Extend timeout

Started by Jeff N in Feature Requests | Done!

Does anyone else think the timeout should be extended to at least one hour if not longer? Or be configurable per user? I would be interested to know why Xero believe I should be locked out of my own accounts system if I don't touch it for 30 minutes.

We're serious about security and the 30 minute rolling time-out (only times out after inactivity) is one of the things we've implemented to ensure good safe practices. We know not everyone works in a public space and might find this time-out restrictive but we have people's business data to protect. We always have in mind ways to improve this while remaining secure.

Catherine Walker (Community Manager)

Catherine thank you for your reply. With respect that is not an answer and takes this no further on.

I am serious about security too. I don't need you to be serious for me. Every company which uses Xero is presumably owned or staffed by adults, and I think it is up to each company to decide what their own security arrangements are, don't you?

You have people's business data to protect in the sense that your customers trust you to ensure your data centres are secure from physical and cyber threat. You are not responsible, nor should be expected to be responsible, for what happens on your customers' desktops. That is their concern.

I rather suspect that this is more to do with Xero not wanting to pay for more open ports on their servers.

When you say you have in mind ways of improving this, may I ask what they are? Why can you simply not provide your customers with a choice of timeout which suits their business?

Jeff N

Just pulling the same conversation/poll started on LinkedIn into here as well: Should the 30 minute timeout be changed?

Catherine Walker (Community Manager)

FYI, our Security Architect has posted an explanation on this and remembering login settings on this thread, "Remember me checkbox on Xero login page", with more to come.

Catherine Walker (Community Manager)

I would also appreciate such a feature.

Catherine, you mention this timeout only applies during times of inactivity, but this is not the case when using features like the budget manager.

It can take some time to update the budget manager to make it current with all the budget information, but interacting with the screen doesn't seem to update the time-out and you end up losing all your data when you choose to save due to a time-out.

This is very frustrating for our accounts team.

Paul Velonis

@Paul - indeed you're right. Unfortunately the Budget Manager page works differently to the other pages and we're not able to continually save. You need to remember to manually save every 10-15 minutes. With the recent release of exporting, editing and importing the budget, does that give you an option for time-consuming work you need to do on the budget?

Catherine Walker (Community Manager)

I 100% agree that it should be configurable, I am so tired of continually entering my email and password that it really should be up to me as to when I want to time out (or never). All it takes is a little interruption and next thing you know it's the password screen again (notwithstanding that Xero actively stop browser password manager from activating).

I agree with Jeff, we don't need hand-holding on security, not many other desktop apps ask for a login every 30 mins (or even at all). Let's face it, Xero is not a bank site and I can't make payments from Xero, so it's not that important. The security I desire from Xero is the data on YOUR servers, not my local session.

Looking at other comments on other questions, I quite like the 'known computer' idea, i.e. this PC on this IP can stay logged in forever, otherwise default settings. Known computer could be verified by email confirmation.

In the meantime, I need to resort to LastPass or this page loading add-on https://addons.mozilla.org/en-US/firefox/addon/reloadevery/ to allow me to just do my work.

Nick Crossman

I find it frustrating to be interrupted with real life stuff and come back to xero and what I was doing to then find the transaction I was originally searching for after scrolling the page, click on the link for it, and then be asked for the email and password again!
I agree also that we don't need such hand holding - when I step away from my computer I lock the desktop, as it's not just xero that has the sensitive information! Besides, it's quicker to unlock the desktop with just my password, than to re-login to xero with both the email address and password!
Could we at least have the time-out password prompt be just that, a password prompt? And remember our login email address from the page that is still in limbo in the background?

Stephanie Rockell

Configuration of the timeout would be great. I lock my desktop when I'm away but find the 1/2 hour timeout frustrating when I get a phone call and come back to my Xero window and I need to login again.

Avery Dorland

I agree, the timeout is frustrating. Xero, I appreciate your efforts to manage my security, I'd like you to put as much effort into addressing all the other feature requests here. I like your product but I am getting a little frustrated at the lack of functionality.

Lee Featherby

Hi everyone. As per this other voting thread on the same topic, the timeout was extended to 60 minutes in the last feature release. Thanks for all of your feedback!

Jules Desmond (Community Manager)

60 minutes is a good step but I am a developer using the API and I would like it totally configurable, e.g. up to 24 hours.

Bryan Wilkins

This should be User configurable as someone that sits at his desk most of the day I am sick to death of having to continually reenter my password.

Bruce Bromley

I just had the budget scare and searched for this feature request. I spent an hour (evidently) working on my budget and then was suddenly logged out. I use Google Apps to log in so I don't even know my password. Fortunately I was able to log in again on another tab and then was able to click save in my budget tab, but it was quite a scare.

Timeout as a security measure is a bit of a false comfort. If I care about security, I set a password on my screen saver at 5 minutes. If I really had a malicious employee and stepped away from my computer, 60 minutes or even 30 minutes is plenty of time for them to get at whatever they want to get at.

A more logical type of security would be a general timeout set by the customer and then secondary verification based on a shorter time out for cash or major export transactions, perhaps with a secondary short PIN just for those more sensitive transactions.

Daniel Helsten
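The layered design proposed in the post above (a customer-set general timeout plus a shorter re-verification window for sensitive transactions), sketched as an added example; it is not Xero's code and not part of any post. The action names, the 5-minute and 24-hour bounds and the 5-minute step-up window are assumptions; the 60-minute default is the value the thread reports.

```python
from dataclasses import dataclass
from enum import Enum

# Assumed bounds: the customer may choose an idle timeout, but only inside
# limits the service sets. 60 minutes is the default reported in the thread.
MIN_IDLE_S = 5 * 60
DEFAULT_IDLE_S = 60 * 60
MAX_IDLE_S = 24 * 60 * 60
STEP_UP_WINDOW_S = 5 * 60  # assumed: how long a PIN / second-factor check stays fresh

# Hypothetical action names for the "cash or major export" class of operations.
SENSITIVE_ACTIONS = {"payment.create", "data.export", "invoice_template.edit_bank_details"}


class Decision(Enum):
    ALLOW = "allow"
    STEP_UP = "step_up_required"  # session stays alive, ask for PIN / second factor
    LOGIN = "login_required"      # idle timeout reached, full re-authentication


@dataclass(frozen=True)
class TimeoutPolicy:
    idle_timeout_s: int
    step_up_window_s: int


@dataclass
class Session:
    last_activity: float     # server-side timestamp of the last authorized request
    last_strong_auth: float  # timestamp of the last password / PIN / 2FA check


def make_policy(requested_idle_minutes=None):
    """Build a policy from the customer's setting, clamped to the service bounds."""
    if requested_idle_minutes is None:
        idle = DEFAULT_IDLE_S
    else:
        idle = max(MIN_IDLE_S, min(MAX_IDLE_S, int(requested_idle_minutes) * 60))
    # The step-up window is never longer than the general timeout.
    return TimeoutPolicy(idle_timeout_s=idle, step_up_window_s=min(STEP_UP_WINDOW_S, idle))


def authorize(policy, session, action, now):
    """Decide on one request. Evaluated server-side on every call, so a stale
    browser tab cannot extend its own session."""
    if now - session.last_activity >= policy.idle_timeout_s:
        return Decision.LOGIN
    # Any authenticated request counts as activity (sliding idle timeout).
    session.last_activity = now
    if action in SENSITIVE_ACTIONS and now - session.last_strong_auth > policy.step_up_window_s:
        return Decision.STEP_UP
    return Decision.ALLOW


def complete_step_up(session, now):
    """Record a successful PIN / second-factor check (verification itself is out of scope)."""
    session.last_strong_auth = now


def run_demo():
    """Constructed timeline: customer chose an 8-hour timeout, logged in at t=0."""
    policy = make_policy(8 * 60)
    s = Session(last_activity=0, last_strong_auth=0)
    results = []
    results.append(authorize(policy, s, "invoice.view", 3600))     # idle 1h, still in
    results.append(authorize(policy, s, "payment.create", 3700))   # strong auth is stale
    complete_step_up(s, 3710)
    results.append(authorize(policy, s, "payment.create", 3720))   # fresh step-up
    results.append(authorize(policy, s, "invoice.view", 3720 + 8 * 3600))  # idle 8h
    return results


if __name__ == "__main__":
    for decision in run_demo():
        print(decision.value)
```

With this split, lengthening the general timeout does not widen the window in which an unattended session can move money or export data.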

+1 to have this configurable per user/account for up to 24 hours - or at least 8 hours to cover a typical workday? Security risk for me is negligible but convenience is very important.

Belinda Harris

I totally agree with the self config option - I work from a home office so the 24 hour timeout would be ideal in this environment.

Caroline Rose

YES PLEASE make it configurable and SOON!

Amanda Inskeep

I agree with the previous comments...

I work from home and the only person here is me, so there's no risk of anybody walking up & using my PC. I frequently need to "step away" from Xero, either physically or to use other apps.

If I was running a standalone accounting package on my PC, it wouldn't timeout (but as a previous poster mentioned I could just set my screensaver if I was concerned).

Surely, if server resources are scarce, it couldn't be that hard to set Xero to release the connection to the server during an extended period of inactivity, but then re-connect automatically when you come back (even if it takes a few seconds longer).

Anyway, I suppose it is not high on the priority list. The timeout for me is just an unnecessary annoyance.

Ray Taylor

Just use

Set it to 8 minutes and the problem goes away

Bruce Bromley

We want to use Xero for OTC invoicing with those accessing it limited to sales invoicing or limited access. There will not be a steady flow of use so having to login most times while a customer is waiting for an invoice to be produced is painful for all concerned. I am willing to take responsibility for my time out periods and need the flexibility to set or nominate what I need to meet our OTC sales/invoicing requirements. Andy Ross

Andy Ross

Is anyone still having issues with the program logging out before the 8 hours?

Jannett Smith

Please modify the "Hey user, are you still there?" timeout popup screen to allow the browser to place the browser stored password into it.

Going back to my password store to complete this screen is part of the frustration. Alternatively, I go back to the main login screen to re-authenticate and start again on whatever screen I was working on; = time wasting.

Another problem with this security timeout is it forced folks to make simple passwords so they can be typed in, as they need to keep re-entering it.

Mark Hawrylak

Why does the screen allow me to input data but when I go to save, it takes me back to login page and clears the data? I realize that it's timing out but why does it allow you to keep typing if it won't allow you to save it?

Kelly Hughes

I have just spent over an hour compiling a report/invoice for service work completed and I used the approve invoice tag... the message "are you still there" appeared, which I acknowledged... all my information on the report and invoice were lost... I AM NOT HAPPY.

Robert Smyth

We also are finding this frustrating! Some of our jobs require detailed invoices and one small interruption always seems to end in lost information and having to start again or at least redo some of the work we already had done. This happens far too much and is causing serious stress and loss of very valuable time. We work in our home office and security is not at all a concern so not having a choice of time out length is ridiculous!

Renee Shackle

Absolutely agree, time out period should be configurable. XPM doesn't have a time out period. It is frustrating when jumping between XPM & My Xero and having to re-enter password. Understand the need for security however there needs to be a balance between security and freedom. That is freedom to choose your level of security.

Kellie Lawrence

Even my security software lets me choose when to log out, but Xero know better.

Lee Featherby

Circumstances differ markedly and Xero should recognise that by allowing the user to change from the Xero standard setting to the security settings of their choice. There is a big difference between an individual working privately with Nil security issues to users working in an open office environment. Hence the need for self choice rather than Xero's blanket approach.

Andy Ross

Another Xero user that loves the system but hates having to log back in every time I sit down to check some information or create an invoice. The time out NEEDS to be adjustable in the next update by the user, there is ZERO (pun intended) chance of a security breach in my workplace, very frustrating to have no option to adjust security settings.

A & L Artistic Framers Angelo

Why does the screen allow me to input data but when I go to save, it takes me back to login page and clears the data? I realize that it's timing out but why does it allow you to keep typing if it won't allow you to save it? I repeated this from up above as I believe every other user of xero should do

Wayne Knetter

I second Wayne Knetter's comment.
I've experienced the same numerous times and have wasted too much time re-typing data I'd already meticulously entered into an invoice. Please develop a proper time-out process so that the application does several if not all of the following: (a) warns you when about to log you out, (b) auto-saves unsaved data entered, (c) allows you to retain the data entered when subsequently prompting for credentials after timing out if in a data-entry screen.
These are standard concepts that are key to not frustrating the user experience. Please incorporate into future updates.

Dan Jermy

Just lost a load of meticulous work on an invoice. Pathetic implementation. Adding lines on an invoice should be blocked if the session has expired!

Simon Fuller

re: Simon's comment above, adding lines to anything (invoice, bill etc) should be counted as activity and reset the timeout like any other action does. I commented on this thread probably 2 years ago and nothing has changed.

I note that the question is marked as done which is disingenuous as sure the timeout is now 60 minutes not 30 but it is not the custom timeout people have asked for. Facebook has private data of mine to store and manage yet I am always logged in to FB

Nick Crossman

I was just about to start a new topic asking for this.
I think it should be configurable. I would set it to 10 hours and just log in once per day.

Glenn Roberts

Why can't there at least be a popup that says "This session will time out in 60 seconds"? That is what all my banks do. That way when I'm working on a large invoice or purchase I will be notified before it times out. I can then click the save button. Terrible idea to just popup and let us know we have timed out. No warning at all. I hate that. I have also lost a lot of work because of this.

Robert Loy

I understand that Xero takes data security as a top priority but it's MY DATA. Have a default set at one minute if you like but allow me to change to suit myself or to remove it completely.

I work in a locked office in a locked building and to have to keep logging back in again is stupid. Not only that, if my browser is set to remember passwords I don't even need to enter it anyway, almost defeating the whole point.

If we have a choice then we the users can make that decision, not Xero who DON'T know what works best for us.

Does your car lock automatically once you get out of it? Does your front door lock automatically? Of course not, because people would be up in arms about it if this was forced upon them.

Please Xero don't ruin a great service by annoying your customers. Only people like Apple manage to get away with that :)

Stuart Morley

This thread has been going for over two years.

The best you can do is add this plugin to Chrome

Plain and simple, Xero doesn't give a toss about what the paying user of their software thinks.

Bruce Bromley

Don't ask about multiple contacts per company...that's coming up to 6 years and still no movement. They have now taken the dates off threads so people can't see how long it's taken. Thus I suggest you date every thread.

No, they don't give a toss, you are right.

Feb 18, 2019

Lee Featherby

That's a real shame as it's such an easy fix and would make so much difference. Crazy how they have taken the post date off.

Come on Xero, give us a real valid reason why you won't do this.

Feb 18, 2019

Stuart Morley

Sadly this Timeout issue also affects the new Get In Touch way of contacting support.
A very lengthy and complex description of my PayPal (!) mess lost with about 2 lines left to write.


The whole thing is pathetic! - I should be able to decide on the security of MY data. I've stopped recommending Xero now to others. Glad to know that Xero know better than I do.

Stuart 14-3-19

Stuart Morley

This is also the thing that annoys me the most about Xero. Please let us stay logged in if we desire!

Kohde 27-Mar-19

Kohde Burford

Kohde, You are forgetting one thing. We the customers don't know what's best for us and OUR data but luckily Xero does. My computer has a screen saver after 5 mins, I'm in a locked office in a building that has secure access but Xero have thought about this and maybe someone would dig a tunnel into my office and then without my knowing run a P&L or post a credit note without me knowing and that would be the downfall of civilisation as we know it! :)

Stuart Morley

I wonder if the problem could be addressed with a different security approach for CLIENT and PRACTICE users?


I think it is simple. Have a standard timeout of anything and let us the users change it to what suits OUR security requirements. Much like when we choose to lock our car, house, office, computer and pretty much everything else. There is no reason why we can be logged in for as long as we like if we have other security methods in place.

Stuart Morley

What is laughable is that when you leave Xero for a while it asks for your password. If you go back to Xero.com and click login then your password is remembered and you click login so in effect it's pointless kicking you out in the first place. The whole thing is a joke and very annoying!

Stuart Morley

This sounds like your browser is set to remember your passwords, Stuart. Might be worth checking out your browser settings, and clearing this option if you don't want it populating your passwords.

Lauren C (Community Manager)

Hi Lauren, Thanks for your reply. I DO want the browser to remember my passwords as my PC is in a secure building with secure access to my office and a screen saver with password required for login to my machine. This is why the auto logout feature on Xero is such a pain and completely overkill. I am still unsure why Xero FORCES us to accept its security settings.

Stuart Morley

Having the exact same issue here. I need to extend the timeout. I'm often alt-tabbing between browser sessions while working on Cin7 orders/inventory and then pushing back to Xero and checking what Xero receives. The timeout from Xero is a huge productivity killer as the password field in the timeout popup doesn't even work with my password manager so I have to completely log in again. This is a stupid implementation and we need the option to extend our timeout.

Sean Spratt

Couldn't agree more Sean! However, Xero knows best as you will see from the inactivity on this matter. Unlike almost every other software company who allows the CUSTOMER to decide how they use their software, Xero takes a different view and tells us how we should work. Xero is a great product but sometimes it feels like a luxury car without a steering wheel. The funny thing is that when asked for the password if you just refresh the page the autofill completes it anyway (although you may lose your work). Unfortunately, I missed the opportunity to visit them at a recent exhibition to tell them face to face how stupid this implementation is.

Stuart Morley

Yes I agree

Katrina Carson

Seconded. This should be amenable to the user's needs, and not unchangeable across the board. Please add ability to change or turn auto-logout OFF in settings.

Paul Maximus

Xero no longer cares about its users. This is just another case of a small company becoming too big, hires a big name CEO to keep stock price up and business is now about cost cutting and no real development. They have customer retention as it is just too hard to change products.

They refuse to implement RCTI's, consolidated entities etc.

Mark Whitaker

Spot on Mark, and the fact that they recently reduced the multi subscription discount from 15% to a measly 5% reinforces what you've stated, just another big greedy impersonal company now. Very disappointing

A & L Artistic Framers Angelo

Being a regular, daily, day-long user of Xero I would definitely appreciate a longer session timeout. In my circumstance there is little / no security concern in the locations I regularly use Xero from. Verifying by sms or email once a month is fine.

Like most users I have a pin / password on my computer, and don't need each and every application I use to timeout every hour.

Please allow session timeout to be configurable - 1 day or 1 week is reasonable.

Theo C

I totally agree with you but Xero know best! - We've been asking for ages and they haven't taken any notice. Apparently it's for security reasons and we aren't adult enough to look after our own security and decide upon how we implement and keep OUR data safe. I work in locked room in a locked office with a computer that self locks after 5 mins but even so Xero still needs to lock me out. Imagine someone breaking into my office, then my room, then hacking my computer and getting in. They could then raise an invoice or do a bank rec or even a VAT return :). Are we prepared to take the risk :). - Utter madness and ruins a great product. We should be able to change the default time out.

Stuart Morley

This is a cop-out response Xero.
For people who work from home, with desktops, it would be a huge help not to lose what you're doing every 30 minutes due to a security timeout.

Perhaps have an option (disabled by default) to extend the session time?

Joel Rankin

It is a pointless timeout - but you can solve this with a Tab Refresh extension added to your browser, for example:




If any of those don't do exactly as you need, just search for "refresh" in your browser extension store and let us know here what works best.

Marcus Quinn

A little trick for this. Open a tab with your Dashboard, and set the Auto-Refresh Timer for, say, 9 minutes with "Do not reload if tab is active" and "Use cache while reloading" set to On.

Then open other tabs to work in, you can do the same on any of you like and don't know which tab you want to work in. The important thing here is you always will have one tab open but not in the foreground, that's going to be your refresh gopher to stay logged in.

The unused Dashboard Tab will refresh every 9 minutes to keep you logged in but it won't interrupt your work on the active tabs.

Solved :)

Marcus Quinn

Excellent suggestion Marcus, thanks very much.
I will use this for the foreseeable future until Xero fix the real issue.

Update 03/09/2020: chrome addon doesn't seem to work very well. Xero still logs me out after a stupidly short time.
C'mon Xero, please extend the login time. Redonkulous.

Joel Rankin

...and surely in this environment where a lot of finance professionals etc are working from home, having a timeout on your home based PC or laptop makes little or zero sense. If someone is in my house then I have bigger problems than if my Xero is logged in or timed out.

Nick Crossman

I think everyone is missing the point. It is obvious that Xero doesn't trust us to keep our systems secure so they will NEVER resolve this as they know best. Pure arrogance on their part. The work around does look good though which makes the whole thing a farce. Totally agree with your comments Nick but Xero know best. As I have said my computer is locked when I walk away (and after 5 mins), it's in a locked office, in a locked building but hey that's still not enough security eh? :)

Stuart Morley

Can Xero please tell me what is in my accounting system that requires this level of security? I can access any bank accounts, I can maybe access payroll files but there isn’t anything important enough to insist on bank level security...but maybe they want to think they’re that important.

Lee Featherby

Well Lee, someone, if they had access, could adapt your invoice templates to their bank account number for payment, choose all outstanding invoices and send everyone a note saying "Please note my new bank account". This is a very real scam. I'm not saying this is a good reason for this stupid timeout, but it is a real problem if someone accessed your Xero. You'd potentially never know until you weren't paid!

Nick Crossman

I agree with Nick but there are (I imagine) much easier ways of scamming people than breaking into their office / home to change an invoice template :)

Stuart Morley

Thanks Nick. I did ask and you have at least given me some reason. I agree with Stuart though.

Lee Featherby

I agree, Xero login is as sensitive as Banking logins. Although, due to the lack of randomised 2FA inputs, you can login to Xero automatically with the password saved in the browser or a password manager, so all the forced shorter timeout does is encourage use of browser saved passwords (zero security) or password manager auto-population, which is better as most decent password managers have a configurable timeout.

I highly recommend Enpass for personal users and Bitwarden on Cloudron for business (team) users. You'll find lots of other interesting apps on Cloudron too. And if you Google my name to find my Blog & Twitter I'll post more tips on there.

Also recommend Integromat for automating all your mundane tasks. I'm following this thread now, so ping any more questions and suggestions and I'm sure we can solve pretty much anything with 3rd party tools.

Marcus Quinn

I think the timeout is shorter than the 10 minutes I think I saw someone suggest. If anyone knows the exact, then we can set to just under that. I'm setting to 4 minutes with those above browser extensions and settings and it works well. Let me know if it works for anyone else.

Marcus Quinn

View source suggests it is 10 minutes:


So a "Tab Reloader" extension setting of 9 minutes should be optimal. You can always test your settings with a short time of say 5 seconds first, if that works, up it to 9 minutes. If that doesn't, maybe it's shorter. Reasonably confident 9 minutes but again, let me know any issues and we'll solve as a community :)

Marcus Quinn

Another option could be an extension like "Resource Override"


I haven't tried that yet but this would seem to be the part of the source-code to change:


Marcus Quinn

Been logged in to Xero all day now with that 2 x tabs and 9 minutes setting with "Tab Reloader", so I believe a confirmed solution now.

Marcus Quinn

Well done. Great job all. Shame that Xero after all these years couldn't be bothered to offer a solution especially when it was so simple.

Stuart Morley

I've decided to post here every time I go to do something and Xero logs me out.
This is ridiculous.

Joel Rankin

Good Idea then maybe Xero will fix this simple issue and LISTEN to their customers. Great product made difficult to use by this simple issue. I know there are third party fixes as above but we shouldn't have to keep doing this just to use the product.

Stuart Morley

Day two of the Xero timeout report. Yup, it timed out while working.

Joel Rankin

Same here. Twice !

Stuart Morley

Day four of the Xero timeout report. Yup, it timed out while working.
It happen yesterday because I had the day off.

Joel Rankin

Yup they are fucking useless with their arrogant treatment to paying businesses.

Bruce Bromley

Day five of the Xero timeout report. Yup, it timed out while working.

Joel Rankin

Would also like to be configurable.

Charles Chan

Happened twice again on Friday.

Stuart Morley

They are a bunch of pricks and I guarantee they do not even monitor this thread!

Bruce Bromley

They don't monitor. And across the entire accounting community they are considered to have a callous disregard for their customers. I pay and use Xero, but only begrudgingly and due to a lack of viable alternatives. I can confirm using the tab reloader extension does act as a workaround.

Sean Spratt

Hi everyone 😊 Security is something we take very seriously at Xero and we have this timeout limitation for those working in shared spaces or where any data or information could be compromised. Understanding that this isn't the way everyone operates and works however we need to do our part to keep all users safe.

Really appreciate all of the discussion and work arounds/extensions that can help solve this niggle, we always love to see our users collaborate together! Be sure that we do monitor these threads and do take note of feedback however our teams work really hard and we'd love to be able to solve every feature request on our Community platform but this isn't realistic. We've got some information here on our blog about how we prioritise our work!

Jess W (Community Manager)

The answer at the top of the page incorrectly states it is 30 minutes, when review of the application source code shows it is 10 minutes.

It is very realistic to solve as it would be a very minor development any junior developer could implement and document. You can keep your short-time as default, and then offer a setting for that value to be longer for the vast majority of people not in shared workspaces that expect to control their applications.

Don't forget who pays the wages. I've already studied your application and it is more likely to get cloned as an open source compatible alternative if you don't serve your customers adequately. Arrogance and ignorance of paying users rarely ends well in the long-run, especially when some of them will be equally experienced web application developers.

So the question is, shall we sponsor an open-source Xero-compatible alternative development or will you escalate this thread to the product managers to be taken more seriously than dismissing the feature as unrealistic to people that know that it is not a question of cost or difficulty to develop but one of consideration for the users that spend more time using the application than the temporary custodians of the development roadmap?

Marcus Quinn

Marcus, agreed. This should be a simple fix.
I get the feeling however that the Xero product team are more focused on what will bring them new sales, rather than improving the experience of existing users.
This type of feature is so basic and so core to any online system but sadly a feature that won't make or break new sales.

Joel Rankin

Xero is as much use as a chocolate fireguard. I keep getting auto logged out in less than 15 min. All my data entered deleted. So I can't check prices, talk to clients, or go to the toilet. It is a joke. The business owner should hold responsibility on how long the afk feature is.

keith Roberts

You can now make a Xero "Web App" with https://webcatalog.app and set:

Preferences > Extensions
> Reload web pages automatically = On
> Reload every 5 mins
> Only reload on inactivity = On

Stay logged in forever!

Add extra containers in the left sidebar if you have multiple logins / clients.

Completely agree the forced auto-logout is neither helpful nor does anything for security when so many other webapps I use, that could make this bogus argument, can stay logged in indefinitely. (Cloudflare, Github etc)

It's more likely that Xero doesn't want to pay for the session persistence hosting costs.

Anyway, problem solved. At least they are pretty decent at banking integrations, although Odoo or Akaunting are your next best bet if you're looking for alternatives.

Marcus Quinn

I am new to Xero and since this forum does not have timestamps (also a simple feature) I have no idea if this was discussed yesterday or 5 years ago.

I have no idea why in this day and age this is not configurable on the account. If I want to take on the liability of not logging out that is on me, not on the software company providing this.

Judah Ferst

This setting is very frustrating. Xero please stop controlling us, set defaults by all means, warnings etc but don't force down our throat and expect us to be happy....

Please take a responsible approach and not a controlling one!

Darren Murtagh

Okay this is just getting ridiculous.
I posted my original frustrations over a year ago (I note now Xero have removed the date/time from community posts, no doubt to cover up how long some issues have been around for).

I work from home.
I need to log timesheets between every 15 minutes to every couple of hours.
I can add over 10 timesheet entries per day (which means around 10 logins each day).
If the login time was less than a second, sure I could deal with it.
But this timeout seriously interrupts my flow.
I wouldn't be posting here if it didn't!

C'mon Xero, throw us a frickin bone!

Joel Rankin

The Xero timeout drives me crazy - XPM does not seem to time out? Many of the other programmes I use - such as my time sheet programme, have extended timeout limits & are secure. As an Accountant, I am working in Xero for a large part of my day but with interruptions so that when I deal with other issues, I come back to find I have been logged out of Xero. I use Practice Protect Password Manager but for some reason I cannot just click on their icon & log in again, I have to manually log on - more frustration :(

Carole Bone

Reminder, I posted a solution above that works with the "Tab Reloader" extension.

Also, highly recommend Bitwarden as a Password Manager. I've tried and tested them all, and this is definitely "the one" for me.

Marcus Quinn

I didn't see the post before, thanks, I will look into it.

Carole Bone

Hey Joel, you asked to be thrown a Bone, and Carole Bone answered.
Made me giggle.
Please everyone, date stamp your entries to let everyone know just how long Xero hasn't given a toss for!

Adam Cullen

Thanks Marcus,
I've just installed....
I'll see how it goes next time I want to go and have lunch, or anything else in my own home office. (Thanks Xero).
Edit... 22-5-2021
Been in and out all day today and still on.
Thanks again Marcus.

Adam Cullen

Google Docs and Sheets (where we store all of our commercial documents) needs me to validate and re-login about once every 30 days, I think surely Xero can manage it safely too? Or at least allow the user to override it for a specific machine/IP address.

The crazy thing is my password manager doesn't time out, and anyone who can access that can access Xero anyway.

I don't think Xero really wants a million users auto-refreshing idly every few minutes to keep their sessions alive either.

Dave Blakeman

Not only does Xero have this crazy system they have even just added two step authentication. Soon you'll spend more time logging into Xero rather than using it. Xero have lost the plot. This is my accounts package and not my Internet banking.

Stuart Morley

I have worked in tech for decades. This login timeout is one of the weirdest attempts at security I have seen. Here are a few reasons.

1) If the bad actor has access to the computer, you are already in trouble. Logging out won't save you.
2) Most people will store the password in a password manager to make logging in simpler, thus rendering the short login timeout useless.
3) Most progressive companies are moving to a passwordless environment, towards biometrics, YubiKeys, etc... Short timeouts on passwords for what must be a tiny percentage of your userbase is laughable.
4) Microsoft, Google, etc... all give far greater flexibility in allowing their customers to choose their configuration, have a minimum standard. MFA is far more useful at stopping bad actors than login timeouts. I haven't entered my password for nearly two weeks on my Microsoft account or desktop. It's infinitely more secure than password-only solutions.

It's time for a cold hard look at your security and maybe make the 10-minute logout an option for whoever thinks it helps. The rest of us would like a more sensible system.


Edward Kenny

2FA and login timeout should be mutually exclusive, otherwise users will be less likely to engage 2FA and the system will be less secure?

Ian Wolstenholme

Thanks for all the great responses - hopefully Xero will make changes

Carole Bone

@Ian Wolstenholme. 100% agree.


Edward Kenny

We now recommend people NOT use XERO. We now will be forced to use 2FA. This is MY DATA and I should decide how I protect it. Making me login with 2FA has made the system even more difficult to use. This is just madness and XERO couldn't care less about what we the actual users think. Completely over engineered.

Stuart Morley

Hearing your frustration here team. Just a little insight into our reasoning behind our MFA rollout: with the increase in security breaches and account compromises, we strongly believe it’s important to step up security.

We take our job as custodians of your sensitive data seriously and keeping everyone secure is a top priority for us!

To decrease the effect it has on your day to day, be sure to click the 'Skip this step' option so you only need to verify every 30 days.

Maya W (Community Manager)

I understand you may feel the need to want to protect OUR data but the point is that it is OUR data and we should have the choice as to what level of security we wish to use. Also, in the unlikely event someone hacks into the system, what can they do? Print off a P&L? Raise an invoice? It's an accounting system, not Internet banking.

Stuart Morley

@Maya, MFA is a cornerstone of good security practices. It should be used and will stop most security issues your clients will have, especially with password spray attacks. It doesn't however address the incredibly short timeout where we are challenged for our passwords frequently. In my previous post, I address why I feel this is the case.

It is a poor user experience and adds little to no value to a client's security posture.

I happily use MFA all of the time, for many products as I see its value.

Edward Kenny

Maya - if you press Skip this Step it doesn't refresh every 30 days, it's every time you log in, which in my case is several times a day!
PLEASE listen to the thread which is years old now.
Let people make their own choice about security on their own account.
Let us decide if we would like the 2 step verification - if we don't then let us switch off the reminders.
Most importantly - let us choose how long we would like the automatic log-out set to. I for one would substantially extend the time out.

Listen to your customers, before you lose them!

Nicky Summers

The answer is simple. Xero don't care and don't listen. If you're not happy with it then leave a one star review citing that it's a great accounts package but with overbearing security. They might start to listen when we have a load of bad reviews. It's becoming a real pain.

Stuart Morley

I'm absolutely fuming at the moment! I've had to set up 2 step authentication, I didn't have an option to skip. Why should I set up a second email address for security? Why should I have to answer security questions? It's up to me to decide how secure my login is, isn't it?

Then the timeout issue - don't get me started again...

Xero - DO SOMETHING ABOUT IT ALL - Listen to your customers!

If I can actually find out where to leave a review, I will be doing so.

Nicky Summers

Of course you don't have an option to skip, you have to do what they say.

No, it's not up to you. It's your data but you don't get to choose how to secure it. Even Apple allows you to skip 2FA.

Leave reviews on Facebook, YouTube videos etc.

Facebook: https://www.facebook.com/Xero.Accounting

YouTube: https://www.youtube.com/watch?v=6sjDwyOLNNY

Trustpilot: https://uk.trustpilot.com/review/www.xero.com

Stuart Morley