Xero Tip Of The Month March 2016 - Two Step Authentication

Introducing Xero’s new security feature – Two Step Authentication

Data security is an industry-wide issue and it is Xero’s number one priority. Phishing scams that attempt to steal account names and passwords are an ongoing issue for all online and financial services, so it’s vital that businesses everywhere who use these services ensure they have strong security practices and keep their information secure. Security is an issue that everyone needs to take seriously.

On the back of recent security updates, Xero have released Two-Step Authentication for all Xero customers, providing an additional layer of security for all Xero user accounts. Two-step authentication can help keep your Xero account from being compromised by phishing and malware.

Two-Step Authentication verifies the identity of a customer logging into the Xero dashboard by requiring them to use their existing password and a second, unique code randomly generated by the Google Authenticator app on their smartphone, each time they log in. Based on security best practice, Two-Step Authentication means only the Xero user with access to that trusted device will be able to log in, making it more difficult for unauthorised people to access their data.

So you’re probably asking yourself right now, “How does Two-Step Authentication work?”

When you have Two-Step Authentication enabled, you need to use a second method to log in to Xero. In addition to your standard Xero username and password, you also have to enter a six-digit code provided by a separate app on your smartphone, Google Authenticator.

If you don’t have your mobile device available when you need to log in to Xero, you will be able to fall back to answering questions you set up when you enabled Two-Step Authentication in order to gain access to Xero. The fallback questions should only be used when necessary and not as a regular alternative to the authenticator app.

Watch the video below to see how to set up and use Two-Step Authentication.

In addition, Xero’s Two-Step Authentication will have trusted device recognition. You’ll be able to select “Remember me for 30 days” as an optional setting. If you select “Remember me for 30 days”, you won’t need to perform the second authentication step on that device for 30 days.

For this initial release, individual users have the option of enabling Two-Step Authentication when they log in to Xero. From within the Users Settings page, a Subscriber, or a user with Manage Users access, can see which users of their organisation have enabled Two-Step Authentication. Depending on the uptake of the feature, and the feedback we receive, we may look into making this an organisation-level setting enforceable by the Subscriber.

To find out more about Two-Step Authentication, please review Xero’s Help Center.

Security is a constantly-evolving issue for the tech industry and we strongly encourage all Xero users – and technology users in general – to remain vigilant about the online solutions they use. If you have any questions about this area, please check Xero’s Security Page.
