Over the last few years, our lives – and businesses across the world – have moved online at a rapid pace. Unfortunately, cybercriminals have followed and are using new, digital methods to target Australians. At Xero, we are custodians of your data and do all we can to protect the information held in your account.
One of the ways we do this is through multi-factor authentication (MFA), a process designed to secure how you log in to Xero and verify it’s really you. An upcoming Australian Tax Office (ATO) update to MFA regulations means anyone that accesses an Australian organisation globally needs to re-authenticate their device every 24 hours when logging in to Xero.
So, tell me more about what’s changing with MFA?
Many of our Australian customers would have started using MFA back in 2018, when it was first introduced by the ATO. Throughout 2021, Xero rolled out mandatory MFA for users in all other countries. Today, every Xero customer must use MFA when they login.
Recently, in response to growing cybersecurity threats, the ATO updated its regulations around MFA for software providers like Xero. This means that the length of time a device is trusted for must be limited to 24 hours for cloud based business applications, such as Xero.
From early October, ‘remember me on this device’ will change. Currently, you can skip authentication for 30 days when signing in to Xero via MFA (such as through the Xero Verify, Google Authenticator or Authy apps), which remembers the unique device you’ve logged in with. With this update, you will need to re-authenticate your trusted device (such as laptop, tablet or phone) every 24 hours.
When will this happen?
The 24 hour change to Xero’s MFA trust device frequency will start from early-October. From then, you’ll need to authenticate daily when you log in to your account.
Why is this being changed for Australian customers?
This is a regulatory change from the ATO and is to support cybersecurity measures to protect your valuable data – just think of all the critical information stored within your Xero account. It’s important to keep this safe.
You’ll likely remember when MFA was first mandated by the ATO. Just like last time, Xero is updating its platform to comply with this change and make it a smooth transition.
What if I’m in another country, like New Zealand, but access an Australian organisation in Xero?
This change doesn’t just apply to Australia but to anyone globally that accesses an Australian organisation – even if it’s just one account in Australia that you log in to. This is because you are accessing information (including personally identifiable information) that falls under the ATO’s remit.
Do I need to make any updates myself?
No – rest assured that the Xero platform will update automatically in early October. Since all Australian customers already use MFA, you won’t have to change anything about how you log in to Xero – except for daily authentication. This means you can continue to use your usual verification tool, whether it’s Xero Verify or a third-party app like Google Authenticator.
Why is cybersecurity so important and should I be worried?
Security has always been important at Xero and we want to keep your valuable business data safe. Since the start of the pandemic, activity by cybercriminals has been on the rise in Australia. As our lives have moved more and more online, so too have the approaches of cybercriminals.
They’ve continued to evolve and use increasingly sophisticated ways to entrap victims online. One of the most common types of cybercrime is phishing, which tricks you into clicking on a fraudulent email, text message or web link to then access your online accounts and steal your personal and business information.
How does MFA help protect me against cybersecurity threats?
MFA is one of many important tools used to safeguard against cybersecurity threats. It’s a security process which uses at least two different factors, something you know (your password) and something you have (mobile device), before you can enter your account.
This second layer of security is designed to prevent anyone else accessing your account, even if they know your password. In fact, research shows that MFA can prevent up to 80% of data breaches.
This is taking a bit of extra time and I’m super busy. Is there an easier way to verify every day?
We know this change may be a little different to how you’re used to logging in to Xero. You can keep on using any verification tool that you like, but we do suggest giving Xero Verify a go if you’re after a more streamlined solution. It was launched last year so you might not have had a chance to test it out yet. Trust us though – it’s a game changer.
Why should I consider using Xero Verify?
Xero Verify provides fast, easy and secure access to your Xero account using MFA. It’s the only app which lets you authenticate with push notifications, as well as creating a time-based numeric passcode in case there’s no wifi, so you can always access your Xero account.
The free app is available on the Apple and Google app stores – just search for ‘Xero Verify’, then download it to your smartphone or tablet. The set up takes approximately five minutes and will make signing in a breeze.
Do I have to switch to Xero Verify?
No. You can keep using the authenticator app you already are. We suggest Xero Verify because it allows for push notifications, making daily authentication seamless.
What does this mean for Xero’s mobile apps?
Xero’s suite of mobile apps, such as the Xero Accounting App, Xero Expenses and Xero Projects, will also be impacted by these new regulations. When the new versions are introduced, you will no longer be able to choose the lock device option ‘Don’t lock it’. You will either need to use a security code, which will be available on Android for the first time and is currently available on iOS, or use Face ID.
What if I normally share my login with members of my team?
Shared logins reduce the security of your Xero account. The more people who have access to a login, the more likely it is to be compromised. Everyone who accesses an organisation in Xero should have their own login details (as per our terms and conditions).
If they don’t already, now is the time to make sure everyone is set up with what they need to securely use Xero.
You can read more about MFA here and troubleshoot any possible issues here.
Would have been nicer if Xero had just locked the ATO-interfacing functions behind a second MFA prompt and not bothered us every time we log on.
Totally agree, James.
I think Xero has misinterpreted the guidelines.
Remember me on this device to be limited to 24 hours – i.e. session (cookies) and not 2FA expiry.
Hi Richard, ‘Remember me’ or ‘Trust this device’ is a function of MFA. We use cookies to set the 2FA expiry, which is why this functionality falls under the remit of these requirements. You can read more about this on the ATO site under the ‘Authentication’ section.
Well this sucks
Dear Xero, while I understand that you are required to follow the regulations, I am not impressed by the ATO changes.
This seems to me to infer that the ATO does not trust anyone.
Is there some way to certify a trusted device beyond the 24 hours required by the new regulations?
Hi John, as this is a regulatory requirement from the ATO, it can’t be changed beyond 24 hours. This important shift is all about supporting cyber security measures to protect your valuable data and Xero is updating its platform to provide you with even stronger security as threats evolve.
As if this program is so important you have to have Fort Knox security. OMG. It is rediculous – you need to get over yourselves.
It is just a glorified calculator and sometimes not that good.
My Life is hard enough without you inventing ways to make it more time consuming
Two things:
1. The ATO link takes me to their home page – not the page dealing with MFA. Rather than make all your customer have to search and hunt, why not just offer the specific link?
2. you said “How does MFA help protect me against cybersecurity?” assume you meant “How does MFA help protect me against cybersecurity threats?”
Hi Mike, sorry for the confusion, we’ve since updated the blog to include the specific ATO link which you can find here (jump to the ‘Authentication’ section).
What a pain in the neck! Very annoying! It’s bad enough having to do it every 30 days or when you do a clean up of your files, but everytime you log in…. crazy.
Hi Cathy, to clarify, you don’t need to authenticate every time you click “Trust this device” when you log in – only when 24 hours has passed since you last did so.
I can’t find any press releases or information from the ATO about this regulation. Is there somewhere on this website? I doubt I’ll ever see it, but I’d love to see some actual concrete justification about why this is necessary and why it’s not yet more arbitrary bureaucratic overreach (hint: it’s definitely the latter)
Hi Luke, you can find more information on MFA from the ATO at this link (jump to the ‘Authentication’ section).
only use Xero intermittently and having to remember to log in EVERY DAY is RIDICULOUS
How do I set up individual access for family/Partner MFA access to Xero
Hi Neil, it’s easy to set up MFA with Xero. Each user just needs their own login account and an authenticator app on their mobile device. We recommend Xero Verify as it’s the only app using push notifications. Check out our support article on Xero Central for all the steps to follow. If you get stuck, just reach out to our support team for help.
Good morning, we all certainly support improving security in this increasingly online world. As many will know it is possible to hand off authentication to another identity provider, such as Microsoft or Google, who arguably, are at the forefront of identity protection. Microsoft for example offer strong authentication, and passwordless authentication, which is a stronger that ‘regular’ multi-factor authentication.
Many cloud service providers support Single Sign-On (SSO) to these more sophisticated identity providers. When do you this Xero will understand the value of this SSO and get onboard also?
Xero keeps disconnecting our job management system app. As I am the Administrator for Xero, it seems I am the one who can log in every time to reconnect it. My colleague has access to purchases only so she can’t restablish the link. This is really frustrating as if I am on leave, I keep on having to log in to relink the app. Any solutions?
Any plan to update to PassKey/WebAuthn support (new open Apple/Google/Microsoft standard to replace the standard login/password authentication we use today)? If not, please make it high priority.
It’ll be supported in Chrome & Safari in the next couple of weeks.. will enable easier sign in (faceID, touchID, or PIN) than the current 2FA authenticator app…
Hi Tom, thank you for your suggestion. This isn’t currently on our roadmap, so please do go ahead and add it to Xero Product Ideas for consideration. Thanks.
Is there any item on the Xero roadmap for using an external ID provider (Like Azure AD) for SSO?
This has been requested in the Xero community chats for some time now, would reduce risk more than just shortening the time for MFA.
Just my 2 cents but the belly aching about MFA is ridiculous, people need to understand the sheer risk of cyber attack is massive. I run an IT business and help many customers weekly recover from the aftermath of a cyber attack and it’s truly horrible. I’ve had customers end up in hospital from the stress induced by it!
MFA is a proven mitigation technique to cyber attack and shortened device trust times while inconvenient will help to strengthen the security further.
While Xero could certainly make things more seamless for their customers by implementing SSO and other auto push capable apps. Changing to the Xero MFA app with auto push will make it much quicker and easier for now daily MFA challenges than typing OTP codes.
Security is always a trade off with convenience but trust me it’s worth the extra effort to not have to deal with the aftermath of an attack.
When I don’t have my usual phone with me outside Australia the ‘Secret Questions’ method doesn’t work. I made a note of the secret questions and answers including case sensitivity, the correct answers are rejected and then I am required to answer questions that I have not set an answer to. Very frustrating.
Although I’ve been have a bit of frustration setting up MFA for other users in my organization, I honestly can’t believe the amount of whinging in these comments! Authentication – even every 24 hours – is not that big a pain, especially if you compare it with the pain of being hacked.
I, for one, am glad Xero is on top of this.