From 11 Sep 2018, Xero is making increased login security compulsory for users who have access to sensitive data (e.g. payroll users, the subscriber, and anyone who can change bank details in the software).
This is to reduce the risk of internet hackers using a user's login to modify staff payroll, supplier payment files, or the bank details on sales invoices so that payments go to an unauthorised third party.
For most users, this involves using an app on their phone that will give them an extra code to enter when logging in – they can set this up so that it will ‘trust’ a computer for 30 days.
For those not wanting to use a phone app, Xero advises:
“If you don’t have access to your authentication device for any reason (eg you left your phone at home), you can still log in using a recovery method. You can either answer a couple of questions about yourself, or get a one-time authentication code from an alternative email address.
You have to select recovery questions when setting up 2SA, but providing an alternative email address is optional. If you do provide an alternative email address, you can use either the security questions or alternative email as the recovery method if you don’t have access to your authentication device.
The alternative email address cannot be the same as your login email address.”
Some help links here:
MYOB, Xero, and Intuit QBO all have 2FA solutions available, and the ATO have mandated this type of extra security for Bookkeepers and Accountants with access to multiple client files.