Login Security SSO and 2SA Setup and Use - FAQs

How do I set up Xero login and 2SA for WorkflowMax?

Watch this video to see how to set up your Xero login along with two-step authentication (2SA) for WorkflowMax.

Set up Xero login and 2SA for WorkflowMax (4 min 49 sec.)

Best practice for managing access security for your staff

Here are some tips to help you ensure that you and your staff use your WorkflowMax and Xero accounts securely.

Individual logins

Ensure each user has their own login and discourage users from sharing logins, including generic logins such as admin@yourcompany.com.

Individual logins provide much better security: it’s easier to manage access to organisations, and you have a clear audit trail of the work done by each staff member. Individual logins are also a requirement if you use two-step authentication.

Invite new staff in with their existing Xero account

If a new staff member has used Xero before, invite them using their email for their existing Xero account.

The staff member can accept the invitation as an existing Xero user, then change their login email address to their new company address. They’ll keep their original account preferences, their Xero education records (including certification) and any organisations they had access to that weren’t clients of their previous company.

When a staff member leaves

Ensure the staff member’s access to each client organisation is removed before you remove the user from the WorkflowMax account.

Remind them to change the email address for their Xero account, so they don’t lose their Xero certification and access.

What is single sign-on (SSO)?

Single sign-on (SSO) allows users to access related, but independent software systems – such as Xero and WorkflowMax – by using a single set of login credentials. This simplifies the login process – you only need to remember one set of credentials – as well as providing centralised and enhanced security control.

What is two-step authentication (2SA)?

2SA provides an extra level of security to your WorkflowMax login, by requiring an authentication code as well as your email address and password. The authentication code is generated by an app on your mobile device or computer. If you don’t already have an authenticator app, you can download one before setting up 2SA for your WorkflowMax login.

If you've enabled 2SA but don’t have access to your authenticator app, you can use a recovery option to gain access to your account. In WorkflowMax the recovery options are answering three questions about yourself, or entering a code sent to the email address you’ve nominated for recovery.

For further details, watch the video or see Two-step authentication explained in Xero Central.

What is the value of 2SA for our customers?

Our customers occasionally have their WorkflowMax account passwords compromised, usually by falling victim to phishing or malware. Having two-step authentication enabled significantly reduces the risk of unauthorised access to their account, because their login ID and password by themselves are no longer enough to be able to log in. This better protects each customer from fraud and damage to their business.

Why have we implemented 2SA?

Security is important to Xero and we’re continuously striving to protect our customers and their businesses by enhancing the security features of our products. Phishing and other scams are constantly targeting users to steal their login IDs and passwords as a means to gain access to their accounts. As Xero is used by more users, and awareness of the company grows, we increase the profile of Xero as a target to be attacked, so it’s important that we provide ways to protect the users of our software.

Install an authenticator app

Download and install the relevant authenticator app for your device:

Follow the installation instructions provided for your device to add an account.

Setting up 2SA during login

If 2SA is mandatory for your user role, you can set it up during the login process.

All Australian WorkflowMax users will need to have 2SA enabled as it’s a mandatory requirement of the Australian Tax Office (ATO).

  1. If you haven't already done so, install an authenticator app.
  2. In Xero, enter your email address and password, and click Login.
  3. Click Set up 2SA now.
  4. Scan the barcode into your authenticator app, or enter the key manually, then click Continue. Make sure you turn on Time-based if you enter the key manually.
  5. Enter the six-digit code generated by your authenticator app, then click Continue.
  6. Select three security questions as a recovery method, enter the answers, then click Continue.
  7. If you want to use an alternative email address as an additional recovery method, enter the email address then click Send Code. Enter the six-digit code we sent to that address, then click Confirm Email.
  8. Click Finish. You're now set up to use two-step authentication next time you log in to Xero.

Setting up 2SA after login

If you’re not prompted to set up 2SA while you log in to Xero, you can do it from your Account settings once you’re logged in.

  1. If you haven't already done so, install an authenticator app.
  2. In Xero, click your name, then click Account.

  3. Under Two-step authentication, click Setup.
  4. Scan the barcode into your authenticator app, or enter the key manually, then click Next. Make sure you turn on Time-based if you enter the key manually.
  5. Enter the authentication code provided by your authenticator app into Xero, then click Next.
  6. Select your three security questions and type answers, then click Next. The security questions can be used as a backup if you don't have your device or the code is not working.
  7. Click Done.

The next time you log in to Xero, you'll need to enter an authentication code as well as your email address and password.
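What the "Time-based" setting in both setup procedures above controls, shown as an added example (not Xero's or WorkflowMax's code): an authenticator derives the six-digit code from the shared key and the current 30-second time window, so an app left in counter-based mode produces a code the server rejects. The HMAC-SHA1 algorithm and 30-second step are the RFC 6238 defaults and are assumptions here; the key and timestamp are constructed test values from that RFC.

```python
import base64
import hashlib
import hmac
import struct


def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over an 8-byte counter, then dynamic truncation."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def totp(key: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238: the counter is the number of `step`-second windows since 1970."""
    return hotp(key, unix_time // step, digits)


def decode_manual_key(text: str) -> bytes:
    """Decode a key typed by hand: Base32, tolerating spaces and lower case."""
    cleaned = text.replace(" ", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)  # restore stripped padding
    return base64.b32decode(cleaned)


def verify(key: bytes, code: str, unix_time: int, drift_windows: int = 1) -> bool:
    """Server-side check: accept the current window plus or minus a small drift."""
    counter = unix_time // 30
    return any(
        hmac.compare_digest(hotp(key, counter + d), code)
        for d in range(-drift_windows, drift_windows + 1)
    )


# Constructed sample input: the RFC 6238 test secret, as it might be typed manually.
KEY = decode_manual_key("gezd gnbv gy3t qojq gezd gnbv gy3t qojq")
NOW = 1111111109  # fixed timestamp taken from the RFC 6238 test vectors

if __name__ == "__main__":
    time_based = totp(KEY, NOW)   # authenticator with Time-based turned on
    counter_based = hotp(KEY, 0)  # same key, but app left in counter mode
    print("time-based code   :", time_based, "accepted:", verify(KEY, time_based, NOW))
    print("counter-based code:", counter_based, "accepted:",
          verify(KEY, counter_based, NOW, drift_windows=0))
    # A code from the previous window still passes two seconds later (clock drift).
    print("previous window   :", verify(KEY, time_based, NOW + 2))
```

The same arithmetic explains why a device with a badly wrong clock produces codes that fail: the window number it computes no longer matches the server's.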

Adding an alternative recovery email address

If you’re already using 2SA you can add an alternative email address as another recovery method. The email address must be different from the one you use as your Xero login.

  1. Go to the Xero login page.
  2. Enter your email address and password, and click Login.
  3. Click Use another authentication method.
  4. In the Alternative email address box, click Set up.
  5. Verify your identity by entering an authentication code or answering your security questions.
  6. Enter the email address you want to use for recovery.
  7. Click Send code.
  8. Enter the six-digit code we sent to the alternative email address, then click Confirm Email.
  9. Click Finish.

How do I use the Xero login screen to access WorkflowMax?

WorkflowMax is a Xero-owned product and we now provide single sign-on (SSO) for WorkflowMax and Xero. This gives an additional layer of security protection for your data by using the Xero login screen.

To log in to WorkflowMax:

  1. Navigate to your usual WorkflowMax login screen. You will be redirected automatically to the Xero login screen.
  2. Type your WorkflowMax username and password.

    If you have forgotten your login details please use the Forgot your password? link. You will receive an email that contains a link to reset your password (the email may go into your spam folder).

  3. Click Login.

Notes

  • Using the Xero login screen to access your WorkflowMax account does not mean you need to have a Xero subscription.
  • If you’re logging in to a custom domain (such as yourcompany.workflowmax.com) then your URL will automatically redirect to the Xero login screen.
  • If you have a saved bookmark for your old WorkflowMax login screen, you might want to replace it with the URL of the Xero login screen so it is easy to return to.
  • For security reasons, there is no Remember Me option.
  • Read this blog post about online security best practice.