Atherton in reply to Evan Xero
July 21, 2021 at 3.54 pm

Hi Evan, thanks for your comment. I have shared your thoughts with my team. We do have a way to add a backup email and/or set up security questions as another way to verify your identity but you would need to first verify using an authenticator to set both up. You can find more information about adding a backup email here.

Jon Nash
July 29, 2021 at 6.53 am

I don’t want to set up yet more security!!!!! Why are we forced to have another app on our phones? It takes away what was nice and easy using Xero, I might as well go back to SAGE.
I am fed up with MFAs for everything, totally OTT.
I really can’t be bothered to use Xero anymore, it’s annoyed me so much!

Xero in reply to Jon Nash Xero
July 29, 2021 at 10.43 am

Hi Jon, so sorry that you feel MFA takes away what was nice and easy with using Xero but we believe that it significantly reduces the risk of unauthorised access to your account and data, which is incredibly important. If you do not wish to download another app on your phone, you can install an authenticator app on your desktop. Authy has a desktop authenticator app for Windows and MacOS devices and if you’re using Windows, you can use WinAuth. You also have the option to pause reminders for 30 days when you authenticate yourself, which remembers the device you’ve logged in with. At the end of the 30 days (or if you log in with a new device or browser), you simply need to re-authenticate and click the pause for another 30 days button.

steve melick
August 13, 2021 at 9.26 am

Why can’t we just be texted an authentication code to our phone without software like 99.9% of other systems requiring MFA? Even my bank does it using a text message.

Beeny Atherton in reply to steve melick Xero
August 17, 2021 at 12.49 pm

Hi Steve, having MFA enabled significantly reduces the risk of unauthorised access to your account because it uses at least two different factors: something you know (your password) and something you have (mobile device), before you can access your account. This second layer of security is designed to prevent anyone but you from accessing your account even if they know your password. MFA (also referred to as 2FA) is a lot more secure than using SMS. You may find this article interesting. Xero Verify is Xero’s own authentication device which allows you to receive a push notification to verify that it’s you – other authentication apps such as Google Authenticator, FreeOTP, or Authy require you to type or copy the code they provide into Xero when you log in.
