Changes to multi-factor authentication are coming for Australian customers
Over the last few years, our lives – and businesses across the world – have moved online at a rapid pace. Unfortunately, cybercriminals have followed and are using new, digital methods to target Australians. At Xero, we are custodians of your data and do all we can to protect the information held in your account.
One of the ways we do this is through multi-factor authentication (MFA), a process designed to secure how you log in to Xero and verify it’s really you. An upcoming Australian Tax Office (ATO) update to its MFA requirements means that anyone who accesses an Australian organisation, wherever they are in the world, will need to re-authenticate their device with MFA at least every 24 hours when logging in to Xero.
So, tell me more about what’s changing with MFA?
Many of our Australian customers will have started using MFA back in 2018, when it was first required by the ATO. Throughout 2021, Xero rolled out mandatory MFA for users in all other countries. Today, every Xero customer must use MFA when they log in.
Recently, in response to growing cybersecurity threats, the ATO updated its requirements around MFA for software providers like Xero. Under the updated requirements, the length of time a device can remain trusted must be limited to 24 hours for cloud-based business applications such as Xero.
From early October, ‘remember me on this device’ will change. Currently, once you have completed MFA (for example with the Xero Verify, Google Authenticator or Authy apps), Xero remembers the specific device you signed in from and lets you skip the MFA step on that device for 30 days. With this update, the trust window shrinks to 24 hours: you will need to re-authenticate on each trusted device (such as a laptop, tablet or phone) at least once a day.
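To make the change concrete, here is an added illustration (not Xero's code, and not a description of how Xero implements device trust) of how a server-side ‘remember this device’ token can be issued and checked so that the trust window is enforced by the server rather than by the browser. The token binds the user and device identifiers to the time of the last successful MFA step under an HMAC, and the maximum age is a server-side policy applied at verification time, so moving from a 30-day to a 24-hour window takes effect immediately, even for tokens that were issued before the change. The key, user and device identifiers are constructed for the example.

```python
import base64
import binascii
import hashlib
import hmac
import json
import secrets

# Constructed for this example. In production the signing key lives in a
# secrets manager or HSM and is never generated at import time.
SERVER_KEY = secrets.token_bytes(32)

OLD_TRUST_WINDOW = 30 * 24 * 3600  # the previous 30-day 'remember me' window
NEW_TRUST_WINDOW = 24 * 3600       # the 24-hour maximum described on the page


def trust_window_is_compliant(window_seconds: int) -> bool:
    """Policy check: a trusted-device window may not exceed 24 hours."""
    return 0 < window_seconds <= NEW_TRUST_WINDOW


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_trust_token(user_id: str, device_id: str, issued_at: int,
                      key: bytes = SERVER_KEY) -> str:
    """Mint a device-trust token immediately after a successful MFA step.

    The token records who it was issued to, which device it was issued to and
    when the MFA event happened. It deliberately does not carry an expiry:
    the server decides the allowed age when the token is presented, so a
    policy change applies to every token already in circulation.
    """
    payload = json.dumps(
        {"uid": user_id, "dev": device_id, "iat": issued_at},
        separators=(",", ":"), sort_keys=True,
    ).encode()
    tag = hmac.new(key, payload, hashlib.sha256).digest()
    return _b64(payload) + "." + _b64(tag)


def verify_trust_token(token: str, user_id: str, device_id: str, now: int,
                       max_age: int = NEW_TRUST_WINDOW,
                       key: bytes = SERVER_KEY) -> bool:
    """Return True only if MFA may be skipped for this user on this device.

    Every failure path returns False so the caller falls back to a full MFA
    prompt; there is no 'partially trusted' state.
    """
    try:
        payload_enc, tag_enc = token.split(".")
        payload, tag = _unb64(payload_enc), _unb64(tag_enc)
    except (ValueError, binascii.Error):
        return False  # malformed token
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        return False  # tampered with, or signed with a different key
    try:
        claims = json.loads(payload)
    except ValueError:
        return False
    if claims.get("uid") != user_id or claims.get("dev") != device_id:
        return False  # token replayed from another user or device
    issued_at = claims.get("iat")
    if not isinstance(issued_at, int) or issued_at > now:
        return False  # forged or future-dated issue time
    # The age limit is applied here, not baked into the token.
    return now - issued_at <= max_age


if __name__ == "__main__":
    t0 = 1_700_000_000  # constructed timestamp of a successful MFA login
    token = issue_trust_token("alice", "laptop-1", t0)
    one_hour_later = t0 + 3600
    next_day = t0 + 25 * 3600
    print("1h later, 24h policy :", verify_trust_token(token, "alice", "laptop-1", one_hour_later))
    print("25h later, 30d policy:", verify_trust_token(token, "alice", "laptop-1", next_day, OLD_TRUST_WINDOW))
    print("25h later, 24h policy:", verify_trust_token(token, "alice", "laptop-1", next_day))
```

The same token that would still skip MFA under the old 30-day policy is rejected after 25 hours under the 24-hour policy, with no change to the token format or to anything stored on the client.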
When will this happen?
The 24-hour limit on Xero’s trusted-device window will start from early October. From then, you’ll need to authenticate with MFA daily when you log in to your account.
Why is this being changed for Australian customers?
This is a regulatory change from the ATO, intended to strengthen the cybersecurity measures that protect your valuable data. Think of all the critical information stored within your Xero account; it’s important to keep this safe.
You’ll likely remember when MFA was first mandated by the ATO. Just like last time, Xero is updating its platform to comply with this change and make it a smooth transition.
What if I’m in another country, like New Zealand, but access an Australian organisation in Xero?
This change doesn’t just apply to users in Australia but to anyone, anywhere in the world, who accesses an Australian organisation, even if it’s just one Australian organisation that you log in to. This is because you are accessing information (including personally identifiable information) that falls under the ATO’s remit.
Do I need to make any updates myself?
No. The Xero platform will update automatically in early October. Since all Australian customers already use MFA, you won’t have to change anything about how you log in to Xero, other than authenticating daily. This means you can continue to use your usual verification tool, whether it’s Xero Verify or a third-party app like Google Authenticator.
Why is cybersecurity so important and should I be worried?
Security has always been important at Xero and we want to keep your valuable business data safe. Since the start of the pandemic, activity by cybercriminals has been on the rise in Australia. As our lives have moved more and more online, so too have the approaches of cybercriminals.
They’ve continued to evolve and use increasingly sophisticated ways to entrap victims online. One of the most common types of cybercrime is phishing, which tricks you into clicking on a fraudulent email, text message or web link and entering your login details, so that the attacker can access your online accounts and steal your personal and business information.
How does MFA help protect me against cybersecurity threats?
MFA is one of many important tools used to safeguard against cybersecurity threats. It’s a security process that requires at least two different factors, something you know (your password) and something you have (your mobile device or authenticator app), before you can enter your account.
This second layer of security is designed to prevent anyone else from accessing your account, even if they know your password, which is precisely what a phishing attack sets out to capture. In fact, research shows that MFA can prevent up to 80% of data breaches.
This is taking a bit of extra time and I’m super busy. Is there an easier way to verify every day?
We know this change may be a little different to how you’re used to logging in to Xero. You can keep on using any verification tool that you like, but we do suggest giving Xero Verify a go if you’re after a more streamlined solution. It was launched last year, so you might not have had a chance to test it out yet. Trust us though: it’s a game changer.
Why should I consider using Xero Verify?
Xero Verify provides fast, easy and secure access to your Xero account using MFA. It’s the only authenticator app for Xero that lets you approve a login with a push notification, and it can also generate a time-based numeric passcode that works without any internet connection, so you can always access your Xero account.
The free app is available on the Apple and Google app stores – just search for ‘Xero Verify’, then download it to your smartphone or tablet. The set up takes approximately five minutes and will make signing in a breeze.
Do I have to switch to Xero Verify?
No. You can keep using the authenticator app you already have. We suggest Xero Verify because it supports push notifications, which makes daily authentication seamless.
What does this mean for Xero’s mobile apps?
Xero’s suite of mobile apps, such as the Xero Accounting App, Xero Expenses and Xero Projects, will also be affected by these new requirements. When the new versions are released, you will no longer be able to choose the lock option ‘Don’t lock it’. You will need to either set a security code, which is already available on iOS and will be available on Android for the first time, or use Face ID.
What if I normally share my login with members of my team?
Shared logins reduce the security of your Xero account. The more people who know a login, the more likely it is to be compromised, and with a shared login you cannot tell who actually performed an action. Everyone who accesses an organisation in Xero should have their own login details (as required by our terms and conditions).
If they don’t already, now is the time to make sure everyone is set up with their own login and their own MFA device so they can use Xero securely.
You can read more about MFA, and troubleshoot any issues you run into, in Xero’s support pages.