Stay safe online with Xero login + two-step authentication

978 million people in 20 countries were affected by cybercrime in 2017. One in four small businesses experienced a cyber attack or hacking attempt in New Zealand and Australia (Norton Cyber Security Insights Report 2017 Global Results).

Practicing sensible cyber safety has become a necessary part of modern life. Just one easily guessed password can stop your business in its tracks.


Xero takes data security extremely seriously and we’re pleased to extend the use of single sign-on (SSO) using Xero login, along with two-step authentication (2SA) to all of our WorkflowMax users.  

As the business world operates online, cyber attackers and hackers only get more sophisticated. Modern security features such as this offer an important layer of protection for you.  



For all our users globally, SSO becomes optional from Tuesday 6 November (NZDT) and will be mandatory from Tuesday 4 December (NZDT).

In addition, for our Australian users, in accordance with recent Australian Tax Office requirements, the use of 2SA will become compulsory at the same time.

How to set up Xero login

  1. Navigate to WorkflowMax login

    Navigate to your usual WorkflowMax login screen. You will be redirected automatically to the Xero login screen.

  2. Link your existing Xero login to WorkflowMax

    If you already have a Xero login, enter your Xero credentials to link this to your WorkflowMax account, and from now on you’ll simply select the “login with Xero” button each time you login.

  3. Create a Xero login if you don't have one

    If you’ve never had a Xero login, you’ll need to follow the steps to create one now, using a unique email and password.

  4. Your new Xero login

    This will now be your login across all Xero products and more importantly, will replace your old WorkflowMax login. Don't worry you don't have to be a Xero subscriber to use Xero login, it's free. Remember, all people in your team who log into WorkflowMax will need to set up a unique Xero login - no sharing email or passwords.

How to set up 2SA

  1. Step 1 - Download authenticator app

    Download an authenticator app to your phone (or desktop if you don't have a smartphone) from your app store. We suggest Google Authenticator and Authy.

    app-store google-play

  2. Step 2 - Sync the app with Xero

    Follow our WorkflowMax Support Centre instructions or watch our videos below to sync the authenticator app to your Xero login and set your security questions.

    Watch instructional videos

  3. Step 3 - Logging in to Xero

    Next time you login to Xero, you'll need to enter your email and password as per usual, then open your authenticator app and enter the passcode to sign in.


2SA Device set up

iPhone Set up


Android Set up

Android Setup

Desktop Set up


Ready to secure your data?
Download the Google Authenticator here
app-store google-play

Additional ways to secure your data

  • Set up an alternative email in case you need another way to verify who you are
  • Keep your software up to date; that includes the apps on your phone
  • Keep your login details to yourself. 
  • Use strong, unique, private passwords (not your cat's name!)

Frequently asked questions

Our customers occasionally have their account passwords compromised, usually by falling victim to phishing or malware. Using SSO with Xero + two-step authentication significantly reduces the risk of unauthorised access to your account as the attacker can only get "the something they know" (like your login and password), hackers can't usually get "the something they possess" (like the unique passcode generated by the app on your phone), so they can’t log in. This better protects yourself from fraud and damage to your business. 

Our lives are increasingly digital but many people still use and share weak passwords that are easily guessed, or fail to keep software and anti-malware up to date. For this reason, two-step authentication is being used more and more in everyday situations where security and privacy are important, including access to online banking and email.

What may appear to be temporarily inconvenient has been proven to significantly reduce the risk and inconvenience of a compromised account.

Yes, you’ll be able to use your Xero login on your mobile device (iOS and Android). But first, you will need to set up Xero login and 2SA (if applicable) on the web application. Then make sure to upgrade to the latest iOS or Android version to use your Xero login on your mobile.

There’s no specific Xero-branded authenticator app. Instead, you can choose from a number of industry-standard authenticator apps. Options include Google Authenticator, FreeOTP and Authy. Just search for ‘authenticator’ from your device in the app store and you’ll see the options available.
No, the authenticator app doesn’t connect to your Xero/WorkflowMax account. It simply provides a one-time time-based numeric passcode that's used as an extra security step during the login process. This means that knowing or guessing your password is not enough to access your account - the passcode is required as well.
For greater security, it’s preferable to have the authenticator app on a different device from the one you use to log in to Xero. But if that’s not possible, you can install an app such as Authy on your laptop or desktop computer. Suggested authenticator apps for phones and desktop computers are listed in one of our other support articles.

No. Once the authenticator app is installed and set up on your mobile device, it doesn’t need a mobile or wireless connection to work. Because it’s continually generating new codes that are only valid for 30 seconds, it doesn’t need to connect to anything.

What you do need to make sure of though, is that the time on your authenticator device is in sync with Xero. Xero uses an automatic clock service to set the time, as do most mobile phone service providers, so we recommend you allow your network provider to set the time automatically. Manually setting the time can lead to out-of-sync issues and an Invalid code error.

If you still need help, please contact