This article gives you an overview of how to set up and use multi-factor authentication (MFA) in .
Once MFA is set up, you can change your backup questions or change your authenticator app by following the instructions in the article Change your MFA settings.
-
What MFA is and why it's important
MFA stands for multi-factor authentication. It is the industry standard way of securing your data against malicious login attempts.
In summary, MFA consists of something you know, as well as something you have. In this case, the something you know is your login details and the something you have is the device that has the authenticator on it.
MFA is currently optional for most users, although MFA is legally required in some countries, and new laws are being added every year around online security.
MFA helps to keep your business and your data safe.
-
Making MFA mandatory in an account
By enabling the Organisation setting Enforce MFA for All Users, the Account Owner can make MFA mandatory for all staff who can log in to the account.
Once mandatory MFA is enabled, all staff who access the account are required to authenticate using MFA when signing in to their account. Staff who have not yet enabled MFA on their account need to set up MFA the next time they sign in to by linking their account with an MFA Authenticator app and creating answers for backup security questions.
As soon as mandatory MFA is enabled, all staff automatically receive an email notifying them of this change, including instructions on the setup process.
-
Authenticator apps
There are a number of authenticator apps available. You can use any authenticator you like that has the ability to recognise ’s QR code or setup key.
It’s currently not possible to use Xero’s authenticator app because it can only be used for Xero logins.
Smartphone and tablet apps
This is the option we recommend because it is the most secure. Keeping the authenticator on a separate device from the one you are most often logged in on means that any malicious actor would need to have both to log in.
One of the biggest advantages of having the app on a device like a phone is that most people rarely go without it. This makes it more likely you will have your authenticator details on you if you need to log in on a new device or in a new location.
Within the Google Play store and Apple App store there are many different authenticator apps available. One that we can recommend is Google Authenticator. This is a commonly used app that has robust support systems.
If you already have an authenticator app for other logins (except Xero Authenticator), you can use this for your login. For example, if you have Microsoft Authenticator, you can use it here.
Browser extensions and Password managers
If you don’t have a smartphone, or don’t want to have your authenticator on your phone, you can set up a browser extension authenticator.
Many password managers such as 1Password also have an inbuilt authenticator option. If you use a password manager to keep track of your passwords, check to see if you already have access to an authenticator.
There are also standalone authenticators that are available as browser extensions. To find these, check your browser’s list of available extensions (the Chrome webstore, for example).
Depending on the option chosen, you may have trouble moving between computers, and you may only be able to access your authenticator from one browser, which may be an issue if you use multiple browsers. Some apps may have companion mobile or desktop versions.
Desktop apps
If you don’t have a smartphone or you prefer not to add any apps to your phone, you can choose to use a desktop authenticator.
This option is best for people who mainly log in on one device, and don’t share computers with anyone. You may find that you need to use your backup security questions when using a different device.
Any app that can recognise ’s setup key can be used. You can find and download desktop apps from the Windows store on your PC, or the app store on your Mac. A recommended app for Windows users is WinAuth.
-
Set up MFA using a smartphone or tablet
Please note that all authenticators are different and may appear different between different devices. Please refer to the setup and help information from your authenticator for more detailed and personalized instructions. support won’t be able to provide app support beyond basic setup help.
Before you begin, get set up. Make sure you have downloaded your chosen authenticator app and have opened it for the first time. Some apps have a registration or login process.
We also recommend using two devices: the one you have installed the authenticator on, and a second device to log in on. Most users log in on a desktop, but a second phone or tablet can also be used.
If you aren’t comfortable working with multiple screens or windows you may like to ask for assistance. If you have someone in person with you it can be very helpful. If you get stuck, please contact our support team and let us know what step you get stuck on.
- Log in to using your email and password.
- Click your initials or profile image at the top-right of the screen, then select Profile Settings.
- On the Profile Settings screen, click the Enable Multi-Factor Authentication button. You will be shown a QR code and prompted to set up MFA.
- Open the authenticator app you downloaded and select the option to add a new account.
- Use the authenticator app to scan the QR code. The app may ask for permission to use your camera, which it needs to scan the QR code. Your authenticator app should now be linked with your login. Some apps may give you other settings at this point; you want a 6 digit code that expires every 30 seconds. If you aren’t given these options, don’t worry: most apps are set to this automatically.
- You will be taken to a screen where you can enter your backup questions, which you can use if you can’t access your authenticator. Make sure they have answers you can remember. A valid answer:
  - must be at least four characters long
  - can answer only one question
  - is not case sensitive
  - may contain spaces (which are ignored).
- Enter the 6 digits from your authenticator into the box provided on the login screen.
You are now all set up. The next time you log in you will be asked for a 6 digit code. Simply open your authenticator app and enter the newest 6 digit code in the app. The code will change every 30 seconds and will be different every time you log in. You can tick the Remember me option when logging in and you won't be asked to log in for 7 days. Only do this if you don’t share a device.
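How the QR code, the setup key and the 6 digit code relate, as an added illustration that is not code from this product: it assumes the login uses standard TOTP (RFC 6238 with HMAC-SHA1), which is what generic authenticator apps implement. The URI, issuer and account name are constructed, and the secret is the public RFC 6238 test key.

```python
import base64
import hashlib
import hmac
import struct
from urllib.parse import parse_qs, urlparse

# Constructed sample of what a setup QR code encodes. The secret is the
# RFC 6238 test key in Base32; issuer and account are placeholders.
SAMPLE_URI = ("otpauth://totp/ExampleApp:user%40example.com"
              "?secret=GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"
              "&issuer=ExampleApp&digits=6&period=30")

def decode_setup_key(key):
    """Setup keys are Base32; apps often show them lower-case, in groups."""
    key = key.replace(" ", "").replace("-", "").upper()
    return base64.b32decode(key + "=" * (-len(key) % 8))

def parse_setup_uri(uri):
    """Return (secret_bytes, digits, period) from an otpauth:// URI."""
    parts = urlparse(uri)
    if parts.scheme != "otpauth" or parts.netloc != "totp":
        raise ValueError("not a TOTP setup URI")
    q = parse_qs(parts.query)
    return (decode_setup_key(q["secret"][0]),
            int(q.get("digits", ["6"])[0]), int(q.get("period", ["30"])[0]))

def totp(secret, at, digits=6, period=30):
    """RFC 6238 code for Unix time `at` (HMAC-SHA1 over the time step)."""
    counter = int(at) // period
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                      # dynamic truncation
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

def verify(secret, code, at, window=1, digits=6, period=30):
    """Accept the current step, plus `window` steps either side for clock drift."""
    steps = (max(at + i * period, 0) for i in range(-window, window + 1))
    return any(hmac.compare_digest(totp(secret, t, digits, period), code)
               for t in steps)

if __name__ == "__main__":
    secret, digits, period = parse_setup_uri(SAMPLE_URI)
    for t in (30, 59, 60):                       # 30 and 59 share a time step
        print(t, totp(secret, t, digits, period))
    print(verify(secret, "287082", 89), verify(secret, "287082", 149))
```

Because the setup key alone is enough to generate valid codes, treat it like a password: do not save or share it once your authenticator is linked.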
-
Set up MFA using a browser extension [Coming soon]
Please note that all authenticators are different and may appear different between different devices. Please refer to the setup and help information from your authenticator for more detailed and personalized instructions. support won't be able to provide app support beyond basic setup help.
Before you begin, get set up. Make sure you have added your chosen authenticator app to your browser, and have opened it for the first time. Some apps have a registration or login process.
If you have a large enough screen, or multiple screens, we suggest having two copies of your browser open side by side so you can see both during the setup process.
If you aren’t comfortable working with multiple windows, you may like to ask for assistance. If you have someone in person with you it can be very helpful. If you get stuck, please contact our support team and let us know what step you get stuck on.
- Log in to using your email and password.
- Click your initials or profile image at the top-right of the screen, then select Profile Settings.
- On the Profile Settings screen, click the Enable Multi-Factor Authentication button. You will be shown a QR code and prompted to set up MFA. You will also see an option to use a setup key instead.
- Select the setup key option and copy the code you are given.
- Open the authenticator extension you installed and select the option to add a new account. It should ask you for your setup key.
- Paste the setup key into your authenticator app before clicking continue.
- Your authenticator app should now be linked with your login. Some apps may give you other settings at this point; if yours does, select a 6 digit code that expires every 30 seconds. If you aren’t given these options, don’t worry: most apps are set to this automatically.
- Enter the 6 digits from your authenticator into the box provided on the login screen to finish the process.
- You will be taken to a screen where you can enter your backup questions, which you can use if you can’t access your authenticator. Make sure they have answers you can remember. A valid answer:
  - must be at least four characters long
  - can answer only one question
  - is not case sensitive
  - may contain spaces (which are ignored).
You are now all set up. The next time you log in to you will be asked for a 6 digit code. Simply open your authenticator app and enter the newest 6 digit code in the app. The code will change every 30 seconds and will be different every time you log in. You can tick the Remember me option when logging in, which will bypass the MFA check. Only do this if you don’t share a device.
-
Set up MFA using a desktop app [Coming soon]
Please note that all authenticators are different and may appear different between different devices. Please refer to the setup and help information from your authenticator for more detailed and personalized instructions. support won't be able to provide app support beyond basic setup help.
Before you begin, get set up. Make sure you have downloaded your chosen authenticator app and have opened it for the first time. Some apps have a registration or login process.
If you have a large enough screen, or multiple screens, we suggest having your browser and authenticator app side by side so you can see both during the setup process.
If you aren’t comfortable working with multiple windows, you may like to ask for assistance. If you have someone in person with you it can be very helpful. If you get stuck, please contact our support team and let us know what step you get stuck on.
- Log in to using your email and password.
- Click your initials or profile image at the top-right of the screen, then select Profile Settings.
- On the Profile Settings screen, click the Enable Multi-Factor Authentication button. You will be shown a QR code and prompted to set up MFA. You will also see an option to use a setup key instead.
- Select the setup key option and copy the code you are given.
- Open the authenticator app you downloaded and select the option to add a new account. It should ask you for your setup key.
- Paste the setup key into your authenticator app before clicking continue.
- Your authenticator app should now be linked with your login. Some apps may give you other settings at this point; if yours does, select a 6 digit code that expires every 30 seconds. If you aren’t given these options, don’t worry: most apps are set to this automatically.
- Enter the 6 digits from your authenticator into the box provided on the login screen to finish the process.
- You will be taken to a screen where you can enter your backup questions, which you can use if you can’t access your authenticator. Make sure they have answers you can remember. A valid answer:
  - must be at least four characters long
  - can answer only one question
  - is not case sensitive
  - may contain spaces (which are ignored).
You are now all set up. The next time you log in to you will be asked for a 6 digit code. Simply open your authenticator app and enter the newest 6 digit code in the app. The code will change every 30 seconds and will be different every time you log in. You can tick the Remember me option when logging in, which will bypass the MFA check. Only do this if you don’t share a device.
-
Troubleshooting and FAQ
Can we share logins?
No. For security reasons and to maintain a correct audit trail, every user should have their own unique login, each with MFA set up.
Can we turn off MFA?
At present, MFA is optional (but recommended). In future, MFA will be compulsory for all users who log in to .
How do I set up MFA if I don’t have a smartphone?
If you have a tablet you can use that as a mobile device. If you have no access to any mobile devices, you can choose to use a desktop authenticator or a browser extension authenticator.
But I can’t download software on my computer...
The best solution is to have your authenticator on a mobile device such as a phone or tablet. If this also isn’t an option, a browser extension is a great way to get around the block on software. These can be added from within your browser and often don’t trigger an IT block on new software. Alternatively, you will need to contact your IT provider and ask for an exemption to be added for the authenticator app you would like to use. Most companies are happy to allow this type of download because it is for business use.
I have a new phone/I can’t access the device with my authenticator
If you can, log in with your backup questions. These will allow you temporary access to your account.
Once logged in, click on your initials in the top right of the screen and select Profile. From here you will see the option to change the device used for your MFA. Once you click this, you will be taken back to the setup screens and you will be able to set up MFA again on your new device.
My authenticator is asking for a QR code
This can happen if the app data has been cleared or deleted and re-downloaded.
If you can, log in with your backup questions. These will allow you temporary access to your account.
Once logged in, click on your initials in the top right of the screen and select Profile. From here you will see the option to change the device used for your MFA. Once you click this, you will be taken back to the setup screens and you will be able to set up MFA again on your new device.
A staff member left, and we want to reuse their email address for a new staff member but MFA is still turned on.
Your Account owner will be able to reset the MFA setup for this login.
If your Account owner isn’t available, contact our support team and we can help the new staff member reset the MFA settings on the account.
I can’t remember my backup questions.
Your Account owner will be able to reset the MFA setup for your login.
If you are the Account owner or they aren’t available, contact our support team and we can help you reset the MFA settings on your account.
I get a 'something went wrong' message while setting up MFA
This means that the app didn’t link correctly with your login, or the setup took too long. Delete the account from your app and begin the setup process again. If you continue to have trouble, please contact support and let us know what you have tried.
If you have any problems or questions about working with MFA, please contact support.