As more people around the world embrace digital technologies, the number of cyber attacks continues to increase. One of the most common types of cybercrime is phishing, designed to access your online accounts and steal your personal and business information.
At Xero, we are custodians of your data and we take that responsibility very seriously. We don’t just tick the boxes when it comes to security – we go above and beyond to make sure Xero is the most trusted platform for small businesses.
To make sure we continue to keep your Xero account secure, we’re making Multi-Factor Authentication (MFA) mandatory for all Xero customers globally in the year ahead.
A global change to protect your business
MFA is a log in verification process that goes beyond typing in your username and password. It gives you access to your account using something you know (your username and password) and something you have (your mobile device or computer).
Think of it like putting an additional bolt on the door. It’s a small but important thing that significantly reduces the risk of unauthorised access to your account, because it’s much harder to steal something you know and something you have.
In fact, research shows that MFA can prevent up to 80% of data breaches. The beauty of using your phone as an authentication method is that it’s always with you, which means you can still access your Xero account anywhere, at any time.
Introducing the new Xero Verify app
To give you fast, easy and secure access to your Xero account using MFA, we’ve created our own authenticator app called Xero Verify. It’s built using the highest security standards and gives us confidence that your account access is in safe hands.
When MFA became mandatory in Australia, we saw a significant drop in account takeovers. We expect it won’t be long before other governments take Australia’s lead. So like everything we do in security at Xero, we’re staying ahead of the game and making it mandatory for all customers globally.
Xero Verify is now available free of charge in the Apple and Google app stores. It only takes a few minutes to set up and sends a push notification to your phone when you log in, so you can just tap and go. We know you’re busy, so we’ve made it beautifully fast and easy to use.
How we’ll help you prepare for MFA
While we encourage you to download Xero Verify and opt-in to MFA when it’s available in your country, we’ll give you plenty of notice before it becomes mandatory. As always, our team is here to support you over the coming weeks and months, to make it as easy as possible for you to stay safe and secure. In the meantime, take a look at our frequently asked questions for all the details.
Great software. Horrible support. Cryptic slow and unhelpful. Takes several hours and basically useless
Hi Michael, so sorry you feel that way about our support. Do you have your case number to hand so I can take a look into this for you? Thanks!
I’m surprised to see the comment from Michael Hayes about support. We’ve raised many support cases over the years for a variety of clients and situations. Yes, support can take a few hours but I don’t see that as a problem, I don’t regard a same day response as slow. But cryptic and unhelpful? Never. Usually I get the answer I need in one go, sometimes I have to explain a bit more if I haven’t been clear enough or if I still can’t see how to put things right.
Cant access Xero to file my VAT return as I am on holiday,not in my office. The new MFA has locked me out – just like that whether I wanted it or not. Extremely bad form – whoever sprung this on just like that should be shot for bad management and bad customer relations.
Hi Peter, I’m sorry to hear that you’re experiencing some trouble accessing Xero. If you need to set up MFA, you can find everything to help you get up and running here. If you have already set up MFA and are locked out, please contact us here providing your email address so we can get in touch with you. You can also find some troubleshooting tips here. Hope that helps.
Completely agree Peter – this is absolutely abysmal form.
Despite the hype, I really have to question the supposed “increased security” around this…
I would bet that if the permissions granted to the app upon install were examined the true reasons for it being forced upon everyone would become clear.
Hi, thanks so much for sharing your thoughts with us. We strongly believe that authenticator apps, such as Google Authenticator and Xero Verify, do provide increased security. Cyber attackers and hackers are getting more and more sophisticated and so modern security features like MFA offer an important layer of protection by requiring at least two different factors, something you know (your password) and something you have (mobile device) before allowing access to your account. This second layer of security is designed to prevent anyone but you from accessing your account even if an attackers knows your password.
Agree, it’s astonishing how thoughtless this was!! I have exactly zero interest in using MFA, I don’t have anything in my Xero that requires MFA. I don’t pay employees or pay my bills using Xero, so there is no financial information being stored in my account that anyone could ever use to hack someone else.
Contemplating finding another solution, only went with Xero because my accountant suggested it but had no idea they’d hold me hostage like this to use something I have no interest in using 🙁
Hi James, we’re sorry to hear that you feel MFA doesn’t add any value to you – however, we believe it does. You may not pay employees or bills using Xero but there will still be some very valuable information stored about you in Xero that could cause some trouble should it ever fall into the wrong hands. You do have the option to remember the device you’ve logged in with for 30 days saving you having to authenticate every time.
Agree. I’ll move to another accounting software too.
Hi Jay, sorry to hear that you’re having some trouble with multi-factor authentication. Can you please let us know what you’re having some trouble with so that we can give you a hand? Thanks!
MFA is great but it is frustrating that a whole new app needs to be downloaded for this type of thing. It might not seem like it but it is definately a barrier for some users I work with. Building this into the existing app or using existing contact info would have made this easier and more seamless. Even better would be working with apple authentication options for seamless biometric verification.
Hi George, you don’t need to download a new authenticator app – you can continue to use another authenticate such as Google Authenticator or another app of this nature. The benefit of using Xero Verify is that it allows you to receive a push notification to verify that it’s you – if you choose to use another authenticator app, you’ll need to type or copy the code they provide into Xero when you log in. Find out more here.
I had MFA set up already and now you have cleverly disabled that with this mandatory roll out. Classy
Hi Mike, if you already have MFA set up you shouldn’t need to re-authenticate. We’ve just created a more streamlined and simplified MFA flow for all new customers to help protect everyone’s data and the sensitive information held on Xero with the choice to use the Xero Verify app from the outset (however, you can choose to use another authenticate such as Google Authenticator or another app of this nature). If you need any further help, please refer to our help article here.
Not sure if it’s just me but there is a very long delay in the push notification coming through from Xero Verify as in about 15min difference. I log in and unlike push notifications from other apps eg. Banking app. Nothing comes through, I log in using the code and then 15mins later my phone will ask me “Are you trying to log in” This has happened using different computers, browsers, wifi networks etc
I downloaded the Xero Verify app as I thought it would have been quicker and easier than opening up google authenticator to put in a code but appears not!
Hi Olivia, thanks so much for sharing your experience with us – and sorry that the push notification via the Xero Verify app is taking so long to come through. I will share your experience with my team so we can investigate what may be happening here. If you continue to experience such lengthy delays, please can you raise a case with our Support Team. Thanks!
Hi again, Olivia – I’m just checking in to see whether you are still experiencing delays with your push notification. I have spoken in depth with my team and there may be a number of reasons why the notification was delayed depending on the device you are using. In many cases, the delay may be being caused by some sort of power-saving settings on your phone. If you are still experiencing issues, we would be really grateful if you can help with our investigations by submitting a case with our Support Team providing the make and model of the device you are using. Thank you so much for your help!
This verify issue is not the greatest for someone that is on Xero 20 to 30 times a day. It is a pain. If you don’t use Xero constantly you are asked to put your password in again, and now you have to verify every time you need to reactivate Xero. Do we get an option to ask this verify to sleep for a week or a month and continue on with our password to get in? Xero was supposed to be very convenient and easy. It’s heading in the other direction.
Hi Sharon, there is an option when you authenticate yourself to skip authentication for 30 days, which remembers the device you’ve logged in with. You’ll need to authenticate again at the end of the 30 days, or if you log in with a new device or browser.
Hi,
I’m having trouble with the Authenticator for the iPhone app too. I always tick the box to remember me for 30 days but recently it’s made no difference and it’s started to ask me for the code every time I log in.
Is there any way this can be changed? It’s really frustrating!
Hi Rob, can you please raise a case with our support team so we can take a look into what may be happening here and give you a hand? Thanks!
Not cool, accounting is the least enjoyable part of the business and Xero ‘promises’ to make it simple. It doesn’t really. And now the 2 factor authentication requires a new iPhone (ours aren’t iOS13 ). Not cool, not ‘low hassle’. To lock my Xero account with the new mandatory rules is getting in the way of us working today.
Now we have to spend valuable time searching the internet for solutions, buy a new iPhone or yet again ring the accountant to ask how to solve a Xero problem.
Guys and girls in Xero, we don’t work in an office with good internet and new iPhones. PLEASE get your product people to ask some real users before doing this stuff. This really hurts the business where there’s already aren’t enough hours in the day. This just isn’t how it’s meant to be done.
Hi Brian, I’m so sorry to hear that you’re experiencing some difficulties with MFA. If you are unable to use your mobile phone as a means to verify yourself, you can install an authenticator app on your desktop. Authy has a desktop authenticator app for Windows and MacOS devices. You can download Authy from here. If you’re using Windows, you can use WinAuth, which you can find here. You can also choose to use a backup email or set security questions if you would prefer to verify your identity another way. I appreciate that using your mobile phone may be more convenient so I have passed your feedback onto my team.
I am OK with using MFA but I don’t want to install another app for it. MFA using SMS or email is quite secure, why not allow these options?
Hi James, you’re not required to install Xero Verify if you don’t wish to. If you already have another authenticator app installed, such as Google Authenticator, FreeOTP, or Authy, then you can continue to use that app – you’ll just need to type or copy the code they provide into Xero when you log in. Xero Verify is the only authentication app that allows push notifications to your Xero account. You can also specify a backup email address when you set up MFA – however, using an authentication app is less time consuming and easier.
I have loaded the xreo verify app on my Iphone 11 and it is stuck it has been doing it for hour’s not happy.
Hi Carolann, I’m so sorry to hear that you’re having some trouble with the Xero Verify app. If you are still experiencing issues, please reach out to our support team here.
I really want to Opt Out.
I don’t want another app. I don’t want another piece of software. I don’t want to have to use even more codes.
We don’t all have the latest hardware and software.
Just let me log in with my secure password, please.
Xero’s site says it will take 5 minutes, this has cost me at least an hour today, and I have to re-authenticate every single time I access the site.
Hi Simon, it is not mandatory to install Xero Verify if you already use another authenticator app, such as Google Authenticator, FreeOTP, or Authy, on your device to access other accounts (e.g. your bank) – you can continue to use that app to access Xero. With these apps, you’ll just need to type or copy the code they provide into Xero when you log in. Of course, we recommend Xero Verify because it’s the only authentication app that allows push notifications to your Xero account removing the need to type/paste in codes – however, it’s really up to you as to which app best suits your needs and the type of device you’re installing it on. There is also an option to pause reminders when you authenticate yourself, which remembers the device you’ve logged in with for 30 days after which you’ll need to authenticate again (or if you log in with a new device or browser), which can save you some time.
I can’t log my book keeper in if I am logged in. I have to log out, authenticate when she tries to log in and then relog in myself. This is worse than the 2 step verification I currently use on ebay and amazon when she logs in. Why is there no facility to have more than one phone to berify
Hi Jackie, thanks for your comment. Can I please clarify the steps you and your bookkeeper are taking – are you both trying to log into Xero using the same credentials (username and password)? We strongly advise not to share your password with anyone, including your bookkeeper, to keep your account secure. With Xero, there are no limits on the number of users you can invite into an organisation or client file so we suggest inviting your bookkeeper instead of sharing your login credentials with them. You can find more information about adding a new user to your organisation here.
This is absolute garbage. I don’t have *any* authenticator apps on my phone and don’t want any more apps on my phone (snooping on everything). I now can’t use the Xero app because I don’t have iOS13 and all this was suddenly thrown on to the account without warning. It’s a disgrace. I don’t need MFA on my account. Just want a nice simple and quick way to access the information. I guess my only option is to look for an alternative piece of software. No customer service phone numbers anywhere to be seen yet you’re making a fortune in subscriptions from customers.
Hi Sam, you don’t need an authenticator app on your phone to access Xero if you do not wish to. An alternative option is to add a backup email address or set up a few security questions. The easiest option is to provide a back-up email address – simply add a secondary email address when setting up MFA (please make sure the email address is different to the one you use to log into Xero) then just select this option when you log in. Alternatively, you can set up security questions and select this option when you log in instead. You can find more information about MFA and setting up backup methods here.
I do not use apps on my phone and do not want to download any. Please could you let me know how I can access my account without it please
Hi Kate, that’s fine if you do not want to download an authentication app. Another option is to add a backup email address or set security questions. A backup email address is the easiest option. You simply enter a backup email address when you set up MFA – just make sure it’s different to the one you use to log in to Xero. Then whenever you log in to Xero, you just need choose the option to enter your backup email address instead. If you’d rather set up security questions – you can provide answers to some security questions from a drop-down list then you can use this backup method whenever you log in to Xero. You can find more information here.
Another unwanted and complicated verify system. If one is needed, text it to a phone – if HMRC can manage that, so can Xero. Looking for alternatives.
Thanks for your comment, Jon – I have passed your feedback on to my team.
(When adding backup email for MFA)
“There were problems sending the email. Please try again later”
(add backup security questions)
“There were some problems sending your security questions. Please try again”
Not impressed. As usual the only people this will inconvenience are the legitimate users of your software.
Hi Andrew, I’m so sorry that you experienced some difficulties adding your back-up email address and setting up security questions. We will look into this urgently to see what may be causing the issue. Thanks for raising it with us.
Please take MFA away and put Xero login back to how it used to work, or at least let the user decide whether MFA is a useable option for them. I can’t get the 30 day ‘leave me alone’ option to work so am having to get up and get my phone every login – 20/30 times a day. Please, please take it away.
Hi Chas, I’m so sorry to hear that you’re having some trouble with MFA. When trying to set the 30-day ‘remember my device’ option, are you logging into the same device/browser each time? Has another user logged in on the same device/browser in between that time? Have you cleared your cookies & cache (or are cookies not enabled on your device) or are you using a private browser, or a different internet connection? If you answer “yes” to any of those questions then you will need to authenticate each time. If that’s not the case – would you mind raising a case with my Support Team so we can investigate what may be preventing you from setting the 30-day ‘snooze’ option. Thanks!
I now can’t log in to a client’s records because he’s away on leave – I used to say that Xero was OK – not any more – are you being paid by Quickbooks?
Hi Andrew, thanks for getting in touch. I just want to make sure I understand the issue you’re experiencing correctly. Are you trying to access your client’s records using their log in credentials or have they invited you into their organisation or client file but you’re unable to get in? Thanks!
Please advise how I can login xero with just the login password i.e. without any further MFA nor any authentication nor verifications steps involve on a PERMANENT basis (I am aware of the skip 30 days option – not good enough for me). I am aware this maybe less secure for my accounts but I am not concern about it for now. Thanks.
Hi Jim, thanks for your message. With the increase in security breaches and account compromises, we believe it’s incredibly important to step up security. As custodians of sensitive client data, keeping everyone’s data secure is a top priority for us. I appreciate that there are a couple of additional steps but the safest of your information is paramount – we don’t want it falling into the wrong hands and I’m sure you don’t either. You already know about the ‘remember me’ function, which is the only option to bypass the authentication steps for 30 days (unless you log in using a different device/browser).
I’ve taken the day off today to try and catch up with my accounts but have now found I can’t even log in to Xero without signing up for this. There is no opt out option. I have a very old phone, one which does not support Xero Verify. So I cannot get on with any work today! I’ve selected the part that says ‘don’t have a smart phone’ and it doesn’t seem to offer me any solutions! I need to get on!
Hi Julie, so sorry that you’re unable to set up Xero Verify on your phone. You can still set up MFA by installing an authenticator app on your desktop.
Authy has a desktop authenticator app for Windows and MacOS devices. You can download Authy here. If you’re using Windows, you can use WinAuth, which can be found here. You can find more information about setting up MFA without a smartphone or tablet on this Xero Central article. We also recommend adding a backup email or setting up security questions as a fallback option if your other authenticator app is not available for any reason. You can find instructions on how to set up a backup email here. Finally, there’s an option when you authenticate yourself, to pause reminders for 30 days which remembers the device you’ve logged in with removing the need to authenticate every time you log in during that time. At the end of the 30 days, you’ll need to authenticate again, or if you log in with a new device or browser. I hope that helps.
I would also like to voice my disdain for this choice, and to propose a solution. When I heard that MFA was becoming mandatory, I assumed it was to be either a text/email confirmation or the use of security questions. Making people download an additional app (even IF they opt not to use yours) just to use your service is excessive when less demanding measures can yield the same benefit. I’d recommend including an option that involves security questions or
Hi Evan, thanks for your comment. I have shared your thoughts with my team. We do have a way to add a backup email and/or set up security questions as another way to verify your identity but you would need to first verify using an authenticator to set both up. You can find more information about adding a backup email here.
I don’t want to set up yet more security !!!!! Why are we forced to have another App on our phones, it takes away what was nice and easy using Zero, I might as well go back to SAGE.
I am fed up with MFA’s for everything, totally OTT.
I really can’t be bothered to use Zero anymore it’s annoyed me so much !
Hi Jon, so sorry that you feel MFA takes away what was nice and easy with using Xero but we believe that it significantly reduces the risk of unauthorised access to your account and data, which is incredibly important. If you do not wish to download another app on your phone, you can install an authenticator app on your desktop. Authy has a desktop authenticator app for Windows and MacOS devices and if you’re using Windows, you can use WinAuth. You also have the option to pause reminders for 30 days when you authenticate yourself, which remembers the device you’ve logged in with. At the end of the 30 days (or if you log in with a new device or browser), you simply need to re-authenticate and click the pause for another 30 days button.
Why can’t we just be texted an authentication code to our phone without software like 99.9% of other systems requiring MFA? Even my bank does it using a text message.
Hi Steve, MFA enabled significantly reduces the risk of unauthorised access to your account as the attacker because it uses at least two different factors: something you know (your password) and something you have (mobile device), before you can access your account. This second layer of security is designed to prevent anyone but you from accessing your account even if they know your password. MFA (also referred to as 2FA) is a lot more secure than using SMS. You may find this article interesting. Xero Verify is Xero’s own authentication device which allows you to receive a push notification to verify that it’s you – other authentication apps such as Google Authenticator, FreeOTP, or Authy require you to type or copy the code they provide into Xero when you log in.
This an extremely poor, clumsy third rate substitute for putting in the money and resources to maintain basic security on the service provider’s end, as every other company does. Horrible and stupid.
Hi John, we’re sorry to hear that you feel that way. We believe multi-factor authentication is one of the best ways to keep our customers’ information secure. Your feedback has been shared with the rest of the team.
Hi
When will MFA become compulsory in Ireland? We would like to make it compulsory for all our Users but I can’t find that option.
Thanks in advance.
Michael
Hi Michael, multi-factor authentication (MFA) should now be compulsory on all Xero accounts. Here’s everything you need to know to set up MFA: https://central.xero.com/s/article/Set-up-multi-factor-authentication. You can also find useful videos, FAQs and more by visiting the MFA web page. If you need some help, this troubleshooting article will also come in handy. If you still have questions, please reach out to our support team, who will be more than happy to give you a hand. Thanks!
Costing me time and frustration to do something I already do. Terrible idea. Might start looking for alternatives accounting software Vas I have only Just got this and it is anything But easy to access.
Hi Freddy, we’re so sorry to hear that you are having some trouble with MFA. We have a number of troubleshooting tips here. Alternatively, if you still need a hand, please drop us your email here and we will get in touch with you directly to give you a hand.
MFA, utterly ridiculous and un-required. Im still locked out of my account days later and the 24/7 “support” that I am paying for seems very slow in replying, have requested someone call me to sort this out but am still waiting. Paying $$ to a subscription that I cannot access due to you putting this stupid MFA on. My phone does not work at home where the PC is so cannot use this to work with the MFA. Any other recommendations for alternative software?
Hi Melissa, so sorry to hear that you’re experiencing some issues with MFA – has this matter now been resolved? Thanks!
This is BS. Just setup an account and forced to go though this inconvenience. Stop forcing shit down customers thoats. If a customer wants MFA great but don’t force it. I don’t want it i don’t need it. Don’t tell me I HAVE to use it because I won’t – I’m taking my business elsewhere. SCREW YOU XERO!
We’re so sorry to hear that you’r not happy about setting up multi-factor authentication – however, with the increase in security breaches and account compromises, it’s important to step up security. As custodians of sensitive client data, keeping everyone’s data secure is a top priority for us. If you need any help getting MFA set up, please reach out to our support team.
Downloaded the trial, everything seemed fine at first, then I got hit with the 2FA requirements. Luckily I had not done any serious work yet. I’m glad I found out about this now and not at the end of a 30-day trial where I would have already done a lot of work. I’m going to try out Sage instead. Listen to your customers, Xero!