For the Xero team, the security of our partners and their small business clients is integral to building a trusted platform. By mandating the use of two-step authentication (2SA) here in Australia, we’ve been able to ensure we’re doing all we can to protect your data and the sensitive information that’s held in your subscription.
This important layer of protection was first introduced back in 2018 in line with the ATO’s updated online security requirements – resulting in a significant drop in suspicious activity. And with your helpful feedback, we’ve continued to make improvements to the 2SA process.
So we can keep putting the safety of our customers first, Xero is now rolling out multi-factor authentication (MFA) in order to meet security requirements across the globe. Why now? In recent years, there has been a dramatic increase in the number of cyber attacks designed to access online accounts and steal personal and business information. As custodians of your data, we’re going above and beyond to make sure Xero is the most trusted platform for small businesses.
So, what does this mean for Australian customers?
In short, existing customers who already have 2SA set up won’t need to set it up again. However, from 2 March, new customers will follow a more streamlined and simplified MFA flow with the choice to use the Xero Verify app from the outset (they can also use Google Authenticator or another authenticator app of this kind). We’ve answered this for you in more detail, along with some further questions, below.
Wait, what’s the difference between 2SA and MFA with Xero?
Both 2SA and MFA are extra layers of security designed to prevent anyone but you from accessing your account – even if they know your password. Existing users with 2SA enabled can continue to use their existing setup under MFA. New users, and those who disable 2SA and set up MFA, will go through our new streamlined setup flow – and can enjoy the convenience of push notifications if they choose to use the Xero Verify app.
Why did Xero decide to work on a new solution?
We’re constantly looking to make our solutions simpler and smarter for our customers. After rolling out 2SA in Australia, we took the learnings on board and have created an MFA solution that fits more seamlessly with the Xero experience (making it all the easier for our customers).
What is Xero Verify and who needs to use it?
To give you fast, easy and secure access to your Xero account using MFA, we’ve created our own authenticator app called Xero Verify. This free app is available on the Apple and Google app stores. Just search for ‘Xero Verify’, then download it to your smartphone or tablet (Xero Verify can only be used to authenticate Xero accounts). We know you’re busy, so we’ve made it beautifully fast and easy to use.
Is Xero Verify safe? How do I know it will stop someone from accessing my clients’ accounts?
Xero Verify is built to high security standards, giving you confidence that your account access is in safe hands. Neither Xero Verify nor any other authenticator app has access to your Xero account or the data in it. At login, Xero Verify either sends a push notification to your device for you to approve, or generates a time-based numeric passcode for you to enter – something only the device you set it up on can produce. This means that if someone guesses or knows your password, it’s not enough on its own to access your account.
I’m confused, are you making us switch to something new?
No. If you’ve already enabled an authenticator app (like Google Authenticator) then you and your existing clients are welcome to keep using it. What’s important is that you have the second layer of security. However, we do recommend Xero Verify as it’s the only authenticator app that can send push notifications for your Xero account – making the entire process easier and safer for you and your clients.
How do you switch from the current authenticator app to Xero Verify?
After logging in, and authenticating yourself, go to your ‘Account’ settings page, under ‘Additional Security’ and choose ‘Change Device’ to access the new authentication process. You will be presented with the option to choose Xero Verify. Follow the steps to set up and receive push notifications.
I had difficulties with 2SA, is the new MFA process easier?
The new experience visually guides you through, making it simple and streamlined to use. Better yet, it only takes about five minutes to set up – all of which saves you time and effort.
Does this mean I now have different clients with different authentication experiences?
There is no change for existing users: once 2SA is set up, they simply log in to Xero and use their chosen authenticator app, entering a single time-based code just as they do now.
New users will be given the choice of using Xero Verify, Google Authenticator or a desktop authenticator like Authy. After they’ve set up MFA, when a new user logs in to Xero, they can authenticate themselves with a push notification via Xero Verify or with a one-time code from Google Authenticator or a desktop app.
Once my client has set up MFA, do they have to authenticate every time they login?
When you authenticate yourself, there is an option to pause reminders for 30 days, which remembers the device and browser you’ve logged in with. At the end of the 30 days, or if you log in from a new device or browser, you’ll need to authenticate again. Only use this option on a device you control, not on a shared or public computer.
As always, the Xero team is here to support you should you have any queries or concerns – all the while ensuring that you and your clients stay safer and more secure than ever.