Most Xero users would agree that securing their financial data is critically important.
By following some best practices around passwords, multi-factor authentication, and software updates, you can dramatically strengthen the security of your Xero account.
In this post, you'll learn specific tactics to safeguard your account, like enabling Xero Verify, crafting robust passwords, recognizing phishing attempts, and more.
Introduction to Xero Account Security
Maintaining robust security for your Xero accounting software is critical to safeguard sensitive financial data. Implementing multi-factor authentication and following cybersecurity best practices helps reinforce your Xero account's protection.
Understanding the Importance of Cybersecurity in Xero
As a cloud-based accounting platform housing confidential business and customer information, Xero requires stringent security measures. Enabling multi-factor authentication introduces an additional layer of account verification, making it much harder for unauthorized users to gain access. Adopting strong, unique passwords also minimizes vulnerability to brute force attacks. Overall, prioritizing cybersecurity helps mitigate the risk of data breaches which could prove financially and reputationally devastating.
Setting Up Multi-Factor Authentication for Enhanced Protection
Activating multi-factor authentication on your Xero account provides enhanced security by necessitating multiple forms of identity verification during login attempts. After enabling the Xero Verify mobile authenticator app, you will need to enter both your password and a rotating one-time passcode generated by the app. This extra credential check makes phishing and password guessing extremely difficult. Alternatively, you can use Google Authenticator or Authy for multi-factor authentication through their mobile apps. Just ensure your device utilizing the authenticator app is also protected by a PIN or biometric lock. With multi-factor authentication enabled, you can rest assured your Xero data remains safe from unauthorized access.
How is Xero secure?
Xero takes data security very seriously. Here are some of the key ways Xero keeps your data safe:
Secure data centers and servers
- Xero stores all data in secure servers and data centers that have robust physical security controls.
- Facilities are monitored 24/7 with video surveillance and access controls.
- Regular security audits are performed to identify and address any vulnerabilities.
Encryption
- Data is encrypted in transit and at rest using industry-standard encryption protocols like TLS and AES-256.
- Encryption keys are securely managed to prevent unauthorized access.
Access controls
- You control who has access to your Xero organization's data through user permissions.
- Multi-factor authentication can be enabled for additional account security.
Security monitoring
- Xero has dedicated cybersecurity teams that monitor systems and networks to quickly identify and respond to threats.
- Regular penetration testing is done to validate security controls.
So in summary, Xero utilizes encryption, access controls, secure facilities, and continuous monitoring to keep your data safe. You also have control over who can access your organization's accounting data.
How do I add a security question in Xero?
To change your security questions in Xero, you need to turn off multi-factor authentication (MFA), then set it up again and choose new questions and answers.
Here are the steps:
-
Log in to Xero using a web browser.
-
Click your initials or profile image, then select Account.
-
Under Additional Security, click the menu icon next to Multi-factor authentication.
-
Turn off MFA.
-
Click the menu icon again and select Set up to re-enable MFA.
-
When prompted, choose new security questions and provide new answers.
Some key things to note:
-
You cannot edit existing security questions in Xero. You have to disable MFA and set it up again to change them.
-
Come up with security questions that are unique and not easily guessable by others. Avoid common questions like "What's your mother's maiden name?".
-
Give answers that only you would know and no one else could easily guess. Don't use real answers either.
-
Xero allows up to 5 security questions. Use as many as you can for better account security.
-
After changing security questions, you'll have to re-verify any linked devices using MFA as well.
Following these steps allows you to refresh your Xero MFA security questions when needed. Using unpredictable questions and fictional answers helps protect your financial data.
Is it safe to use Xero?
Xero is generally considered a safe and secure accounting software platform. Here are some of the key reasons why:
-
Encryption: Xero uses bank-level AES-256 bit encryption to protect data in transit and at rest. This helps prevent unauthorized access to sensitive financial information.
-
Access controls: Xero has role-based access controls so administrators can restrict employee access to only the data they need. This limits exposure in the event of a compromised account.
-
Multi-factor authentication (MFA): Xero supports MFA through options like Xero Verify, Google Authenticator, or Authy. MFA adds an extra layer of protection by requiring a code from a separate device when logging in. This makes it much harder for hackers to access accounts.
-
Auditing: Actions like viewing reports or editing transactions are logged in Xero. This creates an audit trail administrators can use to detect suspicious activity.
-
Secure data centers: Xero uses top-tier data centers with multiple physical and operational controls to safeguard infrastructure. Centers are SOC 1 and SOC 2 audited.
-
Updates: Xero frequently updates its software to address the latest security threats and fix vulnerabilities. This helps prevent exploits before they occur.
So in summary, Xero has implemented security best practices like encryption, access controls, MFA, auditing, infrastructure safeguards, and timely updates that give it strong protections overall for an accounting SaaS platform. Businesses can feel confident entrusting their data to Xero.
Can you lock accounts in Xero?
You can lock accounts in Xero to prevent edits to transactions before a certain date. This is useful when preparing financial records for tax reporting or at the end of a sales tax period.
To lock accounts in Xero:
- You need the "Adviser" user permission level
- Navigate to Settings > General Settings
- Under "Lock Dates" click "Set Lock Dates"
- Choose the date you want to lock transactions before
- Click "Set Lock Date"
Once a lock date is set, users cannot:
- Add new transactions dated on or before the lock date
- Edit existing transactions dated on or before the lock date
- Delete existing transactions dated on or before the lock date
However, users can still:
- View all transactions, even those before the lock date
- Add, edit, or delete transactions dated after the lock date
Lock dates are useful for preserving the integrity of financial records leading up to important reporting deadlines. Just be aware that once set, lock dates cannot be removed. You would need to contact Xero support to undo a lock date.
So in summary - yes, advisers can set lock dates in Xero to effectively "lock" financial transactions before a certain date. This prevents edits that could impact tax filings or financial statements.
sbb-itb-beb59a9
sbb-itb-beb59a9
sbb-itb-beb59a9
Strengthening Your Password Practices
Crafting Robust Passwords for Your Xero Account
When creating a password for your Xero account, it's important to make it as strong as possible to prevent unauthorized access. Here are some tips:
- Use at least 8-10 characters, combining upper and lowercase letters, numbers, and symbols. The longer and more complex, the better.
- Avoid using dictionary words, names, dates, or other personal information that could be easily guessed.
- Consider using a passphrase - a sequence of words that is easy to remember but hard to crack. For example, "CatBird7*Shoe".
- Never reuse the same password across multiple accounts. Use a unique password for your Xero login.
- Periodically change your password every 90 days or so. This limits the damage if your password does get compromised somehow.
The Role of Password Managers in Xero Security
Using a dedicated password manager app can greatly improve your Xero account security:
- Password manager apps generate and store strong, random passwords for each of your logins. You only need to remember one master password.
- Features like auto-fill help apply the proper passwords as you access accounts like Xero. This avoids reuse across sites.
- Many password managers include two-factor authentication, adding an extra layer of security beyond just a password.
Popular options like LastPass, 1Password, and Dashlane integrate directly with Xero for convenience. Just be sure to choose a password manager with robust encryption to keep your credentials safe. Making the switch takes your Xero password practices to the next level.
Navigating Multi-Factor Authentication on Xero
Multi-factor authentication adds an extra layer of security to your Xero account by requiring two forms of authentication when logging in. This prevents unauthorized access even if your password is compromised.
Setting Up Multi-Factor Authentication with Xero Verify
Here are the steps to set up multi-factor authentication using Xero Verify:
- Log in to your Xero account and go to Settings > Security.
- Under Multi-factor authentication, click Set up.
- Choose Xero Verify and click Confirm. This will open the Xero Verify app.
- Follow the prompts in the Xero Verify app to scan the QR code and enter the 6-digit code displayed.
- Multi-factor authentication using Xero Verify is now activated.
Alternative Authenticators: Google Authenticator and Authy for PC/Desktop
If you prefer not to use your mobile device for multi-factor authentication, Google Authenticator and Authy are two alternatives that can be used on a PC or desktop:
Google Authenticator
- Install the Google Authenticator extension on Chrome or Firefox.
- In Xero, choose Google Authenticator as the verification method.
- Scan the QR code shown. This will save the account in the Authenticator app.
- Enter the 6-digit code displayed in the app when prompted.
Authy
- Install the Authy desktop app and create an account.
- In Xero, choose Authy as the verification service.
- Scan the QR code in the Authy app to link your Xero account.
- Retrieve and enter the codes from Authy when logging into Xero.
Troubleshoot Multi-Factor Authentication Issues
Here are some tips for troubleshooting common multi-factor authentication issues:
- If codes are not being received, check your device's date/time and restart the authenticator app.
- If you get locked out, use backup codes or account recovery options to regain access.
- If multi-factor authentication stops working when you get a new device, unlink and relink your account.
- Contact Xero Support if you continue having issues setting up or using multi-factor authentication.
How to Use Multi-Factor Authentication on a New Device
Follow these instructions to start using multi-factor authentication on a new mobile device or computer:
- Install the Xero Verify app or your preferred authenticator app on the new device.
- Sign in to your Xero account and go to Settings > Security.
- Under Multi-factor authentication, click Set up.
- Choose the same verification method previously used.
- Use the QR code or manual set up option to link the app to your Xero account.
- You can now use multi-factor authentication on your new device when logging into Xero for enhanced security.
Enabling multi-factor authentication is crucial for securing access to your Xero accounting data. With Xero Verify, Google Authenticator, or Authy properly set up, you can rest assured knowing your account is protected behind an extra authentication layer even if your password is compromised.
Guarding Against Phishing and Scams
Phishing scams targeting Xero users are unfortunately common, often attempting to steal login credentials or install malware. Being vigilant and proactive is key to protecting yourself and your Xero account.
Recognizing and Reporting Phishing in the Xero App Store
The Xero App Store hosts hundreds of legitimate third-party apps that integrate with Xero's accounting platform. However, fraudsters sometimes create fake apps that mimic real ones in an attempt to steal user data.
Signs of a potential phishing app include:
- Suspicious or generic-sounding name (e.g. "Xero Tool")
- Very few or no reviews
- Vague or questionable app description
- Requests for sensitive permissions or data
If an app seems suspicious:
- Do not download or connect it to Xero.
- Report it immediately by clicking "Report this app" on the app page.
- Notify Xero Support so they can investigate further.
Taking quick action helps Xero identify and remove fraudulent apps faster, improving safety for all users.
BeCyberSmart: Tips for Xero Users to Avoid Phishing
Xero partners with BeCyberSmart to educate customers on cybersecurity best practices, including how to avoid phishing attempts. Their advice includes:
-
Use unique, complex passwords for your Xero account, and enable 2-factor authentication. This prevents stolen credentials from being reused elsewhere.
-
Carefully inspect links and sender addresses before clicking or entering login details. Phishing links often appear similar to legitimate ones.
-
Do not trust unexpected password reset requests. Instead, independently navigate to Xero and change passwords if concerned about your account security.
-
Keep software updated, including your web browser, to ensure you have the latest security protections enabled.
Following cybersecure habits makes it much harder for phishers to successfully target you or access your Xero account. Leveraging tools like 2FA and vigilantly verifying links provides important layers of protection.
Regularly Updating and Auditing Your Xero Software
Regularly updating your Xero software and auditing account activity are critical to maintaining the security of your Xero account.
Keeping Your Xero Software Up-to-Date
Installing the latest updates for Xero ensures you benefit from the newest security features and fixes for potential vulnerabilities. Xero releases updates on a regular basis to improve software performance and address security issues.
It is highly recommended to enable automatic updates in your Xero software settings so you receive each update as soon as it becomes available. Manual updates can also be initiated from the Updates section. Staying current with software updates reduces the risk of your Xero data or account being compromised.
Leveraging Xero's Audit Logs for Security Oversight
Auditing account activity through Xero's detailed audit logs allows you to monitor actions performed in your organization's ledger and detect any suspicious behavior.
The audit log documents every change made within your Xero account, capturing critical details like the date, user, record affected, and the nature of the change.
Reviewing audit logs regularly enables you to identify irregular account usage that could indicate unauthorized access or other security issues needing investigation. This oversight is key to confirming your Xero environment remains secure.
Conclusion: Safeguarding Your Financial Data
Protecting your Xero account is crucial for securing sensitive financial information and maintaining operational integrity. By enabling two-factor authentication and carefully managing user access, businesses can mitigate risks from data breaches, unauthorized access, and cyber threats.
Regularly reviewing account activity, updating passwords, restricting integration permissions, and utilizing verification codes for suspicious logins are also vital practices. With cyberattacks growing exponentially every year, no organization can afford to neglect proper account security policies and procedures.
By implementing best practices like the ones outlined here, finance teams can effectively safeguard their accounts while still enabling convenient access and collaboration capabilities. As cybercriminals become more sophisticated, an ongoing commitment to improving defenses is essential. Through vigilance, training, and the right mix of security tools, companies can keep their data, customers, and finances protected from constantly evolving threats.