What is multi-factor authentication (MFA)?
Multi-factor authentication (MFA) is a security process that uses at least two different factors, something you know (your password) and something you have (mobile device), before you can enter your account. This second layer of security is designed to prevent anyone but you from accessing your account even if they know your password. MFA is also referred to as 2FA, which stands for two-factor authentication. MFA helps protect your invaluable data by adding a second layer of security.
Why is MFA being mandated?
With the increase in security breaches and account compromises, it’s important to step up security. As custodians of sensitive client data, keeping everyone’s data secure is a top priority.
The threat to both enterprise and small business data has never been greater. According to the 2019 World Economic Forum Report, cyber threats are the fourth greatest risk to world economies, behind climate change and natural disasters. The world has witnessed an overall increase in cyber attacks, data breaches, data leaks and espionage, which are estimated to cost the world $6 trillion annually by 2021.
Implementing multi-factor authentication is one of the easiest, most effective actions companies can take to improve security of client data. It’s no longer a ‘nice to have’ but a genuine necessity.
Who is it mandatory for?
All Xero users in all regions invited into an Xero organisation will be required to enable MFA by the end of 2021 (following any trial period that applies to the user).
In what regions is multi-factor authentication (MFA) mandatory?
Authentication has been offered as an optional feature since 2015. However, in Australia, it became mandatory in 2018 due to the Australian Tax Office’s (ATO) Operational Framework that required all software companies interacting with the ATO to have multi-factor authentication.
Meanwhile, as the business world operates online and cyber attackers and hackers only get more sophisticated, modern security features like MFA offer an important layer of protection for you. Our customers will always be our highest priority.
Is MFA going to be compulsory for clients as well as partners?
Yes. We will be rolling it out in a phased approach and providing communications and instructions along the way. Please note users who don’t need to log in to Xero, like payroll employees and those who use the Xero portal and Ask portal, won’t need to set up MFA. In addition, MFA will be optional for users during any trial period but users will be required to set up MFA at the end of the trial period.
What is the value for Xero customers?
Xero customers’ account passwords are occasionally compromised, usually due to phishing or malware. Having multi-factor authentication enabled significantly reduces the risk of unauthorised access to a customer’s account, as the attacker can only get the something they know (the user’s login and password), not the something they possess, so they can’t log in. This better protects our customers from fraud and damage to their business.
Why can’t I share my password?
It’s the first rule of security: ‘never share your passwords with anyone’, not even your boss, accountant or bookkeeper.
With Xero, there are no limits on the number of users you can invite into an organisation or client file. We suggest inviting new users instead of sharing your login credentials. If you choose to share your login with other people, prepare to be annoyed with requests to log in and authenticate much more frequently. In addition, access to some key functionality might be blocked, as your activity may be classified as suspicious.
Here are some useful resources:
Where do I go if I have questions about multi-factor authentication?
What is an authenticator app?
An authenticator or authentication app generates security codes for logging in to sites that require a high level of security. These apps can be used to retrieve security codes and don’t need to have an internet connection. A mobile phone app is a typical example of an authentication app, but other forms exist, including applications for desktops and browser extensions. After installing and configuring the app to work with your account, you’ll be able to receive push notifications and security codes.
What is Xero Verify?
Xero Verify is Xero’s own authentication app that allows you to receive a push notification to verify it’s you.
Where do I get the Xero Verify app?
The Xero Verify app is available on the Apple and Google app stores. Just search for ‘Xero Verify’, then download it to your smartphone or tablet. Please note that Xero Verify can only be used to authenticate Xero accounts.
Can I use another authentication app?
Yes, but you won’t receive push notifications when using them with Xero. If you’d still like to use an app other than Xero Verify, we recommend Google Authenticator, FreeOTP or Authy. With these apps, you’ll need to type or copy the code they provide into Xero when you log in.
Does using an authenticator app mean I’m connecting my Xero data to a third party?
No. Xero Verify doesn’t connect to your Xero account, nor do other authenticator apps. Xero Verify simply provides a push notification, and they all generate a time-based numeric passcode to enter during the login process. That means if someone guesses or knows your password, it’s not enough to access your account.
Which authenticator app do you recommend?
Of course, we recommend Xero Verify. It’s the only authentication app that allows push notifications to your Xero account. However, beyond that, Xero doesn’t recommend any particular third-party authenticator app. It’s really up to you as to which app best suits your needs and the type of device you’re installing it on.
Setup and use
Do I have to authenticate each time I log in to Xero?
You’ll have the option to remember the device you’ve logged in with for 30 days, but you’ll need to authenticate again at the end of the 30 days, or if you log in with a new device or browser.
Can I use Xero Verify to authenticate outside Xero?
No. Xero Verify is only used to authenticate your Xero account.
What if I don’t want to set up MFA?
You’ll need to set up and use MFA. It’s a mandatory requirement if you want to continue to use Xero.
What is a push notification and how do I get one?
A push notification is a pop-up notification sent to your mobile device. It enables you to confirm that it’s you who’s trying to log in. You simply tap a button to approve or deny access.
When you have enabled MFA in Xero and accepted push notifications for authentication in the Xero Verify app, every time you log in, you’ll receive a pop-up message on your device asking you to confirm the login.
Does my mobile device or tablet need to be connected to the internet to receive push notifications?
Yes. To receive a push notification with the Xero Verify app, you need to be connected to the internet.
Does my mobile device need to be connected to the internet to get a passcode from Xero Verify or another authentication app?
No. Once Xero Verify or the authenticator app of your choice is installed and set up on your mobile device, it doesn’t need a mobile or wireless connection to work. Authentication apps continually generate new codes that are valid for around 30 seconds.
Why doesn’t the code work on my third-party authenticator? I keep getting an invalid code error.
You need to make sure the time on your authenticator device is in sync with Xero. Xero uses an automatic clock service to set the time, as do most mobile device service providers, so we recommend you allow your network provider to set the time automatically. Manually setting the time can lead to out-of-sync issues and an invalid code error. However, if you are using the Xero Verify app for codes, you won’t receive an error message, and what’s even better is the push notifications that Xero Verify provides.
If I choose to use Google Authenticator instead of Xero Verify and I don’t have a Google account, does this still apply to me?
Using the Google Authenticator app does not link your Xero account to Google, and does not require you to have a Google account. The Google app uses an industry-standard TOTP (time-based one-time password) algorithm.
There are also other apps you can use instead if you prefer, such as Authy or FreeOTP. Once the authenticator app is installed and set up on your mobile device, it doesn’t need a mobile or wireless connection to work. Because it’s time-based, it doesn’t connect to anything to generate the code.
If I have Google Authenticator, do I have to switch to Xero Verify?
No. You are welcome to have either. What’s important is that you have the second layer of security with MFA.
We recommend Xero Verify. It’s the only authentication app that allows push notifications to your Xero account. However, beyond that, Xero doesn’t recommend any particular third-party authenticator app. It’s really up to you as to which app best suits your needs and the type of device you’re installing it on.
Do I need an authenticator for my phone, tablet and laptop, and do my bookkeeper and staff all need one too?
Everyone logging in to Xero who has access to an organisation needs to have MFA enabled on their account. You only need one instance of the authenticator app for each person to be able to log in to their Xero account.
Can you set up multiple authenticators on one mobile device?
Yes, but Xero Verify is the only one that sends a push notification, which is the easiest way to confirm that it’s you.
I don’t have access to a smartphone at work. How can I use multi-factor authentication?
You can install an authenticator app on your desktop.
Can I verify my identity another way?
Yes. You can choose to use a backup email or security questions.
What is a backup email?
We’re making it easier to access Xero if you lose your mobile device. You can specify a backup email address when you set up MFA to provide a fallback option if Xero Verify or your other authenticator app isn’t available. You should use a strong and unique password with your backup email.
I’m locked out. How long will it take for customer service to unlock my account?
Xero has put extra resources in place to help businesses who experience this issue. Please log a case immediately and someone should be in touch within a few hours.
In the meantime, please try using one of the alternative methods (security questions or backup email) to authenticate yourself, and let us know what you’ve tried so far.
I’ve lost my phone. How do I get back into my account?
You can use your backup email or security questions. Be sure to go into your ‘Account settings’ page and remove your device. When you replace your device, you’ll need to set up MFA on your new device.
If I forget my phone, how do I get back into my account?
After inserting your username and password, choose your backup email address or security questions.
How do I use multi-factor authentication with a new mobile device?
You use your existing multi-factor authentication setup when moving MFA to a new mobile device. Just change the device under ‘Account settings’ in your account to your new mobile device. Visit our guide to using MFA with a new device for step-by-step instructions.
Does the time setting on my mobile device matter?
Not for Xero Verify. However, if you are using a third-party authentication app (Google Authenticator, Authy, etc), you need to make sure the time on your authenticator device is in sync with Xero. Xero uses an automatic clock service to set the time, as do most mobile device service providers, so we recommend you allow your network provider to set the time automatically. Manually setting the time can lead to out-of-sync issues and an invalid code error.