Protecting their partners and their small business clients is critical to the Xero team's development of a trusted platform. By mandating the use of two-step authentication (2SA) in Australia, they’ve been able to ensure they’re doing whatever they can to secure your data and the personal information stored in your subscription.
This vital layer of security was first enforced in 2018 in response to the ATO’s revised online security criteria, and it resulted in a major decrease in suspicious behaviour. They’ve started to develop the 2SA process as a result of users’ positive suggestions.
Xero is also rolling out multi-factor authentication (MFA) to satisfy security standards around the world, so they can keep putting their customers’ protection first.
You might ask, why are they doing this now? In recent years, the number of cyber-attacks aimed at gaining access to online accounts and stealing personal and company information has risen significantly. As guardians of your data, the Xero team went the extra mile in securing Xero as the most trusted platform for small businesses.
What does this mean for Australian Customers?
Current customers who have previously been authenticated will not be required to do so again. New customers, however, will adopt a more streamlined and simpler MFA flow starting on March 2nd, with the option to use the Xero Verify app from the start (they can also use Google Authenticator or another app of this nature).
What’s the difference between 2SA and MFA with Xero?
2SA and MFA are both additional levels of authentication that prevent someone other than you from accessing your account, even if they know your password. Users who have 2SA enabled will continue to use their current configuration with MFA. New users, as well as those who disable 2SA and enable MFA, will benefit from the new simplified setup process, as well as the added convenience of push notifications if they decide to use the Xero Verify app.
Why did Xero decide to work on a new solution?
The team at Xero is constantly working to make their products easier and safer for us as users. After rolling out 2SA in Australia, they took the lessons on board and built an MFA approach that blends better with the Xero experience, making it all the easier for users.
What is Xero Verify and who needs to use it?
To give you fast, simple and safe access to your Xero account using MFA, Xero has built their own authenticator app, Xero Verify. This free app is available in the Apple and Google app stores. Simply search for ‘Xero Verify’ and install it on your mobile or tablet. Note that Xero Verify can only be used to authenticate Xero accounts. They know we’re busy, so they made it gorgeously quick and simple to use.
Is Xero Verify safe? How do I know it will stop someone from accessing my clients’ accounts?
Xero Verify is designed using the highest security criteria to ensure that access to your account is in secure hands. It doesn’t bind to your Xero account or other authenticator software. Xero Verify merely delivers a push notification, creating a time-based numeric passcode to be entered during the login process. This means that if anyone guesses or learns your password, that’s not enough for them to gain access to your account.
I’m confused, are you making us switch to something new?
Definitely not. If you have already activated an authenticator app (like Google Authenticator), then you and your current clients are free to continue using it. What’s important is that you’ve got a second layer of security. However, we do suggest Xero Verify, as it is the only verification app that lets you use push notifications with your Xero account, making the whole process faster and simpler for you and keeping everything in one place.
How do you switch from the current authenticator app to Xero Verify?
After signing in and authenticating yourself, go to the ‘Account’ configuration tab under ‘Additional Security’ and select ‘Change Device’ to access the new authentication method. You will be given the option to select Xero Verify. Follow the steps to set it up and accept push notifications.
I had difficulties with 2SA, is the new MFA process easier?
The new experience guides you visually through each step, making it quick and easy to use. Better still, it only takes about five minutes to set up, all of which saves you time and effort.
Does this mean I now have different clients with different authentication experiences?
There is no change for current users. Once authenticated, they will just have to log in to Xero and use their preferred authentication app (entering a one-time code in the same way they do now).
New users will have the option of using Xero Verify, Google Authenticator or a desktop authenticator such as Authy. After setting up MFA, any time a new user signs in to Xero, they will authenticate themselves with a push notification via Xero Verify or a one-time code via Google Authenticator or a desktop app.
Once my client has set up MFA, do they have to authenticate every time they login?
When you authenticate yourself, you can postpone the prompts for 30 days by having the account you signed in to remembered. You will need to authenticate again at the end of the 30 days (or if you log in using a new laptop or browser).
As always, the Xero team and AURIC Financial are here to help you if you have any questions or complaints – while ensuring that you and your clients are safer and more secure.
Dai is a Master of Business Administration graduate of the University of New England, Registered BAS Agent and member of the Institute of Certified Bookkeepers. For 16 years he owned, operated and managed businesses in the tourism and hospitality industry – particularly Accommodation, Event Management, and Food & Beverage Management. In recent years, Dai has worked in the Not for Profit sector, Real Estate, Motorsports, and Motor Trades industry and business services, in Finance, Administration, and Practice Management roles, before becoming a Professional Bookkeeper in 2009.