2sa-authentication

2SA and the authentication process: It’s fundamental to good security

For many Xero customers in Australia, using two-step authentication (2SA) to access their Xero account is now mandatory – and you will start to see this security being enforced more throughout the year, in line with ATO recommendations. Wherever you are in the world, we recommend all of our customers use 2SA to better protect their data and reduce the risk of malicious access to the sensitive personal and financial information that’s held in their Xero account. 

Over November and December we are rolling out single sign-on with Xero + 2SA for all WorkflowMax users. For our Australian customers 2SA will be mandatory, but 2SA, 2FA, MFA (two-factor or multi-factor authentication) or 2SV (two-step verification) all add another layer of security that makes it significantly harder for someone to get access to your account, even if they have somehow managed to get hold of your password.

We also recommend that customers use 2FA, MFA or 2SV to protect their email accounts, and all other online accounts that contain sensitive information. All too often we see email account compromises that result in invoice fraud and malicious access to other unrelated accounts.  

But it’s also important to be aware that these solutions are not a magic wand to protect you, and you still need to be vigilant when it comes to the risks of phishing and clicking on links or attachments.

Please always check the URL of the page you are being asked to log into to access Xero. You should only ever enter your Xero login and password credentials into Xero’s login pages at the URLs https://login.xero.com/ or https://practicemanager.xero.com/.

You also need to keep the software on your device up to date and use good anti-malware software to prevent someone potentially infecting and taking control of your device.    

How does the authenticator app work?

As we’ve rolled out 2SA, we’ve had a lot of questions from our customers about the authenticator app that’s required for using 2SA. I’d like to clarify what it’s all about.

The authenticator app that you need to install in order to use 2SA generates a six-digit time-based one-time password (TOTP) that changes every 30 seconds. (If you enjoy a bit of technical reading, RFC 6238 defines the requirements for the TOTP algorithm that generates the authentication code.)  

You can choose an authenticator app

A number of companies have developed authenticator apps to the RFC 6238 specification for use on a variety of devices. One of the most well known is Google Authenticator. Using Google Authenticator in no way links your Xero account to Google. Once the app is installed on your device, it can be used for multiple services that use TOTP authentication. You also have the choice of using other authenticator apps, including those from Authy who provide TOTP apps for Android, iOS, Windows and MacOS. There is no specific Xero-branded authenticator app.

You choose the device

A number of customers have raised concern that they don’t have a smartphone or adequate room on their phone to install an authenticator app. The great news is that with the variety of providers in this space, you can usually find an option to suit your needs and preferences – whether you install on any breed of phone, or the desktop of your computer.

How it works

So what actually links an authenticator app to your Xero account? Well, when you enable 2SA you’re asked to scan a QR code with the authenticator app. If you’re not able to scan the QR code, you’re asked to enter a secret key manually. That secret key is unique to your Xero account and is used as input to the TOTP algorithm to generate the authentication code, so no two Xero accounts generate the same TOTP code. Xero uses the same secret key for your account to generate a code at our end and to match the code you provide at login to verify it’s you.

Keeping time in sync

Because the TOTP code is time-based, no network connection is required to generate the code.  Even if you’ve got no signal on your phone and can’t make a call, your authenticator app will keep rolling over a new code every 30 seconds. What you do need to make sure of though, is that the time on your authenticator device is in sync with Xero. We use an automatic clock service to set our time, as do most mobile phone service providers, so we recommend setting your smartphone up to allow your network provider to set the time automatically. Manually setting the time can lead to out-of-sync issues and an invalid code error.

Visit Xero Central for more information about 2SA in Xero.

Security is a joint responsibility

Security is of the utmost importance for Xero and like every other online business we must be constantly vigilant and educate customers on how to protect against phishing attacks and account takeovers. We’re all responsible for using good security procedures and continually investing in online security. As an online community we need to work together to ensure we’re all protecting one another and keeping our data safe from cyber criminals.

For more information, visit Xero’s security page; get updates on the latest security issues on Xero’s security noticeboard; and forward any suspicious, Xero branded emails to phishing@xero.com.

Related Articles