Xero Mandatory Two Step Authentication – A Quick Guide For Accountants

Xero’s new mandatory Two Step Authentication (2SA) process makes logging in a little harder… but it’s all for good cause. In this article, we’ll explain what these changes mean for your accounting business, and how to login correctly to minimise disruption to your team’s workflow.

To be specific, we’ll explain:

  • Why the ATO requested that Xero activate Two Step Authentication (2SA)
  • How to set up Two Step Authentication
  • Merging your XPM and Xero log-ins

Why Did Xero Make These Changes?

As you may be aware, there’s been a significant increase in high-profile data breaches recently. Reported cyber-crime has grown more than 35% annually since 2015. Cyber criminals get more sophisticated by the day, and businesses are having to move ever faster to evolve their systems to stay ahead.

If you’re a Practice Protect user, you’ve already got your head around the potential implications of this for your business – and you’ve taken the necessary steps to protect your clients’ data.

Adding extra layers of security to systems that carry sensitive personal information is important – but there’s no denying it can create challenges for team members as they adjust.

New laws passed in February by the Federal Government will also have an impact for many businesses. The laws make it mandatory to report to your clients if the systems holding their data are breached. This can be time-consuming, costly and embarrassing for organisations caught out.

With Practice Protect, you’re protected against this, but it’s not much of a surprise that big organisations like the ATO are ramping up their data security even further.

The ATO Called For An Extra Layer Of Security

On 1 March, changes to Australian Tax Office (ATO) regulations kicked in, stating that all accountants and bookkeepers who use software to interact with its site are now required to use a two-step authentication (2SA) at log-in.

That means that rather than just logging in with the traditional email and password combination, which has become increasingly vulnerable to hackers, you’ll have to step through an additional layer of security by logging in with a second unique code generated on another device (an app on your phone, for example).

You’ll need an authentication code each time you sign in, although you can set an option to use one code for 30 days.

From March, if you don’t have 2SA set-up, you also won’t be able to access Xero Practice Manager, Xero Tax or Xero HQ.

You may already have experienced a 2SA system for your personal banking or other Government log-ins. This change is an anticipated, and necessary, improvement to the ATO’s security procedures and will mean the system – and your clients’ data – is less vulnerable.

However, like many changes, it may take a bit of getting used to. Here’s our guide for making the changes as easy as possible for your business.

Setting up Two Step Authentication (2SA)

We recommend setting up the 2SA for all users within your team as soon as possible if you haven’t already.

For step-by-step instructions on how to setup 2SA, click here.

If your team includes members who don’t have a mobile device that can be utilised to set up 2SA, setting up Windows Authenticator on their work PC is a good alternative.

Merging Your XPM and Xero Log-Ins

There have been prompts towards a new merged log-in popping up in some XPM users’ portals since January, so you’re probably already aware that Xero and XPM log-ins will now be merged into one.

The merging of the logins for XPM (Green) and Xero (Blue) into one single log-in is another important step forward in security and a necessary part of the switch to 2SA.

The company has not announced a schedule on when switching to the merged log in will become compulsory, but it’s expected to be soon and will likely be rolled-out to users in stages.

We recommend having your 2SA set up before going through the process to merge your logins (for those instructions again, click here.)

Once you’ve set up your 2SA, it’s time to merge the log-ins.

The Best Way To Merge

When it comes to the merge of your XPM or Xero portal log-in into the new joint log-in, there’s two ways to proceed. You can go it alone, or we’ll walk you through it if you schedule a session with us here.

As mentioned above, users have reported seeing the prompts to merge in their Practice Protect Portals for a couple of months.

It looks like this:

If you’d like us to walk you through it, ignore any prompts to merge your log-ins when logging in to your XPM or Xero portal for the moment by clicking ‘I’ll do this later’

If you feel comfortable to go it alone, follow the prompts to do so – but we recommend opening a second browser tab (right click and duplicate tab) and making sure it’s also logged before logging into XPM and following the steps.

Getting familiar with these changes  is key to minimising any disruptions to your business and, as always, remember our team is on hand to offer support if you need it.

About the author – Jamie Beresford, CEO of Practice Protect. A business that specialises in helping accountants secure data and mitigate risk with done for you technology, training and policy so busy firms can keep their reputation secure and get on with doing business with confidence.

Get Started With Practice Protect By Requesting A Free Cloud Security Consultation

The fastest and easiest way to learn more is to call us on 1300 010 114 or click here to schedule your free Cloud Security Consultation.