Xero - beautiful accounting software

Xero Business Community


Two factor authentication - Australia

Started by Crystal Web Designs -   in Using Xero

I've logged on this morning to find that Xero are now forcing two factor authentication (not impressed with that, but that's another story).

Xero, your instructions at the login screen were terrible and not helpful at all, leaving me with no idea of what to do to set it up. When I clicked "not now" it just came up with what looks like a developer page (I didn't screenshot it, sorry).
It was lucky that I remembered you had emailed us a while ago about the two factor authentication, so I had to refer to that email for what to actually do to get this set up.
Only a few of our team have been able to get two-step to work this morning. The rest are locked out.

We are following the instructions but, for some, Xero will not accept the code from the authenticator app.


Karen Bentley  

Thanks for raising Crystal Web and Karen, we're gradually introducing compulsory two-step authentication (2SA) across Australia, to help customers strengthen their security and protect your sensitive data, and it is a mandatory requirement from the ATO.

This morning we introduced a new opt-in experience for Payroll Admin and Subscribers, to give our customers a few weeks to voluntarily set up 2SA before it becomes mandatory for this group on September 11, 2018.

Unfortunately like you've mentioned Crystal Web, there was a small glitch where the “Not now” button wasn't working correctly, which meant those customers were required to set up 2SA before they could log in.
We've rolled back our release and you should now be able to login as normal. Our development team hopes to have the correct flow available for you soon.

Kelly M (Community Manager)  

Got no idea at all from the 2SA screen what to do if using an iPhone. So I Googled "iPhone scanner" and discovered that has to be an app you install. After installing Free QR Scanner (it does barcodes too and has very good rating) I pointed it at the Xero barcode graphic and my iPhone screen showed what looked like an un-clickable url or plain info about the Xero barcode and nothing else. Does this mean I have completed the process? My regular computer logged me in like any other day - no splash screen saying I successfully applied 2SA. What is going on? Very, very poor customer experience and proof that the people running Xero have no idea about making their software user friendly because the people in charge and creating the IT do not actually use Xero like we do. So many other core essential features have been asked over and over and over again during the last 6 years without any action and this 2SA is a plain example of when something important is actually implemented it is done so very badly. If I was the CEO of Xero I'd be making major changes to management and how things are done. I actually spoke to management from NZ and Australia (Xero is primarily a NZ/Australian operation) and I can tell you they listen but I don't have confidence they will act and spend the time and money to support the software appropriately. As an Australian and CEO/Managing Director myself, it pains me to see so many disgruntled customers using Xero. Looks like they returned time stamps to forum posts so at least they listened on that front. But for goodness sake, before you email a million users and have them do something mandatory, make sure your change is 100% bullet-proof!! They are on notice about a lot of things - such as, do they not understand how annoying it is to constantly have to re-login all day long? Why isn't there something to stop the time-outs during a day for an admin login? Upon checking, it's a feature that has been requested for years. 
I also saw no time stamps there. So, I spoke too soon about that. Appears they only put time stamps on threads that suit Xero management? Another example of treating their customers like...

15 August 2018

Waddington Educational Resources  

Hi Neil, do appreciate with the recent experience there are some people a little confused around 2SA. Please do reach out to the team if you need any more help with this, we'll be happy to make sure you're all set up, and everything is working correctly.

Avoiding another surprise - I do want to confirm that date stamps were removed from Feature Requests only, and are still available on general discussions. We've been quite open on this change.
I know you've had a few troubles that you've voiced about Xero, and in particular the way tax is calculated. We do hope you find the value in the service and features we offer, and that we can continue to build on our relationship over time.

Kelly M (Community Manager)  

Actions will always speak louder than words, Kelly M. At Xero, it is particularly important for that concept to get across to management.

As for the 2SA, looks like someone has been busy altering links and info to make it more understandable. Pity it wasn't actioned properly to start with. Now for all the other issues I and many others have been bringing to management's attention...

15 August 2018

Waddington Educational Resources  

Merged: 2 factor authentication

This forced 2 factor authentication thing is a farce.
Firstly it was rolled out with the most confusing instructions and unhelpful 'help' links.
Despite these problems I did manage to complete the process today.
I then went into my account settings and turned 2 part authentication off.

Guess what happens when I login again this afternoon? I’m now being asked to set up 2 part authentication again!
Why is this happening and can someone fix it asap?

Geoff Webb  

Sorry to hear the trouble you've noted about getting set up, Geoff. We are gradually introducing compulsory two-step authentication (2SA) across Australia, to add that extra layer of security to protect your sensitive data, and strengthen security of your financial info.

For any payroll administrators and subscribers of Australian organisations, having 2SA enabled is a mandatory requirement from the ATO (from September 11, 2018) which is why you're prompted to set this up again, after it's been disabled.

Once it's set up, you'll be asked to enter the code on each device you use - you'll have the option to enter it each time you login, or once every 30 days. Please do let the Support team know if you need any more help with this, we're more than happy to answer any questions you may have, or check it's set up correctly.

We do also have a bit more discussion on this over here, so I'll join your post in to keep this together.

Lauren C (Community Manager)  

I do not want to use my own mobile phone to download all of these apps required to login. I will not enter my telephone number on the internet as I believe it risks my privacy. How do I set this up without a mobile phone.

Accounts Data Entry  

I wasn't impressed either. Yesterday I could login and today I had to use 2SA, download apps etc. Not only did I need to download apps I needed to work out how to use the app. I still don't know how I get Authy to re-scan a QR code but after 30 minutes I was in. I also decided to disable it and then found out that I couldn't disable it and had to go through the process again.

Unlike others I don't remember seeing an email from Xero about this so I had to search to find some instructions.

I use 2SA with other systems but they automatically send me an SMS with a code, there's no having to put an app on my phone, scan my laptop, then try to type in a code quickly while looking from my phone to the laptop. It doesn't feel user friendly at all. I'm not sure how my dyslexic husband will cope.

Karen Leslie  

Xero what is going on with this 2SA??? We have followed instructions and scanned the barcode which then produces the code. But the next time we have to log in the new code generated by the app doesn't work so we have to go through the whole process again or answer the security questions. This is VERY frustrating. How do we fix this problem?

Andrew Walker  

Something does sound like it's not working quite right there, Andrew. Not something I can help with here from Community, but I see you've come into the team at Support and one of our specialists will be able to help look into what's going on. They'll be in touch soon.

Kelly M (Community Manager)  

Xero, it is disappointing to see a company that is otherwise excellent introduce (by force) something so frustrating that I immediately reconsidered my subscription!

It is a HORRIBLE idea to force me to install another iPhone app (that I don't much like) to log in to a service that I chose mainly because of ease of use.

The government's myGov service is bad enough, but at least they SMS me a confirmation code. This is just ridiculous! Please give me the option to opt out.

Peter Sanad  

Merged: Forced 2 Factor Authentication.

Xero, it is disappointing to see a company that is otherwise excellent introduce (by force) something so frustrating that I immediately reconsidered my subscription!

It is a HORRIBLE idea to force me to install another iPhone app (that I don't much like) to log in to a service that I chose mainly because of ease of use.

The government's myGov service is bad enough, but at least they SMS me a confirmation code. This is just ridiculous! Please give me the option to opt out.

Peter Sanad  

This is the worst move I've ever seen a company this large make..

Paul Schmertmann  

Merged: Forced 2SA not OK, you are the only product I use that requires this..

Please don't bother to reply, I am not interested in the details of whatever the scripted response will be...

It is a joke that I have to have a non-Xero app involved in all logins, all the time, across platforms.

I can't stand it and it's making Xero a PAIN in the butt to use...

Please, just unwind this... OPTIONAL if people CARE about this hyper-conscious level of 'security' where there are still vulnerabilities

Paul Schmertmann  

I just tried to log in in order to respond to you Paul, and I had to go to the silly iPhone app just to log in to the forum too! Please Xero, can you give us the OPTION to disable this for ourselves?

On another note, I have noticed that rather than go to the app, you can just answer two security questions as an alternative. At least that's slightly less obtrusive!...

Peter Sanad  

Hello Paul,

This may be tedious for you, however, Xero only complies with what the ATO requires. Currently in Xero, 2SA is mandatory for partners, subscribers and payroll administrators of Australian organisations. It will soon be mandatory for all users of an Australian organisation in line with ATO requirements for software that interacts with their tax system. It is the right thing to do to help protect client data.

Kriesel Gaspar  


The issue is not with 2 factor authentication, it is with the use of an external app that needs to be installed and used for the purpose! It's not good marketing to force people to install an external third party app to log in to your service. That's what we're talking about.

Peter Sanad  

I've had to set up 2 factor authentication now at least three times, setting up the three questions and answers written, I presume, by an eighteen year old. Seriously. I hate those questions. Virtually none of them apply to a 50 year old. Did one of the directors get their 15 year old daughter to write them? I will admit though, having had to go through the painful process of finding 3 questions that I can stretch answers to, three times, I am slowly remembering them. Ridiculous. If you're going to force such a painful process on people then at least give them the choice of some decent questions or let them write them themselves. I'm not a 12 year old so please stop treating me like one. I realise this could just be part of a larger strategy by Xero to drive away as many customers as possible. Boy that is becoming increasingly a real possibility. Get your act together Xero.

James Orr  

Hi Peter!

I totally understand where you're coming from, and some business owners in Australia have been talking about this matter since some of them are not really interested in downloading an authenticator to their devices, and to add to Kriesel's response, this is actually an ATO requirement, which most cloud accounting software should follow.

Xero does offer a 30-day window for 2FA authentications on trusted computers, which is a nice feature. Whenever you log in, there's a tick box which you just click, "Remember for 30 days", so the recognized device will allow you to log in to your account :)

You can always flick an e-mail to Xero Support directly so they can help you discuss this concern.

Julius Corpuz  

Thanks for the feedback Julius.

It's actually quite simple. If the ATO demands two factor authentication then send me a confirmation SMS code to my mobile every 30 days. I do not want to install an app on my phone to use once every 30 days. Especially given that an increasing number of apps just cannot be trusted with personal information these days.

Peter Sanad  

Totally understand that, Peter. My Google account is actually set up with 2FA, both business and personal account, but the good thing with Google is that it sends an SMS instead of entering a unique code, which I think is pretty good, too.

I will try to look moreover with Xero's community and keep everyone updated if there's any update on this one. :)

Julius Corpuz  

Thanks for popping in here, Kriesel and Julius.

@Paul and Peter - I am sorry to hear Xero's 2 factor authentication is causing you both such frustration. Like above - we do need to comply with the ATO, and are rolling out mandatory 2SA to those who use the Australian version of Xero to meet the upcoming requirement. I do appreciate this slightly changes the way you work when opening Xero, but we do hope over time you'll come to see the benefit having this level of security is for your business. Please do let me know here if you're needing any help with setting this up or are having any technical issues and I can get one of our Support team in touch for a closer look to help 1-on-1.

If you're generally using one device to login, you can make use of the 'Remember me for 30 days' option. Or, for those that really don't want to use their phone or don't own a phone, there's the option of installing Authy on your computer.

I can see you've also shared your thoughts around this here and here, Peter. I'm going to merge all these discussions to this one so we can keep the conversation on this all together.

If there is a preferred service that you'd like Xero to be using for this process, please do share more detail of this and we can feed back to the team and gather interest in this here in the community.

Kelly M (Community Manager)  

Kelly M,

I’ve already made a suggestion that I believe would clear this up.
Do what every other software that requires 2 factor does:
Send me a code via SMS every 30 days.
I can easily delete it and no app involved.

How does that sound?

Peter Sanad  

All people here largely want is to be logged in ALL DAY, 2SA to be plain and simple for at least 30 days as it is but its introduction was done very badly. Being logged out multiple times during the day is so very UGLY! Somewhere along the line, possibly years ago, management lost the memo about the software having to be beautiful.

Waddington Educational Resources  

2SU is not working at our organisation. There are two of us that use Xero every day, and myself more than once a day.

We have both installed 2SU and downloaded the app (BOTH authy and google authenticator) and scanned the code and answered the security questions multiple times, and yet EVERY time we go to log in it makes us do the same. I have even tried to 'disable' the option via settings and it still does this. Clearly a glitch of some sort, it is extremely frustrating.

I have sent a support request but have not yet heard back, despite the auto reply email stating someone would be in contact in 10 hours.

Bronte English  

Hi Bronte
From what I discovered, once it is set up you cannot disable it. I was under the impression that once it was set up we had the option to disable it, but I tried this and I was forced to go through the set up process again.

Accounts Data Entry  

Hi Accounts Data Entry,

I see. Even so - even when it hasn't been 'disabled' it still makes me set the whole thing up again every time I go to log in!

Bronte English  

Thanks for coming into the team for some help here, Bronte. Not an excuse at all, although the team do have quite a few more questions than usual atm, I do apologise for the wait you've had here. I see Maya has recently got back to your email - please do get back to her with screenshots of any errors that you're getting and they'll be able to take a closer look into these to help.

Kelly M (Community Manager)  

Merged: I HATE two-step authentication


While the rest of the entire world is making using apps and digital programs faster and simpler and requiring of fewer steps to get things done, Xero just added the super annoying two-step authentication.


Please get rid of this crap ASAP, or at the very least make it optional. If your software is not secure enough using a log in and password like practically every other software on the planet, then maybe you need to figure out why that might be, instead of creating an irritation for customers.


Hannah Moreno  

What a pain in the ass this is. Authy?
My Bank doesn't request this level of security.
What happens if I am on my computer - and my phone is out of battery? And I can't access Authy?
Total pain in the ass and unnecessary IMO.
You have the time to add this to Xero but I still can't do a 50% deposit invoice?

Declan Reynolds  

Hi Hannah, I'm sorry to hear using our 2SA is causing such frustration. In line with the ATO's requirements, 2SA is being rolled out as a mandatory feature for all those using Xero in AU.

Please do let our Support team know if you're having any difficulty in setting this up or working 2SA for Xero. I'm going to merge into this larger discussion around this so we can gather all feedback around this change together.

Kelly M (Community Manager)