Login Security and Authentication - FAQs

Although WorkflowMax uses the same login system as Xero, the requirements and usage of multi-factor authentication (MFAMulti-factor authentication (MFA) is a security process that uses at least two different factors, something you know (your password) and something you have (mobile device), before you can enter your account.) are slightly different, depending on whether you are using Xero or WorkflowMax. The following FAQs highlight any differences where necessary.

This article provides background information on the purpose, operation and setup of MFA. For instructions on changing MFA settings, see Changing your MFA settings.

ClosedMulti-factor authentication (MFA) overview

What is multi-factor authentication (MFA)?

Multi-factor authentication (MFA) is a security process that uses at least two different factors, something you know (your password) and something you have (mobile device), before you can enter your account. This second layer of security is designed to prevent anyone but you from accessing your account even if they know your password. MFA is also referred to as 2FA (two-factor authentication) or 2SA (two-step authentication). MFA helps protect your valuable data by adding a second layer of security.

Why is MFA being mandated?

With the increase in security breaches and account compromises, it’s important to step up security. As custodians of sensitive client data, keeping everyone’s data secure is a top priority.

The threat to both enterprise and small business data has never been greater. According to the 2019 World Economic Forum Report, cyber threats are the fourth greatest risk to world economies, behind climate change and natural disasters. The world has witnessed an overall increase in cyber attacks, data breaches, data leaks and espionage which are estimated to cost the world $6 trillion annually by 2021.

Implementing multi-factor authentication is one of easiest, most effective actions companies can take to improve security of client data. It’s no longer a ‘nice to have’ but a genuine necessity.

Who is it mandatory for?

All Xero and WorkflowMax users (in all regions) invited into a Xero or WorkflowMax organisation will be required to enable MFA: Xero users by the end of 2021 and WorkflowMax users by the end of 2022.

MFA for WorkflowMax users will be progressively rolled out to all users worldwide on a region by region basis, during 2022. MFA will remain optional for WorkflowMax users until early 2022 and we'll let you know in advance when it's your turn.

In what regions is multi-factor authentication (MFA) mandatory?

Authentication has been offered as an optional feature since 2015, however, in Australia it became mandatory in 2018 due to the Australian Tax Office’s (ATO) Operational Framework that required all software companies interacting with the ATO to have multi-factor authentication. Meanwhile, as the business world operates online, and cyber attackers and hackers only get more sophisticated, modern security features like MFA offer an important layer of protection for you. Our customers will always be our highest priority.

Is MFA going to be compulsory for clients as well as partners?

Yes. We will be rolling it out in a phased approach and providing communications and instructions along the way. Please note that users who don’t need to use the Xero login system, like payroll employees and those who use the Xero portal and Ask portal, won’t need to set up MFA.

What is the value for WorkflowMax customers?

WorkflowMax customers’ account passwords are occasionally compromised, usually due to phishing or malware. Having multi-factor authentication enabled significantly reduces the risk of unauthorised access to a customer’s account as the attacker can only get the something they know (the user’s login and password), not the something they possess, so they can’t log in. This better protects our customers from fraud and damage to their business.

Why can’t I share my password?

It’s the first rule of security: “never share your passwords with anyone!” Not even your boss, accountant or bookkeeper, no-one. We suggest inviting new users instead of sharing your login credentials. Keep your WorkflowMax account safe; and add a new user to your organisation so there's an audit trail of access and data changes.

If you choose to share your login with other people, prepare to be annoyed with requests to login and authenticate much more frequently. In addition, access to some key functionality might be blocked, as your activity may be classified as suspicious.

Where do I go if I have questions about multi-factor authentication?

If you need any help, you’ll find setup videos on this MFA web page. You can also talk to your setup partner. If you experience any difficulties, take a look at this troubleshooting article or raise a case in Xero Central.

ClosedAuthentication apps

What is an authenticator app?

Authentication apps generate security codes for signing into sites that require a high level of security. These apps can be used to retrieve security codes and don’t need to have an internet connection. A mobile phone app is the typical example of an authentication app, but other forms exist, including applications for desktops and browser extensions (refer to next point). After installing and configuring the app to work with your account, you will be able to receive push notifications and security codes.

What is Xero Verify?

Xero Verify is Xero’s own authentication device which allows you to receive a push notification to verify that it’s you when you log in to Xero or WorkflowMax.

Where do I get the Xero Verify app?

The Xero Verify app is available on the Apple and Google app stores. Just search for ‘Xero Verify’, then download it to your smartphone or tablet. Please note that Xero Verify can only be used to authenticate Xero and WorkflowMax accounts.

Can I use another authentication app?

Yes, but you won’t receive push notifications when using them with Xero or WorkflowMax. If you’d still like to use an app other than Xero Verify, then we recommend Google Authenticator, FreeOTP, or Authy. With these apps, you’ll need to type or copy the code they provide into Xero or WorkflowMax when you log in.

Does using an authenticator app mean that I’m connecting my WorkflowMax data to a third party?

No, Xero Verify and other authenticator apps don’t connect to your Xero or WorkflowMax account. Xero Verify simply provides a push notification, and they all generate a time-based numeric passcode to enter during the login process. It means if someone guesses or knows your password, it’s not enough to access your account.

Which authenticator app do you recommend?

Of course, we recommend Xero Verify. It’s the only authentication app that allows push notifications to your Xero and WorkflowMax accounts. However, beyond that Xero doesn’t recommend any particular third-party authenticator app. It’s really up to you as to which app best suits your needs and the type of device you’re installing it on.

If I choose to use Google Authenticator instead of Xero Verify and I don't have a Google account, does this still apply to me?

Using the Google Authenticator app does not link your Xero or WorkflowMax account to Google, and does not require you to have a Google account. The Google app uses an industry standard TOTP (time-based one-time password) algorithm. There are also other apps you can use instead if you prefer, such as Authy or FreeOTP. Once the authenticator app is installed and set up on your mobile device, it doesn’t need a mobile or wireless connection to work. Because it’s time-based, it doesn’t connect to anything to generate the code.

If I have Google Authenticator, do I have to switch to Xero Verify?

No. You are welcome to have either. What’s important is that you have the second layer of security with MFA. We recommend Xero Verify. It’s the only authentication app that allows push notifications to your Xero or WorkflowMax account. However, beyond that, Xero doesn’t recommend any particular third-party authenticator app. It’s really up to you as to which app best suits your needs and the type of device you’re installing it on.

ClosedAbout MFA setup and use

Do I have to authenticate each time I log in to Xero or WorkflowMax?

You’ll have the option to remember the device you’ve logged in with for 30 days but you’ll need to authenticate again at the end of the 30 days. You’ll also need to authenticate again if:

  • you log in with a new device/browser
  • another user logged in on the same device/browser
  • cookies & cache have been cleared (or not enabled)
  • you’re using a private browser, or a different internet connection.

If you authenticate with a back up method (email or security questions) you’ll only be remembered for up to 24 hours.

Can I use Xero Verify to authenticate outside Xero or WorkflowMax?

No. Xero Verify is only used to authenticate your Xero or WorkflowMax account.

What if I don’t want to set up MFA?

You will need to set up and use MFA. It’s a mandatory requirement if you want to continue to use Xero or WorkflowMax.

I don't have access to a smartphone at work. How can I use multi-factor authentication?

You can install an authenticator app on your desktop.

  • Authy has a desktop authenticator app for Windows and MacOS devices. Download Authy here.
  • If you’re using Windows, you can use WinAuth. Find WinAuth here.

Does my mobile device or tablet need to be connected to the internet to receive push notifications?

Yes. To receive a push notification with the Xero Verify app, you need to be connected to the internet.

Does my mobile device need to be connected to the internet to get a passcode from Xero Verify or another authentication app?

No. Once Xero Verify or the authenticator app of your choice is installed and set up on your mobile device, it doesn’t need a mobile or wireless connection to work. Authentication apps continually generate new codes that are valid for around 30 seconds.

Does the time setting on my mobile device matter?

Not for Xero Verify. However, if you are using a third party authentication app (such as Google Authenticator or Authy) you need to make sure the time on your authenticator device is in sync with the Xero login system. Xero login uses an automatic clock service to set the time, as do most mobile device service providers, so we recommend you allow your network provider to set the time automatically. Manually setting the time can lead to out-of-sync issues and an invalid code error.

How do I use multi-factor authentication with a new mobile device?

You use your existing multi-factor authentication (MFA) setup when moving MFA to a new mobile device. Just change the device under ‘Account settings’ in your account to your new mobile device. Visit our guide to using MFA with a new device for step-by-step instructions.

Do I need an authenticator for my phone, tablet and laptop AND do my staff all need one too?

Everyone logging into Xero or WorkflowMax who has access to an organisation needs to have MFA enabled on their account. You only need one instance of the authenticator app for each person to be able to log into their Xero or WorkflowMax account.

Can you set up multiple authenticators on the one mobile device?

Yes, but Xero Verify is the only one that sends a push notification which is the easiest way to confirm that it’s you.

What is a push notification and how do I get one?

A push notification is a pop-up notification that is sent to your mobile device. It enables you to confirm it’s you who is trying to log in. You simply tap a button to approve or deny access.

When you have enabled MFA in Xero or WorkflowMax, and accepted push notifications for authentication in the Xero Verify app, every time you log in, you’ll receive a pop-up message on your device asking you to confirm the login.

Can I verify my identity another way?

Yes. You can choose to use a backup email or security questions.

What is a backup email?

We’re making it easier to access Xero and WorkflowMax if you lose your mobile device. You can specify a backup email address when you set up MFA to provide a fallback option if Xero Verify or your other authenticator app isn’t available. You should use a strong and unique password with your backup email.

I’m locked out. How long will it take for customer service to unlock my account?

Xero has put extra resources into place to help businesses who experience this issue. Please log a case immediately and someone should be in touch within a few hours.

In the meantime, please try using one of the alternative methods (security questions or backup email) to authenticate yourself and let us know what you’ve tried so far.

How do I raise a case if I’m locked out of my account?

MFA issues - When the customer clicks the contact support button at the bottom of the Troubleshoot MFA page they’ll be directed to an unauthenticated case raise form.

Can’t Login - On the Can’t login to Xero page, there is a link to contact support about a login issue. This also takes customers to a form for raising an unauthenticated case. The form can also be accessed from the Status Page.

If I forget my phone, how do I get back into my account?

After inserting your username and password, choose your backup email address or security questions.

I’ve lost my phone, how do I get back into my account?

You can use your backup email or security questions. Be sure to go into your ‘Account settings page’ and remove your device. When you replace your device, you’ll need to set up the MFA authenticator on your new device.

Why doesn't the code work on my third-party authenticator? I keep getting an invalid code error

You need to make sure the time on your authenticator device is in sync with the Xero login system. Xero login uses an automatic clock service to set the time, as do most mobile device service providers, so we recommend you allow your network provider to set the time automatically. Manually setting the time can lead to out-of-sync issues and an invalid code error. However, if you are using the Xero Verify app for codes, you won’t receive an error message and what’s even better is the push notifications that Xero Verify provides.

ClosedSetting up MFA

How do I set up MFA during log in?

If you’re required to set up MFA before you can use WorkflowMax, you can set it up when you log in.

  1. Go to the WorkflowMax login screen.
  2. Enter your email address and password, then click Log in.
  3. Read more about MFA and when you are ready, click Set up multi-factor authentication.
  4. Choose the authenticator app to use. We recommend that you use Xero Verify, but you can use another app such as Google Authenticator or Authy if you wish.
  5. If you haven’t already done so, install the app.
  6. Follow the on-screen instructions to set up the authenticator app.
  7. Do one of the following:
    • Set up a backup email address. Type an email address to use if you get locked out of your account or if you don't have your phone. Your backup email address must be different from the address you use to log in to WorkflowMax. You'll need to enter the confirmation code sent to your backup email address. Click Confirm email.
    • Set up backup security questions. Click Add backup security questions instead. Select three question-and-answer pairs that are memorable for you and unlikely to be known by anyone else. Your answers can only contain letters or numbers, and not any symbols or special characters. Click Submit.
  8. Click Continue to complete the setup.

You're now set up to use MFA next time you log in to WorkflowMax.

How do I set up MFA once logged in?

Even if you’re not required to set up MFA before you can use WorkflowMax, you can still set it up for extra security.

  1. While logged in to WorkflowMax, click your initials or profile image at the top right of the screen, then select Account. The Xero | Account Settings screen opens in a new tab.
  2. On the Multi-factor authentication row, click Set up.
  3. Read more about MFA and when you are ready, click Set up multi-factor authentication.
  4. Choose the authenticator app to use. We recommend that you use Xero Verify, but you can use another app such as Google Authenticator or Authy if you wish.
  5. If you haven’t already done so, install the app.
  6. Follow the on-screen instructions to set up the authenticator app.
  7. Do one of the following:

    • Set up a backup email address. Type an email address to use if you get locked out of your account or if you don't have your phone. Your backup email address must be different from the address you use to log in to WorkflowMax. You'll need to enter the confirmation code sent to your backup email address. Click Confirm email.

    • Set up backup security questions. Click Add backup security questions instead. Select three question-and-answer pairs that are memorable for you and unlikely to be known by anyone else. Your answers can only contain letters or numbers, and not any symbols or special characters. Click Submit.
  8. Click Continue to complete the setup.
  9. Close the Xero | Account Settings tab to navigate back to your WorkflowMax tab. Alternatively, if you want to continue working in the new tab, you can click Back to WorkflowMax at top-left of the screen.

You're now set up to use MFA next time you log in to WorkflowMax.