Login Security SSO and 2SA Setup and Use - FAQs
- How do I set up Xero login and 2SA for WorkflowMax? (video)
- Best practice for managing access security for your staff
- What is single sign-on (SSO)?
- What is two-step authentication (2SA)?
- What is the value of 2SA for our customers?
- Why have we implemented 2SA?
- Install an authenticator app
- Setting up 2SA during login
- Setting up 2SA after login
- Adding an alternative recovery email address
- How do I use the Xero login screen to access WorkflowMax
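How do I set up Xero login and 2SA for WorkflowMax? (video)
Watch this video to see how to set up your Xero login along with two-step authentication (2SA) for WorkflowMax.
Best practice for managing access security for your staff
Here are some tips to help you ensure that you and your staff use your WorkflowMax and Xero accounts securely.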
Ensure each user has their own login and discourage users from sharing logins, including generic logins such as firstname.lastname@example.org.
Individual logins provide much better security as it’s easier to manage access to
Invite new staff in with their existing Xero account
If a new staff member has used Xero before, invite them using their email for their existing Xero account.
The staff member can accept the invitation as an existing Xero user, then change their login email address to their new company address. They’ll keep their original account preferences, their Xero education records (including certification) and any
When a staff member leaves
Ensure the staff member’s access to each client
Remind them to change the email address for their Xero account, so they don’t lose their Xero certification and access.
What is single sign-on (SSO)?
Single sign-on (SSO) allows users to access related, but independent software systems – such as Xero and WorkflowMax – by using a single set of login credentials. This simplifies the login process – you only need to remember one set of credentials – as well as providing centralised and enhanced security control.
What is two-step authentication (2SA)?
2SA provides an extra level of security to your WorkflowMax login, by requiring an authentication code as well as your email address and password. The authentication code is generated by an app on your mobile device or computer. If you don’t already have an authenticator app, you can download one before setting up 2SA for your WorkflowMax login.
If you've enabled 2SA but don’t have access to your authenticator app, you can use a recovery option to gain access to your account. In WorkflowMax the recovery options are answering three questions about yourself, or entering a code sent to the email address you’ve nominated for recovery.
What is the value of 2SA for our customers?
Our customers occasionally have their WorkflowMax account passwords compromised, usually by falling victim to phishing or malware. Having two-step authentication enabled significantly reduces the risk of unauthorised access to their account, because their login ID and password by themselves are no longer enough to be able to log in. This better protects each customer from fraud and damage to their business.
Why have we implemented 2SA?
Security is important to Xero and we’re continuously striving to protect our customers and their businesses by enhancing the security features of our products. Phishing and other scams are constantly targeting users to steal their login IDs and passwords as a means to gain access to their accounts. As Xero is used by more users, and awareness of the company grows, we increase the profile of Xero as a target to be attacked, so it’s important that we provide ways to protect the users of our software.
Install an authenticator app
Download and install the relevant authenticator app for your device:
- Google Authenticator for Android, iPhone, iPod Touch, iPad, and BlackBerry devices (Google Accounts Help Center)
- Authy for iPhone, iPad, Android, Mac computers and Windows computers (Authy website)
- Windows Authenticator for Windows Phones (Microsoft Store).
Follow the installation instructions provided for your device to add an account.
Setting up 2SA during login
If 2SA is mandatory for your user role, you can set it up during the login process.
All Australian WorkflowMax users will need to have 2SA enabled as it’s a mandatory requirement of the Australian Tax Office (ATO).
- If you haven't already done so, install an authenticator app.
- In Xero, enter your email address and password, and click Login.
- Click Set up 2SA now.
- Scan the barcode into your authenticator app, or enter the key manually, then click Continue. Make sure you turn on Time-based if you enter the key manually.
- Enter the six-digit code generated by your authenticator app, then click Continue.
- Select three security questions as a recovery method, enter the answers, then click Continue.
- If you want to use an alternative email address as an additional recovery method, enter the email address then click Send Code. Enter the six-digit code we sent to that address, then click Confirm Email.
- Click Finish. You're now set up to use two-step authentication next time you log in to Xero.
Setting up 2SA after login
If you’re not prompted to set up 2SA while you log in to Xero, you can do it from your Account settings once you’re logged in.
- If you haven't already done so, install an authenticator app.
- In Xero, click your name, then click Account.
- Under Two-step authentication, click Setup.
- Scan the barcode into your authenticator app, or enter the key manually, then click Next. Make sure you turn on Time-based if you enter the key manually.
- Enter the authentication code provided by your authenticator app into Xero, then click Next.
- Select your three security questions and type answers, then click Next. The security questions can be used as a backup if you don't have your device or the code is not working.
- Click Done.
The next time you log in to Xero, you'll need to enter an authentication code as well as your email address and password.
Adding an alternative recovery email address
If you’re already using 2SA you can add an alternative email address as another recovery method. The email address must be different from the one you use as your Xero login.
- Go to the Xero login page.
- Enter your email address and password, and click Login.
- Click Use another authentication method.
- In the Alternative email address box, click Set up.
- Verify your identity by entering an authentication code or answering your security questions.
- Enter the email address you want to use for recovery.
- Click Send code.
- Enter the six-digit code we sent to the alternative email address, then click Confirm Email.
- Click Finish.
How do I use the Xero login screen to access WorkflowMax
WorkflowMax is a Xero-owned product and we now provide single sign-on (SSO) for WorkflowMax and Xero. This gives an additional layer of security protection for your data by using the Xero login screen.
To log in to WorkflowMax:
- Navigate to your usual WorkflowMax login screen. You will be re-directed automatically to the Xero login screen.
- Type your WorkflowMax username and password.
If you have forgotten your login details, please use the Forgot your password? link. You will receive an email that contains a link to reset your password (the email may go into your spam folder).
- Click Login.
- Using the Xero login screen to access your WorkflowMax account does not mean you need to have a Xero subscription.
- If you’re logging in to a custom domain (such as yourcompany.workflowmax.com) then your URL will automatically redirect to the Xero login screen.
- If you have a saved bookmark for your old WorkflowMax login screen, you might want to replace it with the URL of the Xero login screen so it is easy to return to.
- For security reasons, there is no Remember Me option.
- Read this blog post about online security best practice.